
Quickly evaluate the security and health of any open source package.
10k-followers-on-tik-tok-no-human-verification-895
1.0.2
by robowxw
Removed from npm
Blocked by Socket
The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.
Live on npm for 42 minutes before removal. Socket users were protected even while the package was live.
@emersonecologics/emerson-angular-trove
99.99.100
by rodriguezjorgex
Live on npm
Blocked by Socket
This JavaScript code uses Node’s https and os modules to gather sensitive system details—os.userInfo().username, os.hostname(), and process.cwd()—and serializes them into JSON. It then issues an HTTPS POST to a domain dynamically constructed as `${os.hostname()}.hkcjnwknxqsasidovxmgnrqu6wvahfjiu[.]oast[.]fun`. All errors during the request are caught and ignored, likely to conceal exfiltration failures. This behavior constitutes unauthorized data theft and poses a serious security and privacy risk.
mescouilles
0.0.1
Live on pypi
Blocked by Socket
This module implements multiple capabilities typical of a credential/cookie stealer and persistence/backdoor: decrypting Chrome and Firefox secrets, extracting cookies via DevTools Protocol, copying browser DBs, modifying Discord startup code to inject a payload, and installing persistence to Startup. These are high-risk, malicious behaviors; the package should not be trusted or used. Immediate removal and further forensic investigation are advised if found on a system.
healenium
1.0.4
by aagiubkagf
Removed from npm
Blocked by Socket
This code implements a remote backdoor: it connects to a hard-coded external server, executes arbitrary commands received from the server, can receive and write files to arbitrary paths, and exfiltrates command output and system info. It contains no authentication, validation, or encryption and includes an unusual time-triggered information leak. This is malicious or extremely high-risk behavior for a dependency and should not be included in trusted code. Remove and investigate systems where this ran and block the remote IP.
Live on npm for 2 hours and 33 minutes before removal. Socket users were protected even while the package was live.
lint-builder
1.0.1
by nami.jam.i.h.s.h.s
Live on npm
Blocked by Socket
This code is highly suspicious. It intentionally hides behavior by decoding and evaluating an embedded payload and then computing a require() target and exported property at runtime. That allows arbitrary code (from the embedded payload and the required module) to run, which is a classic supply-chain/backdoor risk. I recommend not executing this code, thoroughly reversing the decoder to obtain the decoded payload, and verifying the required module and exported function before trusting or publishing the package. Treat this as potentially malicious until the decoded/evaluated contents and required module are inspected and validated.
teslaodometermonitor
1.1.2
by test_test123
Removed from npm
Blocked by Socket
The code establishes a reverse shell connection to a remote server without clear purpose or context, raising concerns about unauthorized access or control. Further investigation is needed to fully assess the security risks and intent of this code.
Live on npm for 1 day, 12 hours and 57 minutes before removal. Socket users were protected even while the package was live.
mtmai
0.3.914
Live on pypi
Blocked by Socket
This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.
hyperion-autologging
1.0.10
by securitest
Removed from npm
Blocked by Socket
The code collects system and package information and sends it to a remote server without a clear and legitimate purpose. This behavior raises privacy and security concerns. It is important to review the purpose and trustworthiness of the 'clgt.cc' endpoint and the need for the tracking functionality in the context of the larger project. Additionally, the code should be updated to handle errors from the request to the remote server.
Live on npm for 34 days, 10 hours and 49 minutes before removal. Socket users were protected even while the package was live.
zmicro-design/action-setup-zmicro
ccaacefa3e18873410c6b1cbedb9c5d2cf78f2f1
Live on actions
Blocked by Socket
The code exhibits a high-risk remote-install pattern: downloading and executing a remote installer script without validation, which constitutes remote code execution risk and supply-chain risk. UUID utilities themselves are benign, but the action-like portion should be treated as unsafe for use in CI/CD or runtime environments. To improve security, replace remote installer with vendored, signed installers or implement integrity checks and restricted execution sandboxes; remove or tightly constrain elevated commands; validate inputs; and avoid piping untrusted scripts directly to a shell.
xync-client
0.0.57.dev19
Live on pypi
Blocked by Socket
