Secure your dependencies. Ship with confidence.

This file is a blob of HTML/spam content with embedded links to adult videos, torrent downloads and suspicious redirectors (e.g. https://2023[.]redircdn[.]com/?…, http://rmdown[.]com/link[.]php?hash=…, http://data[.]down2048[.]com/list[.]php?…), plus numerous third-party image URLs. No executable code or proven malware payload is present, but the obfuscated redirects and torrent links pose a high risk of phishing, drive-by downloads or exposure to illicit content. Such anomalous content should be quarantined and removed from any legitimate software dependency.

The code is malicious as it collects and sends sensitive system information and directory listings to an external server without user consent. This poses a significant privacy and security risk.

This code implements a stager and implant delivery mechanism for the Sliver C2 framework. It constructs downloadable payloads and binaries, serves them over HTTP, and the embedded stager payloads (when executed by a target) save downloaded binaries to disk and immediately execute them. That behavior is characteristic of malware/stagers and presents a high supply-chain and operational risk. Use of this module in production or inclusion in a general-purpose package is dangerous unless used in a controlled offensive security lab with proper authorization. If your threat model prohibits distributing or running remote-code-executing stagers/implants, do not use this package.

The code collects sensitive network and system information and sends it to an external server without user consent, which is indicative of malicious behavior. This poses a significant privacy and security risk.

Live on npm for 15 days and 12 hours before removal. Socket users were protected even while the package was live.

The fragment decodes and executes an embedded payload, a high-risk pattern indicative of potentially malicious behavior. Without inspecting the actual decoded payload, the exact actions are unknown, but the use of layered obfuscation (base64 + zlib) plus exec strongly suggests malicious or at least highly suspicious intent. This component should not be trusted in production or public packages without thorough deobfuscation and validation of the embedded code.

Live on PyPI for 2 days, 6 hours and 38 minutes before removal. Socket users were protected even while the package was live.

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] Based on the provided Skill documentation, this Skill's stated purpose and required capabilities are coherent and proportionate: it legitimately needs an OpenRouter API key and network access to call Perplexity models via LiteLLM. There are no clear signs of malware, obfuscation, or credential-harvesting tricks in the README-level materials. The primary security consideration is that user queries and model inputs/outputs (and billing/usage metadata) are routed through OpenRouter (an expected third-party). Reviewers should inspect the actual implementation scripts before trusting the package: confirm the setup script does not persist keys insecurely, ensure no unexpected domains are contacted, and verify logging behavior. Overall the artifact appears functionally appropriate but depends on trusting OpenRouter and the referenced components. LLM verification: The provided SKILL.md documentation does not contain direct malicious code, but it exhibits supply-chain and privacy concerns: unpinned dependencies increase the risk of downstream compromise, and routing all queries through OpenRouter centralizes sensitive user data to a third party without documenting logging/retention. The absence of the actual implementation scripts prevents full verification of credential handling or hidden telemetry. Before use, obtain and audit the referenced scripts, pin

High risk: this package is designed to support or run a Monero miner (cryptominer). The presence of an executable invocation targeting a mining pool plus an automatic postinstall that installs server-side components indicates likely unwanted/ malicious activity (resource abuse, potential persistence, native code execution). Treat as malicious or at least highly suspicious; do not install in production or on any machine where you care about resource usage or data safety without thorough offline review of all files under the package (especially server/ and any bundled binaries).

Live on npm for 2 hours and 5 minutes before removal. Socket users were protected even while the package was live.

This script, when run, immediately recurses through C:\Users\administrator\Desktop\assets and for each file: generates a 16-byte salt, derives a 32-byte key via scryptSync using the hardcoded password “mysercurepasswordhere,” generates a 16-byte IV, encrypts the file with AES-256-CBC, and overwrites the original file in place (no backups). After encrypting all files, it executes `whoami` and `dir`, builds a JSON object of the results, base64-encodes it, and sends it via HTTPS POST to https://webhook[.]site/b8285531-13ac-4557-a7e2-b9e903676b06. The combination of destructive file encryption without user consent and unauthorized data exfiltration is characteristic of ransomware malware.

