Secure your dependencies. Ship with confidence.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 17 minutes before removal. Socket users were protected even while the package was live.

The code exhibits several characteristics typical of potentially malicious software, including obfuscation, downloading and executing files, and recursive error handling. These behaviors suggest a high risk of executing untrusted code, which could compromise the system.

This code poses a serious security risk and should not be used.

Live on npm for 38 minutes before removal. Socket users were protected even while the package was live.

This code exhibits malicious behavior by collecting sensitive system information (OS type, username, current working directory, hostname, and IP addresses), encoding this data in base64, and sending it to a remote server (http://149[.]104[.]26[.]89/cmd.dat). It also attempts to download and execute a binary payload from the same server, which could lead to further compromise. The code includes environment checks to determine if it's running in a sandbox, suggesting an attempt to evade detection. After execution, it attempts to delete files to cover its tracks. The code is heavily obfuscated to make analysis difficult.

Live on npm for 4 days, 4 hours and 23 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 1 hour and 55 minutes before removal. Socket users were protected even while the package was live.

The code snippet exhibits malicious behavior by sending the current working directory to an external domain without user consent. This poses a significant security risk due to unauthorized data exfiltration.

The source code exhibits behavior typical of malicious software by collecting and sending sensitive system information to a remote server without user consent. This poses a significant security risk and could potentially be used for data theft or unauthorized tracking.

Live on npm for 6 hours and 15 minutes before removal. Socket users were protected even while the package was live.

The code is attempting to exfiltrate system information by sending it over the network using the ping command. This behavior is potentially malicious as it may result in data leakage or unauthorized access to sensitive information.

Live on npm for 38 minutes before removal. Socket users were protected even while the package was live.

The script triggers an outbound network request during its preinstall phase by executing a curl command on a shortened URL (example[.]com/JR006D). The use of such a URL is concerning because link shortening services can obscure the true destination and are often employed for tracking user data, exfiltration, or delivering malicious payloads. This behavior indicates a potential attempt to compromise system security and user privacy.

Live on npm for 36 days and 4 hours before removal. Socket users were protected even while the package was live.

This code is highly suspicious and potentially malicious. It should not be used without further investigation and review.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

This code is malicious and poses a high security risk. It covertly collects and sends sensitive system and environment information to a remote Telegram bot without user consent, constituting data theft. The presence of hardcoded credentials and use of a public messaging platform for exfiltration further confirm its malicious intent. The code is not obfuscated but is designed for stealthy data exfiltration. It should be treated as malware and avoided.

Live on npm for 11 days, 19 hours and 44 minutes before removal. Socket users were protected even while the package was live.

This package contains a critical code injection vulnerability through the eval() function that executes arbitrary JavaScript from user-specified files. This represents an extremely high security risk that could lead to complete system compromise, data theft, or backdoor installation.

The source code is performing clear malicious activities by exfiltrating system data to a remote server. This justifies high scores in malware, obfuscation, and risk categories. The provided reports do not contain useful information, but the code itself clearly indicates a serious security incident.

Live on npm for 1 hour and 7 minutes before removal. Socket users were protected even while the package was live.

The code sends sensitive system information over the network without user consent, which poses a significant privacy risk. This behavior is indicative of potentially malicious intent.

This file collects sensitive system and user information (home directory, username, hostname, DNS servers, etc.) and sends it to a remote server at hg1as3ob4o9c1ew54a142gz02r8iw8kx[.]oastify[.]com without user knowledge or consent. It also writes this data to a local file (poc.txt). Such unauthorized data collection and transmission is malicious and poses a high security risk.

Live on npm for 8 days, 9 hours and 23 minutes before removal. Socket users were protected even while the package was live.

The code appears to be malicious. It exfiltrates sensitive system information and project-specific data to external servers. The use of continuous directory traversal and sending potentially confidential data to suspicious domains indicates high probability of malicious intent.

Live on npm for 1 hour before removal. Socket users were protected even while the package was live.

The code poses a potential security risk due to the execution of system commands without clear input validation and sanitization. However, without a detailed report and more context, the actual risk and intent are difficult to assess.

Live on PyPI for 4 hours and 56 minutes before removal. Socket users were protected even while the package was live.

