Secure your dependencies. Ship with confidence.

The code poses a significant security risk by sending sensitive system information to suspicious external domains. This behavior is consistent with data exfiltration attempts, and the use of unknown URLs suggests potential malicious intent.

Live on PyPI for 3 hours and 30 minutes before removal. Socket users were protected even while the package was live.

The code appears to be collecting sensitive system and environment information and is designed to send this data to a remote server. This behavior is indicative of a data exfiltration attempt, which can be considered malicious depending on the context in which this script is used. However, due to incomplete and malformed request execution code, as presented, the script would not successfully send data as intended.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

Given the obfuscation, use of critical node modules, and patterns consistent with malicious scripts such as dynamic execution of code, the script is likely intended to perform unauthorized actions on the system. This includes data manipulation, executing commands, or acting as a backdoor.

Live on npm for 1 day and 37 minutes before removal. Socket users were protected even while the package was live.

The script sends the hostname of the machine to a remote server, which poses a significant security risk and indicates malicious behavior.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

The code potentially allows execution of arbitrary JavaScript code by manipulating the 'time' input to point to a malicious script. The lack of validation or sanitization of the input combined with the execution rights raises security concerns.

Live on npm for 5 days, 21 hours and 40 minutes before removal. Socket users were protected even while the package was live.

The code exhibits potentially malicious behavior with dynamic command execution and file operations that could lead to system compromise. Caution is advised when dealing with this code as it poses a high security risk.

Live on npm for 29 minutes before removal. Socket users were protected even while the package was live.

The code engages in potentially malicious behavior by collecting sensitive system information and sending it to a remote server without clear user consent. The hard-coded domain, data obfuscation, and lack of transparency raise significant privacy and security concerns. The risk score is high due to the invasive nature of the code.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.

Live on npm for 57 minutes before removal. Socket users were protected even while the package was live.

The code contains a severe security vulnerability due to the use of eval() on remotely fetched data, enabling remote code execution. This represents a critical supply chain security risk. The unknown domain contacted and suspicious headers increase suspicion. The code should not be used in production or trusted environments without significant revision. Malware risk is high due to arbitrary code execution potential.

The code contains unusual naming conventions and method calls that do not align with standard practices. Without the actual content of the imported modules, it's challenging to determine the exact behavior or intent of the code. The naming and structure raise suspicion but do not definitively indicate malicious intent. There is no evidence of data leakage or clear security risks within the provided code itself. However, the lack of clarity and unusual patterns suggest that a more in-depth review of the imported modules is necessary to rule out potential threats.

Live on npm for 57 days and 54 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and exfiltrating system information using DNS queries. The heavy obfuscation further suggests an intent to hide these actions. This poses a significant security risk.

Live on npm for 59 minutes before removal. Socket users were protected even while the package was live.

The code is malicious. It collects sensitive system information (hostname, current user, current working directory, and directory listing) without consent, encodes this information in base64 to obfuscate it, and sends it to an external server. This behavior is characteristic of a malware payload designed for data exfiltration.

Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.

The script 'packer/provisioners/post_install.sh' exhibits malicious behavior by performing several harmful actions: - **Deletes user and root history files**: Uses secure deletion methods to remove history files, potentially to conceal malicious activities. - **Clears system log files**: Erases log files from '/var/log', hindering the ability to audit and investigate system actions. - **Disables the root account**: Locks the root account password without ensuring alternative secure administrative access, possibly preventing legitimate administrative operations. - **Sets a weak default password ('changeme') for the 'admin' user**: Introduces a significant security risk by using an easily guessable password, facilitating unauthorized access. These actions can be exploited by an attacker to gain unauthorized access, disrupt legitimate operations, and prevent system recovery. The combination of log and history deletion, disabling of root access, and setting weak credentials indicates malicious intent to compromise system security and conceal nefarious activities.

The code is designed to fetch and process JSONP data from a remote API. It contains a serious security flaw by using eval() on untrusted network data, which can lead to remote code execution vulnerabilities. There is no direct evidence of malware or obfuscation, but the security risk is high due to unsafe eval usage. The reports provided are invalid and uninformative. It is recommended to avoid eval and use safer JSONP parsing or standard JSON parsing methods. Hardcoded cookies and headers should be handled carefully to avoid leaking sensitive information.

Live on npm for 4 hours and 26 minutes before removal. Socket users were protected even while the package was live.

