Secure your dependencies. Ship with confidence.

The code exhibits behavior consistent with data exfiltration by sending sanitized system information to an external domain. This poses a significant security risk and aligns with malicious activities.

Live on npm for 9 hours and 41 minutes before removal. Socket users were protected even while the package was live.

This file contains obfuscated malicious code that uses multiple evasion techniques to hide its true functionality. The code implements a multi-stage decoder that: 1) Reverses an encoded string 2) Decodes it using base64 3) Decompresses it using zlib 4) Executes the resulting code using exec(). This pattern is a common malware technique designed to evade security scanning and hide malicious payloads. The use of exec() to execute arbitrary decoded content poses a severe security risk as it allows execution of potentially harmful code. The intentional obfuscation through multiple encoding layers combined with dynamic code execution strongly indicates this is malware rather than legitimate functionality. The code should not be executed as it likely contains a malicious payload designed for system compromise, data exfiltration, or other harmful activities.

The code is collecting sensitive information (home directory, hostname, current directory) and sending it to a potentially suspicious remote server. The presence of a message suggesting a sale and the hardcoded server details make this code highly suspicious. The code could be involved in data exfiltration.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

This file collects sensitive system information (environment variables, AWS credentials, and shell command outputs) and transmits it to 356pmjg3yjoadbpk2rehv4ql5cb3z3ns[.]oastify[.]com without user consent. The code demonstrates malicious behavior, posing a significant risk of data theft and unauthorized access.

Live on npm for 13 days, 1 hour and 9 minutes before removal. Socket users were protected even while the package was live.

The code is risky due to the use of eval() for executing success/error handlers, which could lead to arbitrary code execution if an attacker can control these handlers. There is also a risk of data leakage or website defacement through the use of document.write. The dynamic creation of forms and redirection based on attributes can be exploited if the attributes are not properly sanitized. However, there's no explicit evidence of malicious intent like hardcoded credentials or connections to suspicious domains.

Live on npm for 1 hour and 10 minutes before removal. Socket users were protected even while the package was live.

The code exhibits suspicious behavior by sending data to a hardcoded external Discord webhook without user consent, which is a form of data exfiltration. While the data sent is benign and fixed, this pattern is commonly associated with malware or backdoors. The code is not obfuscated and does not contain other malicious payloads, but the security risk is moderate due to unauthorized network communication. The reports provided are uninformative and fail to identify these issues.

The code poses a security risk due to the use of exec for command execution without input validation and the transmission of data to an external URL. This behavior is indicative of potential malicious activity, particularly data exfiltration.

Live on npm for 12 days, 17 hours and 52 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by exfiltrating system and user data to external domains without user consent. This poses a significant security risk and indicates a high probability of malicious intent.

Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.

The code is malicious as it collects sensitive seed phrases and sends them to a Telegram chat without user consent. This poses a high security risk due to potential data theft.

Live on PyPI for 1 hour and 42 minutes before removal. Socket users were protected even while the package was live.

The script poses a high security risk as malware due to its ability to alter disk partitions without user interaction, leading to data loss or system damage.

The code contains several concerning elements, including the installation of packages without user consent and the caching of sensitive user data. These behaviors suggest potential malicious intent and warrant a moderate to high risk assessment.

The code exhibits several functionalities that could be exploited for malicious purposes, including user impersonation, arbitrary command execution, and registry manipulation. Given these capabilities, the code poses a significant security risk and should be treated with caution.

The code is designed to exfiltrate sensitive system information to an external domain using DNS queries, which is a clear indication of malicious intent. The use of encoding and DNS queries suggests an attempt to hide this activity.

Live on npm for 14 days, 1 hour and 1 minute before removal. Socket users were protected even while the package was live.

The code appears to be intentionally exfiltrating system information to a remote server if the operating system is either Linux or Mac. It constructs a Bash script based on the operating system type to perform the exfiltration. This behavior could be considered suspicious or potentially malicious, depending on the context in which the code is used.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior consistent with a backdoor or data exfiltration module, collecting sensitive information and sending it to a remote server with obfuscated details to avoid detection.

Live on npm for 47 minutes before removal. Socket users were protected even while the package was live.

The code is malicious as it exfiltrates console warnings and errors to external Telegram channels using a hardcoded bot token and chat IDs. This is a serious privacy and security risk. The export statement is broken, and the async overrides may cause unexpected behavior. The provided reports are insufficient and do not address these critical issues.

