Secure your dependencies. Ship with confidence.

The code poses a significant security risk and should be reviewed. It is recommended to remove unnecessary imports, verify the contents of the data folder and the WordPress websites before proceeding, and avoid using hardcoded credentials for WordPress login.

Live on npm for 3 hours and 19 minutes before removal. Socket users were protected even while the package was live.

This script is potentially malicious as it sends sensitive information (environment variables) to a remote server without the user's knowledge or consent. It should be treated as a high security risk.

The script poses a high security risk as malware due to its ability to alter disk partitions without user interaction, leading to data loss or system damage.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 1 hour and 13 minutes before removal. Socket users were protected even while the package was live.

The script 'packer/provisioners/post_install.sh' exhibits malicious behavior by performing several harmful actions: - **Deletes user and root history files**: Uses secure deletion methods to remove history files, potentially to conceal malicious activities. - **Clears system log files**: Erases log files from '/var/log', hindering the ability to audit and investigate system actions. - **Disables the root account**: Locks the root account password without ensuring alternative secure administrative access, possibly preventing legitimate administrative operations. - **Sets a weak default password ('changeme') for the 'admin' user**: Introduces a significant security risk by using an easily guessable password, facilitating unauthorized access. These actions can be exploited by an attacker to gain unauthorized access, disrupt legitimate operations, and prevent system recovery. The combination of log and history deletion, disabling of root access, and setting weak credentials indicates malicious intent to compromise system security and conceal nefarious activities.

The script poses a high security risk as malware due to its ability to alter disk partitions without user interaction, leading to data loss or system damage.

This file executes a reverse shell by invoking 'exec' to run a shell command that fetches a script from https://reverse-shell[.]sh/10[.]0[.]20[.]139:1337 and pipes it to 'sh', providing unauthorized remote access to the system.

Live on npm for 22 days, 15 hours and 9 minutes before removal. Socket users were protected even while the package was live.

The code presents significant security risks due to its ability to download and execute files from potentially untrusted sources. The lack of error handling and validation increases the risk of executing malicious code. The recursive call in init_helper is also problematic and could lead to unintended behavior.

Live on PyPI for 34 minutes before removal. Socket users were protected even while the package was live.

The code is a shell script intended to deploy a Docker-based Monero miner using XMRig. It first detects the underlying operating system and accordingly installs Docker while removing potential package conflicts on Ubuntu. The script manages a sensitive configuration passphrase—either using an environment variable or by retrieving it from AWS Secrets Manager—and stores it securely on disk. It then creates and enables a systemd service that runs the miner container in privileged mode. The design of the script poses a high risk if executed without proper authorization, as it illicitly commandeers system resources for cryptocurrency mining. Furthermore, the use of privileged Docker execution introduces a serious security vulnerability that could allow an attacker to escape the container environment and compromise the host system.

The provided code has unusual variable and function names, which may be indicative of obfuscation or an attempt to disguise its true purpose. The imported modules have non-descriptive names, and their origins and behavior are not clear from the code snippet alone. Without further information about these modules, it is challenging to fully assess the intent and security risk. The code itself does not perform any immediately obvious malicious actions, but the use of these potentially suspicious modules suggests that further investigation is warranted.

Live on npm for 43 days, 3 hours and 51 minutes before removal. Socket users were protected even while the package was live.

The script is downloading and executing remote scripts, which poses a high security risk. The content of the remote scripts should be thoroughly inspected to ensure they are not malicious.

Live on npm for 1 day, 8 hours and 10 minutes before removal. Socket users were protected even while the package was live.

The code is highly suspicious and likely malicious, as it exfiltrates sensitive client credentials to an untrusted external domain repeatedly without proper safeguards. It contains coding errors that would cause runtime failures, but the intent to steal credentials is clear. This module poses a significant supply chain security risk and should be removed or thoroughly audited before use.

Possible 1-step D-L dist typosquat of sm-commons - Explanation: The package 'fe-commons' is labeled as a 'security holding package', which is often used to prevent typosquatting. The names 'fe-commons' and 'sm-commons' are not similar enough to be a typical typo, but the lack of maintainers and the security holding description make it suspicious. Fe-commons is a security holding package

Live on npm for 9 hours and 56 minutes before removal. Socket users were protected even while the package was live.

