Secure your dependencies. Ship with confidence.

This file contains heavily obfuscated code that checks system memory and, if sufficient, downloads and executes a script from hxxps://example[.]com/files/212.bat without user consent. Executing a file from an untrusted remote source poses a major security risk and is indicative of malware.

Live on npm for 5 days, 9 hours and 46 minutes before removal. Socket users were protected even while the package was live.

The code executes a shell command to send an HTTP request to an external domain and logs the HTTP status code. This behavior could be considered a security risk if the domain is not trusted or if the code is used in a sensitive context. The code is not obfuscated and is straightforward in its functionality.

The code downloads an executable from the internet and runs it without any user validation or consent. This is highly dangerous as it can lead to arbitrary code execution and potential system compromise. The specific URL used is also suspicious.

Live on PyPI for 3 minutes before removal. Socket users were protected even while the package was live.

The code collects system information and sends it to a remote server. It includes a suspicious command execution and immediate process termination. The presence of the command execution and process termination raises significant security concerns.

Live on npm for 30 days, 13 hours and 29 minutes before removal. Socket users were protected even while the package was live.

The code imports various modules and calls a method named `functame` on each of these modules. The naming conventions and method name are unusual and might suggest an attempt to obscure the actual behavior or intent of the code. Without additional context on the imported modules, it is difficult to determine if the code is malicious. However, the unusual patterns and naming conventions raise a moderate security risk.

Live on npm for 56 days, 20 hours and 25 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by exfiltrating system and project information to remote servers. The use of suspicious domains and the sending of sensitive data without user consent indicate a high security risk.

Live on npm for 32 minutes before removal. Socket users were protected even while the package was live.

The source code exhibits clear malicious behavior, including unauthorized data exfiltration, remote command execution, and file manipulation. It poses a significant security risk to users.

Live on npm for 3 days, 4 hours and 19 minutes before removal. Socket users were protected even while the package was live.

The source code demonstrates clear signs of malicious activity by exfiltrating system and project data to external servers without user consent. This poses a significant security risk due to unauthorized data transmission. The code is not obfuscated, but the behavior is highly suspicious and indicative of malicious intent.

Live on npm for 47 minutes before removal. Socket users were protected even while the package was live.

The code is performing unauthorized data exfiltration by collecting and sending sensitive system information to a suspicious external domain. This behavior is indicative of malicious intent and poses a significant security risk.

Live on npm for 8 days, 3 hours and 38 minutes before removal. Socket users were protected even while the package was live.

The script is not inherently malicious but poses a high security risk due to its ability to alter disk partitions without user interaction. This can lead to data loss or system damage if executed unintentionally.

The code presents several potential security risks and suggests the intent of managing a C2 server, which could be used for malicious purposes. Specifically, the handling of subprocesses with shell=True, the lack of proper input validation, and the exposure of sensitive file operations could facilitate unauthorized actions and access to sensitive data. Therefore, this code should be treated with caution and likely indicates malicious intent in its context.

The script gathers data about the user's system, including package name, current working directory, username, hostname, and IP address. This data is then encoded and sent as DNS queries to a remote server.

Live on npm for 16 hours and 25 minutes before removal. Socket users were protected even while the package was live.

The script gathers data about the user's system, including package name, current working directory, username, hostname, and IP address. This data is then encoded and sent as DNS queries to a remote server.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

Malicious code in gemnasium-gitlab-service (RubyGems)

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 15 minutes before removal. Socket users were protected even while the package was live.

The source code establishes a reverse shell connection to a remote server, allowing remote control and data exfiltration. This behavior is indicative of malware and poses a significant security risk.

Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.

The script is designed to upload sensitive system information to an external server, which poses a significant security risk and is indicative of malicious behavior.

Live on npm for 18 hours and 14 minutes before removal. Socket users were protected even while the package was live.

The code is exfiltrating sensitive system and user data to an external server without user consent, which poses a significant security risk. The use of a testing domain for data transmission is suspicious and indicates potential misuse.

Live on npm for 7 days, 16 hours and 11 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and transmitting sensitive system information to an external server without user consent. This poses a high security risk and potential for data theft.

Live on npm for 1 hour and 10 minutes before removal. Socket users were protected even while the package was live.

The code exhibits clear malicious behavior by collecting extensive system information and sending it to a remote server without user consent. This poses a significant security risk and indicates potential data theft.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

The code is heavily obfuscated and lacks transparency, which is highly unusual for open-source dependencies. This raises significant security concerns and the potential for malicious behavior. It should not be used without thorough analysis and understanding of its functionality.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

Masquerades as a cryptocurrency wallet recovery service to steal sensitive data.

The provided source code is performing malicious activities by sending environment variables over the network to a suspicious domain. The obfuscation techniques used in the code further increase the risk. Therefore, the code should be considered high risk and potentially malicious.

Live on npm for 25 minutes before removal. Socket users were protected even while the package was live.

This script is attempting to exfiltrate sensitive system information to a remote server without the user's consent. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

The code is clearly designed for data exfiltration, sending sensitive system and project information to external servers without user consent. This poses a significant security risk and exhibits malicious behavior.

Live on npm for 8 hours and 40 minutes before removal. Socket users were protected even while the package was live.