The script is likely used for malicious purposes, collecting sensitive data and sending it to specific IPs, which can be interpreted as a data exfiltration attempt. The usage of obfuscated code and hardcoded IP addresses further supports the suspicion of malicious intent.

This script is attempting to exfiltrate sensitive data by sending the contents of the /etc/passwd file to a remote server. This is a high security risk and is considered malicious.

Live on npm for 4 hours and 16 minutes before removal. Socket users were protected even while the package was live.

The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.

Live on npm for 1 hour and 57 minutes before removal. Socket users were protected even while the package was live.

The script logs a message and sends telemetry data to an external server, which poses a security risk by potentially leaking sensitive information.

Live on npm for 10 days, 4 hours and 53 minutes before removal. Socket users were protected even while the package was live.

The code contains a significant security flaw by sending sensitive environment variables over the network to a Telegram chat, which could lead to unauthorized access and data breaches. The hardcoded bot token and chat ID further exacerbate the risk.

The script performs automated and potentially malicious actions such as spamming or SEO manipulation by creating and publishing npm packages and posting links on WordPress sites. The hardcoded credentials and lack of user interaction or validation increase the risk and potential for misuse.

Live on npm for 3 hours and 20 minutes before removal. Socket users were protected even while the package was live.

This module exports a function that, after a hard-coded trigger date (May 20 2023 08:00:01), installs a recurring timer (every 2 seconds) to recursively delete the entire “vite” and “react” subdirectories inside node_modules. It uses a silent try-catch to suppress errors, requires no user consent, and repeatedly sabotages dependent projects by removing critical dependencies, causing denial of service and build breakage.

The code is intended to authenticate users with the GLPI API. However, the presence of a `console.table` statement that logs user credentials is a severe security flaw. There is no evidence of intentional obfuscation or malware, but this security risk needs immediate attention.

Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.

The code demonstrates risky behaviors such as executing shell commands based on environment variables and global configurations without proper validation, automatic installation, and execution of packages from external sources, and potential for command injection. These behaviors can be exploited for malicious purposes, making the code potentially unsafe.

Live on npm for 3 hours and 43 minutes before removal. Socket users were protected even while the package was live.

The code exhibits behavior consistent with data exfiltration by sending sanitized system information to an external domain. This poses a significant security risk and aligns with malicious activities.

Live on npm for 9 hours and 41 minutes before removal. Socket users were protected even while the package was live.

This file contains obfuscated malicious code that uses multiple evasion techniques to hide its true functionality. The code implements a multi-stage decoder that: 1) Reverses an encoded string 2) Decodes it using base64 3) Decompresses it using zlib 4) Executes the resulting code using exec(). This pattern is a common malware technique designed to evade security scanning and hide malicious payloads. The use of exec() to execute arbitrary decoded content poses a severe security risk as it allows execution of potentially harmful code. The intentional obfuscation through multiple encoding layers combined with dynamic code execution strongly indicates this is malware rather than legitimate functionality. The code should not be executed as it likely contains a malicious payload designed for system compromise, data exfiltration, or other harmful activities.

The code is collecting sensitive information (home directory, hostname, current directory) and sending it to a potentially suspicious remote server. The presence of a message suggesting a sale and the hardcoded server details make this code highly suspicious. The code could be involved in data exfiltration.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

This file collects sensitive system information (environment variables, AWS credentials, and shell command outputs) and transmits it to 356pmjg3yjoadbpk2rehv4ql5cb3z3ns[.]oastify[.]com without user consent. The code demonstrates malicious behavior, posing a significant risk of data theft and unauthorized access.

Live on npm for 13 days, 1 hour and 9 minutes before removal. Socket users were protected even while the package was live.

The code is risky due to the use of eval() for executing success/error handlers, which could lead to arbitrary code execution if an attacker can control these handlers. There is also a risk of data leakage or website defacement through the use of document.write. The dynamic creation of forms and redirection based on attributes can be exploited if the attributes are not properly sanitized. However, there's no explicit evidence of malicious intent like hardcoded credentials or connections to suspicious domains.

Live on npm for 1 hour and 10 minutes before removal. Socket users were protected even while the package was live.

The code exhibits suspicious behavior by sending data to a hardcoded external Discord webhook without user consent, which is a form of data exfiltration. While the data sent is benign and fixed, this pattern is commonly associated with malware or backdoors. The code is not obfuscated and does not contain other malicious payloads, but the security risk is moderate due to unauthorized network communication. The reports provided are uninformative and fail to identify these issues.

