New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

We protect you from vulnerable and malicious packages

azure-graphrbac

16.23.1000

by npm

Removed from npm

Blocked by Socket

Malicious code in azure-graphrbac (npm) Source: ghsa-malware (8753478507375846584df851f88ad72637d64beb4e8e6a5ffdaa19b39440e7fe) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 1 hour and 37 minutes before removal. Socket users were protected even while the package was live.

ebay-testo

999.9.9

by amigomioteconsidero100

Removed from npm

Blocked by Socket

This file retrieves the current user’s username, hostname, external IP address, and local file paths, then sends a sanitized version of these details via DNS queries to an external domain (oastify[.]com). This behavior exceeds mere telemetry and constitutes data exfiltration without user consent, indicating malicious intent.

Live on npm for 15 hours and 33 minutes before removal. Socket users were protected even while the package was live.

s1variables

0.0.1-security

by npm

Live on npm

Blocked by Socket

Malicious code in s1variables (npm) Source: ghsa-malware (ce2694c224a1ab13eee5a99d65f4dd3dd183936b54feb10813ee416a4ce6d0f2) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

react-ui-mat

5.59.67

by ademirtemur

Removed from npm

Blocked by Socket

The code is heavily obfuscated and uses patterns that could be indicative of malicious behavior, such as executing arbitrary code and accessing the global object. However, without clear evidence of malicious actions, the risk remains speculative.

Live on npm for 15 days, 1 hour and 48 minutes before removal. Socket users were protected even while the package was live.

pingheretoo

0.0.1-security

by npm

Live on npm

Blocked by Socket

Malicious code in pingheretoo (npm) Source: ghsa-malware (23a2e8bbe10f8d447a38579950eafa702ec80407b7b0dc518a9c52f40ac5e8e3) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

yandex-sanitizer

0.4.1

by meow-test

Removed from npm

Blocked by Socket

The script is designed to send sensitive information to a remote server, which poses a significant security risk and indicates malicious behavior.

Live on npm for 2 hours and 14 minutes before removal. Socket users were protected even while the package was live.

super-streams

1.0.1

Removed from npm

Blocked by Socket

The source code collects detailed system information and sends it to a remote server without user consent. This behavior is highly suspicious and can be classified as data exfiltration, posing a significant security risk.

Live on npm for 1 hour and 35 minutes before removal. Socket users were protected even while the package was live.

github.com/nmstate/kubernetes-nmstate

v0.10.0

Live on Go

Blocked by Socket

This shell script alters critical system files by granting group write permissions on /etc/passwd and then removes itself. Such actions can facilitate privilege escalation or unauthorized account modifications, indicating malicious intent and posing a significant security risk.

engineering-blog

1.0.11

by npm-aditech387

Removed from npm

Blocked by Socket

This file collects system information including home directory, hostname, username, and DNS servers, then sends it via an HTTPS POST request to a suspicious domain (1prbelvn9xn14ee384a50q9e65cy0uoj[.]oastify[.]com) without user consent. Such behavior indicates malicious intent and constitutes data exfiltration.

Live on npm for 14 days, 11 hours and 25 minutes before removal. Socket users were protected even while the package was live.

testpkgabc

1.0.4

by npm

Removed from npm

Blocked by Socket

Malicious code in testpkgabc (npm) Source: ghsa-malware (06d3cb7f95d0c7c173763b88c89a4c6dec25a45c86c0a52b38bb92bc4edeff66) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 5 hours and 59 minutes before removal. Socket users were protected even while the package was live.

@bair/styles

1.284.999

by pgriffin2021

Live on npm

Blocked by Socket

This file contains heavily obfuscated code that gathers system data such as hostname, current working directory, user information, and network interfaces. It encodes this information (e.g., in Base64) and transmits it to a suspicious domain, for example example[.]com, using a dynamically constructed ping command. The obfuscation techniques, unauthorized data collection, and exfiltration attempt clearly indicate malicious intent consistent with malware.

js-guava

1.1.16

by sunshine001

Removed from npm

Blocked by Socket

The code does not exhibit any obvious malicious behavior, but the use of 'eval' for module loading and the obfuscated nature of the code introduce potential security risks. The URI parsing and manipulation functions appear to be standard and not inherently malicious.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

solana-login

1.0.17

by coffeepasta

Removed from npm

Blocked by Socket

This code exfiltrates system environment variables (e.g., USERDOMAIN) to a remote endpoint (e.g., https://example[.]com/api/webhooks/...), creates and executes shell commands to copy files and scripts to system directories, and places a script in the startup folder to run on system boot. The use of base64 encoding for the webhook conceals its destination, indicating intent to hide malicious communications. Changing the PowerShell execution policy and interacting with system startup folders further support its classification as malware.