The code imports the 'exec' function from the 'child_process' module and executes a shell command that retrieves the current system username using 'whoami'. It then performs a DNS query to '[username].xij0zeveed2uvtx4yijhzj2fn6txhp5e.oastify[.]com' by running 'host' on that domain. This behavior exfiltrates the system's username to an external domain 'oastify[.]com' without user consent, indicating malicious intent and posing a significant security risk.

Live on npm for 12 days, 18 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by exfiltrating system and user data to external servers without user consent. This poses a significant security risk and privacy violation.

Live on npm for 17 minutes before removal. Socket users were protected even while the package was live.

The preinstall script makes an HTTP request to http[:]//172[.]19[.]110[.]197:8080, which is an unusual pattern and may indicate unintended or unexpected behavior. While this network call could be harmless or related to internal testing, it presents a potential risk because it connects to an external IP address in a manner that is not clearly documented or explained.

The code contains suspicious patterns such as typos, dynamic imports, and extensive use of dynamic execution. While these may be legitimate design choices, they can also be indicative of attempts to evade static analysis or inject malicious behavior. Further scrutiny and context are needed to determine the actual intent.

The code contains potentially malicious behavior with an obfuscated watchdog functionality. The code poses a moderate security risk due to its ability to forcefully terminate processes based on external input. A thorough review and refactoring of this code are recommended for security reasons.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 54 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 59 minutes before removal. Socket users were protected even while the package was live.

The code is likely engaging in data exfiltration by sending system and network information over the network. While it does not contain any obvious malicious payloads, the act of sending system information without explicit user consent is a potential privacy violation. The hardcoded value for the `id` variable and the use of ICMP ping requests could be indicators of suspicious behavior. The code should be reviewed for its purpose and necessity.

Live on npm for 1 hour and 34 minutes before removal. Socket users were protected even while the package was live.

The code sends tracking data without user consent, potentially violating user privacy. The obfuscation of the domain name and inclusion of sensitive information in the tracking data raises concerns about the intent and security of the code. Therefore, this code poses a security risk and should be reviewed.

Live on npm for 9 hours and 54 minutes before removal. Socket users were protected even while the package was live.

An obfuscated module takes a username/password array, prints it to the console, and issues an HTTP POST to the API host (as returned by getApiHost()) at the path '/api/auth', sending the credentials in JSON. If the server’s JSON response has a truthy `data.status`, it writes the plaintext credentials as "username/password" into a hidden file at '../../../.auth'; otherwise it deletes that file. All string literals are hidden behind a hex-indexed decoding function to thwart analysis. Credentials are neither encrypted in transit nor at rest, and the hidden file may be used for persistent backdoor access. The remote host portion of the URL should be considered malicious if controlled by an attacker.

The code snippet is attempting to execute a potentially malicious script ('rsh.js') in a detached child process, followed by an immediate exit of the parent process. This behavior raises high suspicions of a reverse shell attempt or other malicious activity. Caution is advised.

Live on npm for 17 minutes before removal. Socket users were protected even while the package was live.

This file contains malicious code that functions as a backdoor with data exfiltration and remote code execution capabilities. The code systematically collects sensitive system information including all environment variables, platform details, hostname, username, and MAC addresses from network interfaces. This data is then transmitted via HTTP POST request to a suspicious remote server at https://log-server-lovat[.]vercel[.]app/api/ipcheck/703 with a custom header 'x-secret-header: secret'. After sending the collected data, the malware evaluates the server's response as JavaScript code using eval(), enabling arbitrary remote code execution. The code employs obfuscation by hex-encoding critical strings like 'require', 'axios', 'post', and the target URL to evade detection. Error handling is deliberately suppressed to prevent detection of failed operations. This represents a critical supply chain attack vector that compromises system security through both data theft and remote control capabilities.

Live on npm for 11 days, 10 hours and 27 minutes before removal. Socket users were protected even while the package was live.

