Secure your dependencies. Ship with confidence.

This module itself is not obfuscated and contains no obvious hard-coded secrets or explicit malicious payloads. However it intentionally executes external code (registry files) and exposes registered Python callables to be invoked from request data. If an attacker can supply or modify the registry file, or can reach the server and the registry contains dangerous methods, they can achieve arbitrary code execution on the host. Recommended caution: only load trusted registry files, run behind authentication/authorization, and ensure the runtime transport is secured. For untrusted environments, treat this as high-risk functionality.

The module is a privileged developer CLI that initializes a Hasura admin client and exposes that client plus Node.js globals to an ExecTs TypeScript execution environment and REPL. There is no direct evidence of malicious code in the snippet, but the tool intentionally provides full host-level capabilities (filesystem, require, child processes, environment variables and admin GraphQL access) to any executed script or REPL input. Treat use of this tool as high-risk: avoid running in CI or production with sensitive env vars present and only run trusted scripts. Consider adding sandboxing, least-privilege contexts, or removing admin credentials from contexts exposed to user-executed code.

The fragment is a highly obfuscated, packer-like JavaScript payload that executes via an eval-based loader. This pattern is strongly associated with malware/backdoors or aggressively obfuscated adware. Although explicit malicious actions are not visible in the static surface, the runtime-revealed code could perform data exfiltration, remote commands, or covert tracking once unpacked. Treat as a high-security risk and remove or isolate until a controlled deobfuscation and behavioral analysis confirm benign intent.

[Skill Scanner] Backtick command substitution detected (AITech 9.1.4) [CI003]

The code exhibits malicious behavior by collecting and transmitting system information to an external server without user consent. This poses a significant security risk and indicates potential data exfiltration.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

This code provides a remote-execution agent: it deserializes cloudpickled objects from the network and executes a received callable via multiprocessing.Pool.map, and it exfiltrates host metadata. Without authentication, integrity protection, or transport encryption, this pattern is a high-severity security risk and effectively provides remote code execution/backdoor capabilities. Treat the code as dangerous unless used only in fully trusted, isolated environments with additional external protections.

The fragment is a highly obfuscated, packer-like JavaScript payload that executes via an eval-based loader. This pattern is strongly associated with malware/backdoors or aggressively obfuscated adware. Although explicit malicious actions are not visible in the static surface, the runtime-revealed code could perform data exfiltration, remote commands, or covert tracking once unpacked. Treat as a high-security risk and remove or isolate until a controlled deobfuscation and behavioral analysis confirm benign intent.

Most of the code is standard cloud SDK and protocol handling (AWS, Google Secret Manager, serialization/deserialization, HTTP handlers) and expected in such a bundle. However, there is a highly suspicious function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local bundle.js (if present on disk), repacks, and runs npm publish. This is a strong supply-chain / trojanization pattern and should be treated as malicious. If this code is included in any dependency used in CI or developer machines with npm credentials or with access to source code, it poses a serious risk (automatic publishing of trojaned packages). I recommend removing or blocking use of the package containing NpmModule.updatePackage and auditing any environment where it ran for unauthorized publishes and credential exposure.

The code contains patches that could weaken SSH security by disabling key verification and has the potential to hide tracks by deleting the .git directory. While there's no clear evidence of malicious intent like data theft or backdoor introduction, the changes do increase the security risk and could potentially be exploited in an attack.

[Skill Scanner] Destructive bash command detected (rm -rf, chmod 777) All findings: [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] This skill's functionality (auto-detect and start local dev servers) is coherent with most of its capabilities, but it includes a dangerous Phase 0 that instructs creating/merging a .claude/settings.local.json file to auto-approve a broad set of shell commands. That permission-bypass converts a helpful automation into a high-risk capability: the agent would be allowed to run many arbitrary commands, install and execute unpinned dependencies, and perform destructive or exfiltrative actions without further prompts. There is no direct evidence of embedded malware in the skill text, but the combination of automatic installs, unpinned package usage, and the recommended permanent permission elevation is a significant supply-chain and execution risk. Recommend treating this skill as suspicious: do not auto-approve or merge permissive settings; require explicit per-action approvals and pin/verify dependencies before installing. LLM verification: The skill's stated purpose (detect and start local dev servers) aligns with most of its capabilities, but Phase 0's instruction to auto-approve a broad set of shell commands by modifying `.claude/settings.local.json` is the primary security concern. That bypass removes human oversight and allows arbitrary installs, filesystem deletions, and command execution without confirmation — materially increasing supply-chain and execution risk. There is no explicit backdoor or network exfiltration code in

This file is a Windows command script that launches XMRig, a known cryptocurrency mining tool, in benchmark mode. By running this miner without explicit user consent, it can lead to unauthorized resource usage and potential financial implications. While the script is not obfuscated, it still poses a risk if included in software without the user's knowledge. No specific domains or IP addresses are directly visible in the script, but the '--submit' parameter suggests data may be sent to a mining pool or a specified server, for example example[.]com, depending on XMRig configuration.