Live on npm for 5 hours and 21 minutes before removal. Socket users were protected even while the package was live.

internal-corp

1.0.0

by testing6667

Removed from npm

Blocked by Socket

The script is designed to send sensitive information (the contents of '/etc/passwd') to an external server, indicating malicious behavior and a high security risk.

Live on npm for 1 hour and 31 minutes before removal. Socket users were protected even while the package was live.

suer

1.2.0

by 17b4a931

Removed from npm

Blocked by Socket

This code poses a serious security risk and should not be used.

Live on npm for 15 minutes before removal. Socket users were protected even while the package was live.

json-rpc-adapter

0.0.1-security

by npm

Removed from npm

Blocked by Socket

Malicious code in json-rpc-adapter (npm) Source: ghsa-malware (f4fdeb0a41688e0145066a567cbaa4beda509d5d3f9f84b13e7dcff7e289fd11) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 14 hours and 54 minutes before removal. Socket users were protected even while the package was live.

gd-react-toolbox

5.99.99

by 0xsombra

Removed from npm

Blocked by Socket

This code sends potentially sensitive environment data and file system information to a remote server without user consent, indicating malicious or at least unethical behavior. The hardcoded destination and lack of user control over the data sent highlight a significant security risk.

Live on npm for 2 hours and 10 minutes before removal. Socket users were protected even while the package was live.

seed-builder

0.3.77

by erick_rivas

Live on npm

Blocked by Socket

The code poses a significant security risk due to the potential for command injection attacks, privilege escalation, and other vulnerabilities. The hardcoded 'sudo' command in the getBin function, lack of input validation, and use of template literals to build commands that will be passed to exec are particularly concerning. The code should be reviewed thoroughly and modified to address these issues before being used.

espapehtlm

0.0.1-security.0

by npm

Removed from npm

Blocked by Socket

Malicious code in espapehtlm (npm) Source: ghsa-malware (e01037a3f58f9453837f71988ae5573860f3530683ecf920bb52bda62bdce407) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 23 minutes before removal. Socket users were protected even while the package was live.

azure-video-analyzer-edge

0.0.1-security.0

by npm

Removed from npm

Blocked by Socket

Malicious code in azure-video-analyzer-edge (npm) Source: ghsa-malware (e0127d81ea77498d7cf290baf7482fe497d0e7159bcb6b3eda4229b01510592b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 19 hours and 19 minutes before removal. Socket users were protected even while the package was live.

hydrogen-js-sdk

2.5.2

by bmob2018

Live on npm

Blocked by Socket

The code exhibits potential obfuscation and the presence of hard-coded error codes, raising significant concerns about the potential for security vulnerabilities. Further review and analysis by security experts is warranted.

example-rust

7.0.9

by mega707

Removed from npm

Blocked by Socket

Malicious code in example-rust (npm) Source: ghsa-malware (3ea3b88110c6d99f6f13c45a70f1a3a66f9c32da09f15db73f1a166c2cbfa080) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 17 hours and 35 minutes before removal. Socket users were protected even while the package was live.

f1pen

1.2.0

by 17b4a931

Removed from npm

Blocked by Socket

Malicious code in f1pen (npm) Source: ghsa-malware (14c1dcf21e2f68afd899faac1227f7e68c55d1fef725bb62237561d86ea6517c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 23 minutes before removal. Socket users were protected even while the package was live.

chainalert_npm_package

1.2.2

by du-research

Removed from npm

Blocked by Socket

Malicious code in chainalert_npm_package (npm) Source: ghsa-malware (638ce7288b08c83f26374b2a215fe4a1e85cb2776453de48254f8effd8549c6b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 15 hours and 2 minutes before removal. Socket users were protected even while the package was live.

feedback-schema

2.8.1

by npm

Removed from npm

Blocked by Socket

Malicious code in feedback-schema (npm) Source: ghsa-malware (0ce3047c466c30d8bf8684b6bedb5286b46a6addb1502e7f64e70afcac31131c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 9 minutes before removal. Socket users were protected even while the package was live.

azure-graphrbac

16.23.1000

by npm

Removed from npm

Blocked by Socket

Malicious code in azure-graphrbac (npm) Source: ghsa-malware (8753478507375846584df851f88ad72637d64beb4e8e6a5ffdaa19b39440e7fe) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 1 hour and 37 minutes before removal. Socket users were protected even while the package was live.

ebay-testo

999.9.9

by amigomioteconsidero100

Removed from npm

Blocked by Socket

This file retrieves the current user’s username, hostname, external IP address, and local file paths, then sends a sanitized version of these details via DNS queries to an external domain (oastify[.]com). This behavior exceeds mere telemetry and constitutes data exfiltration without user consent, indicating malicious intent.

