Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 3.7.1

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.0

We protect you from vulnerable and malicious packages

mlladklbipjfnjgjjbkofonboojklnpo

2.19.22

Live on Chrome

Blocked by Socket

This Chrome extension is part of a large-scale commercial spam-automation campaign; while not classic malware, it functions as policy-abuse infrastructure that violates Chrome Web Store spam policies and WhatsApp anti-spam rules, enables bulk sending and scheduling via WhatsApp MAIN-world hooks, and exfiltrates media off-device despite marketing that minimizes or misrepresents these behaviors.

johnsnowlabs-by-ckl

5.1.8rc10

Live on PyPI

Blocked by Socket

This module is a high-risk utility because it fetches Python code from remote URLs and local markdown files and executes that code directly via execute_py_script_string_as_new_proc without validation or sandboxing. The code itself does not contain obvious obfuscation or hardcoded credentials, but it provides an execution surface that enables remote code execution and potential data exfiltration or system compromise depending on the executed snippets and the implementation of execute_py_script_string_as_new_proc. Treat calls that use remote URLs or untrusted markdown as dangerous. Use only with trusted content or add validation/sandboxing (e.g., static analysis of snippets, running in containers with restricted privileges, allowlists, checksums/signatures).

builtin-pages-lib

5.0.2

by thecyberanon

Removed from npm

Blocked by Socket

The code is intended for malicious use, specifically designed to secretly collect and transmit sensitive system information to an external entity. This could be part of a reconnaissance step in a larger attack or a standalone information-gathering script.

Live on npm for 27 minutes before removal. Socket users were protected even while the package was live.

fca-anya-remake

9.4.0

by anyaofficial

Removed from npm

Blocked by Socket

This code is highly suspicious and should not be used without further investigation. The code is heavily obfuscated and could potentially contain malicious code. The purpose of the code is unclear and further investigation is necessary to determine its exact behavior.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

chatgpt-scraper

1.0.0

by vihangayt_npm

Live on npm

Blocked by Socket

The code is heavily obfuscated and uses dynamic code execution and network communication with obfuscated endpoints, which are strong indicators of potentially malicious behavior or backdoor functionality. The lack of meaningful existing reports and the presence of suspicious constructs justify treating this package as high risk and potentially malicious. Further in-depth analysis and deobfuscation are necessary to confirm its intent and impact.

sbcli-dev

10.1.13

Live on PyPI

Blocked by Socket

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

usaa-textarea

4.1.0

by w00dr0w

Removed from npm

Blocked by Socket

This script is performing a DNS lookup on the domain 'preinstall.dns.w00dr0w-usaa.com' with the IP address '3.145.70.183'. This could be used to perform a man-in-the-middle attack or execute malicious code. The user should be cautious when executing this script and should review the contents of index.js and run a DNS scan on 'preinstall.dns.w00dr0w-usaa.com' to determine its reputation.

sbcli-new

1.1.6

Live on PyPI

Blocked by Socket

This module is not overtly malicious (no encoded payloads, no external exfiltration, no reverse shell), but it contains high-risk insecure patterns: user-controlled values are directly interpolated into shell command strings and passed to node_utils.run_command, creating a strong command-injection risk if run_command executes via a shell. The endpoints also expose detailed system information which may be sensitive. Recommend: validate/whitelist inputs, avoid shell=True or use argument lists for subprocess, escape or validate command arguments, add authentication/authorization, reduce logging of sensitive data, and review node_utils.run_command implementation. Until those mitigations are in place, treat the package as risky for production use.

feed-testing-utils

1.1.0

by jpdhackerone03

Live on npm

Blocked by Socket

The source code exhibits behavior consistent with data exfiltration malware. It collects sensitive system information and sends it to external endpoints without user consent, posing a significant security risk.

airbnb-dev

99.9.0

by jpdtest1

Removed from npm

Blocked by Socket

The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.