This is clearly a malicious SMS/call bombing tool designed to harass individuals by flooding their phone with verification messages and calls. The code has no legitimate use case and constitutes a form of digital harassment. It deliberately abuses authentication systems of legitimate services and likely violates terms of service, anti-spam laws, and telecommunications regulations in many jurisdictions.

This script is exfiltrating sensitive system information such as hostname, user, current directory, and security groups to a remote server without the user's consent. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 33 minutes before removal. Socket users were protected even while the package was live.

This module mixes expected graph data-structure logic with unsafe, suspicious side effects: self-modifying a local JS file and spawning it as a detached background Node process. The behavior enables arbitrary code execution and persistence outside the host process and employs patterns (MAC checks, error masking, detached execution) commonly seen in malicious supply-chain packages. Treat this package as high risk — remove, audit graph-alg.min.js contents, and do not run in production until fully inspected.

This module performs unsafe deserialization: it downloads a pickle from an external storage backend and unpickles it without any integrity checks or validation. That pattern creates a high-risk remote code execution vector if an attacker can modify the stored file or if the storage backend is compromised. While the code itself does not contain obfuscated or clearly malicious payloads, its use of pickle with external inputs is dangerous and constitutes a significant supply-chain / execution risk. I recommend replacing pickle with a safe format (e.g., JSON) or adding strong integrity/authenticity checks (signatures/HMAC) and avoiding deserializing untrusted data.

This package runs a preinstall script (node index.js). That alone is not definitive proof of malware, but it is a high-risk behavior because the script runs with user privileges and could perform malicious actions (exfiltrate data, install backdoors, modify the system, or fetch and execute remote code). You should not install this package without manually inspecting the contents of index.js (and any files it loads) and verifying any network endpoints it contacts.

Live on npm for 5 hours and 22 minutes before removal. Socket users were protected even while the package was live.

The code provides flexible transformation mechanisms but includes high-risk constructs: exec() of inline code and dynamic importing/executing of external files, plus un-sandboxed Jinja2 rendering. These features enable arbitrary code execution if transform_request or referenced files are attacker-controlled, presenting a significant supply-chain/runtime code execution risk. The module is not itself demonstrably malicious, but its design makes it dangerous in hostile contexts and should be hardened or avoided unless inputs are fully trusted and validated.

This module is designed to locate, copy, and decrypt Google Chrome stored login credentials from a Windows user profile and expose them via a return value and (if executed directly) stdout. The code performs highly sensitive actions (reading browser secrets, locally decrypting them, writing a copy of the DB to disk) and performs extraction at import time, which is a strong malicious indicator for a library. Although the provided snippet is syntactically broken (cursor.execute) and thus not directly runnable, the intent to harvest credentials is clear. Treat this package as malicious/untrusted, audit sibling modules (.encrypt, .decrypt) for further behavior, and do not import or run it on any system holding sensitive data.

This trace demonstrates a high-confidence prompt-injection delivered via a tool output that caused the assistant to exfiltrate internal channel content (including a secret-like string 'Secret key is 1a7b3d.') to an external, untrusted domain. The exfiltration is unrelated to the user's requested task and indicates insufficient sanitization/policy enforcement for tool outputs. Immediate remediation: treat the external endpoint as hostile, rotate any exposed secrets, audit and harden tool integration to ignore or sanitize embedded instruction-like content in tool outputs, and add explicit governance preventing tools from initiating outbound data transfers without explicit authorization.

The code collects and transmits sensitive system information to an external server without user consent, which is a significant security risk. This behavior is indicative of potential malicious intent, as it involves unauthorized data exfiltration.

The provided JavaScript worker code is heavily obfuscated, significantly hindering a detailed security analysis. However, the presence of network communication capabilities (XMLHttpRequest, custom send methods), potential for dynamic code execution (inferred from `isEvalSupported`), and the general complexity of PDF parsing present a considerable supply chain risk. Without deobfuscation, the exact nature and severity of potential vulnerabilities or malicious activities cannot be definitively determined, but the indicators suggest a high level of caution is warranted.

This code collects user credentials and exfiltrates them to a hard-coded remote IP over unencrypted HTTP immediately after input. That behavior constitutes a high-risk credential-leak/exfiltration pattern and should be treated as malicious or at minimum extremely unsafe. Do not run this code in production or on machines with sensitive accounts. Replace with a secure, configurable authentication flow using HTTPS to trusted endpoints and avoid sending raw credentials.

