Secure your dependencies. Ship with confidence.

The code contains potential security risks due to the presence of eval statements. Further review and refactoring of the code is recommended to ensure security best practices are followed.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

This code fragment contains a critical remote code execution vector: it evaluates/executes HTTP request bodies directly via eval() and exec() and exposes results via HTTP. If this endpoint is reachable by untrusted users, it enables full takeover of the process and access to system resources, credentials, and network. It is highly dangerous in typical deployment and should not be exposed publicly. Even if the current fragment has a small bug (incorrect return name), the pattern is clearly malicious or severely insecure. Immediate remediation: remove or gate the REPL endpoint behind strong authentication and sandboxing, avoid eval/exec on untrusted input, and fix mutable default arguments and the handler return typo.

The dominant security concern is the explicit use of eval on data-derived JSON within CarbonPHP.handlebars, which can enable arbitrary code execution if data is attacker-controlled. Additional concerns include unsanitized dynamic script/template loading and a busy-wait sleep that can degrade performance and potentially expose timing information. Overall risk is high due to the eval pattern and dynamic content loading without strong sanitization.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

The mcporter CLI’s documented capabilities (arbitrary HTTP calls, --stdio process execution, and local credential storage) align with its stated purpose but present a moderate attack surface: misuse can lead to credential leakage or arbitrary code execution if inputs are untrusted or the environment is hostile. The fragment contains no explicit malicious code, obfuscation, or hard-coded attacker infrastructure. Recommended actions: review implementation for secure storage of tokens, minimize or sanitize construction of command strings, consider allowlisting target domains or prompting before sending credentials to unknown endpoints, and audit generated outputs for sensitive data leakage. Treat as functional but moderately risky in adversarial contexts.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] Report 2 is the best among the three for outlining a structured, auditable Codex-driven multi-agent orchestration with explicit conflict strategies and outputs. The improved assessment adds explicit security considerations and a tightened operational checklist to reduce risk when deploying in real pipelines. LLM verification: The skill is consistent with its stated purpose (orchestrating Codex sub-agents and CLI invocations) and contains no explicit malicious code. However, it instructs running local agent code and installing a third-party CLI, and it exposes an easy way to grant agents broad filesystem access (--add-dir) and high-privilege sandboxes. These operational features are proportionate to a multi-agent orchestrator but raise a medium security risk by design: misuse or running in an untrusted environment cou

This file is a high-risk obfuscated wrapper that directly executes hidden code. Without inspecting the decompressed payload we cannot state specific malicious actions, but the packaging pattern (base64 + zlib + exec) combined with execution-on-import is a strong indicator of potentially malicious or at least suspicious behavior. Do not execute in production; decompress and audit the payload in isolation before allowing use. Immediate remediation: block or remove this component until it is inspected and verified.

Live on PyPI for 2 days, 11 hours and 58 minutes before removal. Socket users were protected even while the package was live.

High risk due to untrusted deserialization via pickle.load from a path supplied externally (sys.argv[1]). The pattern can enable remote code execution if a crafted payload is supplied. The subsequent BM25 call on the untrusted object is suspicious but secondary to the deserialization risk. The syntax error should be resolved, but the core vulnerability remains and warrants removal of pickle-based loading or strict validation/sandboxing.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 50 minutes before removal. Socket users were protected even while the package was live.

This module orchestrates deliberate offensive actions: deauthentication/jamming, creation of a rogue access point, DHCP/DNS and iptables manipulation to redirect victim traffic to a local phishing webserver, and capture of credentials/payload delivery. It requires root, forcibly stops networking services and processes, and copies user-specified payloads into content that will be served to victims. The code is not obfuscated, but its behavior is clearly designed to perform credential harvesting and network attacks. Use of this package poses a high security risk and it should only be used in authorized testing environments with consent.

This module contains an explicit data exfiltration backdoor that sends any value passed to the decode() function as a message to a hardcoded Telegram bot. The malicious behavior includes: (1) hardcoded Telegram bot token '8177895028:AAFhOHz_gjUGtFKbHnV2h5AFfMy7WlJUbx0' and chat ID '7631491367' embedded in plaintext, (2) unconditional transmission of input data to api[.]telegram[.]org via HTTP POST before performing the expected decoding operation, (3) silent error suppression through empty catch blocks to avoid detection, and (4) no user consent, validation, or indication of the network activity. Any sensitive data passed to this function (API keys, credentials, tokens, private keys, PII) will be immediately transmitted to the attacker-controlled Telegram account. The module maintains functional behavior by still performing the expected bs58 decoding, which helps mask the malicious side-effect. This represents a high-severity supply chain attack designed to harvest secrets and sensitive information.

