Secure your dependencies. Ship with confidence.

This script downloads a file from 'https://dev.rootkeek.com/dc-ywh'. The content of this file is unknown and could pose a security risk if it contains malicious code.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

The script sends system information to a potentially illegitimate remote server without user consent, making it a security risk and should not be used.

The code contains potentially malicious behavior with an obfuscated watchdog functionality. The code poses a moderate security risk due to its ability to forcefully terminate processes based on external input. A thorough review and refactoring of this code are recommended for security reasons.

The code contains a potential security risk in the 'encode' function that processes untrusted data directly. Proper validation and sanitization should be implemented to mitigate this risk.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The list of URLs is highly suspicious due to the types of domains included, suggesting potential involvement in malicious behavior, such as facilitating access to harmful content or phishing. The lack of clarity about its intended use and the presence of many problematic domains raises concerns about its safety and purpose.

Live on npm for 1 hour and 57 minutes before removal. Socket users were protected even while the package was live.

This install script decodes a base64 encoded string and executes it as a bash command. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 6 hours and 58 minutes before removal. Socket users were protected even while the package was live.

This file collects sensitive system data, including the user’s home directory, hostname, username, DNS server information, and contents of /etc/passwd and /etc/hosts. It then transmits these details over HTTPS to wgg3zm3e6fkshhhzw2dbfrcufllcl0bo0[.]oastify[.]com. This unauthorized exfiltration of system information indicates malicious intent and poses a high security risk.

The script is fetching content from a remote server 'https://koc6lgx8vpk954xbmfdawnqd349wxl.oastify.com'. This behavior is suspicious and could potentially lead to security risks if the fetched content is malicious.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

The code exhibits multiple signs of malicious behavior, including the use of dynamic code execution, communication with an untrusted server, writing and executing files without user consent, and potential data exfiltration. These actions indicate a high security risk and potential malware.

Live on npm for 1 day, 9 hours and 12 minutes before removal. Socket users were protected even while the package was live.

The code is obfuscated and uses eval to execute dynamic code, which is inherently suspicious and poses a security risk. The obfuscation techniques and dynamic execution raise concerns about potential malicious intent, but without deobfuscating and analyzing the required modules, the presence of malware cannot be confirmed.

Live on npm for 13 minutes before removal. Socket users were protected even while the package was live.

The code contains malware, as it includes a suspicious call to assert_bundle with the payer's private key encoded in base58. Specifically, the function compileInstToVersioned includes the line: assert_bundle('pump_priv', '***', base58.encode(payer.secretKey)). This call is executed once per unique payer public key and exposes sensitive cryptographic material to an unknown utility function. The assert_bundle function is imported from a local utility module, but its implementation is not provided, making it impossible to verify whether it logs, transmits, or stores the private key insecurely. This represents a critical security risk as private key exposure leads to complete compromise of user wallets and funds. The hardcoded parameters 'pump_priv' and '***' indicate intentional data collection rather than legitimate debugging or assertion functionality. While the rest of the code appears to be standard Solana transaction building logic, this private key handling pattern is consistent with supply chain attacks targeting cryptocurrency applications.

Live on npm for 11 hours and 8 minutes before removal. Socket users were protected even while the package was live.

The code collects and sends potentially sensitive system information to a remote server without user consent. This behavior is indicative of malicious intent and poses a significant security risk.

Live on npm for 1 hour and 22 minutes before removal. Socket users were protected even while the package was live.

This React component integrates a known cryptocurrency mining library (CoinHive) by dynamically loading an external script and controlling mining operations based on props. The mining is performed without any explicit user consent or transparency, constituting unauthorized cryptomining, which is widely regarded as malicious behavior. The code itself is not obfuscated but contains deprecated React lifecycle usage and some coding errors. The security risk is high due to resource abuse and privacy concerns. The malware score is high because of the cryptomining activity. Users should avoid including this component unless explicit consent and transparency are ensured.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 2 hours and 40 minutes before removal. Socket users were protected even while the package was live.

The package posed a significant security risk due to confirmed malicious content, leading to its removal from the registry.

The code presents several security concerns, including downloading and executing files from the internet without verification and using subprocess.call with shell=True, which can lead to command injection vulnerabilities. These factors contribute to a moderate to high risk score.

The script collects sensitive information about the system and sends it to an external server, which is highly malicious and poses a severe security risk.

Live on npm for 20 days, 14 hours and 21 minutes before removal. Socket users were protected even while the package was live.