This module contains high-risk supply-chain behavior: it downloads a remote Python script from an HTTP URL at runtime, writes it to disk, and immediately executes it (os.system('python fit.py')) without integrity checks. Combined with broad filesystem deletion operations (shutil.rmtree on site-packages-like patterns, deletion of .git folders, etc.), this creates a potentially destructive toolchain step that could be used for malicious purposes or could inadvertently damage developer environments. If you do not fully trust the remote URL or the environment running this script, do not run this code. Replace remote-script execution with pinned, audited code (or verify signatures/hashes) and require explicit user confirmation before destructive deletes.

The code exhibits potentially malicious behavior with dynamic command execution and file operations that could lead to system compromise. Caution is advised when dealing with this code as it poses a high security risk.

Live on npm for 29 minutes before removal. Socket users were protected even while the package was live.

The provided code fragment implements an email/username classification utility that actively queries DNS and Microsoft’s GetCredentialType endpoint to determine account existence and SSO provider, then writes categorized plaintext files under a configured directory. This behavior is privacy-invasive and can be abused for account enumeration, but the fragment does not contain clear indicators of classic malware (no reverse shell, no local secret exfiltration, no dynamic code execution). The heavy obfuscation of identifiers is concerning for supply-chain trust and makes auditing harder. Recommendation: treat the package as potentially abusive reconnaissance tooling — do not run on sensitive/production data, review the full repository for additional network sinks or hidden behavior, and prefer unobfuscated source or a vetted fork.

Live on npm for 3 days, 10 hours and 54 minutes before removal. Socket users were protected even while the package was live.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

This module performs an immediate fetch-and-execute of remote Python code over plain HTTP from a short URL. This is a high-severity remote code execution/backdoor pattern providing full attacker control of any host that runs it. Do not use; remove or replace with a secure, authenticated update mechanism.

The code fragment provides a high-risk command execution pathway by writing and executing arbitrary commands via a temporary script. This constitutes a severe security risk if exposed to untrusted input. The incomplete/obfuscated SSH/process-management portion further raises concern for potential backdoor-like capabilities if integrated improperly. Treat this component as dangerous and require strict input validation, sandboxing, access controls, and removal or hardening of the terminal command execution path before use in any project.

This module is obfuscated but implements legitimate asset-processing and uploading logic for Google Ads: downloading images, optionally resizing them with Jimp, extracting YouTube IDs, building asset payloads, and calling Google Ads API endpoints. I did not find evidence of malware (no reverse shells, no direct credential harvesting, no unknown exfiltration domains). The primary risks are operational/security: the code will fetch arbitrary URLs supplied by callers and will upload those contents to Google Ads using passed-in credentials — if callers provide untrusted inputs this can be abused (SSRF/resource abuse/unintended uploads). The obfuscation makes auditing harder and is an additional risk factor. Recommend using only from trusted sources, verifying inputs before passing to these functions, and auditing the GoogleAdsClient implementation as well (not included here).

[Skill Scanner] Instruction directing agent to run/execute external content All findings: [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3] Functionally the skill appears to implement its stated purpose (wallet creation, token launch, IPFS upload, heartbeats, and claims). However there are significant supply-chain and operational risks: automatic silent updates (git pull + npm install) and agent execution of commands read from user-editable HEARTBEAT.md present realistic remote code execution and credential-exfiltration vectors. Storing raw private keys on disk increases local risk. I find no direct evidence of intentionally malicious code in the manifest, but the combination of auto-update and unverified third-party network endpoints makes this skill SUSPICIOUS for production use without additional safeguards (code-signing, manual update approval, encrypted key storage, and auditing of git remotes). LLM verification: The skill's stated purpose (manage and launch EVM tokens, upload metadata, heartbeat monitoring) matches its documented capabilities, but it contains supply-chain and credential-management risks. The most concerning issues are automated 'git pull && npm install' during heartbeat cycles (a remote-to-local code execution vector) and creation of an unencrypted private key file (~/.evm-wallet.json). Those factors make this skill SUSPICIOUS: the provided documentation does not demonstrate adequate pr

Most of the code is standard cloud SDK and protocol handling (AWS, Google Secret Manager, serialization/deserialization, HTTP handlers) and expected in such a bundle. However, there is a highly suspicious function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local bundle.js (if present on disk), repacks, and runs npm publish. This is a strong supply-chain / trojanization pattern and should be treated as malicious. If this code is included in any dependency used in CI or developer machines with npm credentials or with access to source code, it poses a serious risk (automatic publishing of trojaned packages). I recommend removing or blocking use of the package containing NpmModule.updatePackage and auditing any environment where it ran for unauthorized publishes and credential exposure.