This install script phones home with hostname, username, and OS details to an external URL. That is direct data exfiltration/telemetry performed during installation and constitutes a significant privacy and security risk. Treat this behavior as malicious unless you have verified the endpoint and the package's intent.

This code contains multiple high-risk operations consistent with malicious or abusive automation: it downloads and injects files into app data, copies and uploads private app directories to a remote server, executes arbitrary adb/su shell commands, and embeds API keys for third-party services. These behaviors enable credential harvesting, app data exfiltration, remote control, and large-scale automated account abuse (captcha bypass, automated signups/logins). Treat this package as dangerous and untrusted unless you fully control and audit the remote endpoints (link_sms) and remove/mitigate the root-level file operations and hardcoded keys.

This code is not obviously a self-contained malware dropper, but it provides a high-privilege execution surface: it runs arbitrary shell commands (shell=True) and writes/appends to files based on external plans or user input without sanitization. That makes it dangerous in contexts where steps/plans or inputs are untrusted or come from remote services. If upstream agents or data are compromised, this module can be abused to execute arbitrary code, modify repository or system files, or launch persistent processes. Recommend treating inputs as untrusted, adding strict validation/sanitization for commands and file paths, avoiding shell=True or using explicit argument lists, and adding allowlists and dry-run / manual approval for changes.

Live on PyPI for 5 days, 9 hours and 51 minutes before removal. Socket users were protected even while the package was live.

This script is a high-risk supply chain component that downloads and executes arbitrary remote code at runtime without validation or sandboxing. This constitutes a serious security risk and potential malware vector, as it allows the remote server to run any code with the user's privileges. The code is not obfuscated, but the dynamic remote code execution behavior is inherently dangerous. Use of this package should be treated with extreme caution and considered a critical security threat.

This file defines a large local dumpJSON array and then, unconditionally when imported, uses a hard-coded cookie (including a login_token JWT) plus static aiStudioUrl (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio) and datasetId to authenticate and issue fetch GET to /api/datasets/{datasetId}/documents?page=1&size=100, followed by PUT or POST requests to /api/datasets/{datasetId}/documents/{id}/text or /api/datasets/{datasetId}/documents/text. Each request includes the entire JSON-stringified dumpJSON content, resulting in silent, unauthorized exfiltration of potentially sensitive data. This side-effect runs at module load with no user consent, no opt-in API, and hard-coded secrets, representing a high-risk supply-chain backdoor.

The source code demonstrates behaviors typically associated with malware, such as data exfiltration and VM evasion. It collects extensive system information and sends it to an external server, which is a significant security risk. The code is not obfuscated, but its actions are suspicious and warrant a high-risk score.

The code presents a strong supply-chain and remote-execution risk by automatically downloading and executing remote Python payloads without integrity checks or sandboxing. It also creates and runs external services (Jupyter, Visdom, RStudio) based on user inputs, which can amplify impact if the remote payload is malicious. Mitigations include removing remote code execution paths, adding cryptographic verification (signatures or hash checks), isolating execution (sandboxes or containerization), validating inputs, and avoiding untrusted downloads or executions.

This assembly contains a highly obfuscated runtime loader/unpacker embedded alongside a nominal Modbus API surface. The loader decrypts/verifies embedded blobs, allocates unmanaged memory, writes pointers/bytes into process structures, uses reflection to create and install delegates, and invokes native code — behaviors unnecessary for a legitimate Modbus library and consistent with in-process code injection, unpacking, or backdoor loaders. Treat the package as malicious/high-risk. Do not run it in trusted environments; perform isolated dynamic analysis (sandbox) to extract and inspect decrypted payloads if further investigation is required.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] The fragment presents a coherent, purpose-aligned citation-management workflow with appropriate use of public bibliographic APIs and BibTeX tooling. The primary concern is compliance and reliability when automating Google Scholar. For a production-grade, low-risk release, implement API-first workflows (CrossRef, PubMed, arXiv) by default, and make Google Scholar automation optional with explicit terms-of-service compliance, rate-limiting, and clear user consent. Ensure credential handling is explicit, and add sandboxed execution for external calls with robust input validation. LLM verification: The documentation and examples match the declared citation-management purpose. No explicit malicious behavior is visible in the provided content. The primary security concerns are supply-chain risks from multiple unpinned pip dependencies and increased attack surface from web scraping (Selenium/scholarly) which can access browser state and rely on third-party HTML. I recommend pinning dependencies, adding integrity checks, documenting browser and driver setup, and advising users about scraping-r