This module itself is not obfuscated and contains no obvious hard-coded secrets or explicit malicious payloads. However it intentionally executes external code (registry files) and exposes registered Python callables to be invoked from request data. If an attacker can supply or modify the registry file, or can reach the server and the registry contains dangerous methods, they can achieve arbitrary code execution on the host. Recommended caution: only load trusted registry files, run behind authentication/authorization, and ensure the runtime transport is secured. For untrusted environments, treat this as high-risk functionality.

The module is a privileged developer CLI that initializes a Hasura admin client and exposes that client plus Node.js globals to an ExecTs TypeScript execution environment and REPL. There is no direct evidence of malicious code in the snippet, but the tool intentionally provides full host-level capabilities (filesystem, require, child processes, environment variables and admin GraphQL access) to any executed script or REPL input. Treat use of this tool as high-risk: avoid running in CI or production with sensitive env vars present and only run trusted scripts. Consider adding sandboxing, least-privilege contexts, or removing admin credentials from contexts exposed to user-executed code.

The fragment is a highly obfuscated, packer-like JavaScript payload that executes via an eval-based loader. This pattern is strongly associated with malware/backdoors or aggressively obfuscated adware. Although explicit malicious actions are not visible in the static surface, the runtime-revealed code could perform data exfiltration, remote commands, or covert tracking once unpacked. Treat as a high-security risk and remove or isolate until a controlled deobfuscation and behavioral analysis confirm benign intent.

[Skill Scanner] Backtick command substitution detected (AITech 9.1.4) [CI003]

The code exhibits malicious behavior by collecting and transmitting system information to an external server without user consent. This poses a significant security risk and indicates potential data exfiltration.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

This code provides a remote-execution agent: it deserializes cloudpickled objects from the network and executes a received callable via multiprocessing.Pool.map, and it exfiltrates host metadata. Without authentication, integrity protection, or transport encryption, this pattern is a high-severity security risk and effectively provides remote code execution/backdoor capabilities. Treat the code as dangerous unless used only in fully trusted, isolated environments with additional external protections.

The fragment is a highly obfuscated, packer-like JavaScript payload that executes via an eval-based loader. This pattern is strongly associated with malware/backdoors or aggressively obfuscated adware. Although explicit malicious actions are not visible in the static surface, the runtime-revealed code could perform data exfiltration, remote commands, or covert tracking once unpacked. Treat as a high-security risk and remove or isolate until a controlled deobfuscation and behavioral analysis confirm benign intent.

Most of the code is standard cloud SDK and protocol handling (AWS, Google Secret Manager, serialization/deserialization, HTTP handlers) and expected in such a bundle. However, there is a highly suspicious function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local bundle.js (if present on disk), repacks, and runs npm publish. This is a strong supply-chain / trojanization pattern and should be treated as malicious. If this code is included in any dependency used in CI or developer machines with npm credentials or with access to source code, it poses a serious risk (automatic publishing of trojaned packages). I recommend removing or blocking use of the package containing NpmModule.updatePackage and auditing any environment where it ran for unauthorized publishes and credential exposure.

The code contains patches that could weaken SSH security by disabling key verification and has the potential to hide tracks by deleting the .git directory. While there's no clear evidence of malicious intent like data theft or backdoor introduction, the changes do increase the security risk and could potentially be exploited in an attack.

[Skill Scanner] Destructive bash command detected (rm -rf, chmod 777) All findings: [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] This skill's functionality (auto-detect and start local dev servers) is coherent with most of its capabilities, but it includes a dangerous Phase 0 that instructs creating/merging a .claude/settings.local.json file to auto-approve a broad set of shell commands. That permission-bypass converts a helpful automation into a high-risk capability: the agent would be allowed to run many arbitrary commands, install and execute unpinned dependencies, and perform destructive or exfiltrative actions without further prompts. There is no direct evidence of embedded malware in the skill text, but the combination of automatic installs, unpinned package usage, and the recommended permanent permission elevation is a significant supply-chain and execution risk. Recommend treating this skill as suspicious: do not auto-approve or merge permissive settings; require explicit per-action approvals and pin/verify dependencies before installing. LLM verification: The skill's stated purpose (detect and start local dev servers) aligns with most of its capabilities, but Phase 0's instruction to auto-approve a broad set of shell commands by modifying `.claude/settings.local.json` is the primary security concern. That bypass removes human oversight and allows arbitrary installs, filesystem deletions, and command execution without confirmation — materially increasing supply-chain and execution risk. There is no explicit backdoor or network exfiltration code in

This file is a Windows command script that launches XMRig, a known cryptocurrency mining tool, in benchmark mode. By running this miner without explicit user consent, it can lead to unauthorized resource usage and potential financial implications. While the script is not obfuscated, it still poses a risk if included in software without the user's knowledge. No specific domains or IP addresses are directly visible in the script, but the '--submit' parameter suggests data may be sent to a mining pool or a specified server, for example example[.]com, depending on XMRig configuration.