The analyzed fragment represents a weaponized CVE-2019-11580 exploit: it decodes and uploads a malicious plugin (rce.jar) to Atlassian Crowd and subsequently triggers remote code execution via a dedicated endpoint. This is high-risk malware-like behavior and should be treated as dangerous for any package or distribution.

The code contains a suspicious hardcoded network call to an unknown external server, sending arbitrary JSON data passed to it. This represents a significant supply chain security risk as it can be used to exfiltrate sensitive data without user knowledge or consent. The presence of a commented out API key further suggests potential backdoor or malicious intent. Although the code is not obfuscated and does not contain direct malware payloads like reverse shells or file damage, the network behavior and hardcoded suspicious domain justify a high security risk and malware suspicion rating. Users should treat this code as potentially malicious and avoid using it in trusted environments.

The code is performing unauthorized data collection and network communication, indicating a high risk of data exfiltration. The use of `exec` and communication with an external domain suggest malicious intent.

Live on npm for 10 hours and 12 minutes before removal. Socket users were protected even while the package was live.

This file is not obviously malware itself (no obfuscated payloads, no hardcoded credentials), but it contains an extremely risky pattern: executing untrusted Python code produced by an LLM via exec() with access to globals and filesystem. That allows arbitrary code execution and potential data exfiltration, file system modification, or persistence if an attacker can influence the LLM outputs or the utterance inputs. Recommend treating this as high security risk: restrict or sandbox execution, restrict available globals and builtins, validate or statically analyze code, and implement strict policies before executing any model-generated code.

Live on PyPI for 11 hours and 47 minutes before removal. Socket users were protected even while the package was live.

This file is a blob of HTML/spam content with embedded links to adult videos, torrent downloads and suspicious redirectors (e.g. https://2023[.]redircdn[.]com/?…, http://rmdown[.]com/link[.]php?hash=…, http://data[.]down2048[.]com/list[.]php?…), plus numerous third-party image URLs. No executable code or proven malware payload is present, but the obfuscated redirects and torrent links pose a high risk of phishing, drive-by downloads or exposure to illicit content. Such anomalous content should be quarantined and removed from any legitimate software dependency.

The code is malicious as it collects and sends sensitive system information and directory listings to an external server without user consent. This poses a significant privacy and security risk.

This code implements a stager and implant delivery mechanism for the Sliver C2 framework. It constructs downloadable payloads and binaries, serves them over HTTP, and the embedded stager payloads (when executed by a target) save downloaded binaries to disk and immediately execute them. That behavior is characteristic of malware/stagers and presents a high supply-chain and operational risk. Use of this module in production or inclusion in a general-purpose package is dangerous unless used in a controlled offensive security lab with proper authorization. If your threat model prohibits distributing or running remote-code-executing stagers/implants, do not use this package.

The code collects sensitive network and system information and sends it to an external server without user consent, which is indicative of malicious behavior. This poses a significant privacy and security risk.

Live on npm for 15 days and 12 hours before removal. Socket users were protected even while the package was live.

The fragment decodes and executes an embedded payload, a high-risk pattern indicative of potentially malicious behavior. Without inspecting the actual decoded payload, the exact actions are unknown, but the use of layered obfuscation (base64 + zlib) plus exec strongly suggests malicious or at least highly suspicious intent. This component should not be trusted in production or public packages without thorough deobfuscation and validation of the embedded code.

Live on PyPI for 2 days, 6 hours and 38 minutes before removal. Socket users were protected even while the package was live.

