Secure your dependencies. Ship with confidence.

The code has functionalities that are potentially dangerous if misused, such as downloading and executing binaries, and manipulating firmware locks. It lacks strong authentication for remote command execution, which is a significant security risk. However, there is no explicit malicious intent identified, but it should be reviewed carefully before deployment due to its capabilities.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.

The source code collects detailed system information and sends it to a remote server without user consent. This behavior is highly suspicious and can be classified as data exfiltration, posing a significant security risk.

This bundle contains a malicious/inappropriate insertion inside an EventSource polyfill which displays political content and forcibly opens external URLs (alert + window.open) on page load (after a timeout). This is not related to the component's stated functionality and constitutes a supply-chain compromise or injected backdoor. Do not use this build; treat it as malicious and remove/replace with a clean, verified package. Investigate package source, version history, and supply-chain integrity.

This code retrieves a DLL from hxxp://example[.]com/tts/Trade.dll and a ZIP file from hxxp://example[.]com/tts/TdxTradeServer-0.1_20170823174759.zip, modifies the DLL with user-provided credentials, and sets up a server environment. The absence of file integrity or signature checks significantly increases the risk of executing malicious code. Embedding user account details in the DLL also raises privacy concerns. Reliance on potentially unsafe external URLs for core functionality further escalates the threat potential.

The analyzed fragment exhibits high-risk patterns due to dynamic runtime code execution (new Function) driven by configuration data, base64-decoded payload handling, and heavy obfuscation. While some license/plugin contexts can be legitimate, the presence of untrusted data execution paths marks a potential supply-chain and runtime security risk. This should be treated as suspicious with medium-to-high confidence until a full, clean-room de-obfuscation and threat-model assessment confirms legitimate behavior.

This source code is malicious. It performs stealthy data exfiltration of sensitive system and environment information to a suspicious hardcoded IP address. The evasion techniques and randomized network behavior indicate intentional concealment. This represents a serious security and privacy risk and should be flagged as high severity malware.

Live on npm for 6 days, 19 hours and 5 minutes before removal. Socket users were protected even while the package was live.

This module is a remote worker that deserializes and executes callables received via cloudpickle over file descriptors. The core security issue is arbitrary code execution via cloudpickle.loads and direct invocation of the deserialized function. The file itself does not contain obvious malicious payloads, hardcoded secrets, or obfuscation, but it presents a high security risk if used with untrusted inputs: it can trivially be used for RCE, data exfiltration, or other malicious behavior by a remote sender. Use only in fully trusted environments or add sandboxing and strict validation.

The code engages in potentially malicious behavior by collecting sensitive system information and sending it to a remote server without clear user consent. The hard-coded domain, data obfuscation, and lack of transparency raise significant privacy and security concerns. The risk score is high due to the invasive nature of the code.

Live on npm for 20 minutes before removal. Socket users were protected even while the package was live.

The code contains a critical supply chain security vulnerability by executing remote code fetched at runtime via eval(). This enables arbitrary code execution controlled by an external party, which can lead to malware infection, data theft, or system compromise. The provided reports are invalid and fail to identify this issue. The package should be considered highly risky and potentially malicious until proven otherwise.

Live on npm for 23 days, 8 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The code takes a base64 encoded string, decodes it, and evaluates it using the 'eval' function. This introduces a significant security risk as it allows arbitrary code execution. The code should be considered dangerous and should not be used.

Live on npm for 49 minutes before removal. Socket users were protected even while the package was live.

The bundle contains legitimate library code and expected app-specific helpers, but also contains clearly malicious/abusive behavior: a region-targeted audio injection (autoplay of remote audio on certain Russian locales/hosts) and persistent disabling of pointer events. Additionally, cookies named 'token','qdid','qaid','qvid' are automatically read and forwarded as headers to the hard-coded API endpoint — a sensitive data flow that could exfiltrate credentials if the endpoint is not trusted. There are also leftover debug artifacts (alert and console logs). Recommended actions: do NOT deploy this bundle to production; remove or disable the region-targeted audio injection immediately; audit why cookies are forwarded and validate that the backend is trusted; remove debugging alerts; split third-party libs from app code and audit both.