[Skill Scanner] Installation of third-party script detected This skill's stated purpose (remote fine-tuning via a Colab bridge) matches its capabilities, but the required capabilities are high-privilege and therefore risky. The main concerns are: (1) a bi-directional WebSocket bridge that can exfiltrate runtime files/credentials, (2) automatic installation/execution of third-party packages (unsloth and others) without documented provenance, and (3) lack of documented least-privilege controls for enterprise/cloud credentials. I label this as SUSPICIOUS in practical risk — the documentation describes legitimate functionality, but the design exposes users to supply-chain and credential-exfiltration risks unless additional security controls (package provenance, endpoint verification, least privilege guidance, and explicit warnings about secrets) are implemented. LLM verification: The document is a legitimate-sounding skill manifest to enable remote Colab fine-tuning, but it describes high-risk capabilities (arbitrary remote execution, runtime package installs, and a WebSocket bridge) that create realistic opportunities for credential leakage or supply-chain compromise. There is no direct evidence of malware in the provided text, but the combination of automatic pip installs without integrity checks and an unspecified bridge topology elevates supply-chain and data-exfiltr

The code contains potential security risks due to the presence of eval statements. Further review and refactoring of the code is recommended to ensure security best practices are followed.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

This code fragment contains a critical remote code execution vector: it evaluates/executes HTTP request bodies directly via eval() and exec() and exposes results via HTTP. If this endpoint is reachable by untrusted users, it enables full takeover of the process and access to system resources, credentials, and network. It is highly dangerous in typical deployment and should not be exposed publicly. Even if the current fragment has a small bug (incorrect return name), the pattern is clearly malicious or severely insecure. Immediate remediation: remove or gate the REPL endpoint behind strong authentication and sandboxing, avoid eval/exec on untrusted input, and fix mutable default arguments and the handler return typo.

The dominant security concern is the explicit use of eval on data-derived JSON within CarbonPHP.handlebars, which can enable arbitrary code execution if data is attacker-controlled. Additional concerns include unsanitized dynamic script/template loading and a busy-wait sleep that can degrade performance and potentially expose timing information. Overall risk is high due to the eval pattern and dynamic content loading without strong sanitization.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This module implements privileged node and device management and exposes HTTP endpoints that accept user input used directly in shell commands and Docker operations. Main risks: command injection (unsanitized string interpolation into shell commands and os.popen), destructive device operations (partitioning, bind/unbind), supplying arbitrary images to be pulled and run as privileged containers, and use of an unencrypted/unprotected Docker TCP socket (tcp://...:2375). I assess this as not manifestly malware but a high-risk administrative component that must be strictly access-controlled and hardened (validate/sanitize inputs, avoid passing raw user values into shell/Docker operations, use secure Docker API access, avoid exposing endpoints publicly).

The mcporter CLI’s documented capabilities (arbitrary HTTP calls, --stdio process execution, and local credential storage) align with its stated purpose but present a moderate attack surface: misuse can lead to credential leakage or arbitrary code execution if inputs are untrusted or the environment is hostile. The fragment contains no explicit malicious code, obfuscation, or hard-coded attacker infrastructure. Recommended actions: review implementation for secure storage of tokens, minimize or sanitize construction of command strings, consider allowlisting target domains or prompting before sending credentials to unknown endpoints, and audit generated outputs for sensitive data leakage. Treat as functional but moderately risky in adversarial contexts.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] Report 2 is the best among the three for outlining a structured, auditable Codex-driven multi-agent orchestration with explicit conflict strategies and outputs. The improved assessment adds explicit security considerations and a tightened operational checklist to reduce risk when deploying in real pipelines. LLM verification: The skill is consistent with its stated purpose (orchestrating Codex sub-agents and CLI invocations) and contains no explicit malicious code. However, it instructs running local agent code and installing a third-party CLI, and it exposes an easy way to grant agents broad filesystem access (--add-dir) and high-privilege sandboxes. These operational features are proportionate to a multi-agent orchestrator but raise a medium security risk by design: misuse or running in an untrusted environment cou

