Secure your dependencies. Ship with confidence.

The code is suspicious due to its unnecessary complexity and unclear purpose. While no explicit malicious behavior is observed, such as network communication, data theft, or system harm, the unusual pattern could hide potential malicious activity if it is part of a larger, more complex attack.

This module is an explicit DNS-spoofing tool that intercepts UDP/53 traffic via NetfilterQueue and forges DNS replies using Scapy. It modifies iptables to divert DNS queries, crafts replies with attacker-provided rdata, and reinjects them — enabling MITM redirection and potential data/credential theft. The code contains no safeguards, lacks initialization of some attributes, and the provided snippet appears truncated (syntax error). Treat as high-risk/likely malicious; only use in authorized, isolated test environments.

This component exhibits strong backdoor-like behavior: hardcoded superadmin credentials in client-side code, outbound POST to a numeric IP, automatic insertion of a static token on mount, storing returned access tokens into sessionStorage, and suppression of errors so the app proceeds regardless of remote auth success. These are high-risk supply-chain indicators. Treat this as malicious or compromised: remove or isolate the package, block network traffic to the indicated IP, audit repository history and publisher, and perform a full package audit. If deployed, consider rotating credentials and tokens used by the service.

This module is highly suspicious: it intentionally conceals a secondary Python program in a base64+zlib blob and executes it immediately at import time. That pattern is a canonical supply-chain/malicious-obfuscation indicator. Treat the package as high risk: do not import/run it in production or on sensitive hosts. Decode and analyze the decompressed payload in an isolated environment before any use. If the decompressed payload contains network callbacks, credential access, or persistence logic, consider removing the package and treating it as malicious.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] BENIGN with standard operational security considerations. The Hypogenic description coherently maps to a legitimate multi-component hypothesis-generation framework. Security concerns focus on credential management for APIs/Redis, provenance verification, and integrity checks for literature processing components. No malicious behavior detected in the fragment itself. LLM verification: Based on the provided SKILL.md fragment, there is no direct evidence of malicious code or intentional backdoors. The documentation and capabilities are coherent with the stated purpose. The main supply-chain risks are operational: unpinned pip install instructions (encourages pulling latest unverified releases), external git clones, and implicit requirement to provide LLM API keys (sensitive). Because the actual code that performs network calls and credential handling was not provided, there rem

This module is a payload-management library that intentionally defines and manages templates for malicious prompt-based attacks (self-replication, data exfiltration, goal hijacking). The code does not itself perform network exfiltration or spawn processes, but it provides structured, high-severity payload templates and allows arbitrary custom templates to be stored and rendered with Jinja2. That makes it dangerous in any project that uses rendered payloads as prompts or instructions for agents. I assess a high security risk: the package should be treated as malicious or at least strongly suspect and removed or sandboxed. Further review of where render() outputs are used in the host application is required to determine actual compromise.

Live on PyPI for 23 hours and 49 minutes before removal. Socket users were protected even while the package was live.

The code fragment exhibits explicit backdoor-oriented behavior with bulk asset management (cards and mini-programs) and remote cleanup actions. While some aspects could be legitimate admin tooling, the explicit backdoor language, combined with credential handling, bulk uploads, and cleanup operations, indicate a high security risk and potential for abuse in a supply-chain context. Proceed with extreme caution, require explicit disclosure, and restrict usage to trusted environments with strong controls.

The code imports multiple modules and calls a function named functame from each of them. The unconventional names of the modules and functions, along with the lack of documentation or descriptive variable names, raise some suspicion. However, without more information on the imported modules, it is difficult to definitively conclude whether the code is malicious or not. There are no explicit signs of data leakage, credential theft, or system damage in the provided code fragment.

Live on npm for 57 days, 12 hours and 43 minutes before removal. Socket users were protected even while the package was live.

This function is a high-risk primitive: it performs filesystem access and arbitrary SQL execution based entirely on untrusted input. While not obviously malicious (no obfuscated payloads, no hardcoded secrets, no network exfiltration code), its design enables data exfiltration and destructive operations when reachable by untrusted callers (for example, if registered as a LangChain Tool exposed to model prompts). Mitigations: restrict tool exposure to trusted callers, implement allowlists for allowed database file paths, validate or parameterize queries (or only allow predefined named queries), remove or sanitize error messages, use context managers to ensure connection closure, and disable unsafe SQLite features (LOAD_EXTENSION). Do not register this tool with agents that can be driven by untrusted input without applying strict controls.

