Secure your dependencies. Ship with confidence.

The script is designed to upload sensitive files from the system to an external server, which poses a significant security risk and is indicative of malicious behavior.

Live on npm for 11 days, 23 hours and 26 minutes before removal. Socket users were protected even while the package was live.

The provided fragment is a privacy-invasive tool intended to access a user's Chrome Default profile to read browsing history, downloads, searches and possibly stored credentials, and to wipe the Chrome History file. Even though the code is syntactically incomplete in the sample, the CLEAR_LOG_INFO function clearly performs destructive truncation of the History SQLite file, and the rest of the fragment strongly implies credential and history harvesting. This is malicious or at minimum dangerously privacy-violating behavior. Treat this code (or any package containing equivalent complete functionality) as high risk: remove it from trusted dependencies, and audit the full source if encountered in a project.

The code contains a potentially malicious or high-risk behavior by redirecting API calls from a legitimate domain to a suspicious proxy domain. This can lead to serious security risks including data interception and supply chain compromise. No direct malware code is present, but the proxy domain redirection is a critical concern. Users should be cautious and investigate the proxy domain before use.

This code is part of a browser extension that scrapes Disney+ session/profile/viewing data (and uses the user's access token to query Disney APIs), stores it locally, and uploads the aggregated data to an external domain (BASE_ROUTE/nodeRootUrl = https://me3x.online/). The external domain is not an official Disney endpoint and serves configuration and receives uploaded user data, which strongly suggests unauthorized data exfiltration or telemetry to a third-party. This constitutes a supply-chain / privacy risk and should be treated as malicious or at least highly suspicious. I recommend blocking/uninstalling the extension and investigating origin (source package, publisher) immediately.

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

This script appears to be a simple packaging/upload helper, not obviously malicious, but it contains insecure and potentially dangerous patterns: unsanitized shell interpolation (command injection risk), use of 'sudo rm -rf' (destructive with elevation), changing working directory before destructive operations, and passing credentials on the command line (credential leakage). These issues make it risky to run in untrusted contexts or CI without hardening. There is no clear evidence of deliberate malware, but the script could be abused if inputs (pyproject.toml or environment) are tampered with.

This script is highly suspicious and likely to be malicious. It collects sensitive information about the system, user, and potentially secure keys, and sends them to an external server. It's highly recommended not to use this script in a secure environment.

Live on npm for 4 days, 22 hours and 25 minutes before removal. Socket users were protected even while the package was live.

This file is an explicit exploit module for Struts2 OGNL remote code execution (S2-048 style). It actively sends payloads designed to disable OGNL protections and execute arbitrary system commands on a vulnerable remote server, then looks for command output/error markers in responses. It is dangerous to run against targets without explicit authorization. While it does not phone home or exfiltrate the scanner host's secrets, it facilitates remote compromise. Treat as offensive/exploit code; only use in controlled, authorized testing. Recommend removing from general-purpose runtime/CI artifacts, isolating and auditing usage, and adding clear authorization checks if kept in a scanning framework.

The code fragment exhibits a high likelihood of malicious activity and supply-chain risk due to extreme obfuscation, polyfill injection, and data flows directed toward external endpoints (UPLOAD_ENDPOINT, TikTok-origin). Although some parts may serve legitimate polyfill/test purposes, the combination of obfuscated payload construction, multiple network sinks, and environment-driven execution warrants thorough sandboxed analysis and precautionary removal or substitution in production builds. Treat as suspicious until validated in a controlled environment.

The provided source code exhibits clear malicious behavior by sending sensitive system information and file contents to external servers. This poses a significant security risk and should be addressed immediately.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

The code contains a malicious behavior where it intercepts network requests and sends the response data to an external server, posing a significant security risk.

Possible typosquat of azure-graph

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

This source file contains legitimate LibEmbedder.Fody weaving code but also includes a malicious injected module initializer that downloads remote content and executes it via shell commands, writes values to HKCU, and creates a scheduled task for persistence. The obfuscated strings and silent exception handling further indicate deliberate concealment. Treat this as a supply-chain compromise: do not use this package, replace with a verified clean upstream copy, and treat systems that loaded this assembly as potentially compromised (investigate, rotate credentials, and remediate).

The code is highly suspicious and likely malicious, as it attempts to exfiltrate sensitive information to an external server. The actions indicate a significant security risk.

Live on npm for 14 hours and 2 minutes before removal. Socket users were protected even while the package was live.