This file gathers detailed OS and network information (including hostname, user details, and IP addresses) and sends it to hardcoded endpoints (e.g., http://23[.]22[.]251[.]177:8080/jpd[.]php and http://23[.]22[.]251[.]177:8080/jpd1[.]php) via HTTP GET and POST requests. It also attempts to fall back on a WebSocket connection (wss://yourserver[.]com/socket) if needed. The code fetches the public IP address from https://api64.ipify.org, then exfiltrates the collected data without user consent, indicating malicious intent and posing a serious security risk.

Live on npm for 9 days, 2 hours and 22 minutes before removal. Socket users were protected even while the package was live.

This code implements an unauthenticated HTTP control surface for a viewer object that accepts arbitrary commands from request paths and bodies, dynamically looks up and calls attributes on internal objects, loads JSON from requests and triggers callbacks, and serves local files. These behaviors make it high risk for supply-chain or runtime compromise: untrusted clients can invoke methods and mutate state which could lead to data exfiltration, filesystem access, or other damaging actions depending on the viewer's API. It should not be exposed to untrusted networks or used without strict authentication/authorization and input validation.

This script is designed to exfiltrate environment variables to an external server, which poses a significant security risk and is indicative of malicious behavior.

Live on npm for 4 days, 3 hours and 59 minutes before removal. Socket users were protected even while the package was live.

The source code is a configuration for a cryptocurrency miner using the Coinhive script. While the code itself is not obfuscated or directly malicious, it enables cryptomining which is considered malware if done without explicit user consent. The existing reports are invalid and provide no useful information. This package poses a high security risk due to unauthorized cryptomining behavior.

High-risk/backdoor behavior: this module will sign a transaction that sends a fixed token amount to a hardcoded recipient regardless of caller-provided destination/amount. If an application passes user mnemonics to this function (or otherwise uses it as a general signer), those users' funds can be siphoned to the hardcoded address. Treat the package as malicious/untrusted: do not provide mnemonics to it and remove it from any production use. Audit any systems that depended on it and rotate any exposed keys.

This install script performs a destructive filesystem operation (removing the katex directory) and then executes an unknown command. Even if not overtly labeled as malware, it poses a high risk: it can cause data loss and enables execution of arbitrary code. You should not run this without inspecting the package contents and verifying what `copy-files-from-to` refers to and why katex is being removed.

Live on PyPI for 3 hours and 36 minutes before removal. Socket users were protected even while the package was live.

The code contains dynamic URL alterations and uses 'os.system' with user inputs, posing a security risk. It is recommended to review the code for safer alternatives.

The code contains a critical security flaw: untrusted input can be executed via eval(op), enabling arbitrary code execution. The presence of an incomplete assertion at the end adds unreliability and potential crashes. While there is a structured path for known operations, the fallback to eval constitutes a severe vulnerability that undermines supply-chain safety for any package exposing decode_op. Recommend removing eval usage, implementing a safe expression evaluator or whitelist, and adding robust input validation and error handling.

The script exhibits clear signs of malicious activity by exfiltrating sensitive system information to an external server and performing suspicious DNS queries. The use of encoding and compression techniques indicates an attempt to obfuscate the data being transmitted.

Live on npm for 49 minutes before removal. Socket users were protected even while the package was live.

This code is highly suspicious and should not be used without further investigation. The code is heavily obfuscated and could potentially contain malicious code. The purpose of the code is unclear and further investigation is necessary to determine its exact behavior.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate sensitive system information to an external domain without user consent, indicating malicious intent. This poses a significant security risk.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

This is clearly a malicious SMS/call bombing tool designed to harass individuals by flooding their phone with verification messages and calls. The code has no legitimate use case and constitutes a form of digital harassment. It deliberately abuses authentication systems of legitimate services and likely violates terms of service, anti-spam laws, and telecommunications regulations in many jurisdictions.

The code exhibits a high-risk dynamic evaluation path (eval of untrusted JavaScript from a server message) and a file upload sink that could enable data exfiltration or remote control. Combined with remote message handling and global exposure of internal widgets, this pattern constitutes a potential backdoor or supply-chain-like risk if the WebSocket server is compromised or if messages can be spoofed. The code should be treated as dangerous and reworked to remove eval and to tightly validate and sandbox any remote inputs.

