Secure your dependencies. Ship with confidence.

The script downloads a file from a remote server that is dynamically constructed using the current user's username, which raises significant security concerns and indicates potential malicious intent.

Live on npm for 34 minutes before removal. Socket users were protected even while the package was live.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

This middleware captures full HTTP request and response contents (including headers, bodies, IPs, query strings) and unconditionally sends them to a hardcoded external AWS Lambda URL, while also logging the serialized payload. That is an explicit data-exfiltration behavior. Unless you knowingly installed this package and intend to send all traffic data to that endpoint, treat this as highly suspicious and dangerous. Remove or disable the middleware, or ensure it is replaced by a version with explicit configuration, redaction, and consent controls.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

The code presents explicit high-risk capabilities: it can fetch remote content and overwrite the system hosts file and provides an arbitrary shell execution sink. Without strict input validation, integrity checks, and least-privilege execution, this module poses a serious security threat in untrusted environments. It should be avoided or severely hardened (disable remote host replacement, remove or restrict shell execution, add input validation, and implement integrity verification).

This instrumentor silently forwards OpenAI request parameters (which often include sensitive prompts or files), model outputs, and a provided API key to an external /api/intake endpoint. That constitutes high-risk data exfiltration and credential leakage. If this code runs in an environment where users or owners did not explicitly configure and consent to sending prompts, completions, and an API key to the configured base_url, it should be considered malicious or at minimum unacceptable privacy-invasive telemetry. Recommend removal or disabling unless the destination is fully trusted, explicit consent exists, and additional safeguards (error handling, data minimization, clear opt-in) are implemented.

This module intentionally exposes powerful remote-execution and file access capabilities via Pyro. If the Flame service is registered and reachable by untrusted clients (or if Pyro is misconfigured to accept remote connections with pickle deserialization), it effectively provides a remote backdoor: arbitrary code execution (exec/eval), arbitrary file write/read, module injection, and an interactive remote console. There is no input sanitization or access control visible in this code fragment. Use of this package or enabling the service on production systems constitutes a high security risk unless strictly constrained to trusted, authenticated, and isolated environments. The code itself does not show explicit obfuscation or stolen credentials, but it implements functionality commonly used maliciously (remote control and data exfiltration).

The code is heavily obfuscated and interacts with an Ethereum smart contract to retrieve data. It constructs a download URL based on the operating system and the fetched data, then downloads an executable file from this URL and executes it in the background without user consent or verification. This poses a significant security risk, as it allows for the execution of arbitrary or malicious code on the user's system. The download URLs are dynamically constructed and may point to malicious sources (e.g., hxxp://malicious[.]example[.]com/download).

Live on npm for 5 days, 21 hours and 5 minutes before removal. Socket users were protected even while the package was live.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

This Windows-targeting script elevates itself to administrator via ShellExecuteW("runas"), creates a hidden folder at C:\ProgramData\Microsoft\Services\Update, copies a bundled executable (dummy.exe) to winupdate.exe (marking both +h +s), and drops a watchdog.vbs in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup for session persistence. It then runs a PowerShell Add-MpPreference command to exclude the hidden folder from Windows Defender scans. Finally, it creates and starts a service named WinUpdateService that launches cmd.exe to run winupdate.exe with these arguments: --url rx[.]unmineable[.]com:3333 --user BNB:0x7CFd98f04BFFdf869576032147ce1a61d032BAf4.LAPTOP_MINER -p x --cpu-max-threads-hint 75. These steps establish covert persistence, defense evasion, and unauthorized cryptocurrency mining.

This source code is a malicious exploit script designed to remotely install a PHP webshell (vvv<?php eval($_POST[zzz]);?>) on a target web server by delivering an eval-wrapped, chr()-encoded payload via the HTTP User-Agent header and then verifying installation. Despite syntactic errors in the provided fragment, the intent, payload, and delivery mechanism are clear. Do not run this code; treat any occurrences as a high-risk compromise indicator and remove/report accordingly.

This module performs clear data exfiltration: it runs a local shell command (uname -a) and sends the result to a hardcoded remote IP via unencrypted HTTP, and it does so automatically at module load time. The behavior is highly suspicious and consistent with malicious intent. Do not use this package; treat any systems where it has been installed or run as potentially compromised and investigate outbound connections to 35.222.62.189.