Live on npm for 14 hours and 58 minutes before removal. Socket users were protected even while the package was live.

agiilkigodfhimkdcjgbjdlajpjdhaig

1.3

Live on Chrome

Blocked by Socket

The code is highly suspicious and potentially malicious, with a high probability of containing hidden or obfuscated functionality designed to evade detection or analysis. It is not recommended to use or execute this code without further analysis and verification of its safety and legitimacy.

mtmai

0.3.1447

Live on PyPI

Blocked by Socket

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

healenium

1.0.1

by aagiubkagf

Removed from npm

Blocked by Socket

The code connects to a hardcoded IP address (47[.]251[.]102[.]182) on port 8057 without user consent. It sends system information, including OS type and architecture, to this remote server. The code listens for commands from the server and executes them locally using the `exec()` function, which can lead to arbitrary code execution. Additionally, it can receive files from the server and write them to the local filesystem, potentially introducing malicious files. It includes a scheduled task that collects and sends user information at a specific date and time. These behaviors represent unauthorized remote control and data exfiltration, posing significant security risks.

Live on npm for 22 days, 3 hours and 3 minutes before removal. Socket users were protected even while the package was live.

gulp-mix-keywords

1.0.3

by blackmao

Live on npm

Blocked by Socket

This is malicious software designed for supply chain attacks. It connects to a suspicious private IP to fetch obfuscation instructions and dynamically modifies code during build processes. The obfuscation mechanism can hide malicious functionality or inject backdoors. This represents an extremely high security risk and should not be used.

frankyu

202504029.1

Live on PyPI

Blocked by Socket

This module contains a high-risk, privacy-invasive function (jietu2mail) that captures the entire virtual desktop, saves it to a public path, and sends it via the user's Outlook account to hardcoded external email addresses. That capability constitutes a direct data-exfiltration backdoor. Other functions (os.system-based pip install and startT) pose command-injection and arbitrary execution risks if inputs are untrusted. Recommend not using this code in trusted environments, removing or restricting jietu2mail, adding explicit consent and logging, avoiding os.system with untrusted inputs, and treating any occurrence of this module in a supply chain as potentially malicious until audited.

anrk

0.1.1

Live on PyPI

Blocked by Socket

This module behaves as a dropper: it fetches an executable from a remote hardcoded URL and executes it in a user-writable profile directory without validation or user interaction. This is consistent with malicious delivery techniques and represents a high security risk. Treat the code as hostile until proven otherwise. Do not run it on trusted systems; remove or quarantine the code and investigate upstream provenance and the referenced URL.

ecofkipcicjifkppbgnkaghcfofmpkia

2.6.6

Live on Chrome

Blocked by Socket

The fragment implements covert data collection and exfiltration. It intercepts targeted network responses and forwards the captured data via a cross-context messaging bridge to an external consumer. The combination of endpoint-bound data capture, a namespace/instanceId-based messaging protocol, and lack of explicit user consent signals a high risk of privacy invasion and supply-chain misuse when embedded in open-source code. Thorough auditing and removal or strict scoping is recommended before use in any production or widely distributed package.

cbdev2024test

15.0.0

by cbdev2024

Removed from npm

Blocked by Socket

The script sends data to an external URL, which is a significant security risk, and then runs a local script that may contain harmful behavior. This raises serious concerns about data exfiltration and untrusted code execution.

Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.

runbooks

0.9.2

Removed from PyPI

Blocked by Socket

This file is a legitimate-looking destructive cleanup script for removing AWS Landing Zone resources across an AWS Organization. It contains no signs of data-exfiltration, obfuscation, or third-party command-and-control. However, it performs many high-impact destructive AWS operations (deleting stacks, buckets, StackSets, moving accounts, deleting OUs, etc.) and thus is extremely dangerous to run with privileged credentials. Treat as a destructive tool: do not run in production unless you intend to irreversibly remove the listed resources and have backups/approval.

