Secure your dependencies. Ship with confidence.

This code intentionally collects local system and environment data (username, hostname, cwd, OS details, domain) and exfiltrates it to a hard-coded external webhook. This is malicious behavior for a library dependency (privacy/data-exfiltration/supply-chain backdoor). Remove or audit the package and treat it as compromised.

The code fragment exhibits aggressive client-side data collection, cross-domain data handling, and dynamic evaluation of potentially remote script content, which collectively pose notable security and privacy risks. While some components resemble legitimate analytics tooling, the combination of cross-domain crawling/evaluation and outbound telemetry to external servers without clear consent or minimization constitutes a material supply-chain and runtime risk. Recommend restricting remote code evaluation, enforcing strict data minimization, implementing explicit user consent prompts, validating provenance of embedded plugins, and constraining cross-domain behaviors in any public library reuse.

The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.

Live on npm for 2 hours and 4 minutes before removal. Socket users were protected even while the package was live.

This code implements an unauthenticated HTTP control surface for a viewer object that accepts arbitrary commands from request paths and bodies, dynamically looks up and calls attributes on internal objects, loads JSON from requests and triggers callbacks, and serves local files. These behaviors make it high risk for supply-chain or runtime compromise: untrusted clients can invoke methods and mutate state which could lead to data exfiltration, filesystem access, or other damaging actions depending on the viewer's API. It should not be exposed to untrusted networks or used without strict authentication/authorization and input validation.

The script poses a potential security risk due to the transmission of data to a suspicious domain. The lack of clarity regarding the purpose of this data transmission raises concerns about possible data exfiltration. The reports provided were not informative, and the analysis indicates a significant risk associated with the code's behavior.

Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.

This file gathers detailed OS and network information (including hostname, user details, and IP addresses) and sends it to hardcoded endpoints (e.g., http://23[.]22[.]251[.]177:8080/jpd[.]php and http://23[.]22[.]251[.]177:8080/jpd1[.]php) via HTTP GET and POST requests. It also attempts to fall back on a WebSocket connection (wss://yourserver[.]com/socket) if needed. The code fetches the public IP address from https://api64.ipify.org, then exfiltrates the collected data without user consent, indicating malicious intent and posing a serious security risk.

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

The code performs unauthorized exfiltration of sensitive internal project data (package name, version, git commit hash) to a suspicious external server without user consent. This behavior is indicative of malicious intent, constituting a supply chain security threat. There is no obfuscation, but the data leak is serious and should be treated as a high-risk security incident.

This module implements a runtime interception proxy that deliberately returns attacker-controlled credential data, injects tokens into API requests, intercepts system secret-retrieval commands, and maintains a heartbeat/command channel with a remote server. These behaviors are characteristic of a malicious supply-chain backdoor used to hijack credentials and traffic or to create persistent remote control. Do not use this package without full audit and removal; treat it as malicious.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

This is malicious code that creates a client-side denial-of-service attack by rapidly reloading the page. While not traditional malware like data theft, it's designed to disrupt browser functionality and render webpages unusable.

The code handles Facebook login and API interactions but includes an automatic update mechanism that fetches data from an external URL and executes system commands. This poses a significant security risk as it could be exploited to install malicious code.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

This file gathers detailed OS and network information (including hostname, user details, and IP addresses) and sends it to hardcoded endpoints (e.g., http://23[.]22[.]251[.]177:8080/jpd[.]php and http://23[.]22[.]251[.]177:8080/jpd1[.]php) via HTTP GET and POST requests. It also attempts to fall back on a WebSocket connection (wss://yourserver[.]com/socket) if needed. The code fetches the public IP address from https://api64.ipify.org, then exfiltrates the collected data without user consent, indicating malicious intent and posing a serious security risk.

Live on npm for 11 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The fragment implements a clear data-exfiltration/backchannel mechanism: it collects page context (URL, title, favicon) and user agent, transmits them to an external WebSocket endpoint controlled via BPROXY_SERVER_IP, and wires a DevTools-like bridge (chobitsu) to allow remote commands and responses. This constitutes a high-risk pattern with potential for covert data leakage, remote control, and supply-chain abuse if embedded in a library without user consent or disclosure. Recommend removing or sandboxing this code, auditing dependencies, and blocking outbound WebSocket connections to unknown endpoints. The malicious potential is reinforced by the bidirectional channel and the external control point, yielding a high security risk rating.