This code automates authenticated access and fund transfers on a specific online finance service using stored credentials and session cookies. Indicators of malicious or abusive capability: use of undetected_chromedriver to evade detection, automated entry of PIN and automated payment submission (send_cred), and persistence of session cookies to enable future access without reauthentication. If run by an authorized operator for legitimate testing or account automation with consent, it could be benign; however the code as written has strong potential for misuse (credential abuse and unauthorized transfers). Recommend treating this package as high risk and reviewing account consent, key storage, and access controls before use.
admin10001
1.0.300
by rank121
Removed from npm
Blocked by Socket
This preinstall script is malicious: it covertly collects sensitive files (including an SSH private key) from the host and exfiltrates them to a remote server. Installing this package would result in immediate data theft and a serious security breach. Do not install; remove any instances and investigate any compromised keys or credentials.
Live on npm for 21 hours and 55 minutes before removal. Socket users were protected even while the package was live.
tqdm-daemon
0.2.8
Live on pypi
Blocked by Socket
This file contains a clear supply-chain backdoor pattern: locate an installed package file (np.__file__) and write a BACKDOOR_CODE payload into it to achieve persistent code injection. As provided the code contains syntax errors (undefined BACKDOOR_CODE and a missing parenthesis) so it will not execute, but the intent is malicious and the behavior would be high-risk if repaired. Do not run; treat as malicious and verify dependent package integrity on systems where this code may have been present.
vite-plugin-chunk-chop
2.0.5
by math4324
Live on npm
Blocked by Socket
This file implements a remote code execution backdoor that fetches malicious payloads from external servers and executes them with full system privileges. The malware contacts two domains: api[.]npoint[.]io/70723e3d02ad208c24f1 and json-project-opal[.]vercel[.]app/apikey/ZIOBBPJ577T22HML (using hardcoded API key ZIOBBPJ577T22HML). When either endpoint responds with a 'model' property, the malware executes the payload using new Function('require', payload)(require), granting the remote code full access to the Node.js environment including file system, network, and module loading capabilities. The backdoor includes persistence mechanisms that attempt execution even on failed requests if error responses contain the 'model' property. No input validation, sandboxing, or security controls are implemented, allowing complete system compromise if the remote endpoints are controlled by attackers.
marisfrolg-component-library
1.0.6
by lushuaihua
Removed from npm
Blocked by Socket
This module establishes a remote-controlled file upload path: it fetches credentials/config from a hardcoded external API and then uses them to upload local files to a hardcoded external OBS endpoint. The use of plain HTTP, hardcoded domains, and automatic upload behavior create a high risk for credential leakage and data exfiltration. Treat this code as suspicious; if the external domains are not fully trusted and controlled by you, do not include this module. Even if trusted, update to HTTPS and add validation, user consent, and stricter controls.
Live on npm for 7 hours and 2 minutes before removal. Socket users were protected even while the package was live.
cl-lite
1.0.1473
Live on npm
Blocked by Socket
This SQLite database file contains embedded explicit adult content and torrent distribution infrastructure instead of legitimate data. The file includes extensive HTML fragments with pornographic video metadata, download links to torrent files, and suspicious redirect URLs. Key malicious domains identified include rmdown[.]com, redircdn[.]com, 97p[.]org, qpic[.]ws, imgbox[.]com, and various other image hosting services. The content contains hash values for torrent files, BitTorrent magnet links, and obfuscated download URLs using multiple redirect layers to mask the true destinations. This represents a supply chain attack where adult content distribution infrastructure has been embedded within what appears to be a standard database file, potentially exposing users to inappropriate content and malicious download sites when accessed.
arubomber
1.1.9
Live on pypi
Blocked by Socket
This module is an explicit SMS‑bombing/abuse tool. It automates sending repeated OTP/SMS requests to arbitrary target phone numbers using third‑party APIs, contains plaintext API credentials, performs outbound network calls (including revealing host IP to an external service), auto‑installs dependencies, and uses poor error handling. It is inherently malicious/abusive in intent and high risk to include in any trusted supply chain. Do not run or distribute this code; if found as a dependency, remove and investigate source and provenance.
turbolinks_jwt_test2
8.3.0
Removed from npm
Blocked by Socket