The code snippet transmits the local machine's hostname to an external, suspicious ngrok.io domain without user consent, silently ignoring errors and response. This constitutes a privacy violation and potential data exfiltration, which is suspicious and may be malicious depending on context. There is no obfuscation or complex code, but the use of a dynamic external endpoint and silent error handling increases the security risk. Overall, this code should be treated as potentially malicious or at least privacy-invasive.

Live on npm for 1 hour and 38 minutes before removal. Socket users were protected even while the package was live.

This Python-based credential harvester masquerades as an Instagram growth tool while implementing multiple layers of deception. The malware uses base64 encoding to conceal its code and checks a remote Netlify-hosted file for authorization before executing. Upon running, it prompts users for Instagram credentials under the pretense of providing follower growth services, stores these credentials in plaintext locally, and then broadcasts the username and password to ten different Turkish bot service websites. Each of these third-party services receives full access to the victim's Instagram account, enabling them to read private messages, post content, harvest follower data, or sell the credentials on underground markets. The tool violates Instagram's Terms of Service through automated bot activity while simultaneously compromising account security, potentially resulting in account suspension, identity theft, or complete account takeover.

Live on PyPI for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect and send sensitive information to a remote server without the user's knowledge or consent. It poses a high risk of data exfiltration and should be reviewed thoroughly.

Live on npm for 2 hours and 52 minutes before removal. Socket users were protected even while the package was live.

The code poses a significant security risk by downloading and executing a file from an external source without verification. This could lead to arbitrary code execution if the URL is compromised. The use of silent exception handling further obscures potential errors.

Live on PyPI for 5 minutes before removal. Socket users were protected even while the package was live.

The source code exhibits highly suspicious and malicious behavior by exfiltrating sensitive system and package information to an untrusted external server without user consent. This represents a serious security risk and privacy violation. The code is not obfuscated but is clearly designed to steal data stealthily. It should be considered malicious and avoided.

The code is designed to exfiltrate system information to an external server, which is a clear security risk and potentially malicious behavior.

The code is dangerous and should not be used. The file downloaded from the external source should be verified and validated before being executed, and errors and exceptions should be handled properly.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.

Live on npm for 23 hours and 28 minutes before removal. Socket users were protected even while the package was live.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as malware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

The source code contains a serious security issue where environment variables are sent to a remote server without user consent. This is a clear indication of data exfiltration and poses a high security risk.

Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 3 hours and 1 minute before removal. Socket users were protected even while the package was live.

The code poses a significant security risk by sending sensitive system information to suspicious external domains. This behavior is consistent with data exfiltration attempts, and the use of unknown URLs suggests potential malicious intent.

Live on PyPI for 3 hours and 30 minutes before removal. Socket users were protected even while the package was live.

The code appears to be collecting sensitive system and environment information and is designed to send this data to a remote server. This behavior is indicative of a data exfiltration attempt, which can be considered malicious depending on the context in which this script is used. However, due to incomplete and malformed request execution code, as presented, the script would not successfully send data as intended.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

Given the obfuscation, use of critical node modules, and patterns consistent with malicious scripts such as dynamic execution of code, the script is likely intended to perform unauthorized actions on the system. This includes data manipulation, executing commands, or acting as a backdoor.

Live on npm for 1 day and 37 minutes before removal. Socket users were protected even while the package was live.

The script sends the hostname of the machine to a remote server, which poses a significant security risk and indicates malicious behavior.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

The code potentially allows execution of arbitrary JavaScript code by manipulating the 'time' input to point to a malicious script. The lack of validation or sanitization of the input combined with the execution rights raises security concerns.

Live on npm for 5 days, 21 hours and 40 minutes before removal. Socket users were protected even while the package was live.

The code exhibits potentially malicious behavior with dynamic command execution and file operations that could lead to system compromise. Caution is advised when dealing with this code as it poses a high security risk.

Live on npm for 29 minutes before removal. Socket users were protected even while the package was live.

The code engages in potentially malicious behavior by collecting sensitive system information and sending it to a remote server without clear user consent. The hard-coded domain, data obfuscation, and lack of transparency raise significant privacy and security concerns. The risk score is high due to the invasive nature of the code.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.

Live on npm for 57 minutes before removal. Socket users were protected even while the package was live.

The code contains a severe security vulnerability due to the use of eval() on remotely fetched data, enabling remote code execution. This represents a critical supply chain security risk. The unknown domain contacted and suspicious headers increase suspicion. The code should not be used in production or trusted environments without significant revision. Malware risk is high due to arbitrary code execution potential.

