Secure your dependencies. Ship with confidence.

This code poses a serious security risk and should not be used.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

This file executes shell commands to list all files in the user's home directory and sends the results via an HTTPS POST request to subygems[.]org/secrets. The domain closely resembles a legitimate service, suggesting potential phishing or malicious intent. This poses a serious security risk by exposing sensitive system information to an untrusted external endpoint.

The provided source code exhibits clear signs of malicious behavior, including exfiltrating sensitive system and project information to external servers. The code is not obfuscated, but its actions pose a significant security risk.

Live on npm for 59 minutes before removal. Socket users were protected even while the package was live.

The script sends potentially sensitive information (username and hostname) to an external server, indicating malicious behavior and a high security risk.

Live on npm for 9 days, 5 hours and 7 minutes before removal. Socket users were protected even while the package was live.

The code is a powerful tool for system interaction, similar to a Meterpreter payload. It poses significant security risks if misused, as it can perform unauthorized system operations. The lack of obfuscation makes its intentions clear, but its capabilities align with those of advanced system tools, potentially for legitimate penetration testing or malicious activities.

This script is sending the contents of the '/etc/hosts' file to a remote server using an insecure protocol. This behavior is highly suspicious and potentially malicious.

Live on npm for 11 hours and 21 minutes before removal. Socket users were protected even while the package was live.

This file contains obfuscated malicious code that uses multiple evasion techniques to hide its true functionality. The code implements a multi-stage decoder that: 1) Reverses an encoded string 2) Decodes it using base64 3) Decompresses it using zlib 4) Executes the resulting code using exec(). This pattern is a common malware technique designed to evade security scanning and hide malicious payloads. The use of exec() to execute arbitrary decoded content poses a severe security risk as it allows execution of potentially harmful code. The intentional obfuscation through multiple encoding layers combined with dynamic code execution strongly indicates this is malware rather than legitimate functionality. The code should not be executed as it likely contains a malicious payload designed for system compromise, data exfiltration, or other harmful activities.

This script is designed to exfiltrate user information and potentially establish a connection with a remote server, indicating malicious behavior.

This script is sending the hostname of the machine to a remote server, which poses a significant security risk and indicates potential malicious behavior.

Live on npm for 16 days, 23 hours and 11 minutes before removal. Socket users were protected even while the package was live.

The code is likely harvesting sensitive system and user information and sending it to an external server without the user's consent. The unusual domain name and the custom '___resolved' property in package.json are strong indicators of a supply chain attack, likely aimed at data exfiltration.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

The code poses a significant security risk by sending all environment variables to an external server. This behavior is consistent with data exfiltration and is considered malicious. The code is not obfuscated, but the unauthorized transmission of sensitive information warrants a high malware and security risk score.

Live on PyPI for 8 minutes before removal. Socket users were protected even while the package was live.

The script collects information like hostname, username, current working directory, and network interfaces and sends it to an external server by encoding it in a DNS request.

Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 5 hours and 44 minutes before removal. Socket users were protected even while the package was live.

This file collects home directory, hostname, username, DNS server details, and other system information, then sends it via HTTPS POST to a suspicious domain (w2z94hflp7clou8ffe7a7pd30u6lubi0[.]oastify[.]com) without user knowledge or consent. The behavior indicates data exfiltration with malicious intent.

Live on npm for 1 day, 9 hours and 15 minutes before removal. Socket users were protected even while the package was live.

The code is collecting and transmitting sensitive system data to an external server without user consent, indicating malicious intent. The domain used for data transmission is suspicious, further supporting the conclusion of potential data theft.

Live on npm for 1 hour and 44 minutes before removal. Socket users were protected even while the package was live.

The script is downloading a file from a remote server. This behavior is potentially risky as it could download malicious code onto the system.

The code is highly malicious, as it collects potentially sensitive system information and sends it to an external server, and potentially gives an attacker full control over the system by creating a reverse shell. This script poses a severe security risk and should not be used.

