Secure your dependencies. Ship with confidence.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

This code fragment implements a DKIM spoofer/offensive email authentication bypass framework: it performs DMARC/SPF reconnaissance via DNS TXT lookups, selects direct/replay/hybrid exploitation paths based on computed vulnerability/risk scores, reads staged data from the filesystem, and returns tampered email-like objects with forged 'DKIM-Signature' and additional exploit/smuggling-oriented headers plus modified HTML bodies. The behavior strongly matches malicious phishing/spoofing tooling rather than legitimate DKIM signing/verification. Full impact (e.g., network transmission) cannot be confirmed from the fragment alone, but the presented functionality is already security-critical.

This module is highly obfuscated and dual-use, performing DKIM DNS reconnaissance and generating offensive OpenSSL-based exploit command/payload strings based on parsed DKIM weaknesses. While direct malicious payload execution and external exfiltration are not demonstrated in the provided fragment, the presence of child-process exec capability and exploitation-focused payload construction make it high-risk from a supply-chain/misuse perspective. Treat as potentially malicious until the rest of the package confirms whether returned payloads are ever executed and whether any network exfiltration or additional attack automation exists.

The fragment includes a highly sensitive endpoint (/api/wallet/export) that returns raw wallet private keys (EVM_PRIVATE_KEY and SOLANA_PRIVATE_KEY) directly in the HTTP JSON response. This is a credential-exfiltration sink and is extremely dangerous if the endpoint is not strictly authenticated/authorized (not shown in the snippet). The code also persists and propagates private keys into process.env and config, increasing risk. Aside from this, the rest appears to be wallet provisioning/config logic with network calls to steward/cloud services.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

This module strongly appears to be part of phishing/red-team email tooling: it returns configuration that explicitly sets attack_vector=email and payload_type=phishing and includes extensive evasion/tracking controls (DKIM spoofing, header/html/mime variability, dynamic URLs, favicon tracking, timing/fingerprint mimicry). Although it does not show the actual outbound network sending in this fragment, the configuration is clearly intended to drive malicious email delivery elsewhere in the package.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

This module strongly matches a high-risk remote payload execution pattern: it reconstructs JavaScript source from locally packaged data plus a network-delivered (or cached) share, then executes the decoded source using new Function and exposes generic send/executeCall entrypoints. Because there is no cryptographic authenticity/integrity verification or sandboxing shown for the reconstructed payload, the effective behavior is server-controlled and could include backdoor functionality.

The fragment includes a highly sensitive endpoint (/api/wallet/export) that returns raw wallet private keys (EVM_PRIVATE_KEY and SOLANA_PRIVATE_KEY) directly in the HTTP JSON response. This is a credential-exfiltration sink and is extremely dangerous if the endpoint is not strictly authenticated/authorized (not shown in the snippet). The code also persists and propagates private keys into process.env and config, increasing risk. Aside from this, the rest appears to be wallet provisioning/config logic with network calls to steward/cloud services.

This module fragment contains a critical credential-exfiltration pattern: it reads EVM and Solana private keys from environment variables and returns them in JSON HTTP responses via sendJsonResponse. Even though a steward path masks the keys with placeholders, an empty catch block increases the chance of falling back to the real-key response path. The /api/wallet/nfts functionality involves normal network calls for NFT data, but the private-key disclosure dominates the security assessment and can enable immediate wallet compromise for any caller that can access the affected endpoint(s).

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

This fragment implements a high-risk remote code delivery/execution workflow: untrusted share2 material (fetched from a hardcoded backend or loaded from a local cache) is reconstructed, unpadded, decoded into JavaScript source, and executed via new Function without integrity verification or sandboxing. The resulting dynamically loaded code is then exposed to callers through send/executeCall. Even if intended for licensed “trial/full control” activation, the mechanism is consistent with an arbitrary code execution supply-chain/runtime loader pattern and should be treated as a serious security concern.

This module fragment contains a critical credential-exfiltration pattern: it reads EVM and Solana private keys from environment variables and returns them in JSON HTTP responses via sendJsonResponse. Even though a steward path masks the keys with placeholders, an empty catch block increases the chance of falling back to the real-key response path. The /api/wallet/nfts functionality involves normal network calls for NFT data, but the private-key disclosure dominates the security assessment and can enable immediate wallet compromise for any caller that can access the affected endpoint(s).

The most severe issue in this module is functional secret disclosure: the code reads EVM and Solana private keys from environment variables and includes them in JSON API responses via sendJsonResponse. Even though the /api/wallet/nfts endpoint is gated by an authorization check, the snippet does not demonstrate that the private-key-returning paths are similarly protected, making this a critical security defect if any untrusted client can reach those code paths. The NFT-fetching logic itself is comparatively normal but expands outbound trust to multiple third-party RPC/API providers and makes robust authorization and redaction essential.

