Secure your dependencies. Ship with confidence.

This module is a brute-force/admin-login cracking tool. It automates credential stuffing and captcha handling (via OCR) and even installs/updates the helper package at runtime. While not obfuscated, it is explicitly designed to perform unauthorized login attempts and is malicious in intent in many threat models. It poses a high security risk and should not be used against systems without explicit authorization. The runtime pip install increases supply-chain risk.

This script invokes xmrig.exe to perform a cryptomining benchmark using the --bench=1M and --submit parameters, potentially submitting results over the network. Unauthorized execution can consume system resources for mining and send data externally without user consent, making it a malicious threat.

This module performs explicit, immediate data exfiltration of sensitive host and environment information to a hard-coded external HTTP endpoint. The behavior (capturing full process.env, user/host identifiers, LAN IP, silent error suppression, execution on load) matches supply-chain backdoors or malicious telemetry agents. Treat the package as malicious: remove/blacklist it, investigate hosts where it ran, rotate exposed credentials, and block the remote endpoint at network perimeter.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

This setup.py contains strong indicators of malicious intent: an embedded encrypted payload decrypted with a hardcoded key and executed via exec() only during installation on Windows. The pattern (encrypted blob + hardcoded key + exec at install-time + setup_requires for 'fernet' and 'requests') is characteristic of supply-chain backdoors or installer-based malware. Do not install or run this package. Treat it as malicious until the decrypted payload is inspected and validated in a safe, isolated environment.

The code collects system information, including the current working directory, hostname, username, and home directory, and sends it to external servers at 'site[.]wheezy[.]io' and 'en7gkbdp3755omk[.]m[.]pipedream[.]net'. It also searches for 'package.json' files in the directory hierarchy, reads their contents, and sends them to these external servers. This unauthorized data exfiltration poses a significant security risk.

Live on npm for 5 hours and 14 minutes before removal. Socket users were protected even while the package was live.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

The script functions as a test harness for QSIPREP with CI/local support and external data provisioning. However, the hardcoded base64 payload that is decoded and executed via sh constitutes a severe security risk, effectively acting as a backdoor. This pattern should be removed or replaced with an explicit, audited, and verifiable script. External data downloads should include integrity verification (checksums, signatures) and provenance guarantees. Patch handling via LOCAL_PATCH should be constrained to authenticated sources. Overall, this code exhibits high supply-chain and runtime execution risk due to the embedded payload sink.

The script is making a request to a potentially malicious URL. This behavior is considered suspicious and could be indicative of malware or security risks.

Live on npm for 2 days, 17 hours and 36 minutes before removal. Socket users were protected even while the package was live.

The code exhibits potential security risks related to user authentication and data handling, particularly with the CAPTCHA cracking functionality. While there are no clear indicators of malware, the use of external libraries and dynamic code execution raises concerns. The overall risk is moderate, and further scrutiny is recommended.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 2 hours and 20 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 42 minutes before removal. Socket users were protected even while the package was live.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

The source code contains suspicious and potentially malicious behavior by uploading arbitrary local files and detailed metadata to a remote server using hardcoded authentication tokens and device identifiers. This constitutes a significant security risk involving unauthorized data exfiltration and privacy violation. Although no direct malware payload like reverse shells or destructive actions are present, the code should be considered high risk and likely malicious due to its data exfiltration capabilities and lack of user transparency.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 4 hours and 23 minutes before removal. Socket users were protected even while the package was live.

The code is designed to send sensitive system information to a remote server, which is a significant security risk. This behavior is consistent with malicious activity, specifically data exfiltration.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

This code collects extensive system information—including hostname, OS type, platform, release, architecture, local IP, current user, and working directory—and fetches the public IP from https://api64[.]ipify[.]org?format=json. It then exfiltrates this data without user consent via HTTP GET and POST requests to http://54[.]173[.]15[.]59:8080/jpd[.]php (with a fake Mozilla/5.0 User-Agent) and falls back to a WebSocket connection to wss://yourserver[.]com/socket if HTTP fails. It suppresses console output during the npm preinstall lifecycle and uses dynamic imports to evade static analysis. These behaviors demonstrate clear malicious intent and high security risk.