Live on npm for 15 hours and 33 minutes before removal. Socket users were protected even while the package was live.

s1variables

0.0.1-security

by npm

Live on npm

Blocked by Socket

Malicious code in s1variables (npm) Source: ghsa-malware (ce2694c224a1ab13eee5a99d65f4dd3dd183936b54feb10813ee416a4ce6d0f2) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

react-ui-mat

5.59.67

by ademirtemur

Removed from npm

Blocked by Socket

The code is heavily obfuscated and uses patterns that could be indicative of malicious behavior, such as executing arbitrary code and accessing the global object. However, without clear evidence of malicious actions, the risk remains speculative.

Live on npm for 15 days, 1 hour and 48 minutes before removal. Socket users were protected even while the package was live.

pingheretoo

0.0.1-security

by npm

Live on npm

Blocked by Socket

Malicious code in pingheretoo (npm) Source: ghsa-malware (23a2e8bbe10f8d447a38579950eafa702ec80407b7b0dc518a9c52f40ac5e8e3) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

yandex-sanitizer

0.4.1

by meow-test

Removed from npm

Blocked by Socket

The script is designed to send sensitive information to a remote server, which poses a significant security risk and indicates malicious behavior.

Live on npm for 2 hours and 14 minutes before removal. Socket users were protected even while the package was live.

super-streams

1.0.1

Removed from npm

Blocked by Socket

The source code collects detailed system information and sends it to a remote server without user consent. This behavior is highly suspicious and can be classified as data exfiltration, posing a significant security risk.

Live on npm for 1 hour and 35 minutes before removal. Socket users were protected even while the package was live.

github.com/nmstate/kubernetes-nmstate

v0.10.0

Live on Go

Blocked by Socket

This shell script alters critical system files by granting group write permissions on /etc/passwd and then removes itself. Such actions can facilitate privilege escalation or unauthorized account modifications, indicating malicious intent and posing a significant security risk.

engineering-blog

1.0.11

by npm-aditech387

Removed from npm

Blocked by Socket

This file collects system information including home directory, hostname, username, and DNS servers, then sends it via an HTTPS POST request to a suspicious domain (1prbelvn9xn14ee384a50q9e65cy0uoj[.]oastify[.]com) without user consent. Such behavior indicates malicious intent and constitutes data exfiltration.

Live on npm for 14 days, 11 hours and 25 minutes before removal. Socket users were protected even while the package was live.

testpkgabc

1.0.4

by npm

Removed from npm

Blocked by Socket

Malicious code in testpkgabc (npm) Source: ghsa-malware (06d3cb7f95d0c7c173763b88c89a4c6dec25a45c86c0a52b38bb92bc4edeff66) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 5 hours and 59 minutes before removal. Socket users were protected even while the package was live.

@bair/styles

1.284.999

by pgriffin2021

Live on npm

Blocked by Socket

This file contains heavily obfuscated code that gathers system data such as hostname, current working directory, user information, and network interfaces. It encodes this information (e.g., in Base64) and transmits it to a suspicious domain, for example example[.]com, using a dynamically constructed ping command. The obfuscation techniques, unauthorized data collection, and exfiltration attempt clearly indicate malicious intent consistent with malware.

js-guava

1.1.16

by sunshine001

Removed from npm

Blocked by Socket

The code does not exhibit any obvious malicious behavior, but the use of 'eval' for module loading and the obfuscated nature of the code introduce potential security risks. The URI parsing and manipulation functions appear to be standard and not inherently malicious.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

solana-login

1.0.17

by coffeepasta

Removed from npm

Blocked by Socket

This code exfiltrates system environment variables (e.g., USERDOMAIN) to a remote endpoint (e.g., https://example[.]com/api/webhooks/...), creates and executes shell commands to copy files and scripts to system directories, and places a script in the startup folder to run on system boot. The use of base64 encoding for the webhook conceals its destination, indicating intent to hide malicious communications. Changing the PowerShell execution policy and interacting with system startup folders further support its classification as malware.

Live on npm for 5 hours and 21 minutes before removal. Socket users were protected even while the package was live.

internal-corp

1.0.0

by testing6667

Removed from npm

Blocked by Socket

The script is designed to send sensitive information (the contents of '/etc/passwd') to an external server, indicating malicious behavior and a high security risk.

Live on npm for 1 hour and 31 minutes before removal. Socket users were protected even while the package was live.

suer

1.2.0

by 17b4a931

Removed from npm

Blocked by Socket

This code poses a serious security risk and should not be used.

