Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 3.7.1

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.0

We protect you from vulnerable and malicious packages

ailever 0.3.402 (Live on PyPI): Blocked by Socket

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

gd-gplus 3.9.9 by 0xsombra (Removed from npm): Blocked by Socket

The code exhibits behavior consistent with data exfiltration by sending environment variables and directory listings to an external server without user consent. This poses a significant security risk.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

phone_helpers 6.793.439 by j8lwtuis (Removed from npm): Blocked by Socket

The code is obfuscated and performs data exfiltration by sending environment variables to an external server, which is a serious security concern.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

kasms 1.0.51 by psych0124 (Removed from npm): Blocked by Socket

The code takes a base64 encoded string, decodes it, and evaluates it using the 'eval' function. This introduces a significant security risk as it allows arbitrary code execution. The code should be considered dangerous and should not be used.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

nayan-server 2.1.7 by n4y4n (Removed from npm): Blocked by Socket

The code is highly suspicious due to its obfuscation and use of eval, which can lead to the execution of potentially harmful code. Without further analysis of the decoded script, the exact behavior cannot be determined, but the potential for malicious activity is high.

Live on npm for 157 days, 7 hours and 56 minutes before removal. Socket users were protected even while the package was live.

fameex 19.4.9 by superhotuser17 (Removed from npm): Blocked by Socket

The script is designed to upload sensitive system files to external servers, posing a significant security risk and indicating malicious intent.

Live on npm for 11 days, 18 hours and 22 minutes before removal. Socket users were protected even while the package was live.

webp1nger 1.0.0 by maholli (Removed from npm): Blocked by Socket

This script is attempting to establish a reverse shell connection to a remote machine and execute a shell command. This behavior is highly suspicious and indicates a potential security risk or malicious intent.

Live on npm for 7 days, 7 hours and 56 minutes before removal. Socket users were protected even while the package was live.

cpan 0.0.1 (Live on PyPI): Blocked by Socket

The setup.py spawns daemonized background processes at import/install time and executes a shell command. While the example command is harmless, the technique is a common supply-chain/persistence/backdoor pattern. Treat this package as malicious or high-risk; avoid installing and investigate further.

vector-vault 5.2.4 (Live on PyPI): Blocked by Socket

This component sends supplied credentials (user and api) to a hardcoded third-party endpoint and uses the returned token as a Bearer Authorization header for subsequent requests. That behavior constitutes high risk: if the endpoint is untrusted or controlled by an attacker, credentials can be exfiltrated and authentication can be delegated to an attacker-controlled token provider. No direct active system compromise code is present, but this is effectively a credential-harvesting/credential-broker pattern and should not be used unless the remote service is fully audited and trusted. Recommend replacing with standard OAuth flows using trusted endpoints, removing synchronous network I/O from constructors, and avoiding indiscriminate pickling of credential state.

smc-extendsession 3.9698.31 (Removed from npm): Blocked by Socket

The code is likely malicious due to its obfuscation, unauthorized data collection, and transmission to a suspicious remote server. This behavior indicates a high security risk.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

mtpylib 0.0.62 (Live on PyPI): Blocked by Socket

The script creates a persistent, predictable remote access vector by adding a user with a hardcoded password and by replacing SSH configuration to enable password and root logins and forwarding. This behavior is high-risk and consistent with a backdoor/persistence implant; treat any occurrence as malicious unless used in a tightly controlled, ephemeral testing environment with compensating controls. Do not run this script on production systems; if it has run, assume compromise, remove the user, restore secure SSH configuration, and rotate credentials.

bh-usa-automate-req-ase 0.0.3 (Removed from PyPI): Blocked by Socket

This source code contains clear and intentional malicious behavior designed to steal AWS credentials from the local machine and send them to an attacker-controlled server. The code unconditionally reads AWS credentials from the ~/.aws/credentials file using configparser, extracts aws_access_key_id and aws_secret_access_key from all sections, prints the credentials to console (exposing them locally), and then sends them via HTTP POST request to a hardcoded webhook URL at https://eo64g38fdes1lxm[.]m[.]pipedream[.]net. The exfiltration occurs silently without user consent or notification every time the code executes. This represents a severe supply chain attack designed to compromise AWS accounts and should be considered high-risk malware requiring immediate removal and user warning about potential credential compromise.