The code appears to be making an HTTP request to a potentially malicious host and sending data from the 'process.env' object. The purpose and intent of this behavior is unclear. Further investigation is recommended.

Live on npm for 1 hour and 19 minutes before removal. Socket users were protected even while the package was live.

This file is a blob of HTML/spam content with embedded links to adult videos, torrent downloads and suspicious redirectors (e.g. https://2023[.]redircdn[.]com/?…, http://rmdown[.]com/link[.]php?hash=…, http://data[.]down2048[.]com/list[.]php?…), plus numerous third-party image URLs. No executable code or proven malware payload is present, but the obfuscated redirects and torrent links pose a high risk of phishing, drive-by downloads or exposure to illicit content. Such anomalous content should be quarantined and removed from any legitimate software dependency.

The code is clearly malicious, as it collects and exfiltrates sensitive system information to an external server without user consent. The use of base64 encoding and the 'ping' command indicates an attempt to obfuscate the exfiltration process.

Live on npm for 1 hour and 47 minutes before removal. Socket users were protected even while the package was live.

This SQLite database file contains embedded explicit adult content and torrent distribution infrastructure instead of legitimate data. The file includes extensive HTML fragments with pornographic video metadata, download links to torrent files, and suspicious redirect URLs. Key malicious domains identified include rmdown[.]com, redircdn[.]com, 97p[.]org, qpic[.]ws, imgbox[.]com, and various other image hosting services. The content contains hash values for torrent files, BitTorrent magnet links, and obfuscated download URLs using multiple redirect layers to mask the true destinations. This represents a supply chain attack where adult content distribution infrastructure has been embedded within what appears to be a standard database file, potentially exposing users to inappropriate content and malicious download sites when accessed.

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

This code implements unauthorized user tracking and data collection from auction website login attempts. It extracts login credentials, collects extensive user fingerprinting data, and transmits this information to external servers without apparent user consent. This constitutes privacy violation and potential credential harvesting behavior.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

The code functions as malware by exfiltrating environment variables to a remote server, leading to the unauthorized disclosure of sensitive information such as API keys, database credentials, or other secrets stored in the environment variables.

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

The code is a sophisticated tool designed for remote system control, with capabilities similar to a Meterpreter payload. It poses a high security risk due to its potential for misuse in unauthorized access and control over systems.

This code intentionally collects local system and environment data (username, hostname, cwd, OS details, domain) and exfiltrates it to a hard-coded external webhook. This is malicious behavior for a library dependency (privacy/data-exfiltration/supply-chain backdoor). Remove or audit the package and treat it as compromised.

The code fragment exhibits aggressive client-side data collection, cross-domain data handling, and dynamic evaluation of potentially remote script content, which collectively pose notable security and privacy risks. While some components resemble legitimate analytics tooling, the combination of cross-domain crawling/evaluation and outbound telemetry to external servers without clear consent or minimization constitutes a material supply-chain and runtime risk. Recommend restricting remote code evaluation, enforcing strict data minimization, implementing explicit user consent prompts, validating provenance of embedded plugins, and constraining cross-domain behaviors in any public library reuse.

The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.

Live on npm for 2 hours and 4 minutes before removal. Socket users were protected even while the package was live.

This code implements an unauthenticated HTTP control surface for a viewer object that accepts arbitrary commands from request paths and bodies, dynamically looks up and calls attributes on internal objects, loads JSON from requests and triggers callbacks, and serves local files. These behaviors make it high risk for supply-chain or runtime compromise: untrusted clients can invoke methods and mutate state which could lead to data exfiltration, filesystem access, or other damaging actions depending on the viewer's API. It should not be exposed to untrusted networks or used without strict authentication/authorization and input validation.

The script poses a potential security risk due to the transmission of data to a suspicious domain. The lack of clarity regarding the purpose of this data transmission raises concerns about possible data exfiltration. The reports provided were not informative, and the analysis indicates a significant risk associated with the code's behavior.

Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.

This file gathers detailed OS and network information (including hostname, user details, and IP addresses) and sends it to hardcoded endpoints (e.g., http://23[.]22[.]251[.]177:8080/jpd[.]php and http://23[.]22[.]251[.]177:8080/jpd1[.]php) via HTTP GET and POST requests. It also attempts to fall back on a WebSocket connection (wss://yourserver[.]com/socket) if needed. The code fetches the public IP address from https://api64.ipify.org, then exfiltrates the collected data without user consent, indicating malicious intent and posing a serious security risk.