Live on npm for 15 minutes before removal. Socket users were protected even while the package was live.

json-rpc-adapter

0.0.1-security

by npm

Removed from npm

Blocked by Socket

Malicious code in json-rpc-adapter (npm) Source: ghsa-malware (f4fdeb0a41688e0145066a567cbaa4beda509d5d3f9f84b13e7dcff7e289fd11) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 14 hours and 54 minutes before removal. Socket users were protected even while the package was live.

gd-react-toolbox

5.99.99

by 0xsombra

Removed from npm

Blocked by Socket

This code sends potentially sensitive environment data and file system information to a remote server without user consent, indicating malicious or at least unethical behavior. The hardcoded destination and lack of user control over the data sent highlight a significant security risk.

Live on npm for 2 hours and 10 minutes before removal. Socket users were protected even while the package was live.

seed-builder

0.3.77

by erick_rivas

Live on npm

Blocked by Socket

The code poses a significant security risk due to the potential for command injection attacks, privilege escalation, and other vulnerabilities. The hardcoded 'sudo' command in the getBin function, lack of input validation, and use of template literals to build commands that will be passed to exec are particularly concerning. The code should be reviewed thoroughly and modified to address these issues before being used.

espapehtlm

0.0.1-security.0

by npm

Removed from npm

Blocked by Socket

Malicious code in espapehtlm (npm) Source: ghsa-malware (e01037a3f58f9453837f71988ae5573860f3530683ecf920bb52bda62bdce407) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 23 minutes before removal. Socket users were protected even while the package was live.

azure-video-analyzer-edge

0.0.1-security.0

by npm

Removed from npm

Blocked by Socket

Malicious code in azure-video-analyzer-edge (npm) Source: ghsa-malware (e0127d81ea77498d7cf290baf7482fe497d0e7159bcb6b3eda4229b01510592b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 19 hours and 19 minutes before removal. Socket users were protected even while the package was live.

hydrogen-js-sdk

2.5.2

by bmob2018

Live on npm

Blocked by Socket

The code exhibits potential obfuscation and the presence of hard-coded error codes, raising significant concerns about the potential for security vulnerabilities. Further review and analysis by security experts is warranted.

example-rust

7.0.9

by mega707

Removed from npm

Blocked by Socket

Malicious code in example-rust (npm) Source: ghsa-malware (3ea3b88110c6d99f6f13c45a70f1a3a66f9c32da09f15db73f1a166c2cbfa080) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 17 hours and 35 minutes before removal. Socket users were protected even while the package was live.

f1pen

1.2.0

by 17b4a931

Removed from npm

Blocked by Socket

Malicious code in f1pen (npm) Source: ghsa-malware (14c1dcf21e2f68afd899faac1227f7e68c55d1fef725bb62237561d86ea6517c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 23 minutes before removal. Socket users were protected even while the package was live.

chainalert_npm_package

1.2.2

by du-research

Removed from npm

Blocked by Socket

Malicious code in chainalert_npm_package (npm) Source: ghsa-malware (638ce7288b08c83f26374b2a215fe4a1e85cb2776453de48254f8effd8549c6b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 15 hours and 2 minutes before removal. Socket users were protected even while the package was live.

feedback-schema

2.8.1

by npm

Removed from npm

Blocked by Socket

Malicious code in feedback-schema (npm) Source: ghsa-malware (0ce3047c466c30d8bf8684b6bedb5286b46a6addb1502e7f64e70afcac31131c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 9 minutes before removal. Socket users were protected even while the package was live.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Known malware

Possible typosquat attack

NPM Shrinkwrap

Git dependency

HTTP dependency

Suspicious Stars on GitHub

Protestware or potentially unwanted behavior

Unstable ownership

AI-detected potential malware

Obfuscated code

20 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

GitHub app screenshot

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Why teams choose Socket

Pro-active security

Depend on Socket to prevent malicious open source dependencies from infiltrating your app.

Easy to install

Install the Socket GitHub App in just 2 clicks and get protected today.

Comprehensive open source protection

Block 70+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.

Develop faster

Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Dec 14, 2023

Hijacked cryptocurrency library adds malware

Widely-used library in cryptocurrency frontend was compromised to include wallet-draining code, following the hijacking of NPM account credentials via phishing.

Jan 06, 2022

Maintainer intentionally adds malware

Rogue maintainer sabotages his own open source package with 100M downloads/month, notably breaking Amazon's AWS SDK.

Nov 15, 2021

npm discovers a platform vulnerability allowing unauthorized publishing of any package

Attackers could publish new versions of any npm package without authorization for multiple years.

Oct 22, 2021

Hijacked package adds cryptominers and password-stealing malware

Multiple packages with 30M downloads/month are hijacked and publish malicious versions directly into the software supply chain.

Nov 26, 2018

Package hijacked adding organization specific backdoors

Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build.

Ready to dive in?

Get protected by Socket with just 2 clicks.

The latest from the Socket team

Get our latest security research, open source insights, and product updates.

View all articles