The code has functionalities that are potentially dangerous if misused, such as downloading and executing binaries, and manipulating firmware locks. It lacks strong authentication for remote command execution, which is a significant security risk. However, there is no explicit malicious intent identified, but it should be reviewed carefully before deployment due to its capabilities.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.

The source code collects detailed system information and sends it to a remote server without user consent. This behavior is highly suspicious and can be classified as data exfiltration, posing a significant security risk.

This bundle contains a malicious/inappropriate insertion inside an EventSource polyfill which displays political content and forcibly opens external URLs (alert + window.open) on page load (after a timeout). This is not related to the component's stated functionality and constitutes a supply-chain compromise or injected backdoor. Do not use this build; treat it as malicious and remove/replace with a clean, verified package. Investigate package source, version history, and supply-chain integrity.

This code retrieves a DLL from hxxp://example[.]com/tts/Trade.dll and a ZIP file from hxxp://example[.]com/tts/TdxTradeServer-0.1_20170823174759.zip, modifies the DLL with user-provided credentials, and sets up a server environment. The absence of file integrity or signature checks significantly increases the risk of executing malicious code. Embedding user account details in the DLL also raises privacy concerns. Reliance on potentially unsafe external URLs for core functionality further escalates the threat potential.

The analyzed fragment exhibits high-risk patterns due to dynamic runtime code execution (new Function) driven by configuration data, base64-decoded payload handling, and heavy obfuscation. While some license/plugin contexts can be legitimate, the presence of untrusted data execution paths marks a potential supply-chain and runtime security risk. This should be treated as suspicious with medium-to-high confidence until a full, clean-room de-obfuscation and threat-model assessment confirms legitimate behavior.

This source code is malicious. It performs stealthy data exfiltration of sensitive system and environment information to a suspicious hardcoded IP address. The evasion techniques and randomized network behavior indicate intentional concealment. This represents a serious security and privacy risk and should be flagged as high severity malware.

Live on npm for 6 days, 19 hours and 5 minutes before removal. Socket users were protected even while the package was live.

This module is a remote worker that deserializes and executes callables received via cloudpickle over file descriptors. The core security issue is arbitrary code execution via cloudpickle.loads and direct invocation of the deserialized function. The file itself does not contain obvious malicious payloads, hardcoded secrets, or obfuscation, but it presents a high security risk if used with untrusted inputs: it can trivially be used for RCE, data exfiltration, or other malicious behavior by a remote sender. Use only in fully trusted environments or add sandboxing and strict validation.

The code engages in potentially malicious behavior by collecting sensitive system information and sending it to a remote server without clear user consent. The hard-coded domain, data obfuscation, and lack of transparency raise significant privacy and security concerns. The risk score is high due to the invasive nature of the code.

Live on npm for 20 minutes before removal. Socket users were protected even while the package was live.

The code contains a critical supply chain security vulnerability by executing remote code fetched at runtime via eval(). This enables arbitrary code execution controlled by an external party, which can lead to malware infection, data theft, or system compromise. The provided reports are invalid and fail to identify this issue. The package should be considered highly risky and potentially malicious until proven otherwise.

Live on npm for 23 days, 8 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The code takes a base64 encoded string, decodes it, and evaluates it using the 'eval' function. This introduces a significant security risk as it allows arbitrary code execution. The code should be considered dangerous and should not be used.

Live on npm for 49 minutes before removal. Socket users were protected even while the package was live.

The bundle contains legitimate library code and expected app-specific helpers, but also contains clearly malicious/abusive behavior: a region-targeted audio injection (autoplay of remote audio on certain Russian locales/hosts) and persistent disabling of pointer events. Additionally, cookies named 'token','qdid','qaid','qvid' are automatically read and forwarded as headers to the hard-coded API endpoint — a sensitive data flow that could exfiltrate credentials if the endpoint is not trusted. There are also leftover debug artifacts (alert and console logs). Recommended actions: do NOT deploy this bundle to production; remove or disable the region-targeted audio injection immediately; audit why cookies are forwarded and validate that the backend is trusted; remove debugging alerts; split third-party libs from app code and audit both.

