Secure your dependencies. Ship with confidence.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

The code seems to be suspicious as it reads system information and sends it to a remote server without a clear purpose. The presence of a hardcoded remote server address and the lack of user consent raise concerns about the intent of the code. Additionally, the 'debugger' keyword suggests that the code may have been used for debugging purposes and should not be present in production code.

The code is obfuscated and exhibits malicious behavior by collecting and transmitting environment variables to suspicious domains. This poses a significant security risk.

Live on npm for 19 minutes before removal. Socket users were protected even while the package was live.

The code in 'postinstall.js' is heavily obfuscated and collects system information using the 'runSystemChecks()' function. It then encodes the collected data using 'toBase32()' and sends it over the network via 'triggerDNSLookup()', which performs DNS requests with the encoded data. This behavior suggests covert data exfiltration through DNS, a technique commonly used in malware to leak sensitive information without detection. The use of obfuscation further indicates an attempt to conceal malicious activity.

The analyzed source code is malicious. It performs unauthorized data collection and exfiltration by gathering sensitive system and environment information, executing system commands, and sending all this data to an external webhook URL during package installation. This behavior poses a high security risk and should be considered malware. The code is not obfuscated but is clearly designed to steal information stealthily in a supply chain context.

This module contains several dangerous programming patterns (exec, eval, dynamic import from file paths, runtime pip install, and pickle load/dump) that enable arbitrary code execution and supply-chain risks when inputs are not fully trusted. There is no explicit evidence of intentionally malicious code (hardcoded C2, backdoor, obfuscation, credential harvesting), but the unsafe constructs make the module high-risk in environments where user-provided data or files can reach these functions. Treat this package as potentially dangerous until inputs to these APIs are validated or these patterns are refactored to safe alternatives.

The code contains a command that attempts to download and execute a script from a remote server, which is a clear indicator of a reverse shell attack. This poses a significant security risk and is indicative of malicious behavior.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

High risk due to dynamic remote code execution via eval driven by a public componentAddr. This is a textbook supply-chain-style risk within a component loader: remote code is executed in the consumer's environment, with potential data exposure, backdoors, or malware installation. The synchronous XHR and absence of CSP/sanitization further amplify risk. This fragment should be treated as suspicious and removed or strictly sandboxed with strict integrity checks, CSP, and non-dynamic bundling.

This code is an administrative automation component that deliberately executes arbitrary ServiceNow server-side scripts and manipulates system tables. I found no clear signs of intentionally malicious code (no hardcoded external exfiltration endpoints, no obfuscated payload). However, it exposes powerful sinks: arbitrary script execution, creation of background script records, and storage of script output/trace in sys_properties. The primary security risk is abuse/misconfiguration (e.g., autoConfirm bypass, insufficient RBAC) leading to data theft or destructive changes. Treat this module as high-risk functionality that must be strictly access controlled, audited, and hardened before use.

This code establishes remote SSH access by enabling root login, setting the root password, downloading and executing a remote ngrok binary, and publishing the resulting public endpoint to an external JSONBin service. Those behaviors create a high risk of unauthorized remote access and exfiltration of the access point. The pattern is dangerous and can be abused as a backdoor; treat this code as malicious or at least high-risk tooling and avoid running it in production or sensitive environments.

This module implements covert telemetry/exfiltration: it silently collects local username and IP-based location and uploads daily aggregated records to a hardcoded GitHub repository. That behavior is privacy-invasive and constitutes a supply-chain risk for consumers of the package. The implementation uses weak obfuscation (base64), brittle JSON handling, and swallows exceptions, increasing the likelihood of stealthy, unintended data leakage. Actionable advice: treat this as malicious/unwanted telemetry unless documented explicit opt-in exists; remove or disable the telemetry code, or require explicit user consent and secure the transport (authentication and encryption), and fix robust JSON/file handling and error reporting before use.

This code is intentionally obfuscated and uses DNS queries to exfiltrate system information, which could be a significant security risk. The hardcoded domain and the potential data exfiltration raise concerns about privacy violations. This package should be reviewed carefully before being used.