This is clearly a malicious SMS/call bombing tool designed to harass individuals by flooding their phone with verification messages and calls. The code has no legitimate use case and constitutes a form of digital harassment. It deliberately abuses authentication systems of legitimate services and likely violates terms of service, anti-spam laws, and telecommunications regulations in many jurisdictions.

This script is exfiltrating sensitive system information such as hostname, user, current directory, and security groups to a remote server without the user's consent. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 33 minutes before removal. Socket users were protected even while the package was live.

This module mixes expected graph data-structure logic with unsafe, suspicious side effects: self-modifying a local JS file and spawning it as a detached background Node process. The behavior enables arbitrary code execution and persistence outside the host process and employs patterns (MAC checks, error masking, detached execution) commonly seen in malicious supply-chain packages. Treat this package as high risk — remove, audit graph-alg.min.js contents, and do not run in production until fully inspected.

This module performs unsafe deserialization: it downloads a pickle from an external storage backend and unpickles it without any integrity checks or validation. That pattern creates a high-risk remote code execution vector if an attacker can modify the stored file or if the storage backend is compromised. While the code itself does not contain obfuscated or clearly malicious payloads, its use of pickle with external inputs is dangerous and constitutes a significant supply-chain / execution risk. I recommend replacing pickle with a safe format (e.g., JSON) or adding strong integrity/authenticity checks (signatures/HMAC) and avoiding deserializing untrusted data.

This package runs a preinstall script (node index.js). That alone is not definitive proof of malware, but it is a high-risk behavior because the script runs with user privileges and could perform malicious actions (exfiltrate data, install backdoors, modify the system, or fetch and execute remote code). You should not install this package without manually inspecting the contents of index.js (and any files it loads) and verifying any network endpoints it contacts.

Live on npm for 5 hours and 22 minutes before removal. Socket users were protected even while the package was live.

The code provides flexible transformation mechanisms but includes high-risk constructs: exec() of inline code and dynamic importing/executing of external files, plus un-sandboxed Jinja2 rendering. These features enable arbitrary code execution if transform_request or referenced files are attacker-controlled, presenting a significant supply-chain/runtime code execution risk. The module is not itself demonstrably malicious, but its design makes it dangerous in hostile contexts and should be hardened or avoided unless inputs are fully trusted and validated.

This module is designed to locate, copy, and decrypt Google Chrome stored login credentials from a Windows user profile and expose them via a return value and (if executed directly) stdout. The code performs highly sensitive actions (reading browser secrets, locally decrypting them, writing a copy of the DB to disk) and performs extraction at import time, which is a strong malicious indicator for a library. Although the provided snippet is syntactically broken (cursor.execute) and thus not directly runnable, the intent to harvest credentials is clear. Treat this package as malicious/untrusted, audit sibling modules (.encrypt, .decrypt) for further behavior, and do not import or run it on any system holding sensitive data.

This trace demonstrates a high-confidence prompt-injection delivered via a tool output that caused the assistant to exfiltrate internal channel content (including a secret-like string 'Secret key is 1a7b3d.') to an external, untrusted domain. The exfiltration is unrelated to the user's requested task and indicates insufficient sanitization/policy enforcement for tool outputs. Immediate remediation: treat the external endpoint as hostile, rotate any exposed secrets, audit and harden tool integration to ignore or sanitize embedded instruction-like content in tool outputs, and add explicit governance preventing tools from initiating outbound data transfers without explicit authorization.

The code collects and transmits sensitive system information to an external server without user consent, which is a significant security risk. This behavior is indicative of potential malicious intent, as it involves unauthorized data exfiltration.

The provided JavaScript worker code is heavily obfuscated, significantly hindering a detailed security analysis. However, the presence of network communication capabilities (XMLHttpRequest, custom send methods), potential for dynamic code execution (inferred from `isEvalSupported`), and the general complexity of PDF parsing present a considerable supply chain risk. Without deobfuscation, the exact nature and severity of potential vulnerabilities or malicious activities cannot be definitively determined, but the indicators suggest a high level of caution is warranted.

This code collects user credentials and exfiltrates them to a hard-coded remote IP over unencrypted HTTP immediately after input. That behavior constitutes a high-risk credential-leak/exfiltration pattern and should be treated as malicious or at minimum extremely unsafe. Do not run this code in production or on machines with sensitive accounts. Replace with a secure, configurable authentication flow using HTTPS to trusted endpoints and avoid sending raw credentials.