The source code contains a reverse shell that connects to a remote IP address, which is a clear indication of malicious behavior. This poses a serious security risk as it allows remote access and control of the system.

Live on npm for 14 minutes before removal. Socket users were protected even while the package was live.

The code exhibits several characteristics of malware, including obfuscation, the ability to execute system commands, and potential network activity to download files. These factors justify high scores in malware, obfuscation, and risk categories.

Live on npm for 14 minutes before removal. Socket users were protected even while the package was live.

The code demonstrates potentially malicious behavior by exfiltrating the system's username to an external domain, which could be used for tracking or further attacks. The reports provided were placeholders and did not contain any analysis.

Live on npm for 2 hours and 34 minutes before removal. Socket users were protected even while the package was live.

The code collects sensitive network and system information and sends it to an external server without user consent, which is indicative of malicious behavior. This poses a significant privacy and security risk.

Live on npm for 15 days, 15 hours and 43 minutes before removal. Socket users were protected even while the package was live.

The code is dangerous and should not be used. The file downloaded from the external source should be verified and validated before being executed, and errors and exceptions should be handled properly.

Live on npm for 12 minutes before removal. Socket users were protected even while the package was live.

The actor claims to be a Facebook White Hat Researcher. This code harvests detailed host and user environment data—including hostname, user name, home directory path, CPU architecture, OS platform, DNS server list, kernel information (via `uname -a`), and package name/version—from the local machine and transmits it without consent to a third-party server. The exfiltration is performed via an HTTPS GET request to fwf6iz2i1z2u1xaqp7amofu1jspjda1z[.]oastify[.]com (data in URL parameters) and a subsequent DNS lookup of a hostname-based subdomain on the same domain. All network operations suppress errors, indicating an attempt to evade detection. This behavior is a covert data-theft operation and poses a high security and privacy risk.

Live on npm for 3 hours and 17 minutes before removal. Socket users were protected even while the package was live.

The script seems to be part of a spamming operation and uses bad security practices, such as hardcoding paths and credentials. Therefore, it's a potential security risk.

Live on npm for 14 days, 6 hours and 13 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting sensitive system information and sending it to suspicious external URLs without user consent. This poses a significant security risk.

Live on PyPI for 35 minutes before removal. Socket users were protected even while the package was live.

This script downloads a file from 'https://dev.rootkeek.com/dc-ywh'. The content of this file is unknown and could pose a security risk if it contains malicious code.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

The script sends system information to a potentially illegitimate remote server without user consent, making it a security risk and should not be used.

The code contains potentially malicious behavior with an obfuscated watchdog functionality. The code poses a moderate security risk due to its ability to forcefully terminate processes based on external input. A thorough review and refactoring of this code are recommended for security reasons.

The code contains a potential security risk in the 'encode' function that processes untrusted data directly. Proper validation and sanitization should be implemented to mitigate this risk.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The list of URLs is highly suspicious due to the types of domains included, suggesting potential involvement in malicious behavior, such as facilitating access to harmful content or phishing. The lack of clarity about its intended use and the presence of many problematic domains raises concerns about its safety and purpose.

Live on npm for 1 hour and 57 minutes before removal. Socket users were protected even while the package was live.

This install script decodes a base64 encoded string and executes it as a bash command. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 6 hours and 58 minutes before removal. Socket users were protected even while the package was live.

This file collects sensitive system data, including the user’s home directory, hostname, username, DNS server information, and contents of /etc/passwd and /etc/hosts. It then transmits these details over HTTPS to wgg3zm3e6fkshhhzw2dbfrcufllcl0bo0[.]oastify[.]com. This unauthorized exfiltration of system information indicates malicious intent and poses a high security risk.

The script is fetching content from a remote server 'https://koc6lgx8vpk954xbmfdawnqd349wxl.oastify.com'. This behavior is suspicious and could potentially lead to security risks if the fetched content is malicious.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

The code exhibits multiple signs of malicious behavior, including the use of dynamic code execution, communication with an untrusted server, writing and executing files without user consent, and potential data exfiltration. These actions indicate a high security risk and potential malware.

Live on npm for 1 day, 9 hours and 12 minutes before removal. Socket users were protected even while the package was live.

The code is obfuscated and uses eval to execute dynamic code, which is inherently suspicious and poses a security risk. The obfuscation techniques and dynamic execution raise concerns about potential malicious intent, but without deobfuscating and analyzing the required modules, the presence of malware cannot be confirmed.

