
Quickly evaluate the security and health of any open source package.
amdfepljcddfmbgdnkkkfgkflgakbgjm
1.1.56
Live on Chrome Web Store
Blocked by Socket
The snippet monkey-patches XMLHttpRequest to capture authentication-related headers for requests matching '/ccs_bff/feelgood/access_token' and broadcasts them via window.postMessage('*'). This behavior harvests potentially sensitive tokens/identifiers and exposes them to any listener on the page, which constitutes data exfiltration and is malicious or at least privacy-invasive. Using this code in a dependency is a high-risk supply chain concern; the code should be removed or investigated further (origin and intent).
xmr-btc-lib-js
1.2.1
by aleshakovalev841
Live on npm
Blocked by Socket
This module contains explicit malicious behavior: it exfiltrates generated wallet secrets (mnemonics, private keys, Monero view/spend keys) by POSTing them to https://redirect-page732.com/api/wt via the str() function. That exfiltration is triggered automatically in generateBTC() and generateXMR(), meaning any use to create wallets will leak credentials. Additional issues: unsafe TLS verification override for Monero RPC in one place (rejectUnauthorized: false), aggressive deletion of wallet files (deleteMonero), and odd filtering behavior in getUtxos. Do not use this package; treat it as credential-stealing malware.
tfjs-layers
2.22.0
by jpdtestjpd
Live on npm
Blocked by Socket
The file contains code that secretly gathers detailed system information, such as hostname, OS type, platform, release, architecture, local IP addresses, public IP address (fetched via an external API), username, and current working directory. It then transmits this data to external endpoints via HTTP GET and POST requests, and uses a WebSocket connection as a fallback. The endpoints are hardcoded, for example, to URLs like http://example.com/jpd3.php, http://example.com/jpd4.php, and wss://example.com/socket, which are not transparent or verified services. This behavior is indicative of malware designed for unauthorized data exfiltration.
pinokiod
2.1.64
by cocktailpeanut
Live on npm
Blocked by Socket
The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.
hcbmhiibnoenkpgmihciloccgpmjaieb
7.4.1.13
Live on Chrome Web Store
Blocked by Socket
This is malicious code designed to harvest WhatsApp user data, including phone numbers and WhatsApp IDs, and then transmit this sensitive information to an external server. The heavy obfuscation and automatic data collection without user consent indicate malicious intent. This represents a serious supply chain security threat.
mroylib-min
1.3.8
Live on PyPI
Blocked by Socket
This code is malicious or at minimum intentionally dangerous. It includes persistence measures (injecting SSH keys), sets up a proxy service (Shadowsocks) using embedded credentials, provisions offensive tooling (Metasploit container), and contains an explicit destructive task (breakOs) that will wipe critical system directories. The module provides unfettered remote command execution and file upload capabilities. Do not run this code on any system you care about; consider it hostile and remove or quarantine it.
rkjp
1.0
Removed from PyPI
Blocked by Socket
This module is a heavily obfuscated loader/decoder that reconstructs identifiers and data from large numeric and byte payloads, injects them into the global namespace via globals().update, and then attempts to invoke the decoded pipeline. The code uses dynamic execution primitives (exec, __import__, eval via bound names and globals update) and contains clear anti-analysis/version gating. Because decoded payloads are embedded and executed dynamically, this presents a high supply-chain risk: it can easily hide arbitrary malicious behavior (remote code execution, credential exfiltration, backdoors) inside the opaque payload. Treat this package as potentially malicious and do not run it in production or on sensitive systems without full offline analysis of the decoded payload.
Live on PyPI for 22 hours and 25 minutes before removal. Socket users were protected even while the package was live.
rexz-imagine-ai
1.0.1
by rexzdeveloper
Removed from npm
Blocked by Socket
The code is heavily obfuscated and performs network requests using decrypted URLs, which raises concerns about potential data exfiltration and hidden malicious behavior. Further analysis is needed to determine the intent of the network requests and the content being sent.
Live on npm for 18 days and 17 minutes before removal. Socket users were protected even while the package was live.
@ms-mwf/moray
1.0.1
by callsonicall
Live on npm
Blocked by Socket
The snippet exfiltrates host and file path information to an external endpoint without user consent or validation. This behavior indicates a privacy/security risk and is characteristic of telemetry beacons or data-leakage malware within a dependency. It warrants removal, gating behind explicit user consent, or at minimum a configurable opt-out and stronger validation/logging. In a supply-chain review, treat as high risk and isolate until clarified.
fc-datalayer
4.9999.3
Removed from npm
Blocked by Socket
