Secure your dependencies. Ship with confidence.

The script is making a request to a potentially malicious domain. This behavior raises a high security risk as it could be used for data exfiltration or to download and execute malicious code.

Live on npm for 26 days, 18 hours and 4 minutes before removal. Socket users were protected even while the package was live.

The code appears to be obfuscated and uses unusual naming patterns for variables and methods, which could indicate potential malicious behavior. However, without more information on what the 'functame' method does in each of these modules, it's not possible to conclusively determine if the code is malicious.

Live on npm for 57 days, 5 hours and 48 minutes before removal. Socket users were protected even while the package was live.

The code is highly suspicious due to its unauthorized collection and transmission of system and project data to external servers. This behavior aligns with malicious intent, posing a significant security risk.

Live on npm for 39 minutes before removal. Socket users were protected even while the package was live.

The package 'duckc2-v5.5.5' contains heavily obfuscated JavaScript code that executes shell commands using the 'exec' function from the 'child_process' module. The code attempts to manipulate critical system files such as '/etc/passwd' and '/etc/shadow' to create a new user with root privileges, effectively installing a backdoor in the system. It establishes TLS connections and makes HTTP/2 requests to multiple hardcoded external domains, potentially for command and control or data exfiltration purposes. Some of the domains and IP addresses referenced in the code include king-hrdevil[.]rhcloud[.]com, go[.]mail[.]ru, and IP addresses like 192[.]168[.]0[.]1. The code also contains a 'KillScript' function that terminates the process, possibly to evade detection. The combination of these behaviors indicates malicious intent and poses a high security risk to any system where this package is installed.

The script is downloading a file from an external source, which can be potentially risky. The safety of this script depends on the content of the downloaded file and the intentions of the source.

The code exhibits potential malicious behavior with data exfiltration and tracking activities, posing a significant security risk. It should be further investigated and potentially removed.

Live on npm for 33 minutes before removal. Socket users were protected even while the package was live.

The script collects information from the /etc/passwd file, username, current working directory and public IP address, then sends this data to a remote server.

Live on npm for 21 hours and 59 minutes before removal. Socket users were protected even while the package was live.

The code fragment contains highly suspicious behavior indicative of a supply chain attack where a seemingly benign text styling library is used as a cover for downloading and executing a potentially malicious binary. The use of threading to execute the binary and the misleading path name are strong indicators of an intent to deceive and execute unauthorized actions without the user's knowledge.

Live on pypi for 17 days and 40 minutes before removal. Socket users were protected even while the package was live.

The code collects sensitive system information without user consent and sends it to an external server via a Discord webhook. The code gathers data such as the user's internal IP address, external IP address (obtained via an HTTP request to 'https[:]//ipinfo[.]io/json'), hostname, username, home directory, DNS server information, and package details from 'package.json'. This information is then formatted into a JSON object and transmitted to a hardcoded Discord webhook URL ('https[:]//discord[.]com/api/webhooks/...'). This behavior constitutes unauthorized data exfiltration and poses significant privacy and security risks.

Malicious code in social-media-icons-react (npm) Source: ghsa-malware (ca362d17a667da1d094b044be149065c8d362cc8ae8e0dbd43bfdb0e9c537df7) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 6 minutes before removal. Socket users were protected even while the package was live.

Malicious code in lita_telegram-plus (RubyGems)

The code imports and invokes methods from multiple suspiciously named external libraries without clear purpose or context. This raises concerns about potential malicious behavior as the functionality of these libraries is not transparent.

Live on npm for 57 days, 13 hours and 5 minutes before removal. Socket users were protected even while the package was live.

The code exhibits sophisticated malicious behavior through multiple layers of obfuscation. It utilizes a complex chain of eval() functions combined with custom encoding algorithms to conceal its true functionality. The obfuscation includes XOR-based string manipulation, rotating encryption keys, and URI encoding layers. Additionally, it implements anti-debugging measures and error suppression techniques to evade detection and analysis. The presence of system reconnaissance capabilities, data exfiltration functions, and encrypted C2 communication patterns reveals its malicious nature. While complete analysis requires dynamic execution, the code's structure and obfuscation techniques strongly indicate it's a professionally crafted malware designed for stealth and persistence. The combination of legitimate npm package usage as cover and sophisticated anti-analysis features suggests this is part of a larger, coordinated malicious operation.

This script is attempting to exfiltrate sensitive data (contents of /etc/passwd) to a remote server. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.

Given the heavy obfuscation and potential for file and network operations to be performed in a non-transparent manner, there is a significant risk that this code could be malicious or part of a supply chain attack. Caution is advised, and the code should not be used without a thorough deobfuscation and review.

The code exhibits clear signs of malicious behavior involving data theft and exfiltration. It encodes and sends sensitive system and user data to a suspicious domain via both DNS queries and HTTPS POST requests.

Live on npm for 34 minutes before removal. Socket users were protected even while the package was live.