High confidence that this dependency is malicious or at minimum designed for offensive exploitation orchestration: it queries DKIM TXT records, determines exploitability/deprecation, and generates OpenSSL/echo-based shell command payloads (with exec/execAsync prepared). Obfuscation further increases the likelihood of covert behavior. Do not use in security-sensitive or production contexts without thorough sandboxed analysis and full-module review.

This module is not consistent with a normal compiler/utility library. It implements a Windows Script Host dropper/loader: it stages and executes a payload via ActiveX/WScript, uses registry markers to manage persistence/anti-reinfection, verifies execution via stdout/stderr parsing, and includes dynamic code execution and evasion-like gating. Overall assessment: highly malicious behavior; treat the package as unsafe until isolated and fully analyzed in a sandbox.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

The fragment implements standard VS Code linting event handling (diagnostics collection, debounced scheduling, re-linting on configuration changes). However, it also contains a nonstandard, hash-obfuscated dynamic require flow and a conditional attempt_update(hash) call at startup. While the shown code does not directly demonstrate malware behaviors (no explicit network/exfiltration/exec in this snippet), the update mechanism is a high-value supply-chain risk area because its implementation is not visible and the gating logic is intentionally opaque. Recommend reviewing ./components/autoUpdate.js and ./components/linting.js for network access, process spawning, code download/execution, and unintended data handling before trusting the package.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

This module fragment contains a critical credential-exfiltration pattern: it reads EVM and Solana private keys from environment variables and returns them in JSON HTTP responses via sendJsonResponse. Even though a steward path masks the keys with placeholders, an empty catch block increases the chance of falling back to the real-key response path. The /api/wallet/nfts functionality involves normal network calls for NFT data, but the private-key disclosure dominates the security assessment and can enable immediate wallet compromise for any caller that can access the affected endpoint(s).

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

This code fragment implements a DKIM spoofer/offensive email authentication bypass framework: it performs DMARC/SPF reconnaissance via DNS TXT lookups, selects direct/replay/hybrid exploitation paths based on computed vulnerability/risk scores, reads staged data from the filesystem, and returns tampered email-like objects with forged 'DKIM-Signature' and additional exploit/smuggling-oriented headers plus modified HTML bodies. The behavior strongly matches malicious phishing/spoofing tooling rather than legitimate DKIM signing/verification. Full impact (e.g., network transmission) cannot be confirmed from the fragment alone, but the presented functionality is already security-critical.

This module is highly obfuscated and dual-use, performing DKIM DNS reconnaissance and generating offensive OpenSSL-based exploit command/payload strings based on parsed DKIM weaknesses. While direct malicious payload execution and external exfiltration are not demonstrated in the provided fragment, the presence of child-process exec capability and exploitation-focused payload construction make it high-risk from a supply-chain/misuse perspective. Treat as potentially malicious until the rest of the package confirms whether returned payloads are ever executed and whether any network exfiltration or additional attack automation exists.

The fragment includes a highly sensitive endpoint (/api/wallet/export) that returns raw wallet private keys (EVM_PRIVATE_KEY and SOLANA_PRIVATE_KEY) directly in the HTTP JSON response. This is a credential-exfiltration sink and is extremely dangerous if the endpoint is not strictly authenticated/authorized (not shown in the snippet). The code also persists and propagates private keys into process.env and config, increasing risk. Aside from this, the rest appears to be wallet provisioning/config logic with network calls to steward/cloud services.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

This module strongly appears to be part of phishing/red-team email tooling: it returns configuration that explicitly sets attack_vector=email and payload_type=phishing and includes extensive evasion/tracking controls (DKIM spoofing, header/html/mime variability, dynamic URLs, favicon tracking, timing/fingerprint mimicry). Although it does not show the actual outbound network sending in this fragment, the configuration is clearly intended to drive malicious email delivery elsewhere in the package.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

This module strongly matches a high-risk remote payload execution pattern: it reconstructs JavaScript source from locally packaged data plus a network-delivered (or cached) share, then executes the decoded source using new Function and exposes generic send/executeCall entrypoints. Because there is no cryptographic authenticity/integrity verification or sandboxing shown for the reconstructed payload, the effective behavior is server-controlled and could include backdoor functionality.