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

The code performs unauthorized exfiltration of sensitive internal project data (package name, version, git commit hash) to a suspicious external server without user consent. This behavior is indicative of malicious intent, constituting a supply chain security threat. There is no obfuscation, but the data leak is serious and should be treated as a high-risk security incident.

This module implements a runtime interception proxy that deliberately returns attacker-controlled credential data, injects tokens into API requests, intercepts system secret-retrieval commands, and maintains a heartbeat/command channel with a remote server. These behaviors are characteristic of a malicious supply-chain backdoor used to hijack credentials and traffic or to create persistent remote control. Do not use this package without full audit and removal; treat it as malicious.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

This is malicious code that creates a client-side denial-of-service attack by rapidly reloading the page. While not traditional malware like data theft, it's designed to disrupt browser functionality and render webpages unusable.

The code handles Facebook login and API interactions but includes an automatic update mechanism that fetches data from an external URL and executes system commands. This poses a significant security risk as it could be exploited to install malicious code.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

This file gathers detailed OS and network information (including hostname, user details, and IP addresses) and sends it to hardcoded endpoints (e.g., http://23[.]22[.]251[.]177:8080/jpd[.]php and http://23[.]22[.]251[.]177:8080/jpd1[.]php) via HTTP GET and POST requests. It also attempts to fall back on a WebSocket connection (wss://yourserver[.]com/socket) if needed. The code fetches the public IP address from https://api64.ipify.org, then exfiltrates the collected data without user consent, indicating malicious intent and posing a serious security risk.

Live on npm for 11 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The fragment implements a clear data-exfiltration/backchannel mechanism: it collects page context (URL, title, favicon) and user agent, transmits them to an external WebSocket endpoint controlled via BPROXY_SERVER_IP, and wires a DevTools-like bridge (chobitsu) to allow remote commands and responses. This constitutes a high-risk pattern with potential for covert data leakage, remote control, and supply-chain abuse if embedded in a library without user consent or disclosure. Recommend removing or sandboxing this code, auditing dependencies, and blocking outbound WebSocket connections to unknown endpoints. The malicious potential is reinforced by the bidirectional channel and the external control point, yielding a high security risk rating.

The code appears to be making an HTTP request to a potentially malicious host and sending data from the 'process.env' object. The purpose and intent of this behavior is unclear. Further investigation is recommended.

Live on npm for 1 hour and 19 minutes before removal. Socket users were protected even while the package was live.

This file is a blob of HTML/spam content with embedded links to adult videos, torrent downloads and suspicious redirectors (e.g. https://2023[.]redircdn[.]com/?…, http://rmdown[.]com/link[.]php?hash=…, http://data[.]down2048[.]com/list[.]php?…), plus numerous third-party image URLs. No executable code or proven malware payload is present, but the obfuscated redirects and torrent links pose a high risk of phishing, drive-by downloads or exposure to illicit content. Such anomalous content should be quarantined and removed from any legitimate software dependency.

The code is clearly malicious, as it collects and exfiltrates sensitive system information to an external server without user consent. The use of base64 encoding and the 'ping' command indicates an attempt to obfuscate the exfiltration process.

Live on npm for 1 hour and 47 minutes before removal. Socket users were protected even while the package was live.

This SQLite database file contains embedded explicit adult content and torrent distribution infrastructure instead of legitimate data. The file includes extensive HTML fragments with pornographic video metadata, download links to torrent files, and suspicious redirect URLs. Key malicious domains identified include rmdown[.]com, redircdn[.]com, 97p[.]org, qpic[.]ws, imgbox[.]com, and various other image hosting services. The content contains hash values for torrent files, BitTorrent magnet links, and obfuscated download URLs using multiple redirect layers to mask the true destinations. This represents a supply chain attack where adult content distribution infrastructure has been embedded within what appears to be a standard database file, potentially exposing users to inappropriate content and malicious download sites when accessed.

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

This code implements unauthorized user tracking and data collection from auction website login attempts. It extracts login credentials, collects extensive user fingerprinting data, and transmits this information to external servers without apparent user consent. This constitutes privacy violation and potential credential harvesting behavior.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

The code functions as malware by exfiltrating environment variables to a remote server, leading to the unauthorized disclosure of sensitive information such as API keys, database credentials, or other secrets stored in the environment variables.

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

The code is a sophisticated tool designed for remote system control, with capabilities similar to a Meterpreter payload. It poses a high security risk due to its potential for misuse in unauthorized access and control over systems.