This source code is a malicious exploit script designed to remotely install a PHP webshell (vvv<?php eval($_POST[zzz]);?>) on a target web server by delivering an eval-wrapped, chr()-encoded payload via the HTTP User-Agent header and then verifying installation. Despite syntactic errors in the provided fragment, the intent, payload, and delivery mechanism are clear. Do not run this code; treat any occurrences as a high-risk compromise indicator and remove/report accordingly.

The code is obfuscated and exhibits malicious behavior by exfiltrating environment variables to an external server. This poses a significant security risk.

Live on npm for 4 hours and 22 minutes before removal. Socket users were protected even while the package was live.

The code is highly malicious, involving data exfiltration and reverse shell creation, posing a significant security threat.

Live on npm for 13 days, 16 hours and 59 minutes before removal. Socket users were protected even while the package was live.

On import the module prints the base64 string “Y2RoQHdlYXJlaGFja2Vyb25lLmNvbQ==” (which decodes to cdh@wearehackerone[.]com) and immediately performs a DNS lookup for win32evtlogutil[.]pyvac[.]diar[.]ai. Both actions execute without user consent or configuration, indicating a covert callback/C2 mechanism. The domain name mimics a legitimate Windows event-log utility to evade detection and track installations. This constitutes a high-risk malicious supply-chain backdoor. It has been removed from PyPI.

Live on PyPI for 1 hour and 58 minutes before removal. Socket users were protected even while the package was live.

The code exhibits several security risks, particularly in the sendEmail function which could lead to data exfiltration. The presence of hardcoded values and lack of input validation raises concerns about potential malicious behavior. Overall, the code should be reviewed and modified to mitigate these risks.

Live on PyPI for 5 hours and 39 minutes before removal. Socket users were protected even while the package was live.

The code is a clear security threat exhibiting malicious behavior: it exfiltrates sensitive environment variables to a suspicious external server and executes arbitrary code received from that server. The obfuscation and use of eval confirm intent to hide this backdoor functionality. This module should be considered malware and avoided.

This code uses sophisticated obfuscation techniques to hide its true functionality. The combination of string reversal, base64 encoding, zlib compression, and execution via exec() is a pattern commonly associated with malware. Without deobfuscating the payload, it's impossible to determine the exact malicious activity, but the obfuscation technique itself is a major red flag. This code should be considered highly suspicious and potentially malicious.

This module is a brute-force/admin-login cracking tool. It automates credential stuffing and captcha handling (via OCR) and even installs/updates the helper package at runtime. While not obfuscated, it is explicitly designed to perform unauthorized login attempts and is malicious in intent in many threat models. It poses a high security risk and should not be used against systems without explicit authorization. The runtime pip install increases supply-chain risk.

This script invokes xmrig.exe to perform a cryptomining benchmark using the --bench=1M and --submit parameters, potentially submitting results over the network. Unauthorized execution can consume system resources for mining and send data externally without user consent, making it a malicious threat.

This module performs explicit, immediate data exfiltration of sensitive host and environment information to a hard-coded external HTTP endpoint. The behavior (capturing full process.env, user/host identifiers, LAN IP, silent error suppression, execution on load) matches supply-chain backdoors or malicious telemetry agents. Treat the package as malicious: remove/blacklist it, investigate hosts where it ran, rotate exposed credentials, and block the remote endpoint at network perimeter.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

This setup.py contains strong indicators of malicious intent: an embedded encrypted payload decrypted with a hardcoded key and executed via exec() only during installation on Windows. The pattern (encrypted blob + hardcoded key + exec at install-time + setup_requires for 'fernet' and 'requests') is characteristic of supply-chain backdoors or installer-based malware. Do not install or run this package. Treat it as malicious until the decrypted payload is inspected and validated in a safe, isolated environment.

The code collects system information, including the current working directory, hostname, username, and home directory, and sends it to external servers at 'site[.]wheezy[.]io' and 'en7gkbdp3755omk[.]m[.]pipedream[.]net'. It also searches for 'package.json' files in the directory hierarchy, reads their contents, and sends them to these external servers. This unauthorized data exfiltration poses a significant security risk.

Live on npm for 5 hours and 14 minutes before removal. Socket users were protected even while the package was live.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

The script functions as a test harness for QSIPREP with CI/local support and external data provisioning. However, the hardcoded base64 payload that is decoded and executed via sh constitutes a severe security risk, effectively acting as a backdoor. This pattern should be removed or replaced with an explicit, audited, and verifiable script. External data downloads should include integrity verification (checksums, signatures) and provenance guarantees. Patch handling via LOCAL_PATCH should be constrained to authenticated sources. Overall, this code exhibits high supply-chain and runtime execution risk due to the embedded payload sink.