This file is a high-risk obfuscated wrapper that directly executes hidden code. Without inspecting the decompressed payload we cannot state specific malicious actions, but the packaging pattern (base64 + zlib + exec) combined with execution-on-import is a strong indicator of potentially malicious or at least suspicious behavior. Do not execute in production; decompress and audit the payload in isolation before allowing use. Immediate remediation: block or remove this component until it is inspected and verified.

Live on PyPI for 2 days, 11 hours and 58 minutes before removal. Socket users were protected even while the package was live.

High risk due to untrusted deserialization via pickle.load from a path supplied externally (sys.argv[1]). The pattern can enable remote code execution if a crafted payload is supplied. The subsequent BM25 call on the untrusted object is suspicious but secondary to the deserialization risk. The syntax error should be resolved, but the core vulnerability remains and warrants removal of pickle-based loading or strict validation/sandboxing.

The code is designed to exfiltrate system information by sending it to an external domain via DNS queries. This is a clear indication of malicious behavior, as it involves unauthorized data transmission without user consent.

Live on npm for 50 minutes before removal. Socket users were protected even while the package was live.

This module orchestrates deliberate offensive actions: deauthentication/jamming, creation of a rogue access point, DHCP/DNS and iptables manipulation to redirect victim traffic to a local phishing webserver, and capture of credentials/payload delivery. It requires root, forcibly stops networking services and processes, and copies user-specified payloads into content that will be served to victims. The code is not obfuscated, but its behavior is clearly designed to perform credential harvesting and network attacks. Use of this package poses a high security risk and it should only be used in authorized testing environments with consent.

This module contains an explicit data exfiltration backdoor that sends any value passed to the decode() function as a message to a hardcoded Telegram bot. The malicious behavior includes: (1) hardcoded Telegram bot token '8177895028:AAFhOHz_gjUGtFKbHnV2h5AFfMy7WlJUbx0' and chat ID '7631491367' embedded in plaintext, (2) unconditional transmission of input data to api[.]telegram[.]org via HTTP POST before performing the expected decoding operation, (3) silent error suppression through empty catch blocks to avoid detection, and (4) no user consent, validation, or indication of the network activity. Any sensitive data passed to this function (API keys, credentials, tokens, private keys, PII) will be immediately transmitted to the attacker-controlled Telegram account. The module maintains functional behavior by still performing the expected bs58 decoding, which helps mask the malicious side-effect. This represents a high-severity supply chain attack designed to harvest secrets and sensitive information.

This install script phones home with hostname, username, and OS details to an external URL. That is direct data exfiltration/telemetry performed during installation and constitutes a significant privacy and security risk. Treat this behavior as malicious unless you have verified the endpoint and the package's intent.

This code contains multiple high-risk operations consistent with malicious or abusive automation: it downloads and injects files into app data, copies and uploads private app directories to a remote server, executes arbitrary adb/su shell commands, and embeds API keys for third-party services. These behaviors enable credential harvesting, app data exfiltration, remote control, and large-scale automated account abuse (captcha bypass, automated signups/logins). Treat this package as dangerous and untrusted unless you fully control and audit the remote endpoints (link_sms) and remove/mitigate the root-level file operations and hardcoded keys.

This code is not obviously a self-contained malware dropper, but it provides a high-privilege execution surface: it runs arbitrary shell commands (shell=True) and writes/appends to files based on external plans or user input without sanitization. That makes it dangerous in contexts where steps/plans or inputs are untrusted or come from remote services. If upstream agents or data are compromised, this module can be abused to execute arbitrary code, modify repository or system files, or launch persistent processes. Recommend treating inputs as untrusted, adding strict validation/sanitization for commands and file paths, avoiding shell=True or using explicit argument lists, and adding allowlists and dry-run / manual approval for changes.

Live on PyPI for 5 days, 9 hours and 51 minutes before removal. Socket users were protected even while the package was live.