The script poses a security risk by executing a shell script fetched from a remote URL without any integrity checks or authentication, making it susceptible to remote code execution attacks if the remote content is compromised.

This source code is malicious and constitutes a high-risk supply chain attack. It stealthily collects and exfiltrates sensitive system and environment information to a suspicious external domain using DNS beaconing and HTTPS POST requests. The behavior indicates data theft and potential credential leakage. The code should be flagged as malware and avoided.

Live on npm for 2 hours and 21 minutes before removal. Socket users were protected even while the package was live.

The source code raises significant concerns due to the presence of numerous suspicious domain names, suggesting potential malicious behavior. The reports are inaccessible, limiting the ability to provide a detailed analysis. Further investigation is warranted.

Live on PyPI for 14 minutes before removal. Socket users were protected even while the package was live.

The provided fragment cannot be confidently analyzed for malicious behavior as-is. Treat as suspicious binary/blob data requiring provenance verification, safe-handling, and deeper binary analysis (decompression/disassembly) before any runtime use. Do not execute in production; obtain a signed, verifiable artifact or readable source for thorough assessment.

The code is designed to exfiltrate data by sending the content of a local file and an environment variable to an external service using an obfuscated URL. This behavior is indicative of malicious intent.

Live on npm for 8 days, 11 hours and 27 minutes before removal. Socket users were protected even while the package was live.

The package posed a significant security risk due to the presence of malicious code, which has been removed. However, the risk of malicious activity remains high due to the package's history.

This package has a preinstall script that executes a local file (index.js). That behavior is sufficient to consider the install process risky because the script could perform arbitrary malicious actions on the host. The rest of the dependency metadata does not show non-registry sources, but the presence of an executable preinstall and suspicious metadata (author string and odd main filename) raises concern. Inspect the contents of index.js before installing or run the install in an isolated, unprivileged environment.

The code is designed to collect and send sensitive information to a remote server without the user's knowledge or consent. It poses a high risk of data exfiltration and should be reviewed thoroughly.

Live on npm for 21 minutes before removal. Socket users were protected even while the package was live.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This SSH-based bootstrapper enables remote deployment and execution of an agent binary with a simplistic lifecycle control via a PID file. It poses meaningful security risks in untrusted contexts due to unauthenticated binary transfer, no integrity verification, weak error handling, and hard-coded defaults. Treat as potentially dangerous: enforce strict authentication, sign/verify binaries, add robust error handling, implement remote state verification, and avoid hard-coded paths/ports. Consider replacing with a signed artifact deployment mechanism and explicit remote health checks.

This Python module automates brute-force credential stuffing against arbitrary web admin login pages. It reads username and password lists from local files (`dicts/user.txt`, `dicts/pass.txt`), discovers form field names and action URLs via helper functions, and spawns a 20-thread pool to post combinations via HTTP requests to the target URL. If a CAPTCHA is present, it downloads the image (`img.png`), solves it using an OCR helper, then includes the solution in the login POST. All attempts and successful credentials are printed to stdout. Notably, the code runs `os.system("pip3 install exp10it -U")` at import time to self-update from PyPI, introducing a supply-chain risk. It also writes and deletes temporary files, issues unvalidated network requests to domains like `http://example[.]com`, and performs unauthorized login attempts without consent. Use of this script against any system without explicit authorization constitutes malicious hacking activity.

The code contains a critical security flaw: untrusted input can be executed via eval(op), enabling arbitrary code execution. The presence of an incomplete assertion at the end adds unreliability and potential crashes. While there is a structured path for known operations, the fallback to eval constitutes a severe vulnerability that undermines supply-chain safety for any package exposing decode_op. Recommend removing eval usage, implementing a safe expression evaluator or whitelist, and adding robust input validation and error handling.

This Chrome extension is part of a large-scale commercial spam-automation campaign; while not classic malware, it functions as policy-abuse infrastructure that violates Chrome Web Store spam policies and WhatsApp anti-spam rules, enables bulk sending and scheduling via WhatsApp MAIN-world hooks, and exfiltrates media off-device despite marketing that minimizes or misrepresents these behaviors.

