Secure your dependencies. Ship with confidence.

Malicious code in azure-graphrbac (npm) Source: ghsa-malware (8753478507375846584df851f88ad72637d64beb4e8e6a5ffdaa19b39440e7fe) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 1 hour and 37 minutes before removal. Socket users were protected even while the package was live.

This file retrieves the current user’s username, hostname, external IP address, and local file paths, then sends a sanitized version of these details via DNS queries to an external domain (oastify[.]com). This behavior exceeds mere telemetry and constitutes data exfiltration without user consent, indicating malicious intent.

Live on npm for 15 hours and 33 minutes before removal. Socket users were protected even while the package was live.

Malicious code in s1variables (npm) Source: ghsa-malware (ce2694c224a1ab13eee5a99d65f4dd3dd183936b54feb10813ee416a4ce6d0f2) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The code is heavily obfuscated and uses patterns that could be indicative of malicious behavior, such as executing arbitrary code and accessing the global object. However, without clear evidence of malicious actions, the risk remains speculative.

Live on npm for 15 days, 1 hour and 48 minutes before removal. Socket users were protected even while the package was live.

Malicious code in pingheretoo (npm) Source: ghsa-malware (23a2e8bbe10f8d447a38579950eafa702ec80407b7b0dc518a9c52f40ac5e8e3) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The script is designed to send sensitive information to a remote server, which poses a significant security risk and indicates malicious behavior.

Live on npm for 2 hours and 14 minutes before removal. Socket users were protected even while the package was live.

The source code collects detailed system information and sends it to a remote server without user consent. This behavior is highly suspicious and can be classified as data exfiltration, posing a significant security risk.

Live on npm for 1 hour and 35 minutes before removal. Socket users were protected even while the package was live.

This shell script alters critical system files by granting group write permissions on /etc/passwd and then removes itself. Such actions can facilitate privilege escalation or unauthorized account modifications, indicating malicious intent and posing a significant security risk.

This file collects system information including home directory, hostname, username, and DNS servers, then sends it via an HTTPS POST request to a suspicious domain (1prbelvn9xn14ee384a50q9e65cy0uoj[.]oastify[.]com) without user consent. Such behavior indicates malicious intent and constitutes data exfiltration.

Live on npm for 14 days, 11 hours and 25 minutes before removal. Socket users were protected even while the package was live.

Malicious code in testpkgabc (npm) Source: ghsa-malware (06d3cb7f95d0c7c173763b88c89a4c6dec25a45c86c0a52b38bb92bc4edeff66) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 5 hours and 59 minutes before removal. Socket users were protected even while the package was live.

This file contains heavily obfuscated code that gathers system data such as hostname, current working directory, user information, and network interfaces. It encodes this information (e.g., in Base64) and transmits it to a suspicious domain, for example example[.]com, using a dynamically constructed ping command. The obfuscation techniques, unauthorized data collection, and exfiltration attempt clearly indicate malicious intent consistent with malware.

The code does not exhibit any obvious malicious behavior, but the use of 'eval' for module loading and the obfuscated nature of the code introduce potential security risks. The URI parsing and manipulation functions appear to be standard and not inherently malicious.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

This code exfiltrates system environment variables (e.g., USERDOMAIN) to a remote endpoint (e.g., https://example[.]com/api/webhooks/...), creates and executes shell commands to copy files and scripts to system directories, and places a script in the startup folder to run on system boot. The use of base64 encoding for the webhook conceals its destination, indicating intent to hide malicious communications. Changing the PowerShell execution policy and interacting with system startup folders further support its classification as malware.

Live on npm for 5 hours and 21 minutes before removal. Socket users were protected even while the package was live.

The script is designed to send sensitive information (the contents of '/etc/passwd') to an external server, indicating malicious behavior and a high security risk.

Live on npm for 1 hour and 31 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 15 minutes before removal. Socket users were protected even while the package was live.

Malicious code in json-rpc-adapter (npm) Source: ghsa-malware (f4fdeb0a41688e0145066a567cbaa4beda509d5d3f9f84b13e7dcff7e289fd11) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 14 hours and 54 minutes before removal. Socket users were protected even while the package was live.