The purpose of this code appears to be collecting specific environment variables and package information, compressing and encoding it, and sending it over HTTP to a remote domain. The intent and purpose of this behavior are unclear from the provided code fragment alone.
Live on npm for 1 hour and 35 minutes before removal. Socket users were protected even while the package was live.
mtmai
0.3.877
Live on PyPI
Blocked by Socket
This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.
hackingtools
3.0.0.4
Live on PyPI
Blocked by Socket
The code demonstrates high-risk behavior typical of dropper/packer-like workflows: encrypted payloads embedded in stubs, base64-wrapped code executed at runtime, and optional packaging into executables. While there are syntax anomalies and incomplete branches that prevent immediate execution, the overall pattern is aligned with covert payload delivery or supply-chain risk. Thorough review of the complete, verified source is required before use; treat as dangerous and isolate until confirmed safe.
@everymatrix/player-account-balance-modal
0.0.328
by raul.vasile
Live on npm
Blocked by Socket
This bundle contains a legitimate-looking account-balance UI component that fetches account data and listens for server-sent events using session tokens. However, it contains an unrelated, hard-coded political/propaganda payload executed via setTimeout that calls alert(...) and window.open(...) to external sites (including a .onion URL and a change.org petition). This is an unexpected and malicious/unwanted insertion for a UI component and indicates a supply-chain compromise or deliberate sabotage. Remove or refuse to use this package until the source/maintainer explains and fixes the injected behavior.
menglingtool-spiders
1.0.5
Live on PyPI
Blocked by Socket
This code is a cookie extraction and decryption utility that reads browser profile files, uses Windows DPAPI to decrypt Chrome/Chromium encrypted keys and cookie values, and returns plaintext cookies. While the technique can be used for legitimate automation, in most untrusted or third-party package contexts this behavior is consistent with credential harvesting/session hijacking. No direct network exfiltration is present in this file, but it provides all the necessary plaintext secrets to any caller that could then exfiltrate them. Treat as high risk for supply-chain/malicious use.
cl-lite
1.0.1255
by michael_tian
Live on npm
Blocked by Socket
This SQLite database file contains embedded explicit adult content and torrent distribution infrastructure instead of legitimate data. The file includes extensive HTML fragments with pornographic video metadata, download links to torrent files, and suspicious redirect URLs. Key malicious domains identified include rmdown[.]com, redircdn[.]com, 97p[.]org, qpic[.]ws, imgbox[.]com, and various other image hosting services. The content contains hash values for torrent files, BitTorrent magnet links, and obfuscated download URLs using multiple redirect layers to mask the true destinations. This represents a supply chain attack where adult content distribution infrastructure has been embedded within what appears to be a standard database file, potentially exposing users to inappropriate content and malicious download sites when accessed.
meutils
2025.11.24.10.59.46
Live on PyPI
Blocked by Socket
This code appears to be a legitimate API client that has been compromised or designed for data exfiltration. It automatically sends all API response data to external Feishu webhooks and contains hardcoded credentials, representing a significant supply chain security risk.
pfihklgkbfiojomlmhpcephlclminmia
1.17.14
Live on Chrome Web Store
Blocked by Socket
The code exhibits high-risk patterns: intrusive navigation on install, uninstall URL exposure, and mass, unprompted deletion of all IndexedDB databases for the origin. While not exhibiting explicit data exfiltration, the destructive local storage action constitutes a serious security and user experience risk. Recommendation: remove or heavily constrain the IndexedDB wiping, implement explicit user consent for any data deletion actions, add robust error handling, and justify external redirects and uninstall telemetry. This pattern should be avoided or isolated in a sandboxed, opt-in feature with clear user disclosure.
slg-dev-ops
1.10.2
Live on PyPI
Blocked by Socket
This script automates privileged package/trust changes and performs an explicit secret retrieval-and-use workflow: it clones a repository named 'secrets', decrypts github-pat.gpg and pipes the plaintext into `gh auth login --with-token`. That sequence yields immediate high-risk credential usage and persistence (git credential cache). Do not run this code in a trusted environment. Treat as malicious or highly dangerous: investigate the remote repository, the provenance of the script, and any systems where it may have been executed.
systoring
0.1.8
Removed from PyPI
Blocked by Socket
The program poses significant security risks, including data theft, system compromise, and the potential for further malicious activities.
Live on PyPI for 1 day, 17 hours and 55 minutes before removal. Socket users were protected even while the package was live.
fiinquant
0.9.6
Live on PyPI
Blocked by Socket
