Secure your dependencies. Ship with confidence.

The code poses a significant security risk due to the use of suspicious URLs, hardcoded API key, and lack of validation for downloaded images. Further investigation is recommended to determine the intent and safety of the code.

This package runs two local Node scripts during installation. That behavior is potentially dangerous because it executes arbitrary code on the host. The missing pre.js from the published files is suspicious. Inspect the contents of index.js and pre.js before installing; treat this as a high-risk install-time script until proven safe.

Live on npm for 2 days, 2 hours and 16 minutes before removal. Socket users were protected even while the package was live.

This code fragment is highly obfuscated and constructs structured messages that include admin and system information, then asynchronously sends those payloads to external endpoints. That behavior matches data-exfiltration/notification patterns. Because implementations of the send functions and the final destinations are not included, I cannot definitively classify it as malicious. Treat this module as suspicious: if you cannot confirm the recipients and purpose, do not run it in sensitive environments. Review the deobfuscation routine and the send functions to determine actual endpoints and whether sensitive data is transmitted to unauthorized parties.

This module is a deliberate offensive tool designed to achieve remote code execution against Dolibarr instances by creating content pages containing arbitrary PHP, triggering their execution, collecting output, and then attempting destructive cleanup via rm on the remote host. Inclusion of this code in a dependency is a critical supply-chain risk. Treat as malicious/unwanted in almost all production contexts unless explicitly used for authorized security testing; remove, investigate, and rotate any potentially compromised credentials/endpoints if found.

This code collects system-identifying data (username, hostname, file path), hex-encodes it, constructs a domain under a hardcoded external base ('furb.pw') embedding that data into subdomain labels, and issues an HTTPS GET to that domain — a clear data-exfiltration pattern. The behavior is malicious or at minimum privacy-invasive telemetry sent to an external third party. The package should not be trusted or used without removal of the network exfiltration logic and a full audit.

This Ruby script gathers sensitive host data (username via ENV or `whoami`, hostname via Socket.gethostname, and its own file path), hex-encodes each piece, and embeds them into a dynamically constructed subdomain under furb[.]pw (e.g. a<username_hex>.a<hostname_hex>.a<filepath_hex>.furb[.]pw). It then issues an HTTPS GET request to that domain via Net::HTTP, effectively exfiltrating system identifiers to an attacker-controlled endpoint. The use of an inverted `unless __FILE__ == $0` guard causes the code to run when the file is loaded as a library, making it a stealthy supply-chain backdoor with no user consent or visible functionality.

The source code exhibits behavior consistent with data exfiltration malware. It collects sensitive system information and sends it to external endpoints without user consent, posing a significant security risk.

Live on npm for 19 days and 41 minutes before removal. Socket users were protected even while the package was live.

The script misleadingly claims to add the current user to a system group by referring to the ${USER} environment variable, yet it actually adds a hardcoded username ('snorri') to the 'users' group. It then prompts the user for confirmation to change their primary group to 'users' using sudo usermod commands. This behavior, which deviates from the claimed action, may indicate an attempt to silently establish a backdoor with elevated privileges and facilitate unauthorized access. No domains, IP addresses, or external URLs are involved.

The script is sending system information to a remote server without clear justification. This behavior is highly suspicious and potentially malicious.

Live on npm for 31 days, 21 hours and 46 minutes before removal. Socket users were protected even while the package was live.

This file is offensive/exploit tooling: it performs automated reconnaissance, crafts and sends SQLi and PHP eval payloads against Joomla sites, extracts credentials/session data, and attempts to install a PHP webshell for persistence. Those behaviors constitute malicious activity (unauthorized access, credential theft, backdoor installation). Treat this code as malicious/exploitative; do not include it in trusted dependencies or run it on networks you do not own/authorize. The snippet contains some syntactic errors suggesting a truncated copy, but intent and many operational parts are explicit.

The script is designed to send sensitive information from the system to an external server, which is malicious behavior and poses a severe security risk.

Live on npm for 13 days, 22 hours and 42 minutes before removal. Socket users were protected even while the package was live.

This script contains high-risk behaviors. The most critical issues are: (1) unconditional torch.load() of discovered .pt files (pickle deserialization) which can execute arbitrary code if a checkpoint is malicious, and (2) constructing and executing shell commands via os.system with unsanitized path insertion (shell injection risk). Additionally, it will recursively search and resume many checkpoints, launching silent background processes that can exhaust resources. If this code runs in environments where attacker-controlled files or paths exist (typical in shared CI runners, build hosts, or during dependency installation), it is dangerous and should not be used without strict file trust guarantees and proper sanitization/quoting. Recommended fixes: avoid loading untrusted checkpoints; validate and strictly control checkpoint sources; use torch.load with appropriate map_location and safer deserialization patterns (avoid pickle when possible); avoid os.system with untrusted interpolated values — use subprocess with args list and proper quoting; do not background/redirect silently.

