Secure your dependencies. Ship with confidence.

This script creates a privileged 'rescue' account with root-level access and configures passwordless sudo permissions, effectively functioning as a backdoor. It reads credentials from a configuration file and writes them into system files to grant unrestricted administrative rights. Such behavior allows full system compromise without requiring authentication. No external domains or IP addresses are referenced.

The code is part of a tool that provides extensive system-level access and manipulation capabilities. While it is not inherently malicious, its functionalities can be used for both legitimate and malicious purposes, depending on the context and user intent.

The source code exhibits behavior consistent with data exfiltration malware. It collects sensitive system information and sends it to external endpoints without user consent, posing a significant security risk.

Live on npm for 36 days, 8 hours and 13 minutes before removal. Socket users were protected even while the package was live.

The source code exhibits behavior consistent with data exfiltration by collecting extensive system information and sending it to an untrusted remote server. This is a significant security risk and indicates malicious intent.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

The source code is malicious as it performs unauthorized collection and exfiltration of sensitive system and package information to a suspicious external server. This poses a high security risk and privacy violation. The code is straightforward and not obfuscated, but the behavior is clearly malicious.

Live on npm for 1 hour and 17 minutes before removal. Socket users were protected even while the package was live.

This code is highly suspicious and should not be used without further investigation. The code is heavily obfuscated and could potentially contain malicious code. The purpose of the code is unclear and further investigation is necessary to determine its exact behavior.

Live on npm for 11 hours and 10 minutes before removal. Socket users were protected even while the package was live.

The provided code imports several external modules and calls a function from each. The module names and function calls are unusual and lack clarity, which raises some concerns. However, there is no direct evidence of malicious behavior in the provided code fragment itself. More information about the imported modules is needed to make a definitive judgment.

Live on npm for 57 days, 12 hours and 25 minutes before removal. Socket users were protected even while the package was live.

The code collects detailed system information and sends it to a remote server without user consent, posing a significant privacy and security risk. The behavior aligns with data exfiltration, which is often associated with malicious intent.

The code is likely malicious, as it collects and transmits system information to an external domain using obfuscation techniques. This behavior indicates potential data exfiltration.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

The module provides several functions to interact with a Git repository and an external API. However, there are potential security risks due to the use of `exec` for running shell commands, which could lead to command injection vulnerabilities. Additionally, the `getAi` function sends data to an external server, which could be a vector for data exfiltration.

Live on npm for 1 hour and 51 minutes before removal. Socket users were protected even while the package was live.

The code is involved in unauthorized data exfiltration by sending system and project information to external servers. This poses a significant security risk and is considered malicious behavior.

Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure-graph

Live on npm for 1 hour and 23 minutes before removal. Socket users were protected even while the package was live.

This code uses sophisticated obfuscation techniques to hide its true functionality. The use of string reversing, base64 encoding, zlib compression, and dynamic execution via exec() are strong indicators of potentially malicious intent. Without deobfuscating the payload, it's impossible to determine exactly what this code does, but the obfuscation methods themselves are highly suspicious and commonly associated with malware.

The code is clearly exfiltrating sensitive system information (hostname, username, current working directory, and network interfaces) to a remote server using the ping command. This behavior is indicative of malicious activity and poses a serious security risk.

Live on npm for 1 hour and 58 minutes before removal. Socket users were protected even while the package was live.

The code is designed to execute shell commands based on a schedule. While there's no direct evidence of malicious intent, the use of 'shell=True' in subprocess.run poses a significant security risk if untrusted inputs are used. This could potentially be exploited for arbitrary command execution.

Live on PyPI for 12 minutes before removal. Socket users were protected even while the package was live.

This script is highly suspicious and indicates a malicious intent. It attempts to establish a reverse shell connection, which can be used for unauthorized access and control of the system.

Live on npm for 29 days, 15 hours and 55 minutes before removal. Socket users were protected even while the package was live.