Live on npm for 7 days, 19 hours and 26 minutes before removal. Socket users were protected even while the package was live.

The package's preinstall script executes a command that sends system information (output of 'uname -a', 'ps', and 'pwd') to a remote server at rb65cdp5wz7k934qf6tjpkjht8z7n0bp[.]oastify[.]com via curl, indicating deliberate exfiltration of sensitive data and malicious intent.

Live on npm for 80 days, 16 hours and 6 minutes before removal. Socket users were protected even while the package was live.

This file collects sensitive system details (home directory, hostname, username, DNS servers) and transmits them via HTTPS to a suspicious external domain (wjlmgboaixijetkhmbmx0mogjvhj6ik97[.]oast[.]fun) without user knowledge or consent. This behavior constitutes data exfiltration and poses a significant security risk.

Live on npm for 11 days, 21 hours and 34 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 3 hours and 50 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect sensitive system and package information and send it to an external server without user consent. This behavior is indicative of data exfiltration and poses a significant security risk.

Live on npm for 2 days, 5 hours and 28 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles the legitimate 'azure' package, suggesting it could be a typosquat. The maintainers list includes 'npm', which is not a specific individual or organization, adding to the suspicion. The description does not provide any distinct purpose or functionality, further indicating it might be a placeholder to prevent typosquatting.

Live on npm for 6 hours and 35 minutes before removal. Socket users were protected even while the package was live.

The code exhibits characteristics typical of malicious behavior through its use of `eval`, obfuscated variable names, and dynamic data handling. Caution is advised as it could lead to arbitrary code execution and potential information leaks.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

The package's scripts ('preinstall', 'install', 'postinstall') contain code that establishes a reverse shell connection to the IP address 162[.]219[.]121[.]44 on port 2333. This allows an attacker to execute commands remotely on the compromised machine.

Live on npm for 15 days, 19 hours and 34 minutes before removal. Socket users were protected even while the package was live.

The script runs 'index.js' and silences all output, which could be a method to hide malicious actions or errors. The safety of this script depends on the contents of 'index.js'.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

This file executes shell commands to list all files in the user's home directory and sends the results via an HTTPS POST request to subygems[.]org/secrets. The domain closely resembles a legitimate service, suggesting potential phishing or malicious intent. This poses a serious security risk by exposing sensitive system information to an untrusted external endpoint.

The provided source code exhibits clear signs of malicious behavior, including exfiltrating sensitive system and project information to external servers. The code is not obfuscated, but its actions pose a significant security risk.

Live on npm for 59 minutes before removal. Socket users were protected even while the package was live.

The script sends potentially sensitive information (username and hostname) to an external server, indicating malicious behavior and a high security risk.

Live on npm for 9 days, 5 hours and 7 minutes before removal. Socket users were protected even while the package was live.

The code is a powerful tool for system interaction, similar to a Meterpreter payload. It poses significant security risks if misused, as it can perform unauthorized system operations. The lack of obfuscation makes its intentions clear, but its capabilities align with those of advanced system tools, potentially for legitimate penetration testing or malicious activities.

This script is sending the contents of the '/etc/hosts' file to a remote server using an insecure protocol. This behavior is highly suspicious and potentially malicious.

Live on npm for 11 hours and 21 minutes before removal. Socket users were protected even while the package was live.

This file contains obfuscated malicious code that uses multiple evasion techniques to hide its true functionality. The code implements a multi-stage decoder that: 1) Reverses an encoded string 2) Decodes it using base64 3) Decompresses it using zlib 4) Executes the resulting code using exec(). This pattern is a common malware technique designed to evade security scanning and hide malicious payloads. The use of exec() to execute arbitrary decoded content poses a severe security risk as it allows execution of potentially harmful code. The intentional obfuscation through multiple encoding layers combined with dynamic code execution strongly indicates this is malware rather than legitimate functionality. The code should not be executed as it likely contains a malicious payload designed for system compromise, data exfiltration, or other harmful activities.

