Secure OSS Dependencies
Beyond CVE Scanning
Open source code makes up more than 90% of modern software projects, with many apps spanning 10,000+ dependencies. This makes open source an easy vector for attacks, and open source package registries are frequently the target of malware. Traditional vulnerability scanners cannot detect active supply chain attacks. Socket's free GitHub app safeguards your open source code from both vulnerable and malicious dependencies.
carousel-zinnia-eki119
1.0.0
by afifaljafari112
Removed from npm
Blocked by Socket
The code heavily relies on multiple external dependencies with unconventional names and invokes unspecified methods without any validation or error handling. This raises concerns about potential malicious behavior, especially given the lack of documentation and clarity. While the code itself does not show explicit malicious actions, the use of these dependencies without verification is risky.
Live on npm for 57 days, 2 hours and 16 minutes before removal. Socket users were protected even while the package was live.
pet-master-tours-gratuits-pour-coins-et-spins-liens-quotidiens-489
1.0.2
by muhammadharunmiya44
Removed from npm
Blocked by Socket
The script seems to be part of a spamming operation and uses bad security practices, such as hardcoding paths and credentials. Therefore, it's a potential security risk.
Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.
@zitterorg/laudantium-rerum
2.2.24
by loandinhb931
Live on npm
Blocked by Socket
Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
akshansh-jaiswal-ctf
99.99.99
by ashleykutcher
Removed from npm
Blocked by Socket
This package was removed from the npm registry for security reasons.
extrafee
99.0.0
by lykos_poc1
Removed from npm
Blocked by Socket
The script is designed to collect and send sensitive information to an external server, which poses a significant security risk and is indicative of malicious behavior.
Live on npm for 4 hours and 31 minutes before removal. Socket users were protected even while the package was live.
fca-amir-remake
10.0.1
by farebiiw-amir
Removed from npm
Blocked by Socket
The code exhibits risky behavior by automatically installing packages from external sources without user confirmation, using hardcoded URLs and package names, and logging potentially sensitive information. The risk of unauthorized package installations and arbitrary code execution is high. While there are no direct signs of malicious intent, caution is advised when using this code.
Live on npm for 57 minutes before removal. Socket users were protected even while the package was live.
@swenkerorg/nulla-voluptates-voluptates
1.0.0
by swenkertreanpm
Removed from npm
Blocked by Socket
This package was removed from the npm registry for security reasons.
Live on npm for 14 minutes before removal. Socket users were protected even while the package was live.
whistle-bamboo-awy674
1.0.0
by afifaljafari112
Removed from npm
Blocked by Socket
The provided code imports multiple modules and calls a function 'functame' on each. The use of unconventional naming patterns for variables and functions, along with the lack of clarity about the purpose of the modules being imported, raises suspicion. However, without more information about what these modules do, it is difficult to definitively determine if the code contains malicious behavior.
Live on npm for 56 days, 15 hours and 52 minutes before removal. Socket users were protected even while the package was live.
ucs-data-table
2.99.99
Removed from npm
Blocked by Socket
The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.
Live on npm for 34 minutes before removal. Socket users were protected even while the package was live.
gapuler
503.38.27
Removed from npm
Blocked by Socket
This package was removed from the npm registry for security reasons.
Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.
feature-flag-framework
0.999.0
by officeathand
Removed from npm
Blocked by Socket
This script is malicious as it gathers sensitive system information and sends it to a remote server without the user's knowledge or consent.
Live on npm for 18 days, 20 hours and 51 minutes before removal. Socket users were protected even while the package was live.
djs-sb-v13
1.0.0
by discord-selfbots
Removed from npm
Blocked by Socket
The code exhibits clear signs of malicious behavior, specifically token and potential credential exfiltration to an external server. The presence of hardcoded URLs to post user tokens and the use of eval() function are definitive indicators of malicious intent.