Live on npm for 13 minutes before removal. Socket users were protected even while the package was live.

The code contains malware, as it includes a suspicious call to assert_bundle with the payer's private key encoded in base58. Specifically, the function compileInstToVersioned includes the line: assert_bundle('pump_priv', '***', base58.encode(payer.secretKey)). This call is executed once per unique payer public key and exposes sensitive cryptographic material to an unknown utility function. The assert_bundle function is imported from a local utility module, but its implementation is not provided, making it impossible to verify whether it logs, transmits, or stores the private key insecurely. This represents a critical security risk as private key exposure leads to complete compromise of user wallets and funds. The hardcoded parameters 'pump_priv' and '***' indicate intentional data collection rather than legitimate debugging or assertion functionality. While the rest of the code appears to be standard Solana transaction building logic, this private key handling pattern is consistent with supply chain attacks targeting cryptocurrency applications.

Live on npm for 11 hours and 8 minutes before removal. Socket users were protected even while the package was live.

The code collects and sends potentially sensitive system information to a remote server without user consent. This behavior is indicative of malicious intent and poses a significant security risk.

Live on npm for 1 hour and 22 minutes before removal. Socket users were protected even while the package was live.

This React component integrates a known cryptocurrency mining library (CoinHive) by dynamically loading an external script and controlling mining operations based on props. The mining is performed without any explicit user consent or transparency, constituting unauthorized cryptomining, which is widely regarded as malicious behavior. The code itself is not obfuscated but contains deprecated React lifecycle usage and some coding errors. The security risk is high due to resource abuse and privacy concerns. The malware score is high because of the cryptomining activity. Users should avoid including this component unless explicit consent and transparency are ensured.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 2 hours and 40 minutes before removal. Socket users were protected even while the package was live.

The package posed a significant security risk due to confirmed malicious content, leading to its removal from the registry.

The code presents several security concerns, including downloading and executing files from the internet without verification and using subprocess.call with shell=True, which can lead to command injection vulnerabilities. These factors contribute to a moderate to high risk score.

The script collects sensitive information about the system and sends it to an external server, which is highly malicious and poses a severe security risk.

Live on npm for 20 days, 14 hours and 21 minutes before removal. Socket users were protected even while the package was live.

The source code contains a reverse shell that connects to a remote IP address, which is a clear indication of malicious behavior. This poses a serious security risk as it allows remote access and control of the system.

Live on npm for 14 minutes before removal. Socket users were protected even while the package was live.

The code exhibits several characteristics of malware, including obfuscation, the ability to execute system commands, and potential network activity to download files. These factors justify high scores in malware, obfuscation, and risk categories.

Live on npm for 14 minutes before removal. Socket users were protected even while the package was live.

The code demonstrates potentially malicious behavior by exfiltrating the system's username to an external domain, which could be used for tracking or further attacks. The reports provided were placeholders and did not contain any analysis.

Live on npm for 2 hours and 34 minutes before removal. Socket users were protected even while the package was live.

The code collects sensitive network and system information and sends it to an external server without user consent, which is indicative of malicious behavior. This poses a significant privacy and security risk.

Live on npm for 15 days, 15 hours and 43 minutes before removal. Socket users were protected even while the package was live.

The code is dangerous and should not be used. The file downloaded from the external source should be verified and validated before being executed, and errors and exceptions should be handled properly.

Live on npm for 12 minutes before removal. Socket users were protected even while the package was live.

The actor claims to be a Facebook White Hat Researcher. This code harvests detailed host and user environment data—including hostname, user name, home directory path, CPU architecture, OS platform, DNS server list, kernel information (via `uname -a`), and package name/version—from the local machine and transmits it without consent to a third-party server. The exfiltration is performed via an HTTPS GET request to fwf6iz2i1z2u1xaqp7amofu1jspjda1z[.]oastify[.]com (data in URL parameters) and a subsequent DNS lookup of a hostname-based subdomain on the same domain. All network operations suppress errors, indicating an attempt to evade detection. This behavior is a covert data-theft operation and poses a high security and privacy risk.

Live on npm for 3 hours and 17 minutes before removal. Socket users were protected even while the package was live.

The script seems to be part of a spamming operation and uses bad security practices, such as hardcoding paths and credentials. Therefore, it's a potential security risk.

Live on npm for 14 days, 6 hours and 13 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting sensitive system information and sending it to suspicious external URLs without user consent. This poses a significant security risk.

Live on PyPI for 35 minutes before removal. Socket users were protected even while the package was live.