The code poses a significant security risk and should be reviewed. It is recommended to remove unnecessary imports, verify the contents of the data folder and the WordPress websites before proceeding, and avoid using hardcoded credentials for WordPress login.

Live on npm for 3 hours and 19 minutes before removal. Socket users were protected even while the package was live.

This script is potentially malicious as it sends sensitive information (environment variables) to a remote server without the user's knowledge or consent. It should be treated as a high security risk.

The script poses a high security risk as malware due to its ability to alter disk partitions without user interaction, leading to data loss or system damage.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 1 hour and 13 minutes before removal. Socket users were protected even while the package was live.

The script 'packer/provisioners/post_install.sh' exhibits malicious behavior by performing several harmful actions: - **Deletes user and root history files**: Uses secure deletion methods to remove history files, potentially to conceal malicious activities. - **Clears system log files**: Erases log files from '/var/log', hindering the ability to audit and investigate system actions. - **Disables the root account**: Locks the root account password without ensuring alternative secure administrative access, possibly preventing legitimate administrative operations. - **Sets a weak default password ('changeme') for the 'admin' user**: Introduces a significant security risk by using an easily guessable password, facilitating unauthorized access. These actions can be exploited by an attacker to gain unauthorized access, disrupt legitimate operations, and prevent system recovery. The combination of log and history deletion, disabling of root access, and setting weak credentials indicates malicious intent to compromise system security and conceal nefarious activities.

The script poses a high security risk as malware due to its ability to alter disk partitions without user interaction, leading to data loss or system damage.

This file executes a reverse shell by invoking 'exec' to run a shell command that fetches a script from https://reverse-shell[.]sh/10[.]0[.]20[.]139:1337 and pipes it to 'sh', providing unauthorized remote access to the system.

Live on npm for 22 days, 15 hours and 9 minutes before removal. Socket users were protected even while the package was live.

The code presents significant security risks due to its ability to download and execute files from potentially untrusted sources. The lack of error handling and validation increases the risk of executing malicious code. The recursive call in init_helper is also problematic and could lead to unintended behavior.

Live on PyPI for 34 minutes before removal. Socket users were protected even while the package was live.

The code is a shell script intended to deploy a Docker-based Monero miner using XMRig. It first detects the underlying operating system and accordingly installs Docker while removing potential package conflicts on Ubuntu. The script manages a sensitive configuration passphrase—either using an environment variable or by retrieving it from AWS Secrets Manager—and stores it securely on disk. It then creates and enables a systemd service that runs the miner container in privileged mode. The design of the script poses a high risk if executed without proper authorization, as it illicitly commandeers system resources for cryptocurrency mining. Furthermore, the use of privileged Docker execution introduces a serious security vulnerability that could allow an attacker to escape the container environment and compromise the host system.

The provided code has unusual variable and function names, which may be indicative of obfuscation or an attempt to disguise its true purpose. The imported modules have non-descriptive names, and their origins and behavior are not clear from the code snippet alone. Without further information about these modules, it is challenging to fully assess the intent and security risk. The code itself does not perform any immediately obvious malicious actions, but the use of these potentially suspicious modules suggests that further investigation is warranted.

Live on npm for 43 days, 3 hours and 51 minutes before removal. Socket users were protected even while the package was live.

The script is downloading and executing remote scripts, which poses a high security risk. The content of the remote scripts should be thoroughly inspected to ensure they are not malicious.

Live on npm for 1 day, 8 hours and 10 minutes before removal. Socket users were protected even while the package was live.

The code is highly suspicious and likely malicious, as it exfiltrates sensitive client credentials to an untrusted external domain repeatedly without proper safeguards. It contains coding errors that would cause runtime failures, but the intent to steal credentials is clear. This module poses a significant supply chain security risk and should be removed or thoroughly audited before use.

Possible 1-step D-L dist typosquat of sm-commons - Explanation: The package 'fe-commons' is labeled as a 'security holding package', which is often used to prevent typosquatting. The names 'fe-commons' and 'sm-commons' are not similar enough to be a typical typo, but the lack of maintainers and the security holding description make it suspicious. Fe-commons is a security holding package

Live on npm for 9 hours and 56 minutes before removal. Socket users were protected even while the package was live.