This file mixes legitimate barcode->PDF rendering classes with a large, intentionally obfuscated runtime component that decrypts embedded resources and exposes low-level native APIs (VirtualAlloc, WriteProcessMemory, OpenProcess, GetProcAddress, etc.) and performs runtime code generation. Those behaviors are strong indicators of malicious/suspicious capability (code injection, executing decrypted payloads, runtime hooking). Even if the barcode functionality is benign, the obfuscated runtime provides all primitives needed for in-memory payload execution and process manipulation. I assess this as high risk — treat the package as potentially malicious and do not use it without thorough auditing and removal of the obfuscated/decryption/native parts.

This code constructs and delivers a CSRF exploit page intended to change a victim's email address — it is explicitly an offensive action. It contains unsafe networking practices (verify=False, suppressed warnings) and a hard-coded CSRF token. The snippet is incomplete and syntactically broken here, but the intent is malicious: the module is an exploit helper for delivering CSRF payloads. Treat this code as potentially harmful; do not run it against real systems without explicit authorization (only use in controlled lab or testing environments).

This module exposes a UDP remote-control interface that can execute system-level operations, reinstall packages via shell commands, and exfiltrate local files. The dynamic invocation of Os/ProxyCircle methods from untrusted UDP input, file upload capability, and use of os.popen for package uninstallation/installation are high-risk behaviors consistent with a backdoor or remote administration tool. If deployed on untrusted networks or without strict cryptographic authentication in the referenced libs, it poses a severe supply-chain and system compromise risk. Recommend treating this package as dangerous until shown otherwise and auditing related modules (pubip_rsa, oscmd, FileHandle, Format/deFormat) for authentication and unsafe behavior.

This code contains highly malicious behavior, it collects sensitive system information and sends it to a remote server. It's strongly recommended not to use this code.

Live on npm for 21 days, 3 hours and 49 minutes before removal. Socket users were protected even while the package was live.

Malicious bash initialization script that performs destructive filesystem operations on macOS systems. When the external helper script 'isuserdarwin.sh' returns true, the script silently executes 'sudo rm -rf' to delete critical user directories including ~/Applications, ~/Movies, ~/Music, ~/Pictures, ~/Public, and ~/Sites without user confirmation. It also removes the macOS sleepimage file at /private/var/vm/sleepimage. The script modifies SSH directory permissions using 'sudo chmod -R go-rw' which can break SSH access or expose credentials. All destructive operations have their output suppressed with '>/dev/null 2>&1' to hide failures and make the actions stealthy. The script uses eval to execute the output of /usr/bin/dircolors, creating a command injection risk if the binary is compromised. It depends on external scripts (paper.sh, isuserdarwin.sh, debug.sh) whose contents are unknown and could execute arbitrary code. The destructive operations are embedded within what appears to be routine shell configuration code, likely to disguise the malicious intent.

The code is exfiltrating sensitive system information to an external server without user consent, which is a clear malicious activity. This poses a significant security risk.

Live on npm for 2 days, 13 hours and 23 minutes before removal. Socket users were protected even while the package was live.

This module is a remote agent that creates a persistent outbound WebSocket connection to a (default) remote server and exposes powerful remote capabilities: arbitrary shell execution, file reading, process management, desktop screenshotting, and simulated input (mouse/keyboard). The network protocol uses a weak custom encryption scheme and sends a client key in clear. The code can be legitimately used for remote support/administration, but it also has all the capabilities of a Remote Access Trojan (RAT). If this package is included in software without explicit, audited user consent and server control, it poses a high supply-chain risk. Use only with full knowledge of the server endpoint and after security review.

The code is a cross-server tool orchestrator with nested invocation support. The primary security risk stems from evaluating transform expressions via eval, which could enable arbitrary code execution if untrusted inputs are supplied. While there are safeguards (identifier checks, limited builtins), the approach remains risky for open-source or supply chain contexts. The incomplete main block hints at potential syntax issues or truncation. Overall, moderate risk with a notable high-risk vector (transform expression evaluation) that warrants safer evaluation or formal sandboxing before deployment.

Live on PyPI for 2 minutes before removal. Socket users were protected even while the package was live.

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

The provided code imports several modules with unusual naming conventions and calls a method `functame` on each. The purpose and behavior of the code are unclear, and the naming conventions suggest potential obfuscation. However, without more context or additional code, it is difficult to definitively identify any malicious behavior.

Live on npm for 57 days, 7 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The code contains suspicious elements like hard-coded hex strings, dynamic execution, and conditional sending of data to external servers, which could indicate potential malicious intent or data exfiltration.

Live on npm for 59 minutes before removal. Socket users were protected even while the package was live.