This script embeds two Base64-encoded, AES-GCM–encrypted blobs that it decrypts at runtime to obtain a command-and-control hostname and then a payload URL. It resolves the decrypted hostname via DNS (requires exactly one A record), uses that IP as the decryption key for the second blob, and retrieves a remote JavaScript payload over HTTP(S). The payload is saved as “startup.js” inside the user’s Chrome data Scripts folder, patched to reference the correct absolute Node.js path, marked executable, and launched in a detached Node.js process without user consent. After a short delay it deletes its own source file (__filename), removes the accompanying graph-settings.min.js, and patches graph.js to strip out its initialization calls—clearly a self-deleting downloader/backdoor implant.

Live on npm for 6 days, 2 hours and 52 minutes before removal. Socket users were protected even while the package was live.

The script collects information like hostname, platform, user info, and current working directory, then sends it as base64-encoded JSON to a remote server.

Live on npm for 3 days, 6 hours and 30 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of npm-conf

Live on npm for 1 hour and 46 minutes before removal. Socket users were protected even while the package was live.

This script is attempting to exfiltrate system information to a remote server. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 52 minutes before removal. Socket users were protected even while the package was live.

This package's 'postinstall' script executes 'ip a' to retrieve network interface information and sends it to a remote server via an HTTP POST request to 'http://nkbri3r9b8ddoze1m3pfjzhcc3it6i[.]burp[.]gdsburp[.]com/'. If this request fails, it attempts to download data from the same server using 'wget'. This behavior exfiltrates potentially sensitive system information without user consent and is indicative of malware.

The analyzed code is a malicious Discord token stealer that exfiltrates authentication tokens and sensitive user data to an attacker-controlled webhook. It poses a severe security risk by enabling unauthorized account access, privacy violations, and potential financial fraud. The code is not obfuscated but is clearly designed for malicious purposes. It should be considered highly dangerous and avoided.

Live on npm for 13 hours and 30 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by exfiltrating environment variables to an external domain. This poses a significant security risk due to the potential exposure of sensitive information.

Live on npm for 1 hour and 25 minutes before removal. Socket users were protected even while the package was live.

The script decodes a base64-encoded command and then executes it using the 'child_process.exec' function. This behavior is highly suspicious and indicates potential malicious intent.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 17 minutes before removal. Socket users were protected even while the package was live.

The code exhibits several characteristics typical of potentially malicious software, including obfuscation, downloading and executing files, and recursive error handling. These behaviors suggest a high risk of executing untrusted code, which could compromise the system.

This code poses a serious security risk and should not be used.

Live on npm for 38 minutes before removal. Socket users were protected even while the package was live.

This code exhibits malicious behavior by collecting sensitive system information (OS type, username, current working directory, hostname, and IP addresses), encoding this data in base64, and sending it to a remote server (http://149[.]104[.]26[.]89/cmd.dat). It also attempts to download and execute a binary payload from the same server, which could lead to further compromise. The code includes environment checks to determine if it's running in a sandbox, suggesting an attempt to evade detection. After execution, it attempts to delete files to cover its tracks. The code is heavily obfuscated to make analysis difficult.

Live on npm for 4 days, 4 hours and 23 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 1 hour and 55 minutes before removal. Socket users were protected even while the package was live.

The code snippet exhibits malicious behavior by sending the current working directory to an external domain without user consent. This poses a significant security risk due to unauthorized data exfiltration.

The source code exhibits behavior typical of malicious software by collecting and sending sensitive system information to a remote server without user consent. This poses a significant security risk and could potentially be used for data theft or unauthorized tracking.

Live on npm for 6 hours and 15 minutes before removal. Socket users were protected even while the package was live.

The code is attempting to exfiltrate system information by sending it over the network using the ping command. This behavior is potentially malicious as it may result in data leakage or unauthorized access to sensitive information.

Live on npm for 38 minutes before removal. Socket users were protected even while the package was live.

The script triggers an outbound network request during its preinstall phase by executing a curl command on a shortened URL (example[.]com/JR006D). The use of such a URL is concerning because link shortening services can obscure the true destination and are often employed for tracking user data, exfiltration, or delivering malicious payloads. This behavior indicates a potential attempt to compromise system security and user privacy.

Live on npm for 36 days and 4 hours before removal. Socket users were protected even while the package was live.

This code is highly suspicious and potentially malicious. It should not be used without further investigation and review.

Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.