This script is designed to exfiltrate user information and potentially establish a connection with a remote server, indicating malicious behavior.

This script is sending the hostname of the machine to a remote server, which poses a significant security risk and indicates potential malicious behavior.

Live on npm for 16 days, 23 hours and 11 minutes before removal. Socket users were protected even while the package was live.

The code is likely harvesting sensitive system and user information and sending it to an external server without the user's consent. The unusual domain name and the custom '___resolved' property in package.json are strong indicators of a supply chain attack, likely aimed at data exfiltration.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

The code poses a significant security risk by sending all environment variables to an external server. This behavior is consistent with data exfiltration and is considered malicious. The code is not obfuscated, but the unauthorized transmission of sensitive information warrants a high malware and security risk score.

Live on PyPI for 8 minutes before removal. Socket users were protected even while the package was live.

The script collects information like hostname, username, current working directory, and network interfaces and sends it to an external server by encoding it in a DNS request.

Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 5 hours and 44 minutes before removal. Socket users were protected even while the package was live.

This file collects home directory, hostname, username, DNS server details, and other system information, then sends it via HTTPS POST to a suspicious domain (w2z94hflp7clou8ffe7a7pd30u6lubi0[.]oastify[.]com) without user knowledge or consent. The behavior indicates data exfiltration with malicious intent.

Live on npm for 1 day, 9 hours and 15 minutes before removal. Socket users were protected even while the package was live.

The code is collecting and transmitting sensitive system data to an external server without user consent, indicating malicious intent. The domain used for data transmission is suspicious, further supporting the conclusion of potential data theft.

Live on npm for 1 hour and 44 minutes before removal. Socket users were protected even while the package was live.

The script is downloading a file from a remote server. This behavior is potentially risky as it could download malicious code onto the system.

The code is highly malicious, as it collects potentially sensitive system information and sends it to an external server, and potentially gives an attacker full control over the system by creating a reverse shell. This script poses a severe security risk and should not be used.

Live on npm for 7 days, 19 hours and 26 minutes before removal. Socket users were protected even while the package was live.

The package's preinstall script executes a command that sends system information (output of 'uname -a', 'ps', and 'pwd') to a remote server at rb65cdp5wz7k934qf6tjpkjht8z7n0bp[.]oastify[.]com via curl, indicating deliberate exfiltration of sensitive data and malicious intent.

Live on npm for 80 days, 16 hours and 6 minutes before removal. Socket users were protected even while the package was live.

This file collects sensitive system details (home directory, hostname, username, DNS servers) and transmits them via HTTPS to a suspicious external domain (wjlmgboaixijetkhmbmx0mogjvhj6ik97[.]oast[.]fun) without user knowledge or consent. This behavior constitutes data exfiltration and poses a significant security risk.

Live on npm for 11 days, 21 hours and 34 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 3 hours and 50 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect sensitive system and package information and send it to an external server without user consent. This behavior is indicative of data exfiltration and poses a significant security risk.

Live on npm for 2 days, 5 hours and 28 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles the legitimate 'azure' package, suggesting it could be a typosquat. The maintainers list includes 'npm', which is not a specific individual or organization, adding to the suspicion. The description does not provide any distinct purpose or functionality, further indicating it might be a placeholder to prevent typosquatting.

Live on npm for 6 hours and 35 minutes before removal. Socket users were protected even while the package was live.

The code exhibits characteristics typical of malicious behavior through its use of `eval`, obfuscated variable names, and dynamic data handling. Caution is advised as it could lead to arbitrary code execution and potential information leaks.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

The package's scripts ('preinstall', 'install', 'postinstall') contain code that establishes a reverse shell connection to the IP address 162[.]219[.]121[.]44 on port 2333. This allows an attacker to execute commands remotely on the compromised machine.

Live on npm for 15 days, 19 hours and 34 minutes before removal. Socket users were protected even while the package was live.

The script runs 'index.js' and silences all output, which could be a method to hide malicious actions or errors. The safety of this script depends on the contents of 'index.js'.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.