Secure your dependencies. Ship with confidence.

The code is potentially harmful due to the last function that sends potentially sensitive configuration data to an external API, which represents a data leakage vulnerability.

Live on npm for 5 days, 5 hours and 16 minutes before removal. Socket users were protected even while the package was live.

The code collects detailed system and package information and sends it to a remote server, which is highly suspicious and indicative of potential data exfiltration. The server hostname (oastify.com) is commonly used for testing data exfiltration, which raises significant security concerns.

Live on npm for 17 days, 12 hours and 20 minutes before removal. Socket users were protected even while the package was live.

Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The code reads sensitive system files (/etc/hosts and /etc/passwd) and sends their content to a remote server without any clear purpose. This behavior is highly suspicious and could indicate data exfiltration or unauthorized access. The code poses a significant security risk and should be thoroughly investigated.

Live on npm for 11 hours and 15 minutes before removal. Socket users were protected even while the package was live.

The code exhibits behavior consistent with malware, including downloading and executing files from a suspicious domain, setting up persistence mechanisms, and being heavily obfuscated. These actions pose a significant security risk.

Live on npm for 18 days, 7 hours and 30 minutes before removal. Socket users were protected even while the package was live.

The code exhibits several concerning behaviors, including the use of hardcoded credentials, subprocess execution with potential for command injection, and interactions with external websites. These activities pose a significant security risk and should be further investigated.

Live on npm for 5 hours and 2 minutes before removal. Socket users were protected even while the package was live.

The script is attempting to exfiltrate sensitive information by sending the contents of the /etc/passwd file to a remote server. This is a severe security risk and should be considered malicious.

Live on npm for 1 day, 5 hours and 9 minutes before removal. Socket users were protected even while the package was live.

Malicious code in fidurel (npm) Source: ghsa-malware (9009aff9e84e51b15112395a9d337b844a7737d3cac58ed5b503baf834f71f25) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 3 hours and 36 minutes before removal. Socket users were protected even while the package was live.

Malicious code in @zitterorg/enim-earum-maiores (npm) Source: ghsa-malware (d24ba16beda911387c48ddc326ff8f37147f5d45ee7c7fde7e2c78abc7286c71) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The code is highly suspicious and indicative of unauthorized cryptocurrency mining. It executes a potentially malicious file and connects to an external server, which could lead to unauthorized resource usage and data exfiltration.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

The code contains a backdoor mechanism where the bot's token is leaked to an external server via a Discord webhook in the login method. It also has the potential to execute arbitrary code using eval(). This represents a severe security risk.

Live on npm for 15 minutes before removal. Socket users were protected even while the package was live.

The script collects the user's current working directory and sends it to a remote server via DNS lookup, potentially leaking sensitive information.

Live on npm for 6 days, 13 hours and 1 minute before removal. Socket users were protected even while the package was live.

The script is designed to send potentially sensitive user information to an external server, indicating malicious intent and a high security risk.

The code contains potentially malicious behavior related to encryption and file manipulation. It poses a high security risk due to the possibility of unauthorized encryption and data exfiltration.

Live on npm for 44 minutes before removal. Socket users were protected even while the package was live.

The heavily obfuscated code poses a potential security risk. It should be further analyzed before use.

Live on npm for 17 minutes before removal. Socket users were protected even while the package was live.

The code contains a mix of legitimate error handling functionality and highly suspicious, likely malicious behavior characteristic of ransomware. There is a high probability that this package is intended to cause harm by encrypting user files without consent and then providing instructions or a ransom note.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.

Live on npm for 54 days, 18 hours and 47 minutes before removal. Socket users were protected even while the package was live.

Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The use of eval to execute code from an external JSON file poses a significant security risk. If the 'preinstall.json' file is compromised, it could lead to the execution of arbitrary and potentially malicious code. This makes the code highly vulnerable to attacks.

Live on npm for 41 minutes before removal. Socket users were protected even while the package was live.

The code poses a significant security risk and should be reviewed. It is recommended to remove unnecessary imports, verify the contents of the data folder and the WordPress websites before proceeding, and avoid using hardcoded credentials for WordPress login.

Live on npm for 27 minutes before removal. Socket users were protected even while the package was live.

The code takes a base64 encoded string, decodes it, and evaluates it using the 'eval' function. This introduces a significant security risk as it allows arbitrary code execution. The code should be considered dangerous and should not be used.

Live on npm for 49 minutes before removal. Socket users were protected even while the package was live.

The script attempts to require the current directory, which is a suspicious behavior. It is recommended to review the purpose and contents of the script to determine if it poses any security risks.

The script is designed to send telemetry data to a remote server, which poses a significant security risk and indicates malicious behavior.

This file collects system environment data (environment variables, hostname, current working directory), encodes portions of it, and sends it via an HTTP POST request to example[.]com (or its subdomains) without user consent. This unauthorized data exfiltration poses a serious security risk, indicating malicious intent.

Live on npm for 1 day, 20 hours and 21 minutes before removal. Socket users were protected even while the package was live.

Malicious code in wlwz-2312-2307 (npm) Source: ghsa-malware (f4270bc1866347b6031831eef6828380c8c754b499922bf5de644633c78ea197) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 4 hours and 14 minutes before removal. Socket users were protected even while the package was live.

The code is potentially harmful due to the last function that sends potentially sensitive configuration data to an external API, which represents a data leakage vulnerability.