The code is not malicious by design but is highly dangerous due to dynamic code execution from untrusted input. It presents a severe security risk and needs refactoring to remove or constrain exec/eval paths, implement robust input validation, and adopt a safe invocation model for the DSL. Correcting parsing logic and improving error handling are essential reliability improvements.

This code establishes remote SSH access by enabling root login, setting the root password, downloading and executing a remote ngrok binary, and publishing the resulting public endpoint to an external JSONBin service. Those behaviors create a high risk of unauthorized remote access and exfiltration of the access point. The pattern is dangerous and can be abused as a backdoor; treat this code as malicious or at least high-risk tooling and avoid running it in production or sensitive environments.

This module is not overtly malicious (no encoded payloads, no external exfiltration, no reverse shell), but it contains high-risk insecure patterns: user-controlled values are directly interpolated into shell command strings and passed to node_utils.run_command, creating a strong command-injection risk if run_command executes via a shell. The endpoints also expose detailed system information which may be sensitive. Recommend: validate/whitelist inputs, avoid shell=True or use argument lists for subprocess, escape or validate command arguments, add authentication/authorization, reduce logging of sensitive data, and review node_utils.run_command implementation. Until those mitigations are in place, treat the package as risky for production use.

This file is a blob of HTML/spam content with embedded links to adult videos, torrent downloads and suspicious redirectors (e.g. https://2023[.]redircdn[.]com/?…, http://rmdown[.]com/link[.]php?hash=…, http://data[.]down2048[.]com/list[.]php?…), plus numerous third-party image URLs. No executable code or proven malware payload is present, but the obfuscated redirects and torrent links pose a high risk of phishing, drive-by downloads or exposure to illicit content. Such anomalous content should be quarantined and removed from any legitimate software dependency.

This setup.py implements a concealed code-execution mechanism: it decrypts an embedded ciphertext with a hardcoded Fernet key and exec()s the result during installation on Windows. The combination of typosquatted name, gibberish metadata, embedded key+blob, runtime exec, and forced dependencies for decryption/networking makes this highly likely to be malicious. Do not install; remove and investigate any systems where it was run.

The code contains security vulnerabilities due to unsanitized inputs, dangerous child process commands, and missing input validation. Therefore, it poses a significant security risk and should be reviewed.

Live on npm for 126 days, 13 hours and 3 minutes before removal. Socket users were protected even while the package was live.

This module contains critical security vulnerabilities: use of eval() on multiple untrusted inputs allows arbitrary code execution (RCE) in the process. Database persistence calls create an additional exfiltration path depending on DatabaseV1 behavior. The code should never eval untrusted data; instead it should parse structured, safe formats (e.g., JSON arrays) and validate types and shapes. Treat this code as unsafe to run on untrusted input until eval usage is removed or replaced with a safe parser/executor.

This install script performs a destructive filesystem operation (removing the katex directory) and then executes an unknown command. Even if not overtly labeled as malware, it poses a high risk: it can cause data loss and enables execution of arbitrary code. You should not run this without inspecting the package contents and verifying what `copy-files-from-to` refers to and why katex is being removed.

This file conditionally reads system environment variables and sends them, in base64-encoded form, to an external domain (eo2x6z3vtvxheqc[.]m[.]pipedream[.]net) when certain conditions are met. The behavior is indicative of intentional data exfiltration and poses a significant security risk.

This module implements an obfuscated runtime loader/loader helper. It reads encrypted embedded resources or files, decrypts and verifies them, allocates executable memory and writes payload bytes into that memory, and invokes them (or writes into other processes). Those capabilities (VirtualAlloc, WriteProcessMemory, VirtualProtect, OpenProcess, creating delegates from function pointers) are characteristic of reflective loaders/in-memory code injection. Combined with heavy obfuscation and hard-coded cryptographic keys/IV and signature checks, this represents a high supply-chain risk: the package can unpack and execute arbitrary code at runtime and could be used to deliver a backdoor or other malicious payloads. I recommend treating this package as malicious/untrusted unless provenance and audited behavior can be demonstrated.

This module mixes normal data models with a clearly obfuscated internal runtime that reads embedded resources, performs cryptographic/decryption operations and uses native memory APIs (VirtualProtect, GetHINSTANCE, Marshal/IntPtr) to build and write to memory addresses computed from decrypted data. That combination is highly suspicious: it matches in-memory payload unpackers/loaders and backdoor-style behavior. I recommend treating the package as malicious/untrusted until the decrypted payload and runtime effects are fully inspected in a safe environment.