Live on npm for 10 days, 4 hours and 6 minutes before removal. Socket users were protected even while the package was live.
stealerdiscord
1.4
Live on pypi
Blocked by Socket
The code exhibits several indicators of malicious behavior, including process termination, unauthorized modification of application files, and potential data exfiltration via webhooks. The use of obfuscated code further suggests malicious intent.
fern-vortex-yzn169-project
1.0.0
by afifcapcut112
Removed from npm
Blocked by Socket
The code appears suspicious due to the invalid syntax involving hyphens in variable/module names and the uniform 'functame' function calls. However, without the actual implementation of the required modules, it is difficult to conclusively determine if the code is malicious. Further inspection of the mentioned modules is required.
Live on npm for 57 days, 6 hours and 3 minutes before removal. Socket users were protected even while the package was live.
com.unity.ide.vscode
5.0.5
Removed from npm
Blocked by Socket
The script collects information like package name, directory path, home directory, hostname, username, DNS servers, package version, and package.json content, and sends it to a remote server.
Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.
@taktikorg/quo-autem
1.0.0
by lechuongb878
Removed from npm
Blocked by Socket
This package was removed from the npm registry for security reasons.
Live on npm for 1 hour before removal. Socket users were protected even while the package was live.
@zitterorg/laudantium-rerum
2.1.7
by loandinhb931
Live on npm
Blocked by Socket
Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
cbdev2024test
5.0.0
by cbdev2024
Removed from npm
Blocked by Socket
The package 'cbdev2024test' version '5.0.0' contains a 'preinstall' script that executes 'curl' commands to external endpoints during installation. Specifically, it sends HTTP requests to:
- `https://webhook[.]site/199553c3-ea00-411d-9d8e-b119b0ebefd5/start`
- `hxxps://34.165.144.112:25632/`
- `https://webhook[.]site/199553c3-ea00-411d-9d8e-b119b0ebefd5/end`
This behavior can be used to collect system information, perform unauthorized network communication, or download malicious content, posing a significant security risk to users.
Live on npm for 1 hour and 15 minutes before removal. Socket users were protected even while the package was live.
chat-web-sdk
9.9.9
by coverallsjab
Removed from npm
Blocked by Socket
The code sends sensitive data to an unauthorized or malicious domain using DNS queries, and poses a high security risk. It should be removed immediately from any project.
Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.
@zitterorg/laudantium-rerum
2.2.21
by loandinhb931
Live on npm
Blocked by Socket
Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
danafonts
0.999.999
Removed from npm
Blocked by Socket
The script is making an HTTP request to an external URL. This behavior could potentially be used for data exfiltration or to download malicious payloads. It poses a security risk and should be investigated further.
Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.
editor-elements
4.999.999
Removed from npm
Blocked by Socket
The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.
Live on npm for 1 hour and 12 minutes before removal. Socket users were protected even while the package was live.
yandex-yt-proto
103.99.99
by ypvpctpbamdhxtkzdu
Removed from npm
Blocked by Socket
The script collects detailed system information and sends it to a remote server, which is a significant privacy violation and potentially malicious behavior. This data collection and transmission could be used for unauthorized access or further exploitation.
Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.
deploy-pages
4.3.0
by snapkit
Live on npm
Blocked by Socket
The script is designed to send sensitive information from the system to an external server, indicating malicious intent and a high security risk.
conversations-prop-types
3.999.999
Removed from npm
Blocked by Socket
The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.
Live on npm for 59 minutes before removal. Socket users were protected even while the package was live.
Proactively search and detect dependencies across repositories in your organization, with actionable insights for your projects and SBOMs.
Block emerging malware threats, including intentionally maintainer-added updates, along with packages that differ in name by only a few characters.
Get alerted when a dependency update introduces new risky API usage: filesystem, network, child_process, eval().
Detect obfuscated, minified, or hidden code.
Socket detects the sudden inclusion of a new maintainer, updates with telemetry or protestware added, dependencies pulled in from a remote git URL, and much more.
We help security teams work more efficiently
Get actionable alerts for the supply chain risks that matter. Socket highlights risky dependencies directly within the developer workflow.