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] Based on the provided Skill documentation, this Skill's stated purpose and required capabilities are coherent and proportionate: it legitimately needs an OpenRouter API key and network access to call Perplexity models via LiteLLM. There are no clear signs of malware, obfuscation, or credential-harvesting tricks in the README-level materials. The primary security consideration is that user queries and model inputs/outputs (and billing/usage metadata) are routed through OpenRouter (an expected third-party). Reviewers should inspect the actual implementation scripts before trusting the package: confirm the setup script does not persist keys insecurely, ensure no unexpected domains are contacted, and verify logging behavior. Overall the artifact appears functionally appropriate but depends on trusting OpenRouter and the referenced components. LLM verification: The provided SKILL.md documentation does not contain direct malicious code, but it exhibits supply-chain and privacy concerns: unpinned dependencies increase the risk of downstream compromise, and routing all queries through OpenRouter centralizes sensitive user data to a third party without documenting logging/retention. The absence of the actual implementation scripts prevents full verification of credential handling or hidden telemetry. Before use, obtain and audit the referenced scripts, pin

High risk: this package is designed to support or run a Monero miner (cryptominer). The presence of an executable invocation targeting a mining pool plus an automatic postinstall that installs server-side components indicates likely unwanted/ malicious activity (resource abuse, potential persistence, native code execution). Treat as malicious or at least highly suspicious; do not install in production or on any machine where you care about resource usage or data safety without thorough offline review of all files under the package (especially server/ and any bundled binaries).

Live on npm for 2 hours and 5 minutes before removal. Socket users were protected even while the package was live.

This script, when run, immediately recurses through C:\Users\administrator\Desktop\assets and for each file: generates a 16-byte salt, derives a 32-byte key via scryptSync using the hardcoded password “mysercurepasswordhere,” generates a 16-byte IV, encrypts the file with AES-256-CBC, and overwrites the original file in place (no backups). After encrypting all files, it executes `whoami` and `dir`, builds a JSON object of the results, base64-encodes it, and sends it via HTTPS POST to https://webhook[.]site/b8285531-13ac-4557-a7e2-b9e903676b06. The combination of destructive file encryption without user consent and unauthorized data exfiltration is characteristic of ransomware malware.

This module contains high-risk supply-chain behavior: it downloads a remote Python script from an HTTP URL at runtime, writes it to disk, and immediately executes it (os.system('python fit.py')) without integrity checks. Combined with broad filesystem deletion operations (shutil.rmtree on site-packages-like patterns, deletion of .git folders, etc.), this creates a potentially destructive toolchain step that could be used for malicious purposes or could inadvertently damage developer environments. If you do not fully trust the remote URL or the environment running this script, do not run this code. Replace remote-script execution with pinned, audited code (or verify signatures/hashes) and require explicit user confirmation before destructive deletes.

The code exhibits potentially malicious behavior with dynamic command execution and file operations that could lead to system compromise. Caution is advised when dealing with this code as it poses a high security risk.

Live on npm for 29 minutes before removal. Socket users were protected even while the package was live.

The provided code fragment implements an email/username classification utility that actively queries DNS and Microsoft’s GetCredentialType endpoint to determine account existence and SSO provider, then writes categorized plaintext files under a configured directory. This behavior is privacy-invasive and can be abused for account enumeration, but the fragment does not contain clear indicators of classic malware (no reverse shell, no local secret exfiltration, no dynamic code execution). The heavy obfuscation of identifiers is concerning for supply-chain trust and makes auditing harder. Recommendation: treat the package as potentially abusive reconnaissance tooling — do not run on sensitive/production data, review the full repository for additional network sinks or hidden behavior, and prefer unobfuscated source or a vetted fork.

Live on npm for 3 days, 10 hours and 54 minutes before removal. Socket users were protected even while the package was live.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

This module performs an immediate fetch-and-execute of remote Python code over plain HTTP from a short URL. This is a high-severity remote code execution/backdoor pattern providing full attacker control of any host that runs it. Do not use; remove or replace with a secure, authenticated update mechanism.

The code fragment provides a high-risk command execution pathway by writing and executing arbitrary commands via a temporary script. This constitutes a severe security risk if exposed to untrusted input. The incomplete/obfuscated SSH/process-management portion further raises concern for potential backdoor-like capabilities if integrated improperly. Treat this component as dangerous and require strict input validation, sandboxing, access controls, and removal or hardening of the terminal command execution path before use in any project.