The script is designed to upload sensitive files from the system to an external server, which poses a significant security risk and is indicative of malicious behavior.

Live on npm for 11 days, 23 hours and 26 minutes before removal. Socket users were protected even while the package was live.

The provided fragment is a privacy-invasive tool intended to access a user's Chrome Default profile to read browsing history, downloads, searches and possibly stored credentials, and to wipe the Chrome History file. Even though the code is syntactically incomplete in the sample, the CLEAR_LOG_INFO function clearly performs destructive truncation of the History SQLite file, and the rest of the fragment strongly implies credential and history harvesting. This is malicious or at minimum dangerously privacy-violating behavior. Treat this code (or any package containing equivalent complete functionality) as high risk: remove it from trusted dependencies, and audit the full source if encountered in a project.

The code contains a potentially malicious or high-risk behavior by redirecting API calls from a legitimate domain to a suspicious proxy domain. This can lead to serious security risks including data interception and supply chain compromise. No direct malware code is present, but the proxy domain redirection is a critical concern. Users should be cautious and investigate the proxy domain before use.

This code is part of a browser extension that scrapes Disney+ session/profile/viewing data (and uses the user's access token to query Disney APIs), stores it locally, and uploads the aggregated data to an external domain (BASE_ROUTE/nodeRootUrl = https://me3x.online/). The external domain is not an official Disney endpoint and serves configuration and receives uploaded user data, which strongly suggests unauthorized data exfiltration or telemetry to a third-party. This constitutes a supply-chain / privacy risk and should be treated as malicious or at least highly suspicious. I recommend blocking/uninstalling the extension and investigating origin (source package, publisher) immediately.

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

This script appears to be a simple packaging/upload helper, not obviously malicious, but it contains insecure and potentially dangerous patterns: unsanitized shell interpolation (command injection risk), use of 'sudo rm -rf' (destructive with elevation), changing working directory before destructive operations, and passing credentials on the command line (credential leakage). These issues make it risky to run in untrusted contexts or CI without hardening. There is no clear evidence of deliberate malware, but the script could be abused if inputs (pyproject.toml or environment) are tampered with.

This script is highly suspicious and likely to be malicious. It collects sensitive information about the system, user, and potentially secure keys, and sends them to an external server. It's highly recommended not to use this script in a secure environment.

Live on npm for 4 days, 22 hours and 25 minutes before removal. Socket users were protected even while the package was live.

This file is an explicit exploit module for Struts2 OGNL remote code execution (S2-048 style). It actively sends payloads designed to disable OGNL protections and execute arbitrary system commands on a vulnerable remote server, then looks for command output/error markers in responses. It is dangerous to run against targets without explicit authorization. While it does not phone home or exfiltrate the scanner host's secrets, it facilitates remote compromise. Treat as offensive/exploit code; only use in controlled, authorized testing. Recommend removing from general-purpose runtime/CI artifacts, isolating and auditing usage, and adding clear authorization checks if kept in a scanning framework.

The code fragment exhibits a high likelihood of malicious activity and supply-chain risk due to extreme obfuscation, polyfill injection, and data flows directed toward external endpoints (UPLOAD_ENDPOINT, TikTok-origin). Although some parts may serve legitimate polyfill/test purposes, the combination of obfuscated payload construction, multiple network sinks, and environment-driven execution warrants thorough sandboxed analysis and precautionary removal or substitution in production builds. Treat as suspicious until validated in a controlled environment.

The provided source code exhibits clear malicious behavior by sending sensitive system information and file contents to external servers. This poses a significant security risk and should be addressed immediately.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

The code contains a malicious behavior where it intercepts network requests and sends the response data to an external server, posing a significant security risk.

Possible typosquat of azure-graph

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

This source file contains legitimate LibEmbedder.Fody weaving code but also includes a malicious injected module initializer that downloads remote content and executes it via shell commands, writes values to HKCU, and creates a scheduled task for persistence. The obfuscated strings and silent exception handling further indicate deliberate concealment. Treat this as a supply-chain compromise: do not use this package, replace with a verified clean upstream copy, and treat systems that loaded this assembly as potentially compromised (investigate, rotate credentials, and remediate).

The code is highly suspicious and likely malicious, as it attempts to exfiltrate sensitive information to an external server. The actions indicate a significant security risk.

Live on npm for 14 hours and 2 minutes before removal. Socket users were protected even while the package was live.