Live on PyPI for 11 hours and 16 minutes before removal. Socket users were protected even while the package was live.

ominfra 0.0.0.dev123 (Live on PyPI): Blocked by Socket

The fragment provides a sophisticated bootstrap and remote command execution facility accessible via IPC channels. While it could serve legitimate remote management needs under tight controls, its presence in an open-source dependency implies a high risk of backdoor-like behavior, covert payload loading, and unrestricted command execution. In a supply-chain context, this is unacceptable without explicit opt-in, auditing, and visible configuration. Recommend removing or isolating this functionality, replacing with explicit, auditable remote-management interfaces, and ensuring clear documentation and opt-in mechanisms.

@pb-digital/ui-library 1.0.0 by memmedyar (Live on npm): Blocked by Socket

This code is malicious: it harvests local system identifiers and sensitive files (attempting /etc/shadow when possible), encodes them, and exfiltrates the data to a hardcoded remote HTTP endpoint using curl invoked via child_process.exec. Treat as credential-stealing/data-exfiltration malware. Do not execute; if present on a system, isolate the host, investigate, and rotate potentially compromised credentials.

skywriter_server 9.9.1 by hello6852hh (Removed from npm): Blocked by Socket

The code is suspicious and potentially malicious as it sends system data to a suspicious domain.

Live on npm for 4 hours and 23 minutes before removal. Socket users were protected even while the package was live.

issues-danmuku 1.0.4 by zhw2590582 (Removed from npm): Blocked by Socket

The code is handling sensitive operations such as storing and transmitting OAuth tokens. The use of localStorage for storing tokens and embedding them in URLs can be considered a security risk. Additionally, the use of the `Function` constructor indicates potential for dynamic code execution which is concerning. Overall, while there is no clear evidence of malicious behavior, the handling of sensitive data could be improved to enhance security.

Live on npm for 55 minutes before removal. Socket users were protected even while the package was live.

dre-example 7.2.3 by bbbb121proton.me (Removed from npm): Blocked by Socket

The code collects sensitive system information without user consent and sends it to an external server via a Discord webhook. The code gathers data such as the user's internal IP address, external IP address (obtained via an HTTP request to 'https[:]//ipinfo[.]io/json'), hostname, username, home directory, DNS server information, and package details from 'package.json'. This information is then formatted into a JSON object and transmitted to a hardcoded Discord webhook URL ('https[:]//discord[.]com/api/webhooks/...'). This behavior constitutes unauthorized data exfiltration and poses significant privacy and security risks.

Live on npm for 20 days, 1 hour and 33 minutes before removal. Socket users were protected even while the package was live.

hekatomb 1.5 (Removed from PyPI): Blocked by Socket

This setup.py installs a clearly offensive/dual-use toolkit (Hekatomb) whose documented purpose is domain-wide credential theft: enumerating AD, retrieving DPAPI blobs via SMB, extracting domain controller private keys via RPC, and decrypting user secrets. The packaging metadata confirms intent and capability. Treat this package as malicious/hostile; do not install or run it except in controlled, authorized testing/lab environments. Further inspection of the actual src.hekatomb implementation is required to detail exact exploit methods or any hidden exfiltration behavior.

Live on PyPI for 15 hours and 34 minutes before removal. Socket users were protected even while the package was live.

hashdecrypt 1.0.2 (Live on PyPI): Blocked by Socket

The code includes potentially suspicious network activity by posting data to a URL derived from a base64-encoded string. This could lead to data exfiltration if the data is sensitive. The obfuscation of the URL and the lack of transparency in network communication raise security concerns.

aroma-xylophone-pqb476 1.0.0 by afifaljafari112 (Removed from npm): Blocked by Socket

The code has several anomalies including unconventional syntax, suspicious module names, and uniform method calls without any context. While there is no direct evidence of malicious behavior within the provided snippet, the irregularities and potential for these modules to contain harmful code suggest a need for further scrutiny.