This code exhibits several suspicious behaviors, such as hidden process creation, potential manipulation of library installations, and executing an undefined script. These actions could be indicative of a preparation phase for a supply chain attack or other malicious activities.

The code is designed to collect sensitive system information and transmit it to an external server using obfuscated methods. This behavior is indicative of malicious activity, specifically data exfiltration.

Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.

The code exhibits various risky patterns and practices that could lead to security vulnerabilities. There is a high likelihood of malicious behavior and significant security risks associated with this code. Further analysis and validation are recommended to assess the full extent of the security implications.

Live on npm for 54 minutes before removal. Socket users were protected even while the package was live.

The script 'packer/provisioners/post_install.sh' exhibits malicious behavior by performing several harmful actions: - **Deletes user and root history files**: Uses secure deletion methods to remove history files, potentially to conceal malicious activities. - **Clears system log files**: Erases log files from '/var/log', hindering the ability to audit and investigate system actions. - **Disables the root account**: Locks the root account password without ensuring alternative secure administrative access, possibly preventing legitimate administrative operations. - **Sets a weak default password ('changeme') for the 'admin' user**: Introduces a significant security risk by using an easily guessable password, facilitating unauthorized access. These actions can be exploited by an attacker to gain unauthorized access, disrupt legitimate operations, and prevent system recovery. The combination of log and history deletion, disabling of root access, and setting weak credentials indicates malicious intent to compromise system security and conceal nefarious activities.

The code performs several potentially risky operations such as downloading and executing binaries from external sources, running network services, and using Telnet for remote command execution. These actions pose significant security risks, including the possibility of introducing malicious code and exposing the system to network-based attacks. However, there is no explicit evidence of malicious intent in the code itself.

Malicious code in jaconda-telegram (RubyGems)

The script performs automated and potentially malicious actions such as spamming or SEO manipulation by creating and publishing npm packages and posting links on WordPress sites. The hardcoded credentials and lack of user interaction or validation increase the risk and potential for misuse.

Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.

The code exhibits several security risks, particularly in how it handles sensitive user data and communicates with external services. It should be refactored to improve security practices, such as encrypting sensitive data and avoiding untrusted external connections.

Live on npm for 1 hour and 59 minutes before removal. Socket users were protected even while the package was live.

The script collects information like package name, directory path, home directory, hostname, username, DNS servers, and package.json data, and sends it to a remote server.

Live on npm for 1 day and 40 minutes before removal. Socket users were protected even while the package was live.

The script is making a request to a potentially malicious domain. This behavior raises a high security risk as it could be used for data exfiltration or to download and execute malicious code.

Live on npm for 26 days, 18 hours and 4 minutes before removal. Socket users were protected even while the package was live.

The code appears to be obfuscated and uses unusual naming patterns for variables and methods, which could indicate potential malicious behavior. However, without more information on what the 'functame' method does in each of these modules, it's not possible to conclusively determine if the code is malicious.

Live on npm for 57 days, 5 hours and 48 minutes before removal. Socket users were protected even while the package was live.

The code is highly suspicious due to its unauthorized collection and transmission of system and project data to external servers. This behavior aligns with malicious intent, posing a significant security risk.

Live on npm for 39 minutes before removal. Socket users were protected even while the package was live.

The package 'duckc2-v5.5.5' contains heavily obfuscated JavaScript code that executes shell commands using the 'exec' function from the 'child_process' module. The code attempts to manipulate critical system files such as '/etc/passwd' and '/etc/shadow' to create a new user with root privileges, effectively installing a backdoor in the system. It establishes TLS connections and makes HTTP/2 requests to multiple hardcoded external domains, potentially for command and control or data exfiltration purposes. Some of the domains and IP addresses referenced in the code include king-hrdevil[.]rhcloud[.]com, go[.]mail[.]ru, and IP addresses like 192[.]168[.]0[.]1. The code also contains a 'KillScript' function that terminates the process, possibly to evade detection. The combination of these behaviors indicates malicious intent and poses a high security risk to any system where this package is installed.

The script is downloading a file from an external source, which can be potentially risky. The safety of this script depends on the content of the downloaded file and the intentions of the source.

The code exhibits potential malicious behavior with data exfiltration and tracking activities, posing a significant security risk. It should be further investigated and potentially removed.

Live on npm for 33 minutes before removal. Socket users were protected even while the package was live.

The script collects information from the /etc/passwd file, username, current working directory and public IP address, then sends this data to a remote server.

Live on npm for 21 hours and 59 minutes before removal. Socket users were protected even while the package was live.

The code fragment contains highly suspicious behavior indicative of a supply chain attack where a seemingly benign text styling library is used as a cover for downloading and executing a potentially malicious binary. The use of threading to execute the binary and the misleading path name are strong indicators of an intent to deceive and execute unauthorized actions without the user's knowledge.

Live on pypi for 17 days and 40 minutes before removal. Socket users were protected even while the package was live.