The code is not malicious by design but is highly dangerous due to dynamic code execution from untrusted input. It presents a severe security risk and needs refactoring to remove or constrain exec/eval paths, implement robust input validation, and adopt a safe invocation model for the DSL. Correcting parsing logic and improving error handling are essential reliability improvements.

This code establishes remote SSH access by enabling root login, setting the root password, downloading and executing a remote ngrok binary, and publishing the resulting public endpoint to an external JSONBin service. Those behaviors create a high risk of unauthorized remote access and exfiltration of the access point. The pattern is dangerous and can be abused as a backdoor; treat this code as malicious or at least high-risk tooling and avoid running it in production or sensitive environments.

This module is not overtly malicious (no encoded payloads, no external exfiltration, no reverse shell), but it contains high-risk insecure patterns: user-controlled values are directly interpolated into shell command strings and passed to node_utils.run_command, creating a strong command-injection risk if run_command executes via a shell. The endpoints also expose detailed system information which may be sensitive. Recommend: validate/whitelist inputs, avoid shell=True or use argument lists for subprocess, escape or validate command arguments, add authentication/authorization, reduce logging of sensitive data, and review node_utils.run_command implementation. Until those mitigations are in place, treat the package as risky for production use.

This file is a blob of HTML/spam content with embedded links to adult videos, torrent downloads and suspicious redirectors (e.g. https://2023[.]redircdn[.]com/?…, http://rmdown[.]com/link[.]php?hash=…, http://data[.]down2048[.]com/list[.]php?…), plus numerous third-party image URLs. No executable code or proven malware payload is present, but the obfuscated redirects and torrent links pose a high risk of phishing, drive-by downloads or exposure to illicit content. Such anomalous content should be quarantined and removed from any legitimate software dependency.

This setup.py implements a concealed code-execution mechanism: it decrypts an embedded ciphertext with a hardcoded Fernet key and exec()s the result during installation on Windows. The combination of typosquatted name, gibberish metadata, embedded key+blob, runtime exec, and forced dependencies for decryption/networking makes this highly likely to be malicious. Do not install; remove and investigate any systems where it was run.

The code contains security vulnerabilities due to unsanitized inputs, dangerous child process commands, and missing input validation. Therefore, it poses a significant security risk and should be reviewed.

Live on npm for 126 days, 13 hours and 3 minutes before removal. Socket users were protected even while the package was live.

This module contains critical security vulnerabilities: use of eval() on multiple untrusted inputs allows arbitrary code execution (RCE) in the process. Database persistence calls create an additional exfiltration path depending on DatabaseV1 behavior. The code should never eval untrusted data; instead it should parse structured, safe formats (e.g., JSON arrays) and validate types and shapes. Treat this code as unsafe to run on untrusted input until eval usage is removed or replaced with a safe parser/executor.

This install script performs a destructive filesystem operation (removing the katex directory) and then executes an unknown command. Even if not overtly labeled as malware, it poses a high risk: it can cause data loss and enables execution of arbitrary code. You should not run this without inspecting the package contents and verifying what `copy-files-from-to` refers to and why katex is being removed.

This file conditionally reads system environment variables and sends them, in base64-encoded form, to an external domain (eo2x6z3vtvxheqc[.]m[.]pipedream[.]net) when certain conditions are met. The behavior is indicative of intentional data exfiltration and poses a significant security risk.

This module implements an obfuscated runtime loader/loader helper. It reads encrypted embedded resources or files, decrypts and verifies them, allocates executable memory and writes payload bytes into that memory, and invokes them (or writes into other processes). Those capabilities (VirtualAlloc, WriteProcessMemory, VirtualProtect, OpenProcess, creating delegates from function pointers) are characteristic of reflective loaders/in-memory code injection. Combined with heavy obfuscation and hard-coded cryptographic keys/IV and signature checks, this represents a high supply-chain risk: the package can unpack and execute arbitrary code at runtime and could be used to deliver a backdoor or other malicious payloads. I recommend treating this package as malicious/untrusted unless provenance and audited behavior can be demonstrated.

This module mixes normal data models with a clearly obfuscated internal runtime that reads embedded resources, performs cryptographic/decryption operations and uses native memory APIs (VirtualProtect, GetHINSTANCE, Marshal/IntPtr) to build and write to memory addresses computed from decrypted data. That combination is highly suspicious: it matches in-memory payload unpackers/loaders and backdoor-style behavior. I recommend treating the package as malicious/untrusted until the decrypted payload and runtime effects are fully inspected in a safe environment.