The code contains unusual naming conventions and method calls that do not align with standard practices. Without the actual content of the imported modules, it's challenging to determine the exact behavior or intent of the code. The naming and structure raise suspicion but do not definitively indicate malicious intent. There is no evidence of data leakage or clear security risks within the provided code itself. However, the lack of clarity and unusual patterns suggest that a more in-depth review of the imported modules is necessary to rule out potential threats.

Live on npm for 57 days and 54 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by collecting and exfiltrating system information using DNS queries. The heavy obfuscation further suggests an intent to hide these actions. This poses a significant security risk.

Live on npm for 59 minutes before removal. Socket users were protected even while the package was live.

The code is malicious. It collects sensitive system information (hostname, current user, current working directory, and directory listing) without consent, encodes this information in base64 to obfuscate it, and sends it to an external server. This behavior is characteristic of a malware payload designed for data exfiltration.

Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.

The script 'packer/provisioners/post_install.sh' exhibits malicious behavior by performing several harmful actions: - **Deletes user and root history files**: Uses secure deletion methods to remove history files, potentially to conceal malicious activities. - **Clears system log files**: Erases log files from '/var/log', hindering the ability to audit and investigate system actions. - **Disables the root account**: Locks the root account password without ensuring alternative secure administrative access, possibly preventing legitimate administrative operations. - **Sets a weak default password ('changeme') for the 'admin' user**: Introduces a significant security risk by using an easily guessable password, facilitating unauthorized access. These actions can be exploited by an attacker to gain unauthorized access, disrupt legitimate operations, and prevent system recovery. The combination of log and history deletion, disabling of root access, and setting weak credentials indicates malicious intent to compromise system security and conceal nefarious activities.

The code is designed to fetch and process JSONP data from a remote API. It contains a serious security flaw by using eval() on untrusted network data, which can lead to remote code execution vulnerabilities. There is no direct evidence of malware or obfuscation, but the security risk is high due to unsafe eval usage. The reports provided are invalid and uninformative. It is recommended to avoid eval and use safer JSONP parsing or standard JSON parsing methods. Hardcoded cookies and headers should be handled carefully to avoid leaking sensitive information.

Live on npm for 4 hours and 26 minutes before removal. Socket users were protected even while the package was live.

The code snippet transmits the local machine's hostname to an external, suspicious ngrok.io domain without user consent, silently ignoring errors and response. This constitutes a privacy violation and potential data exfiltration, which is suspicious and may be malicious depending on context. There is no obfuscation or complex code, but the use of a dynamic external endpoint and silent error handling increases the security risk. Overall, this code should be treated as potentially malicious or at least privacy-invasive.

Live on npm for 1 hour and 38 minutes before removal. Socket users were protected even while the package was live.

This Python-based credential harvester masquerades as an Instagram growth tool while implementing multiple layers of deception. The malware uses base64 encoding to conceal its code and checks a remote Netlify-hosted file for authorization before executing. Upon running, it prompts users for Instagram credentials under the pretense of providing follower growth services, stores these credentials in plaintext locally, and then broadcasts the username and password to ten different Turkish bot service websites. Each of these third-party services receives full access to the victim's Instagram account, enabling them to read private messages, post content, harvest follower data, or sell the credentials on underground markets. The tool violates Instagram's Terms of Service through automated bot activity while simultaneously compromising account security, potentially resulting in account suspension, identity theft, or complete account takeover.

Live on PyPI for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect and send sensitive information to a remote server without the user's knowledge or consent. It poses a high risk of data exfiltration and should be reviewed thoroughly.

Live on npm for 2 hours and 52 minutes before removal. Socket users were protected even while the package was live.

The code poses a significant security risk by downloading and executing a file from an external source without verification. This could lead to arbitrary code execution if the URL is compromised. The use of silent exception handling further obscures potential errors.

Live on PyPI for 5 minutes before removal. Socket users were protected even while the package was live.

The source code exhibits highly suspicious and malicious behavior by exfiltrating sensitive system and package information to an untrusted external server without user consent. This represents a serious security risk and privacy violation. The code is not obfuscated but is clearly designed to steal data stealthily. It should be considered malicious and avoided.

The code is designed to exfiltrate system information to an external server, which is a clear security risk and potentially malicious behavior.

The code is dangerous and should not be used. The file downloaded from the external source should be verified and validated before being executed, and errors and exceptions should be handled properly.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.

Live on npm for 23 hours and 28 minutes before removal. Socket users were protected even while the package was live.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as malware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

The source code contains a serious security issue where environment variables are sent to a remote server without user consent. This is a clear indication of data exfiltration and poses a high security risk.

Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 3 hours and 1 minute before removal. Socket users were protected even while the package was live.