This script is a high-risk supply chain component that downloads and executes arbitrary remote code at runtime without validation or sandboxing. This constitutes a serious security risk and potential malware vector, as it allows the remote server to run any code with the user's privileges. The code is not obfuscated, but the dynamic remote code execution behavior is inherently dangerous. Use of this package should be treated with extreme caution and considered a critical security threat.

This file defines a large local dumpJSON array and then, unconditionally when imported, uses a hard-coded cookie (including a login_token JWT) plus static aiStudioUrl (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio) and datasetId to authenticate and issue fetch GET to /api/datasets/{datasetId}/documents?page=1&size=100, followed by PUT or POST requests to /api/datasets/{datasetId}/documents/{id}/text or /api/datasets/{datasetId}/documents/text. Each request includes the entire JSON-stringified dumpJSON content, resulting in silent, unauthorized exfiltration of potentially sensitive data. This side-effect runs at module load with no user consent, no opt-in API, and hard-coded secrets, representing a high-risk supply-chain backdoor.

The source code demonstrates behaviors typically associated with malware, such as data exfiltration and VM evasion. It collects extensive system information and sends it to an external server, which is a significant security risk. The code is not obfuscated, but its actions are suspicious and warrant a high-risk score.

The code presents a strong supply-chain and remote-execution risk by automatically downloading and executing remote Python payloads without integrity checks or sandboxing. It also creates and runs external services (Jupyter, Visdom, RStudio) based on user inputs, which can amplify impact if the remote payload is malicious. Mitigations include removing remote code execution paths, adding cryptographic verification (signatures or hash checks), isolating execution (sandboxes or containerization), validating inputs, and avoiding untrusted downloads or executions.

This assembly contains a highly obfuscated runtime loader/unpacker embedded alongside a nominal Modbus API surface. The loader decrypts/verifies embedded blobs, allocates unmanaged memory, writes pointers/bytes into process structures, uses reflection to create and install delegates, and invokes native code — behaviors unnecessary for a legitimate Modbus library and consistent with in-process code injection, unpacking, or backdoor loaders. Treat the package as malicious/high-risk. Do not run it in trusted environments; perform isolated dynamic analysis (sandbox) to extract and inspect decrypted payloads if further investigation is required.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] The fragment presents a coherent, purpose-aligned citation-management workflow with appropriate use of public bibliographic APIs and BibTeX tooling. The primary concern is compliance and reliability when automating Google Scholar. For a production-grade, low-risk release, implement API-first workflows (CrossRef, PubMed, arXiv) by default, and make Google Scholar automation optional with explicit terms-of-service compliance, rate-limiting, and clear user consent. Ensure credential handling is explicit, and add sandboxed execution for external calls with robust input validation. LLM verification: The documentation and examples match the declared citation-management purpose. No explicit malicious behavior is visible in the provided content. The primary security concerns are supply-chain risks from multiple unpinned pip dependencies and increased attack surface from web scraping (Selenium/scholarly) which can access browser state and rely on third-party HTML. I recommend pinning dependencies, adding integrity checks, documenting browser and driver setup, and advising users about scraping-r

[Skill Scanner] Installation of third-party script detected This skill's stated purpose (remote fine-tuning via a Colab bridge) matches its capabilities, but the required capabilities are high-privilege and therefore risky. The main concerns are: (1) a bi-directional WebSocket bridge that can exfiltrate runtime files/credentials, (2) automatic installation/execution of third-party packages (unsloth and others) without documented provenance, and (3) lack of documented least-privilege controls for enterprise/cloud credentials. I label this as SUSPICIOUS in practical risk — the documentation describes legitimate functionality, but the design exposes users to supply-chain and credential-exfiltration risks unless additional security controls (package provenance, endpoint verification, least privilege guidance, and explicit warnings about secrets) are implemented. LLM verification: The document is a legitimate-sounding skill manifest to enable remote Colab fine-tuning, but it describes high-risk capabilities (arbitrary remote execution, runtime package installs, and a WebSocket bridge) that create realistic opportunities for credential leakage or supply-chain compromise. There is no direct evidence of malware in the provided text, but the combination of automatic pip installs without integrity checks and an unspecified bridge topology elevates supply-chain and data-exfiltr