Secure your dependencies. Ship with confidence.

This is a tool designed for Instagram engagement manipulation that collects and transmits Instagram credentials to multiple third-party services. While not traditional malware, it poses significant security risks to users by sending their credentials to untrusted services and could lead to account compromise or suspension for violating Instagram's terms of service.

Live on PyPI for 3 hours and 49 minutes before removal. Socket users were protected even while the package was live.

The package contains heavily obfuscated code that interacts with an Ethereum smart contract to retrieve data used in constructing a download URL specific to the user's operating system. Without user consent or validation, the code downloads an executable file from this URL and executes it in the background. This behavior allows for the execution of malicious code on the user's system.

Live on npm for 24 days, 15 hours and 34 minutes before removal. Socket users were protected even while the package was live.

The code appears to be malicious as it exfiltrates sensitive environment variables to an external server without any legitimate reason. This can lead to credential theft and is a significant security risk.

Live on npm for 2 hours and 36 minutes before removal. Socket users were protected even while the package was live.

This code is intentionally obfuscated and uses DNS queries to exfiltrate system information, which could be a significant security risk. The hardcoded domain and the potential data exfiltration raise concerns about privacy violations. This package should be reviewed carefully before being used.

The script is designed to capture the current user's identity and send it to a remote server, which is a clear indication of malicious behavior.

Live on npm for 9 days, 21 hours and 52 minutes before removal. Socket users were protected even while the package was live.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

The code provides functionality for executing arbitrary shellcode and injecting libraries into processes, which are high-risk operations that can be exploited for malicious purposes. The use of unsafe memory operations and dynamic library injection are particularly concerning.

The code exhibits several features typical of malicious behavior, including the ability to execute arbitrary commands, manipulate the filesystem, and handle sensitive environment variables. The framework's name and functionality suggest potential use in unauthorized access. Caution is advised, and the code should not be used in a production environment.

The code collects and sends potentially sensitive system data to a remote server without user consent, which is indicative of malicious behavior. This poses a significant security risk due to unauthorized data transmission.

Live on npm for 3 hours and 29 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 27 minutes before removal. Socket users were protected even while the package was live.

The code contains cryptographic functions for AES encryption and authentication using GCM. However, it uses low-level buffer manipulation and bitwise operations that could introduce vulnerabilities. A thorough review and testing are necessary to ensure security.

While the execution of 'build.js' may be standard, the subsequent curl command raises concerns about potential data exfiltration or telemetry to an external server.

The script exhibits malicious behavior by sending potentially sensitive environment variables to an external server without user consent. The use of obfuscation techniques and the suspicious domain further indicate malicious intent.

Live on npm for 11 minutes before removal. Socket users were protected even while the package was live.

The code contains potentially malicious behavior by modifying system files to allow unauthorized access and sending sensitive information to an external server. This poses a significant security risk.

Live on npm for 25 days, 4 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The code shows clear signs of data collection and exfiltration using DNS queries, which is a well-known method for bypassing firewall rules and exfiltrating data surreptitiously. This is likely malicious behavior designed to collect and transmit sensitive data from user environments without their knowledge.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

The code is malicious as it collects and sends sensitive system information to an external server without user consent. The use of obfuscation further suggests an attempt to hide its true purpose.

Live on npm for 1 hour before removal. Socket users were protected even while the package was live.

The provided source code is performing malicious activities by exfiltrating sensitive system information to a remote server. This behavior is indicative of data theft and poses a significant security risk.

Live on npm for 1 hour and 31 minutes before removal. Socket users were protected even while the package was live.

The script attempts to load a local module and ignores any errors that arise. This behavior is suspicious and could indicate an attempt to execute untrusted code without alerting the user.

The code exhibits behavior typical of malware, including data exfiltration and potential execution of arbitrary code. The use of obfuscation and eval() increases the security risk significantly.

Live on npm for 26 days, 23 hours and 6 minutes before removal. Socket users were protected even while the package was live.

This file defines a sendEmail function that, instead of sending mail through a legitimate SMTP or trusted API, exfiltrates all provided email fields (from, to, subject, message) along with added metadata (source, from_email, to_email) via an unencrypted HTTP POST to the hardcoded endpoint http://emails[.]egytag[.]com/api/emails/add. The behavior occurs without user consent or configuration, leaks potentially sensitive message contents to an untrusted third party, and constitutes a deliberate data-theft backdoor.

The code contains multiple security risks including potential command injection, improper handling of user input, and usage of external libraries with unknown behavior. Proper input validation and sanitization should be implemented to mitigate these risks. The dynamic execution of system commands and dynamic file path construction without proper validation pose significant security threats. Further review and hardening of the code are highly recommended.

Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.

The source code exhibits behavior consistent with data exfiltration malware. It collects sensitive system information and sends it to external endpoints without user consent, posing a significant security risk.

Live on npm for 36 days, 9 hours and 44 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 2 hours and 12 minutes before removal. Socket users were protected even while the package was live.

The code is highly malicious and represents a severe supply chain security risk. It downloads and executes remote code dynamically using obfuscated techniques to evade detection. This behavior is characteristic of malware and backdoors, posing a critical threat to any system using this package. Immediate removal and investigation are strongly recommended.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 1 hour and 53 minutes before removal. Socket users were protected even while the package was live.