This code uses sophisticated obfuscation techniques to hide its true functionality. The use of string reversing, base64 encoding, zlib compression, and dynamic execution via exec() are strong indicators of potentially malicious intent. Without deobfuscating the payload, it's impossible to determine exactly what this code does, but the obfuscation methods themselves are highly suspicious and commonly associated with malware.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

The script exhibits potentially malicious behavior, such as creating and publishing a large number of npm packages and posting links to WordPress sites. The hardcoded credentials and use of subprocess for npm publish are significant security risks. While the intent may be to automate content creation and posting, the scale and method raise concerns of abuse and potential harm.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

This code exhibits malicious behavior by exfiltrating sensitive system information to an external domain using 'ping' requests. The use of hardcoded identifiers and base64 encoding of system data further indicates an intent to hide the nature of the information being sent. Given the explicit attempt to gather and transmit system information without authorization, this code poses a significant security risk.

The code contains a heavily obfuscated script using multiple encoding layers and eval() execution. Analysis reveals it's establishing C2 (Command & Control) communication through Discord's API/webhooks via encoded string patterns ('VMLCVLLCVMVCVMVCVVLCVLkCVkV' -> 'discord'). The malware employs a custom base-encoding scheme with a multi-stage decoder (utilizing _0xe50c function and character substitution) to hide its payload. The execution flow involves string manipulation, character code operations, and URL encoding/decoding before final payload execution through eval(). The code's structure suggests capabilities for data exfiltration, system information gathering, and persistence through Discord's platform. The combination of sophisticated obfuscation, Discord API abuse, and dynamic code execution represents a significant security threat, likely part of a larger malware operation using Discord as its C2 infrastructure

The code exhibits malicious behavior by sending environment variables to a remote server, which can include sensitive information. The use of string concatenation for obfuscation and the connection to a suspicious domain further indicate malicious intent.

Live on npm for 22 minutes before removal. Socket users were protected even while the package was live.

The code poses a potential privacy violation risk as it collects and sends user data to a remote server without sanitization and user consent. The tracking data should be reviewed and sent to a trusted server if necessary.

Live on npm for 2 days, 5 hours and 47 minutes before removal. Socket users were protected even while the package was live.

High-risk browser automation evasion library that systematically spoofs browser fingerprints and hides WebDriver presence. While not containing direct malware, it enables malicious automation by bypassing anti-bot protections and could facilitate fraud, unauthorized scraping, or other malicious automated activities.

The code is malicious as it collects and sends system information to a remote server. It is heavily obfuscated to hide its true intent, which is indicative of malware.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

This script creates a privileged 'rescue' account with root-level access and configures passwordless sudo permissions, effectively functioning as a backdoor. It reads credentials from a configuration file and writes them into system files to grant unrestricted administrative rights. Such behavior allows full system compromise without requiring authentication. No external domains or IP addresses are referenced.

The code is part of a tool that provides extensive system-level access and manipulation capabilities. While it is not inherently malicious, its functionalities can be used for both legitimate and malicious purposes, depending on the context and user intent.

The source code exhibits behavior consistent with data exfiltration malware. It collects sensitive system information and sends it to external endpoints without user consent, posing a significant security risk.

Live on npm for 36 days, 8 hours and 13 minutes before removal. Socket users were protected even while the package was live.

The source code exhibits behavior consistent with data exfiltration by collecting extensive system information and sending it to an untrusted remote server. This is a significant security risk and indicates malicious intent.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

The source code is malicious as it performs unauthorized collection and exfiltration of sensitive system and package information to a suspicious external server. This poses a high security risk and privacy violation. The code is straightforward and not obfuscated, but the behavior is clearly malicious.

Live on npm for 1 hour and 17 minutes before removal. Socket users were protected even while the package was live.

This code is highly suspicious and should not be used without further investigation. The code is heavily obfuscated and could potentially contain malicious code. The purpose of the code is unclear and further investigation is necessary to determine its exact behavior.

Live on npm for 11 hours and 10 minutes before removal. Socket users were protected even while the package was live.

The provided code imports several external modules and calls a function from each. The module names and function calls are unusual and lack clarity, which raises some concerns. However, there is no direct evidence of malicious behavior in the provided code fragment itself. More information about the imported modules is needed to make a definitive judgment.

Live on npm for 57 days, 12 hours and 25 minutes before removal. Socket users were protected even while the package was live.

The code collects detailed system information and sends it to a remote server without user consent, posing a significant privacy and security risk. The behavior aligns with data exfiltration, which is often associated with malicious intent.

The code is likely malicious, as it collects and transmits system information to an external domain using obfuscation techniques. This behavior indicates potential data exfiltration.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

The module provides several functions to interact with a Git repository and an external API. However, there are potential security risks due to the use of `exec` for running shell commands, which could lead to command injection vulnerabilities. Additionally, the `getAi` function sends data to an external server, which could be a vector for data exfiltration.