The script downloads a file from a remote server that is dynamically constructed using the current user's username, which raises significant security concerns and indicates potential malicious intent.

Live on npm for 34 minutes before removal. Socket users were protected even while the package was live.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

This middleware captures full HTTP request and response contents (including headers, bodies, IPs, query strings) and unconditionally sends them to a hardcoded external AWS Lambda URL, while also logging the serialized payload. That is an explicit data-exfiltration behavior. Unless you knowingly installed this package and intend to send all traffic data to that endpoint, treat this as highly suspicious and dangerous. Remove or disable the middleware, or ensure it is replaced by a version with explicit configuration, redaction, and consent controls.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

The code presents explicit high-risk capabilities: it can fetch remote content and overwrite the system hosts file and provides an arbitrary shell execution sink. Without strict input validation, integrity checks, and least-privilege execution, this module poses a serious security threat in untrusted environments. It should be avoided or severely hardened (disable remote host replacement, remove or restrict shell execution, add input validation, and implement integrity verification).

This instrumentor silently forwards OpenAI request parameters (which often include sensitive prompts or files), model outputs, and a provided API key to an external /api/intake endpoint. That constitutes high-risk data exfiltration and credential leakage. If this code runs in an environment where users or owners did not explicitly configure and consent to sending prompts, completions, and an API key to the configured base_url, it should be considered malicious or at minimum unacceptable privacy-invasive telemetry. Recommend removal or disabling unless the destination is fully trusted, explicit consent exists, and additional safeguards (error handling, data minimization, clear opt-in) are implemented.

This module intentionally exposes powerful remote-execution and file access capabilities via Pyro. If the Flame service is registered and reachable by untrusted clients (or if Pyro is misconfigured to accept remote connections with pickle deserialization), it effectively provides a remote backdoor: arbitrary code execution (exec/eval), arbitrary file write/read, module injection, and an interactive remote console. There is no input sanitization or access control visible in this code fragment. Use of this package or enabling the service on production systems constitutes a high security risk unless strictly constrained to trusted, authenticated, and isolated environments. The code itself does not show explicit obfuscation or stolen credentials, but it implements functionality commonly used maliciously (remote control and data exfiltration).

The code is heavily obfuscated and interacts with an Ethereum smart contract to retrieve data. It constructs a download URL based on the operating system and the fetched data, then downloads an executable file from this URL and executes it in the background without user consent or verification. This poses a significant security risk, as it allows for the execution of arbitrary or malicious code on the user's system. The download URLs are dynamically constructed and may point to malicious sources (e.g., hxxp://malicious[.]example[.]com/download).

Live on npm for 5 days, 21 hours and 5 minutes before removal. Socket users were protected even while the package was live.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

This Windows-targeting script elevates itself to administrator via ShellExecuteW("runas"), creates a hidden folder at C:\ProgramData\Microsoft\Services\Update, copies a bundled executable (dummy.exe) to winupdate.exe (marking both +h +s), and drops a watchdog.vbs in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup for session persistence. It then runs a PowerShell Add-MpPreference command to exclude the hidden folder from Windows Defender scans. Finally, it creates and starts a service named WinUpdateService that launches cmd.exe to run winupdate.exe with these arguments: --url rx[.]unmineable[.]com:3333 --user BNB:0x7CFd98f04BFFdf869576032147ce1a61d032BAf4.LAPTOP_MINER -p x --cpu-max-threads-hint 75. These steps establish covert persistence, defense evasion, and unauthorized cryptocurrency mining.

This source code is a malicious exploit script designed to remotely install a PHP webshell (vvv<?php eval($_POST[zzz]);?>) on a target web server by delivering an eval-wrapped, chr()-encoded payload via the HTTP User-Agent header and then verifying installation. Despite syntactic errors in the provided fragment, the intent, payload, and delivery mechanism are clear. Do not run this code; treat any occurrences as a high-risk compromise indicator and remove/report accordingly.

This module performs clear data exfiltration: it runs a local shell command (uname -a) and sends the result to a hardcoded remote IP via unencrypted HTTP, and it does so automatically at module load time. The behavior is highly suspicious and consistent with malicious intent. Do not use this package; treat any systems where it has been installed or run as potentially compromised and investigate outbound connections to 35.222.62.189.