The source code contains suspicious and potentially malicious behavior by uploading arbitrary local files and detailed metadata to a remote server using hardcoded authentication tokens and device identifiers. This constitutes a significant security risk involving unauthorized data exfiltration and privacy violation. Although no direct malware payload like reverse shells or destructive actions are present, the code should be considered high risk and likely malicious due to its data exfiltration capabilities and lack of user transparency.

The code exhibits several security risks, particularly in the sendEmail function which could lead to data exfiltration. The presence of hardcoded values and lack of input validation raises concerns about potential malicious behavior. Overall, the code should be reviewed and modified to mitigate these risks.

Live on PyPI for 10 hours and 1 minute before removal. Socket users were protected even while the package was live.

The source code contains suspicious and potentially malicious behavior by uploading arbitrary local files and detailed metadata to a remote server using hardcoded authentication tokens and device identifiers. This constitutes a significant security risk involving unauthorized data exfiltration and privacy violation. Although no direct malware payload like reverse shells or destructive actions are present, the code should be considered high risk and likely malicious due to its data exfiltration capabilities and lack of user transparency.

The code is malicious as it exfiltrates sensitive user data to an external server without consent. This behavior indicates a high security risk and potential data theft.

Live on npm for 2 days, 8 hours and 27 minutes before removal. Socket users were protected even while the package was live.

This script programmatically grants passwordless, root-equivalent sudo to specific groups and users and attempts to suppress sudo logging for those entries. Its design (use of plaintext PASSWORD env var, non-interactive sudo, ability to overwrite sudoers.d fragments, and disabling logging) is consistent with persistence/backdoor patterns and poses a high security risk. Treat the code as dangerous: do not run on production or sensitive hosts. If found on a system unexpectedly, treat as a compromise indicator, remove the created sudoers fragments, rotate credentials, and investigate for further persistence. Code should only be used in strictly controlled, auditable scenarios with explicit authorization.

This module performs unsolicited collection of host identifying information (uname -a) and exfiltrates it, with a timestamp, to a hardcoded external IP over plaintext HTTP immediately on module load. The behavior fits likely malicious telemetry/backdoor patterns. Do not use this package in trusted supply chains; remove and audit any systems that have imported it.

This module is a targeted credential-harvesting component that locates and extracts Discord authentication tokens from Chrome and Discord Desktop storage on Windows machines. It uses multiple methods (raw file scanning, direct LevelDB access, and OS-level copying) combined with validation heuristics to identify likely tokens. While it does not itself exfiltrate data over the network, it returns sensitive tokens to the caller and therefore is highly dangerous if used by malicious code. Treat tokens discovered by or accessible to this module as compromised. Avoid including or executing this module in trusted environments.

The code contains patches that could weaken SSH security by disabling key verification and has the potential to hide tracks by deleting the .git directory. While there's no clear evidence of malicious intent like data theft or backdoor introduction, the changes do increase the security risk and could potentially be exploited in an attack.

This code implements an unauthenticated HTTP control surface for a viewer object that accepts arbitrary commands from request paths and bodies, dynamically looks up and calls attributes on internal objects, loads JSON from requests and triggers callbacks, and serves local files. These behaviors make it high risk for supply-chain or runtime compromise: untrusted clients can invoke methods and mutate state which could lead to data exfiltration, filesystem access, or other damaging actions depending on the viewer's API. It should not be exposed to untrusted networks or used without strict authentication/authorization and input validation.

Live on PyPI for 12 hours and 54 minutes before removal. Socket users were protected even while the package was live.

The code contains significant security risks, primarily due to the use of eval and exec, which can lead to arbitrary code execution. The handling of cookies also poses a risk if not properly validated. Overall, the code should be reviewed and modified to mitigate these vulnerabilities.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

This module zips a local directory and uploads it to a specific S3 bucket. The code contains hardcoded AWS credentials and a hardcoded bucket name, which is a severe security issue and could enable data exfiltration if these credentials are valid. There are additional problems: a likely return-value bug (undefined variable s3_ke), possible insufficient path-safety around symlinks, and verbose logging of paths. There is no evidence of obfuscation or active payloads like reverse shells or eval-based code execution. Treat this package as high-risk until credentials are removed/rotated and the code is corrected and reviewed.