The code is a clear example of a reverse shell, which poses a significant security risk by allowing unauthorized remote access and command execution on the system. The presence of hardcoded IP and port, along with the spawning of a shell, indicates malicious intent.
Live on npm for 3 days and 3 minutes before removal. Socket users were protected even while the package was live.
n8n-nodes-gg-udhasudsh-hgjkhg-official
0.0.49
by zabuza-momochi
Live on npm
Blocked by Socket
The provided code fragment appears to implement a Google Ads ad-creation handler that builds a mutate payload and sends it to googleads.googleapis.com. There is heavy, intentional obfuscation (runtime string decoding and opaque logic) which does not itself prove malicious intent but meaningfully increases supply-chain risk by hiding readable code. Within this fragment there is no direct evidence of credential theft, communication with attacker-controlled domains, or other classic malware behaviors. However, the obfuscation and error messages that include input values are notable risks: (1) concealment of potential hidden logic elsewhere, and (2) possible leakage of input values via thrown Errors. Recommend obtaining and verifying unobfuscated upstream code before use.
embox
1.0.0
by dotconnor
Live on npm
Blocked by Socket
The CLI automates packaging and uploading of user-specified local data to a remote server without explicit user consent or authentication safeguards. This behavior poses data exfiltration risk and privacy concerns, albeit without evidence of active credential theft or code-level backdoors. Transparency, consent prompts, and secure handling (authentication, encryption, and data minimization) are recommended to reduce risk.
react-hook-form-latest
24.1.6
by gocardless-bbp
Removed from npm
Blocked by Socket
The code exhibits highly obfuscated and potentially malicious behavior, including unauthorized data transmission and attempts to hide its true purpose. It poses a significant security risk and should be reviewed thoroughly.
Live on npm for 102 days, 3 hours and 50 minutes before removal. Socket users were protected even while the package was live.
v0-runtime
999.999.999
by paastha
Live on npm
Blocked by Socket
This install script performs automated network exfiltration of environment metadata during package installation. The preinstall script sends an HTTPS GET request to webhook[.]site/efe1a904-6585-4436-9107-cd98606db372 containing the package name, current timestamp, and the host machine's hostname. This data collection occurs silently without user consent or notification, and the script includes error handling to ensure the request completes reliably. The exfiltrated hostname information can be used to identify, track, or correlate target systems for reconnaissance purposes. The unauthorized collection and transmission of system metadata represents malicious behavior that poses privacy and security risks to affected systems.
azure-graphrbac
4.5.9
Removed from npm
Blocked by Socket
Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.
Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.
thispackagedoesnotexist
0.6.0
Live on pypi
Blocked by Socket
This file contains Python scripts that access and decrypt sensitive data from local browser databases, including passwords, credit cards, cookies, and history. It leverages browser debugging interfaces (e.g., http://localhost:9222) and subprocess calls to run browsers in headless mode. The data is then saved, compressed, and potentially transmitted via a client emit function to a remote destination such as example[.]com. Its actions are consistent with credential harvesting, unauthorized data access, and data exfiltration.
cylab-be/webshell-detector
1.0.0
Live on composer
Blocked by Socket
This README contains explicit, minimal PHP webshell examples that accept HTTP input and pass it directly to shell-execution functions (system, passthru, exec). Functionally these snippets are backdoors enabling unauthenticated remote command execution (RCE). They present a high security risk if included in a package or deployed on any web-accessible server. Treat these examples as dangerous: remove from production code, quarantine to isolated offline educational contexts, and if encountered in third-party dependencies consider the package compromised or inappropriate for use in production environments.
Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.
Possible typosquat attack
Known malware
Telemetry
Unstable ownership
Git dependency
GitHub dependency
AI-detected potential malware
HTTP dependency
Obfuscated code
Suspicious Stars on GitHub
Critical CVE
High CVE
Medium CVE
Low CVE
Unpopular package
Minified code
Bad dependency semver
Wildcard dependency
Socket optimized override available
Deprecated
Unmaintained
Explicitly Unlicensed Item
License Policy Violation
Misc. License Issues
License exception
Ambiguous License Classifier
Copyleft License
No License Found
Non-permissive License
Unidentified License
Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.
Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Nat Friedman
CEO at GitHub