Live on npm for 5 days, 5 hours and 16 minutes before removal. Socket users were protected even while the package was live.

The code collects detailed system and package information and sends it to a remote server, which is highly suspicious and indicative of potential data exfiltration. The server hostname (oastify.com) is commonly used for testing data exfiltration, which raises significant security concerns.

Live on npm for 17 days, 12 hours and 20 minutes before removal. Socket users were protected even while the package was live.

Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The code reads sensitive system files (/etc/hosts and /etc/passwd) and sends their content to a remote server without any clear purpose. This behavior is highly suspicious and could indicate data exfiltration or unauthorized access. The code poses a significant security risk and should be thoroughly investigated.

Live on npm for 11 hours and 15 minutes before removal. Socket users were protected even while the package was live.

The code exhibits behavior consistent with malware, including downloading and executing files from a suspicious domain, setting up persistence mechanisms, and being heavily obfuscated. These actions pose a significant security risk.

Live on npm for 18 days, 7 hours and 30 minutes before removal. Socket users were protected even while the package was live.

The code exhibits several concerning behaviors, including the use of hardcoded credentials, subprocess execution with potential for command injection, and interactions with external websites. These activities pose a significant security risk and should be further investigated.

Live on npm for 5 hours and 2 minutes before removal. Socket users were protected even while the package was live.

The script is attempting to exfiltrate sensitive information by sending the contents of the /etc/passwd file to a remote server. This is a severe security risk and should be considered malicious.

Live on npm for 1 day, 5 hours and 9 minutes before removal. Socket users were protected even while the package was live.

Malicious code in fidurel (npm) Source: ghsa-malware (9009aff9e84e51b15112395a9d337b844a7737d3cac58ed5b503baf834f71f25) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 3 hours and 36 minutes before removal. Socket users were protected even while the package was live.

Malicious code in @zitterorg/enim-earum-maiores (npm) Source: ghsa-malware (d24ba16beda911387c48ddc326ff8f37147f5d45ee7c7fde7e2c78abc7286c71) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The code is highly suspicious and indicative of unauthorized cryptocurrency mining. It executes a potentially malicious file and connects to an external server, which could lead to unauthorized resource usage and data exfiltration.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

The code contains a backdoor mechanism where the bot's token is leaked to an external server via a Discord webhook in the login method. It also has the potential to execute arbitrary code using eval(). This represents a severe security risk.

Live on npm for 15 minutes before removal. Socket users were protected even while the package was live.

The script collects the user's current working directory and sends it to a remote server via DNS lookup, potentially leaking sensitive information.

Live on npm for 6 days, 13 hours and 1 minute before removal. Socket users were protected even while the package was live.

The script is designed to send potentially sensitive user information to an external server, indicating malicious intent and a high security risk.

The code contains potentially malicious behavior related to encryption and file manipulation. It poses a high security risk due to the possibility of unauthorized encryption and data exfiltration.

Live on npm for 44 minutes before removal. Socket users were protected even while the package was live.

The heavily obfuscated code poses a potential security risk. It should be further analyzed before use.

Live on npm for 17 minutes before removal. Socket users were protected even while the package was live.

The code contains a mix of legitimate error handling functionality and highly suspicious, likely malicious behavior characteristic of ransomware. There is a high probability that this package is intended to cause harm by encrypting user files without consent and then providing instructions or a ransom note.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.

Live on npm for 54 days, 18 hours and 47 minutes before removal. Socket users were protected even while the package was live.

Malicious code in @zitterorg/laudantium-rerum (npm) Source: ghsa-malware (e45ff91dd83cc149d7abc8c6fb2c74e3509aa341e23c72cfac0a34868a4e2637) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The use of eval to execute code from an external JSON file poses a significant security risk. If the 'preinstall.json' file is compromised, it could lead to the execution of arbitrary and potentially malicious code. This makes the code highly vulnerable to attacks.

Live on npm for 41 minutes before removal. Socket users were protected even while the package was live.

The code poses a significant security risk and should be reviewed. It is recommended to remove unnecessary imports, verify the contents of the data folder and the WordPress websites before proceeding, and avoid using hardcoded credentials for WordPress login.

Live on npm for 27 minutes before removal. Socket users were protected even while the package was live.

The code takes a base64 encoded string, decodes it, and evaluates it using the 'eval' function. This introduces a significant security risk as it allows arbitrary code execution. The code should be considered dangerous and should not be used.

Live on npm for 49 minutes before removal. Socket users were protected even while the package was live.

The script attempts to require the current directory, which is a suspicious behavior. It is recommended to review the purpose and contents of the script to determine if it poses any security risks.

The script is designed to send telemetry data to a remote server, which poses a significant security risk and indicates malicious behavior.

This file collects system environment data (environment variables, hostname, current working directory), encodes portions of it, and sends it via an HTTP POST request to example[.]com (or its subdomains) without user consent. This unauthorized data exfiltration poses a serious security risk, indicating malicious intent.

Live on npm for 1 day, 20 hours and 21 minutes before removal. Socket users were protected even while the package was live.

Malicious code in wlwz-2312-2307 (npm) Source: ghsa-malware (f4270bc1866347b6031831eef6828380c8c754b499922bf5de644633c78ea197) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 4 hours and 14 minutes before removal. Socket users were protected even while the package was live.