Live on PyPI for 5 days, 16 hours and 51 minutes before removal. Socket users were protected even while the package was live.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

The code seems to be suspicious as it reads system information and sends it to a remote server without a clear purpose. The presence of a hardcoded remote server address and the lack of user consent raise concerns about the intent of the code. Additionally, the 'debugger' keyword suggests that the code may have been used for debugging purposes and should not be present in production code.

The code is obfuscated and exhibits malicious behavior by collecting and transmitting environment variables to suspicious domains. This poses a significant security risk.

Live on npm for 19 minutes before removal. Socket users were protected even while the package was live.

The code in 'postinstall.js' is heavily obfuscated and collects system information using the 'runSystemChecks()' function. It then encodes the collected data using 'toBase32()' and sends it over the network via 'triggerDNSLookup()', which performs DNS requests with the encoded data. This behavior suggests covert data exfiltration through DNS, a technique commonly used in malware to leak sensitive information without detection. The use of obfuscation further indicates an attempt to conceal malicious activity.

The analyzed source code is malicious. It performs unauthorized data collection and exfiltration by gathering sensitive system and environment information, executing system commands, and sending all this data to an external webhook URL during package installation. This behavior poses a high security risk and should be considered malware. The code is not obfuscated but is clearly designed to steal information stealthily in a supply chain context.

This module contains several dangerous programming patterns (exec, eval, dynamic import from file paths, runtime pip install, and pickle load/dump) that enable arbitrary code execution and supply-chain risks when inputs are not fully trusted. There is no explicit evidence of intentionally malicious code (hardcoded C2, backdoor, obfuscation, credential harvesting), but the unsafe constructs make the module high-risk in environments where user-provided data or files can reach these functions. Treat this package as potentially dangerous until inputs to these APIs are validated or these patterns are refactored to safe alternatives.

The code contains a command that attempts to download and execute a script from a remote server, which is a clear indicator of a reverse shell attack. This poses a significant security risk and is indicative of malicious behavior.

Live on npm for 7 minutes before removal. Socket users were protected even while the package was live.

High risk due to dynamic remote code execution via eval driven by a public componentAddr. This is a textbook supply-chain-style risk within a component loader: remote code is executed in the consumer's environment, with potential data exposure, backdoors, or malware installation. The synchronous XHR and absence of CSP/sanitization further amplify risk. This fragment should be treated as suspicious and removed or strictly sandboxed with strict integrity checks, CSP, and non-dynamic bundling.

This code is an administrative automation component that deliberately executes arbitrary ServiceNow server-side scripts and manipulates system tables. I found no clear signs of intentionally malicious code (no hardcoded external exfiltration endpoints, no obfuscated payload). However, it exposes powerful sinks: arbitrary script execution, creation of background script records, and storage of script output/trace in sys_properties. The primary security risk is abuse/misconfiguration (e.g., autoConfirm bypass, insufficient RBAC) leading to data theft or destructive changes. Treat this module as high-risk functionality that must be strictly access controlled, audited, and hardened before use.

This code establishes remote SSH access by enabling root login, setting the root password, downloading and executing a remote ngrok binary, and publishing the resulting public endpoint to an external JSONBin service. Those behaviors create a high risk of unauthorized remote access and exfiltration of the access point. The pattern is dangerous and can be abused as a backdoor; treat this code as malicious or at least high-risk tooling and avoid running it in production or sensitive environments.

This module implements covert telemetry/exfiltration: it silently collects local username and IP-based location and uploads daily aggregated records to a hardcoded GitHub repository. That behavior is privacy-invasive and constitutes a supply-chain risk for consumers of the package. The implementation uses weak obfuscation (base64), brittle JSON handling, and swallows exceptions, increasing the likelihood of stealthy, unintended data leakage. Actionable advice: treat this as malicious/unwanted telemetry unless documented explicit opt-in exists; remove or disable the telemetry code, or require explicit user consent and secure the transport (authentication and encryption), and fix robust JSON/file handling and error reporting before use.

This code is intentionally obfuscated and uses DNS queries to exfiltrate system information, which could be a significant security risk. The hardcoded domain and the potential data exfiltration raise concerns about privacy violations. This package should be reviewed carefully before being used.