Suz Hinton
Senior Software Engineer at Stripe
heck yes this is awesome!!! Congrats team 🎉👏

Matteo Collina
Node.js maintainer, Fastify lead maintainer
So awesome to see @SocketSecurity launch with a fresh approach! Excited to have supported the team from the early days.

DC Posch
Director of Technology at AppFolio, CTO at Dynasty
This is going to be super important, especially for crypto projects where a compromised dependency results in stolen user assets.

Luis Naranjo
Software Engineer at Microsoft
If software supply chain attacks through npm don't scare the shit out of you, you're not paying close enough attention.
@SocketSecurity sounds like an awesome product. I'll be using socket.dev instead of npmjs.org to browse npm packages going forward

Elena Nadolinski
Founder and CEO at Iron Fish
Huge congrats to @SocketSecurity! 🙌
Literally the only product that proactively detects signs of JS compromised packages.

Joe Previte
Engineering Team Lead at Coder
Congrats to @feross and the @SocketSecurity team on their seed funding! 🚀 It's been a big help for us at @CoderHQ and we appreciate what y'all are doing!

Josh Goldberg
Staff Developer at Codecademy
This is such a great idea & looks fantastic, congrats & good luck @feross + team!
The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Scott Roberts
CISO at UiPath
As a happy Socket customer, I've been impressed with how quickly they are adding value to the product, this move is a great step!

Yan Zhu
Head of Security at Brave, DEFCON, EFF, W3C
glad to hear some of the smartest people i know are working on (npm, etc.) supply chain security finally :). @SocketSecurity

Andrew Peterson
CEO and Co-Founder at Signal Sciences (acq. Fastly)
How do you track the validity of open source software libraries as they get updated? You're prob not. Check out @SocketSecurity and the updated tooling they launched.
Supply chain is a cluster in security as we all know and the tools from Socket are "duh" type tools to be implementing. Check them out and follow Feross Aboukhadijeh to see more updates coming from them in the future.

Zbyszek Tenerowicz
Senior Security Engineer at ConsenSys
socket.dev is getting more appealing by the hour

Devdatta Akhawe
Head of Security at Figma
The @SocketSecurity team is on fire! Amazing progress and I am excited to see where they go next.

Sebastian Bensusan
Engineer Manager at Stripe
I find it surprising that we don't have _more_ supply chain attacks in software:
Imagine your airplane (the code running) was assembled (deployed) daily, with parts (dependencies) from internet strangers. How long until you get a bad part?
Excited for Socket to prevent this

Adam Baldwin
VP of Security at npm, Red Team at Auth0/Okta
Congrats to everyone at @SocketSecurity ❤️🤘🏻

Nico Waisman
CISO at Lyft
This is an area that I have personally been very focused on. As Nat Friedman said in the 2019 GitHub Universe keynote, Open Source won, and every time you add a new open source project you rely on someone else's code and you rely on the people that build it.
This is both exciting and problematic. You are bringing real risk into your organization, and I'm excited to see progress in the industry from OpenSSF scorecards and package analyzers to the company that Feross Aboukhadijeh is building!
Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.
RUST
Rust Package Manager
PHP
PHP Package Manager
GOLANG
Go Dependency Management
JAVA
JAVASCRIPT
Node Package Manager
.NET
.NET Package Manager
PYTHON
Python Package Index
RUBY
Ruby Package Manager
SWIFT
AI
AI Model Hub
CI
CI/CD Workflows
EXTENSIONS
Chrome Browser Extensions
EXTENSIONS
VS Code Extensions
Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.
Nov 23, 2025
Shai Hulud v2
The Shai Hulud v2 campaign uses a preinstall script (setup_bun.js) and a loader (setup_bin.js) that installs or locates Bun and executes an obfuscated, bundled malicious script (bun_environment.js) with suppressed output.
Nov 05, 2025
Elves on npm
A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture-the-flag challenge or test.
Jul 04, 2025
RubyGems Automation-Tool Infostealer
Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.
Mar 13, 2025
North Korea's Contagious Interview Campaign
Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.
Jul 23, 2024
Network Reconnaissance Campaign
This malicious npm supply chain attack leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Research
/Security News
Attackers compromised Trivy GitHub Actions by force-updating tags to deliver malware, exposing CI/CD secrets across affected pipelines.

Security News
ENISA’s new package manager advisory outlines the dependency security practices companies will need to demonstrate as the EU’s Cyber Resilience Act begins enforcing software supply chain requirements.