Live on npm for 57 days, 10 hours and 24 minutes before removal. Socket users were protected even while the package was live.

mtpylib 0.0.52 (Removed from PyPI): Blocked by Socket

The script creates a persistent, predictable remote access vector by adding a user with a hardcoded password and by replacing SSH configuration to enable password and root logins and forwarding. This behavior is high-risk and consistent with a backdoor/persistence implant; treat any occurrence as malicious unless used in a tightly controlled, ephemeral testing environment with compensating controls. Do not run this script on production systems; if it has run, assume compromise, remove the user, restore secure SSH configuration, and rotate credentials.

Live on PyPI for 3 hours and 37 minutes before removal. Socket users were protected even while the package was live.

robot-list 0.0.4 (Removed from PyPI): Blocked by Socket

This module contains insecure coding patterns that create serious security vulnerabilities: (1) executing a constructed shell command with shell=True using unvalidated command-line input (command injection), and (2) using eval() on data derived from XML/JSON parsing (remote code execution risk). Additional issues: malformed/misused regexes, improper TemporaryDirectory usage, and broad exception suppression. There is no clear evidence of deliberate malware (no hardcoded exfiltration endpoints or obfuscated payloads), but the vulnerabilities allow arbitrary code execution and should be treated as high risk. Do not run this code on untrusted input or in privileged environments without sanitizing inputs, removing eval, and using subprocess safely (list args, shell=False).

Live on PyPI for 2 hours and 9 minutes before removal. Socket users were protected even while the package was live.

com.meta.xr.sdk.avatars 14.0.0 by jpdhackerone03 (Removed from npm): Blocked by Socket

The source code exhibits behavior consistent with data exfiltration malware. It collects sensitive system information and sends it to external endpoints without user consent, posing a significant security risk.

Live on npm for 36 days, 10 hours and 44 minutes before removal. Socket users were protected even while the package was live.

js-node-ethers 5.4.5 by bestbuythis (Removed from npm): Blocked by Socket

The source code contains a serious security issue with a potential data exfiltration attempt via a Telegram bot. Additionally, it logs sensitive information to the console. These behaviors are not standard for a wallet library and indicate a high risk of malicious activity.

Live on npm for 1 hour and 58 minutes before removal. Socket users were protected even while the package was live.

oahspe 0.0.17 (Live on PyPI): Blocked by Socket

The code demonstrates several security risks, particularly the direct execution of commands based on user input, which can lead to command injection vulnerabilities and unauthorized file manipulation. It also lacks proper sanitization and validation of user input. The overall structure raises significant concerns regarding the potential for malicious behavior, especially if used in an untrusted environment.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Chrome Extension Permission

Chrome Extension Wildcard Host Permission

Git dependency

GitHub dependency

AI-detected potential malware

HTTP dependency

Obfuscated code

NPM Shrinkwrap

34 more alerts

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Why teams choose Socket

Pro-active security

Depend on Socket to prevent malicious open source dependencies from infiltrating your app.

Easy to install

Install the Socket GitHub App in just 2 clicks and get protected today.

Comprehensive open source protection

Block 70+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.

Develop faster

Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Dec 14, 2023

Hijacked cryptocurrency library adds malware

Widely-used library in cryptocurrency frontend was compromised to include wallet-draining code, following the hijacking of NPM account credentials via phishing.

Jan 06, 2022

Maintainer intentionally adds malware

Rogue maintainer sabotages his own open source package with 100M downloads/month, notably breaking Amazon's AWS SDK.

Nov 15, 2021

npm discovers a platform vulnerability allowing unauthorized publishing of any package

Attackers could publish new versions of any npm package without authorization for multiple years.

Oct 22, 2021

Hijacked package adds cryptominers and password-stealing malware

Multiple packages with 30M downloads/month are hijacked and publish malicious versions directly into the software supply chain.

Nov 26, 2018

Package hijacked, adding organization-specific backdoors

Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build.

Ready to dive in?

Get protected by Socket with just 2 clicks.