The source code contains suspicious and potentially malicious behavior by uploading arbitrary local files and detailed metadata to a remote server using hardcoded authentication tokens and device identifiers. This constitutes a significant security risk involving unauthorized data exfiltration and privacy violation. Although no direct malware payload like reverse shells or destructive actions are present, the code should be considered high risk and likely malicious due to its data exfiltration capabilities and lack of user transparency.

The code exhibits several security risks, particularly in the sendEmail function which could lead to data exfiltration. The presence of hardcoded values and lack of input validation raises concerns about potential malicious behavior. Overall, the code should be reviewed and modified to mitigate these risks.

Live on PyPI for 10 hours and 1 minute before removal. Socket users were protected even while the package was live.

The source code contains suspicious and potentially malicious behavior by uploading arbitrary local files and detailed metadata to a remote server using hardcoded authentication tokens and device identifiers. This constitutes a significant security risk involving unauthorized data exfiltration and privacy violation. Although no direct malware payload like reverse shells or destructive actions are present, the code should be considered high risk and likely malicious due to its data exfiltration capabilities and lack of user transparency.

The code is malicious as it exfiltrates sensitive user data to an external server without consent. This behavior indicates a high security risk and potential data theft.

Live on npm for 2 days, 8 hours and 27 minutes before removal. Socket users were protected even while the package was live.

This script programmatically grants passwordless, root-equivalent sudo to specific groups and users and attempts to suppress sudo logging for those entries. Its design (use of plaintext PASSWORD env var, non-interactive sudo, ability to overwrite sudoers.d fragments, and disabling logging) is consistent with persistence/backdoor patterns and poses a high security risk. Treat the code as dangerous: do not run on production or sensitive hosts. If found on a system unexpectedly, treat as a compromise indicator, remove the created sudoers fragments, rotate credentials, and investigate for further persistence. Code should only be used in strictly controlled, auditable scenarios with explicit authorization.

This module performs unsolicited collection of host identifying information (uname -a) and exfiltrates it, with a timestamp, to a hardcoded external IP over plaintext HTTP immediately on module load. The behavior fits likely malicious telemetry/backdoor patterns. Do not use this package in trusted supply chains; remove and audit any systems that have imported it.

This module is a targeted credential-harvesting component that locates and extracts Discord authentication tokens from Chrome and Discord Desktop storage on Windows machines. It uses multiple methods (raw file scanning, direct LevelDB access, and OS-level copying) combined with validation heuristics to identify likely tokens. While it does not itself exfiltrate data over the network, it returns sensitive tokens to the caller and therefore is highly dangerous if used by malicious code. Treat tokens discovered by or accessible to this module as compromised. Avoid including or executing this module in trusted environments.

The code contains patches that could weaken SSH security by disabling key verification and has the potential to hide tracks by deleting the .git directory. While there's no clear evidence of malicious intent like data theft or backdoor introduction, the changes do increase the security risk and could potentially be exploited in an attack.

This code implements an unauthenticated HTTP control surface for a viewer object that accepts arbitrary commands from request paths and bodies, dynamically looks up and calls attributes on internal objects, loads JSON from requests and triggers callbacks, and serves local files. These behaviors make it high risk for supply-chain or runtime compromise: untrusted clients can invoke methods and mutate state which could lead to data exfiltration, filesystem access, or other damaging actions depending on the viewer's API. It should not be exposed to untrusted networks or used without strict authentication/authorization and input validation.

Live on PyPI for 12 hours and 54 minutes before removal. Socket users were protected even while the package was live.

The code contains significant security risks, primarily due to the use of eval and exec, which can lead to arbitrary code execution. The handling of cookies also poses a risk if not properly validated. Overall, the code should be reviewed and modified to mitigate these vulnerabilities.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

This module zips a local directory and uploads it to a specific S3 bucket. The code contains hardcoded AWS credentials and a hardcoded bucket name, which is a severe security issue and could enable data exfiltration if these credentials are valid. There are additional problems: a likely return-value bug (undefined variable s3_ke), possible insufficient path-safety around symlinks, and verbose logging of paths. There is no evidence of obfuscation or active payloads like reverse shells or eval-based code execution. Treat this package as high-risk until credentials are removed/rotated and the code is corrected and reviewed.

Live on PyPI for 5 days, 16 hours and 51 minutes before removal. Socket users were protected even while the package was live.