The code poses a significant security risk due to the use of suspicious URLs, hardcoded API key, and lack of validation for downloaded images. Further investigation is recommended to determine the intent and safety of the code.

This package runs two local Node scripts during installation. That behavior is potentially dangerous because it executes arbitrary code on the host. The missing pre.js from the published files is suspicious. Inspect the contents of index.js and pre.js before installing; treat this as a high-risk install-time script until proven safe.

Live on npm for 2 days, 2 hours and 16 minutes before removal. Socket users were protected even while the package was live.

This code fragment is highly obfuscated and constructs structured messages that include admin and system information, then asynchronously sends those payloads to external endpoints. That behavior matches data-exfiltration/notification patterns. Because implementations of the send functions and the final destinations are not included, I cannot definitively classify it as malicious. Treat this module as suspicious: if you cannot confirm the recipients and purpose, do not run it in sensitive environments. Review the deobfuscation routine and the send functions to determine actual endpoints and whether sensitive data is transmitted to unauthorized parties.

This module is a deliberate offensive tool designed to achieve remote code execution against Dolibarr instances by creating content pages containing arbitrary PHP, triggering their execution, collecting output, and then attempting destructive cleanup via rm on the remote host. Inclusion of this code in a dependency is a critical supply-chain risk. Treat as malicious/unwanted in almost all production contexts unless explicitly used for authorized security testing; remove, investigate, and rotate any potentially compromised credentials/endpoints if found.

This code collects system-identifying data (username, hostname, file path), hex-encodes it, constructs a domain under a hardcoded external base ('furb.pw') embedding that data into subdomain labels, and issues an HTTPS GET to that domain — a clear data-exfiltration pattern. The behavior is malicious or at minimum privacy-invasive telemetry sent to an external third party. The package should not be trusted or used without removal of the network exfiltration logic and a full audit.

This Ruby script gathers sensitive host data (username via ENV or `whoami`, hostname via Socket.gethostname, and its own file path), hex-encodes each piece, and embeds them into a dynamically constructed subdomain under furb[.]pw (e.g. a<username_hex>.a<hostname_hex>.a<filepath_hex>.furb[.]pw). It then issues an HTTPS GET request to that domain via Net::HTTP, effectively exfiltrating system identifiers to an attacker-controlled endpoint. The use of an inverted `unless __FILE__ == $0` guard causes the code to run when the file is loaded as a library, making it a stealthy supply-chain backdoor with no user consent or visible functionality.

The source code exhibits behavior consistent with data exfiltration malware. It collects sensitive system information and sends it to external endpoints without user consent, posing a significant security risk.

Live on npm for 19 days and 41 minutes before removal. Socket users were protected even while the package was live.

The script misleadingly claims to add the current user to a system group by referring to the ${USER} environment variable, yet it actually adds a hardcoded username ('snorri') to the 'users' group. It then prompts the user for confirmation to change their primary group to 'users' using sudo usermod commands. This behavior, which deviates from the claimed action, may indicate an attempt to silently establish a backdoor with elevated privileges and facilitate unauthorized access. No domains, IP addresses, or external URLs are involved.

The script is sending system information to a remote server without clear justification. This behavior is highly suspicious and potentially malicious.

Live on npm for 31 days, 21 hours and 46 minutes before removal. Socket users were protected even while the package was live.

This file is offensive/exploit tooling: it performs automated reconnaissance, crafts and sends SQLi and PHP eval payloads against Joomla sites, extracts credentials/session data, and attempts to install a PHP webshell for persistence. Those behaviors constitute malicious activity (unauthorized access, credential theft, backdoor installation). Treat this code as malicious/exploitative; do not include it in trusted dependencies or run it on networks you do not own/authorize. The snippet contains some syntactic errors suggesting a truncated copy, but intent and many operational parts are explicit.

The script is designed to send sensitive information from the system to an external server, which is malicious behavior and poses a severe security risk.

Live on npm for 13 days, 22 hours and 42 minutes before removal. Socket users were protected even while the package was live.

This script contains high-risk behaviors. The most critical issues are: (1) unconditional torch.load() of discovered .pt files (pickle deserialization) which can execute arbitrary code if a checkpoint is malicious, and (2) constructing and executing shell commands via os.system with unsanitized path insertion (shell injection risk). Additionally, it will recursively search and resume many checkpoints, launching silent background processes that can exhaust resources. If this code runs in environments where attacker-controlled files or paths exist (typical in shared CI runners, build hosts, or during dependency installation), it is dangerous and should not be used without strict file trust guarantees and proper sanitization/quoting. Recommended fixes: avoid loading untrusted checkpoints; validate and strictly control checkpoint sources; use torch.load with appropriate map_location and safer deserialization patterns (avoid pickle when possible); avoid os.system with untrusted interpolated values — use subprocess with args list and proper quoting; do not background/redirect silently.