The code imports the 'exec' function from the 'child_process' module and executes a shell command that retrieves the current system username using 'whoami'. It then performs a DNS query to '[username].xij0zeveed2uvtx4yijhzj2fn6txhp5e.oastify[.]com' by running 'host' on that domain. This behavior exfiltrates the system's username to an external domain 'oastify[.]com' without user consent, indicating malicious intent and posing a significant security risk.

Live on npm for 12 days, 18 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by exfiltrating system and user data to external servers without user consent. This poses a significant security risk and privacy violation.

Live on npm for 17 minutes before removal. Socket users were protected even while the package was live.

The preinstall script makes an HTTP request to http[:]//172[.]19[.]110[.]197:8080, which is an unusual pattern and may indicate unintended or unexpected behavior. While this network call could be harmless or related to internal testing, it presents a potential risk because it connects to an external IP address in a manner that is not clearly documented or explained.

The code contains suspicious patterns such as typos, dynamic imports, and extensive use of dynamic execution. While these may be legitimate design choices, they can also be indicative of attempts to evade static analysis or inject malicious behavior. Further scrutiny and context are needed to determine the actual intent.

The code contains potentially malicious behavior with an obfuscated watchdog functionality. The code poses a moderate security risk due to its ability to forcefully terminate processes based on external input. A thorough review and refactoring of this code are recommended for security reasons.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 54 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 59 minutes before removal. Socket users were protected even while the package was live.

The code is likely engaging in data exfiltration by sending system and network information over the network. While it does not contain any obvious malicious payloads, the act of sending system information without explicit user consent is a potential privacy violation. The hardcoded value for the `id` variable and the use of ICMP ping requests could be indicators of suspicious behavior. The code should be reviewed for its purpose and necessity.

Live on npm for 1 hour and 34 minutes before removal. Socket users were protected even while the package was live.

The code sends tracking data without user consent, potentially violating user privacy. The obfuscation of the domain name and inclusion of sensitive information in the tracking data raises concerns about the intent and security of the code. Therefore, this code poses a security risk and should be reviewed.

Live on npm for 9 hours and 54 minutes before removal. Socket users were protected even while the package was live.

An obfuscated module takes a username/password array, prints it to the console, and issues an HTTP POST to the API host (as returned by getApiHost()) at the path '/api/auth', sending the credentials in JSON. If the server’s JSON response has a truthy `data.status`, it writes the plaintext credentials as "username/password" into a hidden file at '../../../.auth'; otherwise it deletes that file. All string literals are hidden behind a hex-indexed decoding function to thwart analysis. Credentials are neither encrypted in transit nor at rest, and the hidden file may be used for persistent backdoor access. The remote host portion of the URL should be considered malicious if controlled by an attacker.

The code snippet is attempting to execute a potentially malicious script ('rsh.js') in a detached child process, followed by an immediate exit of the parent process. This behavior raises high suspicions of a reverse shell attempt or other malicious activity. Caution is advised.

Live on npm for 17 minutes before removal. Socket users were protected even while the package was live.

This file contains malicious code that functions as a backdoor with data exfiltration and remote code execution capabilities. The code systematically collects sensitive system information including all environment variables, platform details, hostname, username, and MAC addresses from network interfaces. This data is then transmitted via HTTP POST request to a suspicious remote server at https://log-server-lovat[.]vercel[.]app/api/ipcheck/703 with a custom header 'x-secret-header: secret'. After sending the collected data, the malware evaluates the server's response as JavaScript code using eval(), enabling arbitrary remote code execution. The code employs obfuscation by hex-encoding critical strings like 'require', 'axios', 'post', and the target URL to evade detection. Error handling is deliberately suppressed to prevent detection of failed operations. This represents a critical supply chain attack vector that compromises system security through both data theft and remote control capabilities.

Live on npm for 11 days, 10 hours and 27 minutes before removal. Socket users were protected even while the package was live.