Live on npm for 1 hour and 51 minutes before removal. Socket users were protected even while the package was live.

The code is involved in unauthorized data exfiltration by sending system and project information to external servers. This poses a significant security risk and is considered malicious behavior.

Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure-graph

Live on npm for 1 hour and 23 minutes before removal. Socket users were protected even while the package was live.

This code uses sophisticated obfuscation techniques to hide its true functionality. The use of string reversing, base64 encoding, zlib compression, and dynamic execution via exec() are strong indicators of potentially malicious intent. Without deobfuscating the payload, it's impossible to determine exactly what this code does, but the obfuscation methods themselves are highly suspicious and commonly associated with malware.

The code is clearly exfiltrating sensitive system information (hostname, username, current working directory, and network interfaces) to a remote server using the ping command. This behavior is indicative of malicious activity and poses a serious security risk.

Live on npm for 1 hour and 58 minutes before removal. Socket users were protected even while the package was live.

The code is designed to execute shell commands based on a schedule. While there's no direct evidence of malicious intent, the use of 'shell=True' in subprocess.run poses a significant security risk if untrusted inputs are used. This could potentially be exploited for arbitrary command execution.

Live on PyPI for 12 minutes before removal. Socket users were protected even while the package was live.

This script is highly suspicious and indicates a malicious intent. It attempts to establish a reverse shell connection, which can be used for unauthorized access and control of the system.

Live on npm for 29 days, 15 hours and 55 minutes before removal. Socket users were protected even while the package was live.

This code uses sophisticated obfuscation techniques to hide its true functionality. The use of string reversing, base64 encoding, zlib compression, and dynamic execution via exec() are strong indicators of potentially malicious intent. Without deobfuscating the payload, it's impossible to determine exactly what this code does, but the obfuscation methods themselves are highly suspicious and commonly associated with malware.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.

The script exhibits potentially malicious behavior, such as creating and publishing a large number of npm packages and posting links to WordPress sites. The hardcoded credentials and use of subprocess for npm publish are significant security risks. While the intent may be to automate content creation and posting, the scale and method raise concerns of abuse and potential harm.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

This code exhibits malicious behavior by exfiltrating sensitive system information to an external domain using 'ping' requests. The use of hardcoded identifiers and base64 encoding of system data further indicates an intent to hide the nature of the information being sent. Given the explicit attempt to gather and transmit system information without authorization, this code poses a significant security risk.

The code contains a heavily obfuscated script using multiple encoding layers and eval() execution. Analysis reveals it's establishing C2 (Command & Control) communication through Discord's API/webhooks via encoded string patterns ('VMLCVLLCVMVCVMVCVVLCVLkCVkV' -> 'discord'). The malware employs a custom base-encoding scheme with a multi-stage decoder (utilizing _0xe50c function and character substitution) to hide its payload. The execution flow involves string manipulation, character code operations, and URL encoding/decoding before final payload execution through eval(). The code's structure suggests capabilities for data exfiltration, system information gathering, and persistence through Discord's platform. The combination of sophisticated obfuscation, Discord API abuse, and dynamic code execution represents a significant security threat, likely part of a larger malware operation using Discord as its C2 infrastructure

The code exhibits malicious behavior by sending environment variables to a remote server, which can include sensitive information. The use of string concatenation for obfuscation and the connection to a suspicious domain further indicate malicious intent.

Live on npm for 22 minutes before removal. Socket users were protected even while the package was live.

The code poses a potential privacy violation risk as it collects and sends user data to a remote server without sanitization and user consent. The tracking data should be reviewed and sent to a trusted server if necessary.

Live on npm for 2 days, 5 hours and 47 minutes before removal. Socket users were protected even while the package was live.

High-risk browser automation evasion library that systematically spoofs browser fingerprints and hides WebDriver presence. While not containing direct malware, it enables malicious automation by bypassing anti-bot protections and could facilitate fraud, unauthorized scraping, or other malicious automated activities.

The code is malicious as it collects and sends system information to a remote server. It is heavily obfuscated to hide its true intent, which is indicative of malware.

Live on npm for 16 minutes before removal. Socket users were protected even while the package was live.