This file gathers detailed OS and network information (including hostname, user details, and IP addresses) and sends it to hardcoded endpoints (e.g., http://23[.]22[.]251[.]177:8080/jpd[.]php and http://23[.]22[.]251[.]177:8080/jpd1[.]php) via HTTP GET and POST requests. It also attempts to fall back on a WebSocket connection (wss://yourserver[.]com/socket) if needed. The code fetches the public IP address from https://api64.ipify.org, then exfiltrates the collected data without user consent, indicating malicious intent and posing a serious security risk.

Live on npm for 9 days, 2 hours and 22 minutes before removal. Socket users were protected even while the package was live.

This code implements an unauthenticated HTTP control surface for a viewer object that accepts arbitrary commands from request paths and bodies, dynamically looks up and calls attributes on internal objects, loads JSON from requests and triggers callbacks, and serves local files. These behaviors make it high risk for supply-chain or runtime compromise: untrusted clients can invoke methods and mutate state which could lead to data exfiltration, filesystem access, or other damaging actions depending on the viewer's API. It should not be exposed to untrusted networks or used without strict authentication/authorization and input validation.

This script is designed to exfiltrate environment variables to an external server, which poses a significant security risk and is indicative of malicious behavior.

Live on npm for 4 days, 3 hours and 59 minutes before removal. Socket users were protected even while the package was live.

The source code is a configuration for a cryptocurrency miner using the Coinhive script. While the code itself is not obfuscated or directly malicious, it enables cryptomining which is considered malware if done without explicit user consent. The existing reports are invalid and provide no useful information. This package poses a high security risk due to unauthorized cryptomining behavior.

High-risk/backdoor behavior: this module will sign a transaction that sends a fixed token amount to a hardcoded recipient regardless of caller-provided destination/amount. If an application passes user mnemonics to this function (or otherwise uses it as a general signer), those users' funds can be siphoned to the hardcoded address. Treat the package as malicious/untrusted: do not provide mnemonics to it and remove it from any production use. Audit any systems that depended on it and rotate any exposed keys.

This install script performs a destructive filesystem operation (removing the katex directory) and then executes an unknown command. Even if not overtly labeled as malware, it poses a high risk: it can cause data loss and enables execution of arbitrary code. You should not run this without inspecting the package contents and verifying what `copy-files-from-to` refers to and why katex is being removed.

Live on PyPI for 3 hours and 36 minutes before removal. Socket users were protected even while the package was live.

The code contains dynamic URL alterations and uses 'os.system' with user inputs, posing a security risk. It is recommended to review the code for safer alternatives.

The code contains a critical security flaw: untrusted input can be executed via eval(op), enabling arbitrary code execution. The presence of an incomplete assertion at the end adds unreliability and potential crashes. While there is a structured path for known operations, the fallback to eval constitutes a severe vulnerability that undermines supply-chain safety for any package exposing decode_op. Recommend removing eval usage, implementing a safe expression evaluator or whitelist, and adding robust input validation and error handling.

The script exhibits clear signs of malicious activity by exfiltrating sensitive system information to an external server and performing suspicious DNS queries. The use of encoding and compression techniques indicates an attempt to obfuscate the data being transmitted.

Live on npm for 49 minutes before removal. Socket users were protected even while the package was live.

This code is highly suspicious and should not be used without further investigation. The code is heavily obfuscated and could potentially contain malicious code. The purpose of the code is unclear and further investigation is necessary to determine its exact behavior.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate sensitive system information to an external domain without user consent, indicating malicious intent. This poses a significant security risk.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

This is clearly a malicious SMS/call bombing tool designed to harass individuals by flooding their phone with verification messages and calls. The code has no legitimate use case and constitutes a form of digital harassment. It deliberately abuses authentication systems of legitimate services and likely violates terms of service, anti-spam laws, and telecommunications regulations in many jurisdictions.

The code exhibits a high-risk dynamic evaluation path (eval of untrusted JavaScript from a server message) and a file upload sink that could enable data exfiltration or remote control. Combined with remote message handling and global exposure of internal widgets, this pattern constitutes a potential backdoor or supply-chain-like risk if the WebSocket server is compromised or if messages can be spoofed. The code should be treated as dangerous and reworked to remove eval and to tightly validate and sandbox any remote inputs.