The code poses a security risk due to the use of exec for command execution without input validation and the transmission of data to an external URL. This behavior is indicative of potential malicious activity, particularly data exfiltration.

Live on npm for 12 days, 17 hours and 52 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by exfiltrating system and user data to external domains without user consent. This poses a significant security risk and indicates a high probability of malicious intent.

Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.

The code is malicious as it collects sensitive seed phrases and sends them to a Telegram chat without user consent. This poses a high security risk due to potential data theft.

Live on PyPI for 1 hour and 42 minutes before removal. Socket users were protected even while the package was live.

The script poses a high security risk as malware due to its ability to alter disk partitions without user interaction, leading to data loss or system damage.

The code contains several concerning elements, including the installation of packages without user consent and the caching of sensitive user data. These behaviors suggest potential malicious intent and warrant a moderate to high risk assessment.

The code exhibits several functionalities that could be exploited for malicious purposes, including user impersonation, arbitrary command execution, and registry manipulation. Given these capabilities, the code poses a significant security risk and should be treated with caution.

The code is designed to exfiltrate sensitive system information to an external domain using DNS queries, which is a clear indication of malicious intent. The use of encoding and DNS queries suggests an attempt to hide this activity.

Live on npm for 14 days, 1 hour and 1 minute before removal. Socket users were protected even while the package was live.

The code appears to be intentionally exfiltrating system information to a remote server if the operating system is either Linux or Mac. It constructs a Bash script based on the operating system type to perform the exfiltration. This behavior could be considered suspicious or potentially malicious, depending on the context in which the code is used.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior consistent with a backdoor or data exfiltration module, collecting sensitive information and sending it to a remote server with obfuscated details to avoid detection.

Live on npm for 47 minutes before removal. Socket users were protected even while the package was live.

The code is malicious as it exfiltrates console warnings and errors to external Telegram channels using a hardcoded bot token and chat IDs. This is a serious privacy and security risk. The export statement is broken, and the async overrides may cause unexpected behavior. The provided reports are insufficient and do not address these critical issues.

The script is likely used for malicious purposes, collecting sensitive data and sending it to specific IPs, which can be interpreted as a data exfiltration attempt. The usage of obfuscated code and hardcoded IP addresses further supports the suspicion of malicious intent.

This script is attempting to exfiltrate sensitive data by sending the contents of the /etc/passwd file to a remote server. This is a high security risk and is considered malicious.

Live on npm for 4 hours and 16 minutes before removal. Socket users were protected even while the package was live.

The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.

Live on npm for 1 hour and 57 minutes before removal. Socket users were protected even while the package was live.

The script logs a message and sends telemetry data to an external server, which poses a security risk by potentially leaking sensitive information.

Live on npm for 10 days, 4 hours and 53 minutes before removal. Socket users were protected even while the package was live.

The code contains a significant security flaw by sending sensitive environment variables over the network to a Telegram chat, which could lead to unauthorized access and data breaches. The hardcoded bot token and chat ID further exacerbate the risk.

The script performs automated and potentially malicious actions such as spamming or SEO manipulation by creating and publishing npm packages and posting links on WordPress sites. The hardcoded credentials and lack of user interaction or validation increase the risk and potential for misuse.

Live on npm for 3 hours and 20 minutes before removal. Socket users were protected even while the package was live.

This module exports a function that, after a hard-coded trigger date (May 20 2023 08:00:01), installs a recurring timer (every 2 seconds) to recursively delete the entire “vite” and “react” subdirectories inside node_modules. It uses a silent try-catch to suppress errors, requires no user consent, and repeatedly sabotages dependent projects by removing critical dependencies, causing denial of service and build breakage.

The code is intended to authenticate users with the GLPI API. However, the presence of a `console.table` statement that logs user credentials is a severe security flaw. There is no evidence of intentional obfuscation or malware, but this security risk needs immediate attention.

Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.

The code demonstrates risky behaviors such as executing shell commands based on environment variables and global configurations without proper validation, automatic installation, and execution of packages from external sources, and potential for command injection. These behaviors can be exploited for malicious purposes, making the code potentially unsafe.

Live on npm for 3 hours and 43 minutes before removal. Socket users were protected even while the package was live.