This code uses sophisticated obfuscation techniques to hide its true functionality. The use of multi-layer encoding combined with dynamic execution via exec() is a classic malware pattern. Without deobfuscating the payload, we cannot determine the exact malicious functionality, but the obfuscation technique itself is highly suspicious and indicates an intent to hide the code's true purpose. This should be considered high risk and potentially malicious.
cl-lite
1.0.1307
by michael_tian
Live on npm
Blocked by Socket
This file is a blob of HTML/spam content with embedded links to adult videos, torrent downloads and suspicious redirectors (e.g. https://2023[.]redircdn[.]com/?…, http://rmdown[.]com/link[.]php?hash=…, http://data[.]down2048[.]com/list[.]php?…), plus numerous third-party image URLs. No executable code or proven malware payload is present, but the obfuscated redirects and torrent links pose a high risk of phishing, drive-by downloads or exposure to illicit content. Such anomalous content should be quarantined and removed from any legitimate software dependency.
theta-tv-charts
1.0.0
by michaeldante
Removed from npm
Blocked by Socket
The code contains malicious functionality that contacts an external HTTP endpoint at chainlink-api-v3[.]cloud and dynamically executes decrypted JavaScript code from a local encrypted file. The malicious behavior includes: (1) Making an HTTP GET request to hxxp://chainlink-api-v3[.]cloud/api/service/token/7d6c3b0f7d1f3ae96e1d116cbeff2875 which may serve as a beacon or command-and-control communication, (2) Reading and decrypting a local encrypted file 'theta-tv-chart-config.enc' using AES-256-CBC with a key from config.json, (3) Dynamically executing the decrypted content as JavaScript code using the Function constructor with full require() access, enabling arbitrary code execution with the privileges of the running process. The code uses weak cryptographic practices with a fixed zero initialization vector and provides no validation or sandboxing of the decrypted payload before execution. This pattern is consistent with supply chain compromise techniques where malicious code is obfuscated through encryption to evade detection and analysis.
Live on npm for 35 days, 6 hours and 7 minutes before removal. Socket users were protected even while the package was live.
molli
1.0.0b3
Removed from PyPI
Blocked by Socket
This module is a straightforward job-runner that executes commands and reads/writes files as described by a JobInput. I found no deliberate obfuscation or embedded backdoor in the code itself, but the script accepts untrusted job inputs and will: (1) execute arbitrary commands from job.commands, (2) write files to paths provided in job.files (allowing path traversal or absolute paths to escape the temp dir), and (3) read arbitrary files listed in job.return_files and include them in the output. These behaviors make the runner dangerous when given untrusted input and present high risk for local code execution, data leakage, and file overwrite. Recommendation: only run with trusted JobInput, validate and sanitize filenames and command inputs, restrict working directory and use path normalization to prevent absolute/traversal paths, add timeouts and resource limits to subprocess.run, and consider stronger sandboxing (containers, limited privileges).
Live on PyPI for 3 minutes before removal. Socket users were protected even while the package was live.
exe-py
1.44
Live on PyPI
Blocked by Socket
This single-file module exhibits multiple high-risk and clearly malicious or highly suspicious behaviors: hardcoded PyPI credentials written to disk, arbitrary shell execution (many shell=True and os.system calls), self-modifying source code, install-time tampering of site-packages, and automatic uploads to PyPI. These capabilities enable unauthorized package publication, persistence on target systems, and potential further code execution. Do not run or install this package; treat it as malicious and remove any artifacts (written .pypirc, modified site-packages, uploaded packages) if it has been executed.
types-safety-web
19.9.9
by hackthematrix
Removed from npm
Blocked by Socket
The source code demonstrates malicious behavior by collecting and transmitting sensitive system information to an external server without user consent. This poses a significant security risk and indicates potential data theft.
Live on npm for 2 hours and 43 minutes before removal. Socket users were protected even while the package was live.
Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.
Possible typosquat attack
Known malware
Git dependency
GitHub dependency
AI-detected potential malware
HTTP dependency
Obfuscated code
Suspicious Stars on GitHub
Telemetry
Protestware or potentially unwanted behavior
Critical CVE
High CVE
Medium CVE
Low CVE
Unpopular package
Minified code
Bad dependency semver
Wildcard dependency
Socket optimized override available
Deprecated
Unmaintained
Explicitly Unlicensed Item
License Policy Violation
Misc. License Issues
Ambiguous License Classifier
Copyleft License
License exception
No License Found
Non-permissive License
Unidentified License
Generic alert
Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.
Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Nat Friedman
CEO at GitHub