The script is making a request to a potentially malicious URL. This behavior is considered suspicious and could be indicative of malware or security risks.

Live on npm for 2 days, 17 hours and 36 minutes before removal. Socket users were protected even while the package was live.

The code exhibits potential security risks related to user authentication and data handling, particularly with the CAPTCHA cracking functionality. While there are no clear indicators of malware, the use of external libraries and dynamic code execution raises concerns. The overall risk is moderate, and further scrutiny is recommended.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 2 hours and 20 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 42 minutes before removal. Socket users were protected even while the package was live.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

The source code contains suspicious and potentially malicious behavior by uploading arbitrary local files and detailed metadata to a remote server using hardcoded authentication tokens and device identifiers. This constitutes a significant security risk involving unauthorized data exfiltration and privacy violation. Although no direct malware payload like reverse shells or destructive actions are present, the code should be considered high risk and likely malicious due to its data exfiltration capabilities and lack of user transparency.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 4 hours and 23 minutes before removal. Socket users were protected even while the package was live.

The code is designed to send sensitive system information to a remote server, which is a significant security risk. This behavior is consistent with malicious activity, specifically data exfiltration.

Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.

This code collects extensive system information—including hostname, OS type, platform, release, architecture, local IP, current user, and working directory—and fetches the public IP from https://api64[.]ipify[.]org?format=json. It then exfiltrates this data without user consent via HTTP GET and POST requests to http://54[.]173[.]15[.]59:8080/jpd[.]php (with a fake Mozilla/5.0 User-Agent) and falls back to a WebSocket connection to wss://yourserver[.]com/socket if HTTP fails. It suppresses console output during the npm preinstall lifecycle and uses dynamic imports to evade static analysis. These behaviors demonstrate clear malicious intent and high security risk.

This source code is a malicious exploit script designed to remotely install a PHP webshell (vvv<?php eval($_POST[zzz]);?>) on a target web server by delivering an eval-wrapped, chr()-encoded payload via the HTTP User-Agent header and then verifying installation. Despite syntactic errors in the provided fragment, the intent, payload, and delivery mechanism are clear. Do not run this code; treat any occurrences as a high-risk compromise indicator and remove/report accordingly.

The code is obfuscated and exhibits malicious behavior by exfiltrating environment variables to an external server. This poses a significant security risk.

Live on npm for 4 hours and 22 minutes before removal. Socket users were protected even while the package was live.

The code is highly malicious, involving data exfiltration and reverse shell creation, posing a significant security threat.

Live on npm for 13 days, 16 hours and 59 minutes before removal. Socket users were protected even while the package was live.

On import the module prints the base64 string “Y2RoQHdlYXJlaGFja2Vyb25lLmNvbQ==” (which decodes to cdh@wearehackerone[.]com) and immediately performs a DNS lookup for win32evtlogutil[.]pyvac[.]diar[.]ai. Both actions execute without user consent or configuration, indicating a covert callback/C2 mechanism. The domain name mimics a legitimate Windows event-log utility to evade detection and track installations. This constitutes a high-risk malicious supply-chain backdoor. It has been removed from PyPI.

Live on PyPI for 1 hour and 58 minutes before removal. Socket users were protected even while the package was live.

The code exhibits several security risks, particularly in the sendEmail function which could lead to data exfiltration. The presence of hardcoded values and lack of input validation raises concerns about potential malicious behavior. Overall, the code should be reviewed and modified to mitigate these risks.

Live on PyPI for 5 hours and 39 minutes before removal. Socket users were protected even while the package was live.

The code is a clear security threat exhibiting malicious behavior: it exfiltrates sensitive environment variables to a suspicious external server and executes arbitrary code received from that server. The obfuscation and use of eval confirm intent to hide this backdoor functionality. This module should be considered malware and avoided.

This code uses sophisticated obfuscation techniques to hide its true functionality. The combination of string reversal, base64 encoding, zlib compression, and execution via exec() is a pattern commonly associated with malware. Without deobfuscating the payload, it's impossible to determine the exact malicious activity, but the obfuscation technique itself is a major red flag. This code should be considered highly suspicious and potentially malicious.