This code sends potentially sensitive environment data and file system information to a remote server without user consent, indicating malicious or at least unethical behavior. The hardcoded destination and lack of user control over the data sent highlight a significant security risk.

Live on npm for 2 hours and 10 minutes before removal. Socket users were protected even while the package was live.

The code poses a significant security risk due to the potential for command injection attacks, privilege escalation, and other vulnerabilities. The hardcoded 'sudo' command in the getBin function, lack of input validation, and use of template literals to build commands that will be passed to exec are particularly concerning. The code should be reviewed thoroughly and modified to address these issues before being used.

Malicious code in espapehtlm (npm) Source: ghsa-malware (e01037a3f58f9453837f71988ae5573860f3530683ecf920bb52bda62bdce407) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 23 minutes before removal. Socket users were protected even while the package was live.

Malicious code in azure-video-analyzer-edge (npm) Source: ghsa-malware (e0127d81ea77498d7cf290baf7482fe497d0e7159bcb6b3eda4229b01510592b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 19 hours and 19 minutes before removal. Socket users were protected even while the package was live.

The code exhibits potential obfuscation and the presence of hard-coded error codes, raising significant concerns about the potential for security vulnerabilities. Further review and analysis by security experts is warranted.

Malicious code in example-rust (npm) Source: ghsa-malware (3ea3b88110c6d99f6f13c45a70f1a3a66f9c32da09f15db73f1a166c2cbfa080) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 17 hours and 35 minutes before removal. Socket users were protected even while the package was live.

Malicious code in f1pen (npm) Source: ghsa-malware (14c1dcf21e2f68afd899faac1227f7e68c55d1fef725bb62237561d86ea6517c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 23 minutes before removal. Socket users were protected even while the package was live.

Malicious code in chainalert_npm_package (npm) Source: ghsa-malware (638ce7288b08c83f26374b2a215fe4a1e85cb2776453de48254f8effd8549c6b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 15 hours and 2 minutes before removal. Socket users were protected even while the package was live.

Malicious code in feedback-schema (npm) Source: ghsa-malware (0ce3047c466c30d8bf8684b6bedb5286b46a6addb1502e7f64e70afcac31131c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 9 minutes before removal. Socket users were protected even while the package was live.

Malicious code in azure-graphrbac (npm) Source: ghsa-malware (8753478507375846584df851f88ad72637d64beb4e8e6a5ffdaa19b39440e7fe) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 1 hour and 37 minutes before removal. Socket users were protected even while the package was live.

This file retrieves the current user’s username, hostname, external IP address, and local file paths, then sends a sanitized version of these details via DNS queries to an external domain (oastify[.]com). This behavior exceeds mere telemetry and constitutes data exfiltration without user consent, indicating malicious intent.

Live on npm for 15 hours and 33 minutes before removal. Socket users were protected even while the package was live.

Malicious code in s1variables (npm) Source: ghsa-malware (ce2694c224a1ab13eee5a99d65f4dd3dd183936b54feb10813ee416a4ce6d0f2) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The code is heavily obfuscated and uses patterns that could be indicative of malicious behavior, such as executing arbitrary code and accessing the global object. However, without clear evidence of malicious actions, the risk remains speculative.

Live on npm for 15 days, 1 hour and 48 minutes before removal. Socket users were protected even while the package was live.

Malicious code in pingheretoo (npm) Source: ghsa-malware (23a2e8bbe10f8d447a38579950eafa702ec80407b7b0dc518a9c52f40ac5e8e3) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The script is designed to send sensitive information to a remote server, which poses a significant security risk and indicates malicious behavior.

Live on npm for 2 hours and 14 minutes before removal. Socket users were protected even while the package was live.

The source code collects detailed system information and sends it to a remote server without user consent. This behavior is highly suspicious and can be classified as data exfiltration, posing a significant security risk.

Live on npm for 1 hour and 35 minutes before removal. Socket users were protected even while the package was live.

This shell script alters critical system files by granting group write permissions on /etc/passwd and then removes itself. Such actions can facilitate privilege escalation or unauthorized account modifications, indicating malicious intent and posing a significant security risk.

This file collects system information including home directory, hostname, username, and DNS servers, then sends it via an HTTPS POST request to a suspicious domain (1prbelvn9xn14ee384a50q9e65cy0uoj[.]oastify[.]com) without user consent. Such behavior indicates malicious intent and constitutes data exfiltration.