This file contains heavily obfuscated code that checks system memory and, if sufficient, downloads and executes a script from hxxps://example[.]com/files/212.bat without user consent. Executing a file from an untrusted remote source poses a major security risk and is indicative of malware.

Live on npm for 5 days, 9 hours and 46 minutes before removal. Socket users were protected even while the package was live.

The code executes a shell command to send an HTTP request to an external domain and logs the HTTP status code. This behavior could be considered a security risk if the domain is not trusted or if the code is used in a sensitive context. The code is not obfuscated and is straightforward in its functionality.

The code downloads an executable from the internet and runs it without any user validation or consent. This is highly dangerous as it can lead to arbitrary code execution and potential system compromise. The specific URL used is also suspicious.

Live on PyPI for 3 minutes before removal. Socket users were protected even while the package was live.

The code collects system information and sends it to a remote server. It includes a suspicious command execution and immediate process termination. The presence of the command execution and process termination raises significant security concerns.

Live on npm for 30 days, 13 hours and 29 minutes before removal. Socket users were protected even while the package was live.

The code imports various modules and calls a method named `functame` on each of these modules. The naming conventions and method name are unusual and might suggest an attempt to obscure the actual behavior or intent of the code. Without additional context on the imported modules, it is difficult to determine if the code is malicious. However, the unusual patterns and naming conventions raise a moderate security risk.

Live on npm for 56 days, 20 hours and 25 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by exfiltrating system and project information to remote servers. The use of suspicious domains and the sending of sensitive data without user consent indicate a high security risk.

Live on npm for 32 minutes before removal. Socket users were protected even while the package was live.

The source code exhibits clear malicious behavior, including unauthorized data exfiltration, remote command execution, and file manipulation. It poses a significant security risk to users.

Live on npm for 3 days, 4 hours and 19 minutes before removal. Socket users were protected even while the package was live.

The source code demonstrates clear signs of malicious activity by exfiltrating system and project data to external servers without user consent. This poses a significant security risk due to unauthorized data transmission. The code is not obfuscated, but the behavior is highly suspicious and indicative of malicious intent.

Live on npm for 47 minutes before removal. Socket users were protected even while the package was live.

The code is performing unauthorized data exfiltration by collecting and sending sensitive system information to a suspicious external domain. This behavior is indicative of malicious intent and poses a significant security risk.

Live on npm for 8 days, 3 hours and 38 minutes before removal. Socket users were protected even while the package was live.

The script is not inherently malicious but poses a high security risk due to its ability to alter disk partitions without user interaction. This can lead to data loss or system damage if executed unintentionally.

The code presents several potential security risks and suggests the intent of managing a C2 server, which could be used for malicious purposes. Specifically, the handling of subprocesses with shell=True, the lack of proper input validation, and the exposure of sensitive file operations could facilitate unauthorized actions and access to sensitive data. Therefore, this code should be treated with caution and likely indicates malicious intent in its context.

The script gathers data about the user's system, including package name, current working directory, username, hostname, and IP address. This data is then encoded and sent as DNS queries to a remote server.

Live on npm for 16 hours and 25 minutes before removal. Socket users were protected even while the package was live.

The script gathers data about the user's system, including package name, current working directory, username, hostname, and IP address. This data is then encoded and sent as DNS queries to a remote server.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

Malicious code in gemnasium-gitlab-service (RubyGems)

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 15 minutes before removal. Socket users were protected even while the package was live.

The source code establishes a reverse shell connection to a remote server, allowing remote control and data exfiltration. This behavior is indicative of malware and poses a significant security risk.

Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.

The script is designed to upload sensitive system information to an external server, which poses a significant security risk and is indicative of malicious behavior.

Live on npm for 18 hours and 14 minutes before removal. Socket users were protected even while the package was live.

The code is exfiltrating sensitive system and user data to an external server without user consent, which poses a significant security risk. The use of a testing domain for data transmission is suspicious and indicates potential misuse.

Live on npm for 7 days, 16 hours and 11 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and transmitting sensitive system information to an external server without user consent. This poses a high security risk and potential for data theft.

Live on npm for 1 hour and 10 minutes before removal. Socket users were protected even while the package was live.

The code exhibits clear malicious behavior by collecting extensive system information and sending it to a remote server without user consent. This poses a significant security risk and indicates potential data theft.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

The code is heavily obfuscated and lacks transparency, which is highly unusual for open-source dependencies. This raises significant security concerns and the potential for malicious behavior. It should not be used without thorough analysis and understanding of its functionality.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

Masquerades as a cryptocurrency wallet recovery service to steal sensitive data.

The provided source code is performing malicious activities by sending environment variables over the network to a suspicious domain. The obfuscation techniques used in the code further increase the risk. Therefore, the code should be considered high risk and potentially malicious.

Live on npm for 25 minutes before removal. Socket users were protected even while the package was live.

This script is attempting to exfiltrate sensitive system information to a remote server without the user's consent. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

The code is clearly designed for data exfiltration, sending sensitive system and project information to external servers without user consent. This poses a significant security risk and exhibits malicious behavior.

Live on npm for 8 hours and 40 minutes before removal. Socket users were protected even while the package was live.