Live on PyPI for 9 days, 12 hours and 13 minutes before removal. Socket users were protected even while the package was live.

cdanjbjbcljfjkbmfcpljdjhcfkfamgg

2.2.1

Live on Chrome

Blocked by Socket

This Chrome extension’s background script defines a capture() function that invokes chrome.tabs.captureVisibleTab to take a PNG screenshot of the user’s currently visible tab. The screenshot is then passed to a function named sendProviderDealsMismatchBE, which transmits the image data to an external backend service. No user prompt, consent dialogue, or indication in the UI discloses this behavior. Because it silently collects potentially sensitive screen content (passwords, personal or financial information) and sends it off-device, this constitutes covert data exfiltration and a clear privacy-violating malware capability.

ljbdocmmfpejofpcldginbilddlifjek

2.97.11

Live on Chrome

Blocked by Socket

This code implements an automated mass-messaging/spam tool integrated into a client page/extension. It programmatically scrapes recipients, constructs personalized messages, automates sending (including captcha solving), and reports usage/telemetry to external domains (notably ukrainiangirls.pw). It asks the user for captcha service API keys (which it stores) and accepts captcha keys via postMessage. The behavior is abusive (spam) and leaks activity metadata externally; it should be considered malicious for most legitimate uses. Remove or block this script/extension unless you explicitly want this automated spam functionality and trust the external telemetry domains.

kfsd

0.0.106

Live on PyPI

Blocked by Socket

This module contains a critical vulnerability: unconstrained eval() of attacker-controlled 'input.expr' with access to local variables (including a formatted request object). This yields remote code execution and potential data exfiltration. The code likely represents an insecure design/bug rather than intentionally malicious code, but it must be remediated before handling untrusted inputs. Also fix the apparent syntax error in getAttr.

sbcli-dev

6.0.5

Live on PyPI

Blocked by Socket

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

ryry-cli

2.67

Removed from PyPI

Blocked by Socket

The code contains risky operations that can enable supply-chain attacks and remote code execution: it downloads remote zip packages and extracts them without validation, and runs pip install/uninstall via shell subprocesses with unverified inputs. It also leaks host identification to an external notify endpoint. There is no evidence of deliberately hidden malware in this fragment (no obfuscation, no hardcoded credentials or reverse shell code), but the behavior (automatic fetching and installing of packages from remote URLs without integrity checks) presents a significant security risk. Recommend treating remote package sources as untrusted, adding integrity checks (hash/signature verification), avoiding shell=True, sanitizing zip entries before extraction, and limiting or requiring user confirmation for installs.

Live on PyPI for 12 hours and 2 minutes before removal. Socket users were protected even while the package was live.

mtmai

0.3.911

Live on PyPI

Blocked by Socket

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

GitHub Actions: GitHub context variable flows to dangerous sink

Known malware

Unstable ownership

GitHub Actions: Input argument flows to dangerous sink

GitHub Actions: Environment variable flows to dangerous sink

Git dependency

GitHub dependency

AI-detected potential malware

HTTP dependency

41 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Why teams choose Socket

Proactive security

Depend on Socket to prevent malicious open source dependencies from infiltrating your app.

Easy to install

Install the Socket GitHub App in just 2 clicks and get protected today.

Comprehensive open source protection

Block 70+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.

Develop faster

Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Dec 14, 2023

Hijacked cryptocurrency library adds malware

A widely used library in cryptocurrency frontends was compromised to include wallet-draining code, following the hijacking of npm account credentials via phishing.

Jan 06, 2022

Maintainer intentionally adds malware

Rogue maintainer sabotages his own open source package with 100M downloads/month, notably breaking Amazon's AWS SDK.

Nov 15, 2021

npm discovers a platform vulnerability allowing unauthorized publishing of any package

Attackers could publish new versions of any npm package without authorization for multiple years.

Oct 22, 2021

Hijacked package adds cryptominers and password-stealing malware

Multiple packages with 30M downloads/month are hijacked and publish malicious versions directly into the software supply chain.

Nov 26, 2018

Hijacked package adds organization-specific backdoors

Obfuscated malware added to a dependency targeted a single company, went undetected for over a week, and made it into their production build.