Live on npm for 14 days, 11 hours and 25 minutes before removal. Socket users were protected even while the package was live.

Malicious code in testpkgabc (npm) Source: ghsa-malware (06d3cb7f95d0c7c173763b88c89a4c6dec25a45c86c0a52b38bb92bc4edeff66) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 5 hours and 59 minutes before removal. Socket users were protected even while the package was live.

This file contains heavily obfuscated code that gathers system data such as hostname, current working directory, user information, and network interfaces. It encodes this information (e.g., in Base64) and transmits it to a suspicious domain, for example example[.]com, using a dynamically constructed ping command. The obfuscation techniques, unauthorized data collection, and exfiltration attempt clearly indicate malicious intent consistent with malware.

The code does not exhibit any obvious malicious behavior, but the use of 'eval' for module loading and the obfuscated nature of the code introduce potential security risks. The URI parsing and manipulation functions appear to be standard and not inherently malicious.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

This code exfiltrates system environment variables (e.g., USERDOMAIN) to a remote endpoint (e.g., https://example[.]com/api/webhooks/...), creates and executes shell commands to copy files and scripts to system directories, and places a script in the startup folder to run on system boot. The use of base64 encoding for the webhook conceals its destination, indicating intent to hide malicious communications. Changing the PowerShell execution policy and interacting with system startup folders further support its classification as malware.

Live on npm for 5 hours and 21 minutes before removal. Socket users were protected even while the package was live.

The script is designed to send sensitive information (the contents of '/etc/passwd') to an external server, indicating malicious behavior and a high security risk.

Live on npm for 1 hour and 31 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 15 minutes before removal. Socket users were protected even while the package was live.

Malicious code in json-rpc-adapter (npm) Source: ghsa-malware (f4fdeb0a41688e0145066a567cbaa4beda509d5d3f9f84b13e7dcff7e289fd11) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 14 hours and 54 minutes before removal. Socket users were protected even while the package was live.

This code sends potentially sensitive environment data and file system information to a remote server without user consent, indicating malicious or at least unethical behavior. The hardcoded destination and lack of user control over the data sent highlight a significant security risk.

Live on npm for 2 hours and 10 minutes before removal. Socket users were protected even while the package was live.

The code poses a significant security risk due to the potential for command injection attacks, privilege escalation, and other vulnerabilities. The hardcoded 'sudo' command in the getBin function, lack of input validation, and use of template literals to build commands that will be passed to exec are particularly concerning. The code should be reviewed thoroughly and modified to address these issues before being used.

Malicious code in espapehtlm (npm) Source: ghsa-malware (e01037a3f58f9453837f71988ae5573860f3530683ecf920bb52bda62bdce407) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 23 minutes before removal. Socket users were protected even while the package was live.

Malicious code in azure-video-analyzer-edge (npm) Source: ghsa-malware (e0127d81ea77498d7cf290baf7482fe497d0e7159bcb6b3eda4229b01510592b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 19 hours and 19 minutes before removal. Socket users were protected even while the package was live.

The code exhibits potential obfuscation and the presence of hard-coded error codes, raising significant concerns about the potential for security vulnerabilities. Further review and analysis by security experts is warranted.

Malicious code in example-rust (npm) Source: ghsa-malware (3ea3b88110c6d99f6f13c45a70f1a3a66f9c32da09f15db73f1a166c2cbfa080) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 17 hours and 35 minutes before removal. Socket users were protected even while the package was live.

Malicious code in f1pen (npm) Source: ghsa-malware (14c1dcf21e2f68afd899faac1227f7e68c55d1fef725bb62237561d86ea6517c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 23 minutes before removal. Socket users were protected even while the package was live.

Malicious code in chainalert_npm_package (npm) Source: ghsa-malware (638ce7288b08c83f26374b2a215fe4a1e85cb2776453de48254f8effd8549c6b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 15 hours and 2 minutes before removal. Socket users were protected even while the package was live.

Malicious code in feedback-schema (npm) Source: ghsa-malware (0ce3047c466c30d8bf8684b6bedb5286b46a6addb1502e7f64e70afcac31131c) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 9 minutes before removal. Socket users were protected even while the package was live.