This is a tool designed for Instagram engagement manipulation that collects and transmits Instagram credentials to multiple third-party services. While not traditional malware, it poses significant security risks to users by sending their credentials to untrusted services and could lead to account compromise or suspension for violating Instagram's terms of service.

Live on PyPI for 3 hours and 49 minutes before removal. Socket users were protected even while the package was live.

The package contains heavily obfuscated code that interacts with an Ethereum smart contract to retrieve data used in constructing a download URL specific to the user's operating system. Without user consent or validation, the code downloads an executable file from this URL and executes it in the background. This behavior allows for the execution of malicious code on the user's system.

Live on npm for 24 days, 15 hours and 34 minutes before removal. Socket users were protected even while the package was live.

The code appears to be malicious as it exfiltrates sensitive environment variables to an external server without any legitimate reason. This can lead to credential theft and is a significant security risk.

Live on npm for 2 hours and 36 minutes before removal. Socket users were protected even while the package was live.

This code is intentionally obfuscated and uses DNS queries to exfiltrate system information, which could be a significant security risk. The hardcoded domain and the potential data exfiltration raise concerns about privacy violations. This package should be reviewed carefully before being used.

The script is designed to capture the current user's identity and send it to a remote server, which is a clear indication of malicious behavior.

Live on npm for 9 days, 21 hours and 52 minutes before removal. Socket users were protected even while the package was live.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

The code provides functionality for executing arbitrary shellcode and injecting libraries into processes, which are high-risk operations that can be exploited for malicious purposes. The use of unsafe memory operations and dynamic library injection are particularly concerning.

The code exhibits several features typical of malicious behavior, including the ability to execute arbitrary commands, manipulate the filesystem, and handle sensitive environment variables. The framework's name and functionality suggest potential use in unauthorized access. Caution is advised, and the code should not be used in a production environment.

The code collects and sends potentially sensitive system data to a remote server without user consent, which is indicative of malicious behavior. This poses a significant security risk due to unauthorized data transmission.

Live on npm for 3 hours and 29 minutes before removal. Socket users were protected even while the package was live.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 27 minutes before removal. Socket users were protected even while the package was live.

The code contains cryptographic functions for AES encryption and authentication using GCM. However, it uses low-level buffer manipulation and bitwise operations that could introduce vulnerabilities. A thorough review and testing are necessary to ensure security.

While the execution of 'build.js' may be standard, the subsequent curl command raises concerns about potential data exfiltration or telemetry to an external server.

The script exhibits malicious behavior by sending potentially sensitive environment variables to an external server without user consent. The use of obfuscation techniques and the suspicious domain further indicate malicious intent.

Live on npm for 11 minutes before removal. Socket users were protected even while the package was live.

The code contains potentially malicious behavior by modifying system files to allow unauthorized access and sending sensitive information to an external server. This poses a significant security risk.

Live on npm for 25 days, 4 hours and 45 minutes before removal. Socket users were protected even while the package was live.

The code shows clear signs of data collection and exfiltration using DNS queries, which is a well-known method for bypassing firewall rules and exfiltrating data surreptitiously. This is likely malicious behavior designed to collect and transmit sensitive data from user environments without their knowledge.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

The code is malicious as it collects and sends sensitive system information to an external server without user consent. The use of obfuscation further suggests an attempt to hide its true purpose.

Live on npm for 1 hour before removal. Socket users were protected even while the package was live.

The provided source code is performing malicious activities by exfiltrating sensitive system information to a remote server. This behavior is indicative of data theft and poses a significant security risk.

Live on npm for 1 hour and 31 minutes before removal. Socket users were protected even while the package was live.

The script attempts to load a local module and ignores any errors that arise. This behavior is suspicious and could indicate an attempt to execute untrusted code without alerting the user.

The code exhibits behavior typical of malware, including data exfiltration and potential execution of arbitrary code. The use of obfuscation and eval() increases the security risk significantly.

Live on npm for 26 days, 23 hours and 6 minutes before removal. Socket users were protected even while the package was live.

This file defines a sendEmail function that, instead of sending mail through a legitimate SMTP or trusted API, exfiltrates all provided email fields (from, to, subject, message) along with added metadata (source, from_email, to_email) via an unencrypted HTTP POST to the hardcoded endpoint http://emails[.]egytag[.]com/api/emails/add. The behavior occurs without user consent or configuration, leaks potentially sensitive message contents to an untrusted third party, and constitutes a deliberate data-theft backdoor.

The code contains multiple security risks including potential command injection, improper handling of user input, and usage of external libraries with unknown behavior. Proper input validation and sanitization should be implemented to mitigate these risks. The dynamic execution of system commands and dynamic file path construction without proper validation pose significant security threats. Further review and hardening of the code are highly recommended.

Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.

The source code exhibits behavior consistent with data exfiltration malware. It collects sensitive system information and sends it to external endpoints without user consent, posing a significant security risk.

Live on npm for 36 days, 9 hours and 44 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 2 hours and 12 minutes before removal. Socket users were protected even while the package was live.

The code is highly malicious and represents a severe supply chain security risk. It downloads and executes remote code dynamically using obfuscated techniques to evade detection. This behavior is characteristic of malware and backdoors, posing a critical threat to any system using this package. Immediate removal and investigation are strongly recommended.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 1 hour and 53 minutes before removal. Socket users were protected even while the package was live.