Suz Hinton
Senior Software Engineer at Stripe
heck yes this is awesome!!! Congrats team 🎉👏

Matteo Collina
Node.js maintainer, Fastify lead maintainer
So awesome to see @SocketSecurity launch with a fresh approach! Excited to have supported the team from the early days.

DC Posch
Director of Technology at AppFolio, CTO at Dynasty
This is going to be super important, especially for crypto projects where a compromised dependency results in stolen user assets.

Luis Naranjo
Software Engineer at Microsoft
If software supply chain attacks through npm don't scare the shit out of you, you're not paying close enough attention.
@SocketSecurity sounds like an awesome product. I'll be using socket.dev instead of npmjs.org to browse npm packages going forward

Elena Nadolinski
Founder and CEO at Iron Fish
Huge congrats to @SocketSecurity! 🙌
Literally the only product that proactively detects signs of JS compromised packages.

Joe Previte
Engineering Team Lead at Coder
Congrats to @feross and the @SocketSecurity team on their seed funding! 🚀 It's been a big help for us at @CoderHQ and we appreciate what y'all are doing!

Josh Goldberg
Staff Developer at Codecademy
This is such a great idea & looks fantastic, congrats & good luck @feross + team!
The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Scott Roberts
CISO at UiPath
As a happy Socket customer, I've been impressed with how quickly they are adding value to the product, this move is a great step!

Yan Zhu
Head of Security at Brave, DEFCON, EFF, W3C
glad to hear some of the smartest people i know are working on (npm, etc.) supply chain security finally :). @SocketSecurity

Andrew Peterson
CEO and Co-Founder at Signal Sciences (acq. Fastly)
How do you track the validity of open source software libraries as they get updated? You're prob not. Check out @SocketSecurity and the updated tooling they launched.
Supply chain is a cluster in security as we all know and the tools from Socket are "duh" type tools to be implementing. Check them out and follow Feross Aboukhadijeh to see more updates coming from them in the future.

Zbyszek Tenerowicz
Senior Security Engineer at ConsenSys
socket.dev is getting more appealing by the hour

Devdatta Akhawe
Head of Security at Figma
The @SocketSecurity team is on fire! Amazing progress and I am excited to see where they go next.

Sebastian Bensusan
Engineer Manager at Stripe
I find it surprising that we don't have _more_ supply chain attacks in software:
Imagine your airplane (the code running) was assembled (deployed) daily, with parts (dependencies) from internet strangers. How long until you get a bad part?
Excited for Socket to prevent this

Adam Baldwin
VP of Security at npm, Red Team at Auth0/Okta
Congrats to everyone at @SocketSecurity ❤️🤘🏻

Nico Waisman
CISO at Lyft
This is an area that I have personally been very focused on. As Nat Friedman said in the 2019 GitHub Universe keynote, Open Source won, and every time you add a new open source project you rely on someone else's code and you rely on the people that build it.
This is both exciting and problematic. You are bringing real risk into your organization, and I'm excited to see progress in the industry from OpenSSF scorecards and package analyzers to the company that Feross Aboukhadijeh is building!
Depend on Socket to prevent malicious open source dependencies from infiltrating your app.
Install the Socket GitHub App in just 2 clicks and get protected today.
Block 70+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.
Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.
Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.
Dec 14, 2023
Hijacked cryptocurrency library adds malware
Widely-used library in cryptocurrency frontend was compromised to include wallet-draining code, following the hijacking of NPM account credentials via phishing.
Jan 06, 2022
Maintainer intentionally adds malware
Rogue maintainer sabotages his own open source package with 100M downloads/month, notably breaking Amazon's AWS SDK.
Nov 15, 2021
npm discovers a platform vulnerability allowing unauthorized publishing of any package
Attackers could publish new versions of any npm package without authorization for multiple years.
Oct 22, 2021
Hijacked package adds cryptominers and password-stealing malware
Multiple packages with 30M downloads/month are hijacked and publish malicious versions directly into the software supply chain.
Nov 26, 2018
Package hijacked adding organization specific backdoors
Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build.

Security News
React disclosed a CVSS 10.0 RCE in React Server Components and is advising users to upgrade affected packages and frameworks to patched versions now.

Research / Security News
We spotted a wave of auto-generated “elf-*” npm packages published every two minutes from new accounts, with simple malware variants and early takedowns underway.