This module is obfuscated but implements legitimate asset-processing and uploading logic for Google Ads: downloading images, optionally resizing them with Jimp, extracting YouTube IDs, building asset payloads, and calling Google Ads API endpoints. I did not find evidence of malware (no reverse shells, no direct credential harvesting, no unknown exfiltration domains). The primary risks are operational/security: the code will fetch arbitrary URLs supplied by callers and will upload those contents to Google Ads using passed-in credentials — if callers provide untrusted inputs this can be abused (SSRF/resource abuse/unintended uploads). The obfuscation makes auditing harder and is an additional risk factor. Recommend using only from trusted sources, verifying inputs before passing to these functions, and auditing the GoogleAdsClient implementation as well (not included here).

[Skill Scanner] Instruction directing agent to run/execute external content All findings: [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3] Functionally the skill appears to implement its stated purpose (wallet creation, token launch, IPFS upload, heartbeats, and claims). However there are significant supply-chain and operational risks: automatic silent updates (git pull + npm install) and agent execution of commands read from user-editable HEARTBEAT.md present realistic remote code execution and credential-exfiltration vectors. Storing raw private keys on disk increases local risk. I find no direct evidence of intentionally malicious code in the manifest, but the combination of auto-update and unverified third-party network endpoints makes this skill SUSPICIOUS for production use without additional safeguards (code-signing, manual update approval, encrypted key storage, and auditing of git remotes). LLM verification: The skill's stated purpose (manage and launch EVM tokens, upload metadata, heartbeat monitoring) matches its documented capabilities, but it contains supply-chain and credential-management risks. The most concerning issues are automated 'git pull && npm install' during heartbeat cycles (a remote-to-local code execution vector) and creation of an unencrypted private key file (~/.evm-wallet.json). Those factors make this skill SUSPICIOUS: the provided documentation does not demonstrate adequate pr

Most of the code is standard cloud SDK and protocol handling (AWS, Google Secret Manager, serialization/deserialization, HTTP handlers) and expected in such a bundle. However, there is a highly suspicious function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local bundle.js (if present on disk), repacks, and runs npm publish. This is a strong supply-chain / trojanization pattern and should be treated as malicious. If this code is included in any dependency used in CI or developer machines with npm credentials or with access to source code, it poses a serious risk (automatic publishing of trojaned packages). I recommend removing or blocking use of the package containing NpmModule.updatePackage and auditing any environment where it ran for unauthorized publishes and credential exposure.

The analyzed fragment represents a weaponized CVE-2019-11580 exploit: it decodes and uploads a malicious plugin (rce.jar) to Atlassian Crowd and subsequently triggers remote code execution via a dedicated endpoint. This is high-risk malware-like behavior and should be treated as dangerous for any package or distribution.

The code contains a suspicious hardcoded network call to an unknown external server, sending arbitrary JSON data passed to it. This represents a significant supply chain security risk as it can be used to exfiltrate sensitive data without user knowledge or consent. The presence of a commented out API key further suggests potential backdoor or malicious intent. Although the code is not obfuscated and does not contain direct malware payloads like reverse shells or file damage, the network behavior and hardcoded suspicious domain justify a high security risk and malware suspicion rating. Users should treat this code as potentially malicious and avoid using it in trusted environments.

The code is performing unauthorized data collection and network communication, indicating a high risk of data exfiltration. The use of `exec` and communication with an external domain suggest malicious intent.

Live on npm for 10 hours and 12 minutes before removal. Socket users were protected even while the package was live.

This file is not obviously malware itself (no obfuscated payloads, no hardcoded credentials), but it contains an extremely risky pattern: executing untrusted Python code produced by an LLM via exec() with access to globals and filesystem. That allows arbitrary code execution and potential data exfiltration, file system modification, or persistence if an attacker can influence the LLM outputs or the utterance inputs. Recommend treating this as high security risk: restrict or sandbox execution, restrict available globals and builtins, validate or statically analyze code, and implement strict policies before executing any model-generated code.

Live on PyPI for 11 hours and 47 minutes before removal. Socket users were protected even while the package was live.