The fragment includes a highly sensitive endpoint (/api/wallet/export) that returns raw wallet private keys (EVM_PRIVATE_KEY and SOLANA_PRIVATE_KEY) directly in the HTTP JSON response. This is a credential-exfiltration sink and is extremely dangerous if the endpoint is not strictly authenticated/authorized (not shown in the snippet). The code also persists and propagates private keys into process.env and config, increasing risk. Aside from this, the rest appears to be wallet provisioning/config logic with network calls to steward/cloud services.

This module fragment contains a critical credential-exfiltration pattern: it reads EVM and Solana private keys from environment variables and returns them in JSON HTTP responses via sendJsonResponse. Even though a steward path masks the keys with placeholders, an empty catch block increases the chance of falling back to the real-key response path. The /api/wallet/nfts functionality involves normal network calls for NFT data, but the private-key disclosure dominates the security assessment and can enable immediate wallet compromise for any caller that can access the affected endpoint(s).

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

This fragment implements a high-risk remote code delivery/execution workflow: untrusted share2 material (fetched from a hardcoded backend or loaded from a local cache) is reconstructed, unpadded, decoded into JavaScript source, and executed via new Function without integrity verification or sandboxing. The resulting dynamically loaded code is then exposed to callers through send/executeCall. Even if intended for licensed “trial/full control” activation, the mechanism is consistent with an arbitrary code execution supply-chain/runtime loader pattern and should be treated as a serious security concern.

This module fragment contains a critical credential-exfiltration pattern: it reads EVM and Solana private keys from environment variables and returns them in JSON HTTP responses via sendJsonResponse. Even though a steward path masks the keys with placeholders, an empty catch block increases the chance of falling back to the real-key response path. The /api/wallet/nfts functionality involves normal network calls for NFT data, but the private-key disclosure dominates the security assessment and can enable immediate wallet compromise for any caller that can access the affected endpoint(s).

The most severe issue in this module is functional secret disclosure: the code reads EVM and Solana private keys from environment variables and includes them in JSON API responses via sendJsonResponse. Even though the /api/wallet/nfts endpoint is gated by an authorization check, the snippet does not demonstrate that the private-key-returning paths are similarly protected, making this a critical security defect if any untrusted client can reach those code paths. The NFT-fetching logic itself is comparatively normal but expands outbound trust to multiple third-party RPC/API providers and makes robust authorization and redaction essential.

High confidence that this dependency is malicious or at minimum designed for offensive exploitation orchestration: it queries DKIM TXT records, determines exploitability/deprecation, and generates OpenSSL/echo-based shell command payloads (with exec/execAsync prepared). Obfuscation further increases the likelihood of covert behavior. Do not use in security-sensitive or production contexts without thorough sandboxed analysis and full-module review.

This module is not consistent with a normal compiler/utility library. It implements a Windows Script Host dropper/loader: it stages and executes a payload via ActiveX/WScript, uses registry markers to manage persistence/anti-reinfection, verifies execution via stdout/stderr parsing, and includes dynamic code execution and evasion-like gating. Overall assessment: highly malicious behavior; treat the package as unsafe until isolated and fully analyzed in a sandbox.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

The fragment implements standard VS Code linting event handling (diagnostics collection, debounced scheduling, re-linting on configuration changes). However, it also contains a nonstandard, hash-obfuscated dynamic require flow and a conditional attempt_update(hash) call at startup. While the shown code does not directly demonstrate malware behaviors (no explicit network/exfiltration/exec in this snippet), the update mechanism is a high-value supply-chain risk area because its implementation is not visible and the gating logic is intentionally opaque. Recommend reviewing ./components/autoUpdate.js and ./components/linting.js for network access, process spawning, code download/execution, and unintended data handling before trusting the package.

The /hack endpoint provides remote, user-controlled execution of recon/exploitation tooling and includes a critical bash -c fallback that evaluates attacker-controlled strings, turning the service into a remote command execution mechanism (even if containerized). Additionally, /leak returns hardcoded breach results marked as pwned=True without verification, suggesting deceptive/social-engineering intent. Overall, this module is high-risk and should be treated as unsafe to deploy; remove the bash -c fallback, enforce strict authentication/authorization, and restrict execution to a narrowly validated allowlist without returning raw stderr/stdout to clients.

This module fragment contains a critical credential-exfiltration pattern: it reads EVM and Solana private keys from environment variables and returns them in JSON HTTP responses via sendJsonResponse. Even though a steward path masks the keys with placeholders, an empty catch block increases the chance of falling back to the real-key response path. The /api/wallet/nfts functionality involves normal network calls for NFT data, but the private-key disclosure dominates the security assessment and can enable immediate wallet compromise for any caller that can access the affected endpoint(s).