This code is malicious and poses a high security risk. It covertly collects and sends sensitive system and environment information to a remote Telegram bot without user consent, constituting data theft. The presence of hardcoded credentials and use of a public messaging platform for exfiltration further confirm its malicious intent. The code is not obfuscated but is designed for stealthy data exfiltration. It should be treated as malware and avoided.

Live on npm for 11 days, 19 hours and 44 minutes before removal. Socket users were protected even while the package was live.

This package contains a critical code injection vulnerability through the eval() function that executes arbitrary JavaScript from user-specified files. This represents an extremely high security risk that could lead to complete system compromise, data theft, or backdoor installation.

The source code is performing clear malicious activities by exfiltrating system data to a remote server. This justifies high scores in malware, obfuscation, and risk categories. The provided reports do not contain useful information, but the code itself clearly indicates a serious security incident.

Live on npm for 1 hour and 7 minutes before removal. Socket users were protected even while the package was live.

The code sends sensitive system information over the network without user consent, which poses a significant privacy risk. This behavior is indicative of potentially malicious intent.

This file collects sensitive system and user information (home directory, username, hostname, DNS servers, etc.) and sends it to a remote server at hg1as3ob4o9c1ew54a142gz02r8iw8kx[.]oastify[.]com without user knowledge or consent. It also writes this data to a local file (poc.txt). Such unauthorized data collection and transmission is malicious and poses a high security risk.

Live on npm for 8 days, 9 hours and 23 minutes before removal. Socket users were protected even while the package was live.

The code appears to be malicious. It exfiltrates sensitive system information and project-specific data to external servers. The use of continuous directory traversal and sending potentially confidential data to suspicious domains indicates high probability of malicious intent.

Live on npm for 1 hour before removal. Socket users were protected even while the package was live.

The code poses a potential security risk due to the execution of system commands without clear input validation and sanitization. However, without a detailed report and more context, the actual risk and intent are difficult to assess.

Live on PyPI for 4 hours and 56 minutes before removal. Socket users were protected even while the package was live.

This script embeds two Base64-encoded, AES-GCM–encrypted blobs that it decrypts at runtime to obtain a command-and-control hostname and then a payload URL. It resolves the decrypted hostname via DNS (requires exactly one A record), uses that IP as the decryption key for the second blob, and retrieves a remote JavaScript payload over HTTP(S). The payload is saved as “startup.js” inside the user’s Chrome data Scripts folder, patched to reference the correct absolute Node.js path, marked executable, and launched in a detached Node.js process without user consent. After a short delay it deletes its own source file (__filename), removes the accompanying graph-settings.min.js, and patches graph.js to strip out its initialization calls—clearly a self-deleting downloader/backdoor implant.

Live on npm for 6 days, 2 hours and 52 minutes before removal. Socket users were protected even while the package was live.

The script collects information like hostname, platform, user info, and current working directory, then sends it as base64-encoded JSON to a remote server.

Live on npm for 3 days, 6 hours and 30 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of npm-conf

Live on npm for 1 hour and 46 minutes before removal. Socket users were protected even while the package was live.

This script is attempting to exfiltrate system information to a remote server. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 52 minutes before removal. Socket users were protected even while the package was live.

This package's 'postinstall' script executes 'ip a' to retrieve network interface information and sends it to a remote server via an HTTP POST request to 'http://nkbri3r9b8ddoze1m3pfjzhcc3it6i[.]burp[.]gdsburp[.]com/'. If this request fails, it attempts to download data from the same server using 'wget'. This behavior exfiltrates potentially sensitive system information without user consent and is indicative of malware.

The analyzed code is a malicious Discord token stealer that exfiltrates authentication tokens and sensitive user data to an attacker-controlled webhook. It poses a severe security risk by enabling unauthorized account access, privacy violations, and potential financial fraud. The code is not obfuscated but is clearly designed for malicious purposes. It should be considered highly dangerous and avoided.

Live on npm for 13 hours and 30 minutes before removal. Socket users were protected even while the package was live.

The code exhibits malicious behavior by exfiltrating environment variables to an external domain. This poses a significant security risk due to the potential exposure of sensitive information.

Live on npm for 1 hour and 25 minutes before removal. Socket users were protected even while the package was live.

The script decodes a base64-encoded command and then executes it using the 'child_process.exec' function. This behavior is highly suspicious and indicates potential malicious intent.