The code collects sensitive system information without user consent and sends it to an external server via a Discord webhook. The code gathers data such as the user's internal IP address, external IP address (obtained via an HTTP request to 'https[:]//ipinfo[.]io/json'), hostname, username, home directory, DNS server information, and package details from 'package.json'. This information is then formatted into a JSON object and transmitted to a hardcoded Discord webhook URL ('https[:]//discord[.]com/api/webhooks/...'). This behavior constitutes unauthorized data exfiltration and poses significant privacy and security risks.

Malicious code in social-media-icons-react (npm) Source: ghsa-malware (ca362d17a667da1d094b044be149065c8d362cc8ae8e0dbd43bfdb0e9c537df7) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Live on npm for 2 hours and 6 minutes before removal. Socket users were protected even while the package was live.

Malicious code in lita_telegram-plus (RubyGems)

The code imports and invokes methods from multiple suspiciously named external libraries without clear purpose or context. This raises concerns about potential malicious behavior as the functionality of these libraries is not transparent.

Live on npm for 57 days, 13 hours and 5 minutes before removal. Socket users were protected even while the package was live.

The code exhibits sophisticated malicious behavior through multiple layers of obfuscation. It utilizes a complex chain of eval() functions combined with custom encoding algorithms to conceal its true functionality. The obfuscation includes XOR-based string manipulation, rotating encryption keys, and URI encoding layers. Additionally, it implements anti-debugging measures and error suppression techniques to evade detection and analysis. The presence of system reconnaissance capabilities, data exfiltration functions, and encrypted C2 communication patterns reveals its malicious nature. While complete analysis requires dynamic execution, the code's structure and obfuscation techniques strongly indicate it's a professionally crafted malware designed for stealth and persistence. The combination of legitimate npm package usage as cover and sophisticated anti-analysis features suggests this is part of a larger, coordinated malicious operation.

This script is attempting to exfiltrate sensitive data (contents of /etc/passwd) to a remote server. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.

Given the heavy obfuscation and potential for file and network operations to be performed in a non-transparent manner, there is a significant risk that this code could be malicious or part of a supply chain attack. Caution is advised, and the code should not be used without a thorough deobfuscation and review.

The code exhibits clear signs of malicious behavior involving data theft and exfiltration. It encodes and sends sensitive system and user data to a suspicious domain via both DNS queries and HTTPS POST requests.

Live on npm for 34 minutes before removal. Socket users were protected even while the package was live.

This code exhibits several suspicious behaviors, such as hidden process creation, potential manipulation of library installations, and executing an undefined script. These actions could be indicative of a preparation phase for a supply chain attack or other malicious activities.

The code is designed to collect sensitive system information and transmit it to an external server using obfuscated methods. This behavior is indicative of malicious activity, specifically data exfiltration.

Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.

The code exhibits various risky patterns and practices that could lead to security vulnerabilities. There is a high likelihood of malicious behavior and significant security risks associated with this code. Further analysis and validation are recommended to assess the full extent of the security implications.

Live on npm for 54 minutes before removal. Socket users were protected even while the package was live.

The script 'packer/provisioners/post_install.sh' exhibits malicious behavior by performing several harmful actions: - **Deletes user and root history files**: Uses secure deletion methods to remove history files, potentially to conceal malicious activities. - **Clears system log files**: Erases log files from '/var/log', hindering the ability to audit and investigate system actions. - **Disables the root account**: Locks the root account password without ensuring alternative secure administrative access, possibly preventing legitimate administrative operations. - **Sets a weak default password ('changeme') for the 'admin' user**: Introduces a significant security risk by using an easily guessable password, facilitating unauthorized access. These actions can be exploited by an attacker to gain unauthorized access, disrupt legitimate operations, and prevent system recovery. The combination of log and history deletion, disabling of root access, and setting weak credentials indicates malicious intent to compromise system security and conceal nefarious activities.

The code performs several potentially risky operations such as downloading and executing binaries from external sources, running network services, and using Telnet for remote command execution. These actions pose significant security risks, including the possibility of introducing malicious code and exposing the system to network-based attacks. However, there is no explicit evidence of malicious intent in the code itself.

Malicious code in jaconda-telegram (RubyGems)

The script performs automated and potentially malicious actions such as spamming or SEO manipulation by creating and publishing npm packages and posting links on WordPress sites. The hardcoded credentials and lack of user interaction or validation increase the risk and potential for misuse.

Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.

The code exhibits several security risks, particularly in how it handles sensitive user data and communicates with external services. It should be refactored to improve security practices, such as encrypting sensitive data and avoiding untrusted external connections.

Live on npm for 1 hour and 59 minutes before removal. Socket users were protected even while the package was live.

The script collects information like package name, directory path, home directory, hostname, username, DNS servers, and package.json data, and sends it to a remote server.

Live on npm for 1 day and 40 minutes before removal. Socket users were protected even while the package was live.