The script poses a security risk by executing a shell script fetched from a remote URL without any integrity checks or authentication, making it susceptible to remote code execution attacks if the remote content is compromised.

This source code is malicious and constitutes a high-risk supply chain attack. It stealthily collects and exfiltrates sensitive system and environment information to a suspicious external domain using DNS beaconing and HTTPS POST requests. The behavior indicates data theft and potential credential leakage. The code should be flagged as malware and avoided.

Live on npm for 2 hours and 21 minutes before removal. Socket users were protected even while the package was live.

The source code raises significant concerns due to the presence of numerous suspicious domain names, suggesting potential malicious behavior. The reports are inaccessible, limiting the ability to provide a detailed analysis. Further investigation is warranted.

Live on PyPI for 14 minutes before removal. Socket users were protected even while the package was live.

The provided fragment cannot be confidently analyzed for malicious behavior as-is. Treat as suspicious binary/blob data requiring provenance verification, safe-handling, and deeper binary analysis (decompression/disassembly) before any runtime use. Do not execute in production; obtain a signed, verifiable artifact or readable source for thorough assessment.

The code is designed to exfiltrate data by sending the content of a local file and an environment variable to an external service using an obfuscated URL. This behavior is indicative of malicious intent.

Live on npm for 8 days, 11 hours and 27 minutes before removal. Socket users were protected even while the package was live.

The package posed a significant security risk due to the presence of malicious code, which has been removed. However, the risk of malicious activity remains high due to the package's history.

This package has a preinstall script that executes a local file (index.js). That behavior is sufficient to consider the install process risky because the script could perform arbitrary malicious actions on the host. The rest of the dependency metadata does not show non-registry sources, but the presence of an executable preinstall and suspicious metadata (author string and odd main filename) raises concern. Inspect the contents of index.js before installing or run the install in an isolated, unprivileged environment.

The code is designed to collect and send sensitive information to a remote server without the user's knowledge or consent. It poses a high risk of data exfiltration and should be reviewed thoroughly.

Live on npm for 21 minutes before removal. Socket users were protected even while the package was live.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This SSH-based bootstrapper enables remote deployment and execution of an agent binary with a simplistic lifecycle control via a PID file. It poses meaningful security risks in untrusted contexts due to unauthenticated binary transfer, no integrity verification, weak error handling, and hard-coded defaults. Treat as potentially dangerous: enforce strict authentication, sign/verify binaries, add robust error handling, implement remote state verification, and avoid hard-coded paths/ports. Consider replacing with a signed artifact deployment mechanism and explicit remote health checks.

This Python module automates brute-force credential stuffing against arbitrary web admin login pages. It reads username and password lists from local files (`dicts/user.txt`, `dicts/pass.txt`), discovers form field names and action URLs via helper functions, and spawns a 20-thread pool to post combinations via HTTP requests to the target URL. If a CAPTCHA is present, it downloads the image (`img.png`), solves it using an OCR helper, then includes the solution in the login POST. All attempts and successful credentials are printed to stdout. Notably, the code runs `os.system("pip3 install exp10it -U")` at import time to self-update from PyPI, introducing a supply-chain risk. It also writes and deletes temporary files, issues unvalidated network requests to domains like `http://example[.]com`, and performs unauthorized login attempts without consent. Use of this script against any system without explicit authorization constitutes malicious hacking activity.

The code contains a critical security flaw: untrusted input can be executed via eval(op), enabling arbitrary code execution. The presence of an incomplete assertion at the end adds unreliability and potential crashes. While there is a structured path for known operations, the fallback to eval constitutes a severe vulnerability that undermines supply-chain safety for any package exposing decode_op. Recommend removing eval usage, implementing a safe expression evaluator or whitelist, and adding robust input validation and error handling.

This Chrome extension is part of a large-scale commercial spam-automation campaign; while not classic malware, it functions as policy-abuse infrastructure that violates Chrome Web Store spam policies and WhatsApp anti-spam rules, enables bulk sending and scheduling via WhatsApp MAIN-world hooks, and exfiltrates media off-device despite marketing that minimizes or misrepresents these behaviors.