This file mixes legitimate barcode->PDF rendering classes with a large, intentionally obfuscated runtime component that decrypts embedded resources and exposes low-level native APIs (VirtualAlloc, WriteProcessMemory, OpenProcess, GetProcAddress, etc.) and performs runtime code generation. Those behaviors are strong indicators of malicious/suspicious capability (code injection, executing decrypted payloads, runtime hooking). Even if the barcode functionality is benign, the obfuscated runtime provides all primitives needed for in-memory payload execution and process manipulation. I assess this as high risk — treat the package as potentially malicious and do not use it without thorough auditing and removal of the obfuscated/decryption/native parts.

This code constructs and delivers a CSRF exploit page intended to change a victim's email address — it is explicitly an offensive action. It contains unsafe networking practices (verify=False, suppressed warnings) and a hard-coded CSRF token. The snippet is incomplete and syntactically broken here, but the intent is malicious: the module is an exploit helper for delivering CSRF payloads. Treat this code as potentially harmful; do not run it against real systems without explicit authorization (only use in controlled lab or testing environments).

This module exposes a UDP remote-control interface that can execute system-level operations, reinstall packages via shell commands, and exfiltrate local files. The dynamic invocation of Os/ProxyCircle methods from untrusted UDP input, file upload capability, and use of os.popen for package uninstallation/installation are high-risk behaviors consistent with a backdoor or remote administration tool. If deployed on untrusted networks or without strict cryptographic authentication in the referenced libs, it poses a severe supply-chain and system compromise risk. Recommend treating this package as dangerous until shown otherwise and auditing related modules (pubip_rsa, oscmd, FileHandle, Format/deFormat) for authentication and unsafe behavior.

This code contains highly malicious behavior, it collects sensitive system information and sends it to a remote server. It's strongly recommended not to use this code.

Live on npm for 21 days, 3 hours and 49 minutes before removal. Socket users were protected even while the package was live.

Malicious bash initialization script that performs destructive filesystem operations on macOS systems. When the external helper script 'isuserdarwin.sh' returns true, the script silently executes 'sudo rm -rf' to delete critical user directories including ~/Applications, ~/Movies, ~/Music, ~/Pictures, ~/Public, and ~/Sites without user confirmation. It also removes the macOS sleepimage file at /private/var/vm/sleepimage. The script modifies SSH directory permissions using 'sudo chmod -R go-rw' which can break SSH access or expose credentials. All destructive operations have their output suppressed with '>/dev/null 2>&1' to hide failures and make the actions stealthy. The script uses eval to execute the output of /usr/bin/dircolors, creating a command injection risk if the binary is compromised. It depends on external scripts (paper.sh, isuserdarwin.sh, debug.sh) whose contents are unknown and could execute arbitrary code. The destructive operations are embedded within what appears to be routine shell configuration code, likely to disguise the malicious intent.

The code is exfiltrating sensitive system information to an external server without user consent, which is a clear malicious activity. This poses a significant security risk.

Live on npm for 2 days, 13 hours and 23 minutes before removal. Socket users were protected even while the package was live.

This module is a remote agent that creates a persistent outbound WebSocket connection to a (default) remote server and exposes powerful remote capabilities: arbitrary shell execution, file reading, process management, desktop screenshotting, and simulated input (mouse/keyboard). The network protocol uses a weak custom encryption scheme and sends a client key in clear. The code can be legitimately used for remote support/administration, but it also has all the capabilities of a Remote Access Trojan (RAT). If this package is included in software without explicit, audited user consent and server control, it poses a high supply-chain risk. Use only with full knowledge of the server endpoint and after security review.

The code is a cross-server tool orchestrator with nested invocation support. The primary security risk stems from evaluating transform expressions via eval, which could enable arbitrary code execution if untrusted inputs are supplied. While there are safeguards (identifier checks, limited builtins), the approach remains risky for open-source or supply chain contexts. The incomplete main block hints at potential syntax issues or truncation. Overall, moderate risk with a notable high-risk vector (transform expression evaluation) that warrants safer evaluation or formal sandboxing before deployment.

Live on PyPI for 2 minutes before removal. Socket users were protected even while the package was live.

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

The provided code imports several modules with unusual naming conventions and calls a method `functame` on each. The purpose and behavior of the code are unclear, and the naming conventions suggest potential obfuscation. However, without more context or additional code, it is difficult to definitively identify any malicious behavior.

Live on npm for 57 days, 7 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The code contains suspicious elements like hard-coded hex strings, dynamic execution, and conditional sending of data to external servers, which could indicate potential malicious intent or data exfiltration.

Live on npm for 59 minutes before removal. Socket users were protected even while the package was live.