The fragment is an offensive scanning/exploitation component targeting Oracle WebLogic SOAP endpoints to detect and likely exploit remote command execution. It issues network requests containing a payload (postStr) and records successful exploitation traces locally. Treat this code as high-risk: it performs active exploitation actions, should not be included as a trusted dependency, and requires review and containment. If you maintain or encounter this package, locate the definition of postStr and the database/CLI helpers to fully assess the exploit payload and impact; consider removing or isolating this module from production code.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This file contains plaintext sensitive configuration (JWT private key and SMTP credentials) that represent a high supply-chain and operational security risk if included in a public repository or distributed package. The fragment itself is not executable malware, but the leaked secrets enable account impersonation, forged JWTs, mailbox abuse, and extended attacker access. Treat this as a secrets leakage incident: rotate credentials, remove from public sources, and adopt secure secret management.

Live on npm for 3 hours and 14 minutes before removal. Socket users were protected even while the package was live.

This code performs unauthorized data collection and transmits local environment details to a hardcoded external host, combined with an actor contact message. The behavior is consistent with targeted data exfiltration and constitutes a supply-chain compromise or malicious backdoor. Remove or isolate the package, treat it as compromised, and verify other package versions and maintainers. If this module executed during install or import in production, consider incident response actions (rotate secrets possibly exposed, scan systems for similar modules, audit supply chain).

This code implements a remote downloader and executor: it fetches code from a hardcoded Pastebin URL and executes it via PowerShell with execution-policy bypass and hidden/suppressed process execution. This is a high-risk pattern and should be considered malicious or at minimum extremely dangerous in most contexts. Do not run this code on production or trusted systems. Replace with safe alternatives that validate, sandbox, or embed trusted code and avoid executing remote content.

Live on PyPI for 1 day, 6 hours and 27 minutes before removal. Socket users were protected even while the package was live.

This file gathers environment variables, base64-encodes them, and sends them via an HTTP POST request to events[.]hookdeck[.]com using obfuscated code. The dynamic execution and network exfiltration of potentially sensitive information demonstrate malicious intent.

The analyzed code is the central control module of a remote-access implant (Sliver). It actively fingerprints the host, communicates with remote C2 servers, receives and executes arbitrary tasks from the server, supports opening additional outbound sessions, and manages pivots/tunnels. These behaviors are consistent with malicious remote-access tools. Do not run this code on trusted systems. A full assessment requires reviewing transports, handlers, pivots and other modules for payload specifics and persistence behavior.

This module unambiguously decodes, decompresses, and execs an embedded opaque payload at import time. That behavior prevents safe static review and creates a high potential for malicious or privacy-invasive actions when imported. Without decoding the payload we cannot assert specific malicious behaviors, but the concealment + import-time exec pattern is high-risk for supply-chain and runtime security. Do not import or deploy this package until the decompressed payload is inspected in an isolated environment and provenance/trust of the package is verified.

Live on PyPI for 10 hours and 28 minutes before removal. Socket users were protected even while the package was live.

[Skill Scanner] Credential file access detected (AITech 8.2.3) [DE002]

The script seems to be part of a spamming operation and uses bad security practices, such as hardcoding paths and credentials. Therefore, it's a potential security risk.

Live on npm for 5 hours and 29 minutes before removal. Socket users were protected even while the package was live.

This file is a database-dumping tool that constructs and sends PHP payloads to a remote webshell-like backend, decodes returned data and writes full table dumps to local .sql files. Functionally this enables large-scale data exfiltration. If used against systems without explicit authorization it is malicious. The provided snippet appears incomplete/partially redacted (format placeholders broken), so full payload content and any additional hidden behavior could not be verified. Recommend treating this as high risk and auditing the referenced libs (libs.myapp, libs.config) and the exact payload templates before trusting or using.

This file is a DNS-based C2 client implementation (Sliver implant framework). It intentionally encodes and transmits encrypted payloads inside DNS queries/responses to remote resolvers, enabling command-and-control and data exfiltration. In typical threat models this constitutes malicious/suspicious software and should not be used in production environments. It exhibits some implementation issues (non-crypto random resolver selection, potential race on metrics map, debug logging) but the primary risk is its intended covert C2 functionality.

[Skill Scanner] Installation of third-party script detected (AITech 9.1.4) [SC006]

The 'preinstall' script sends the contents of the '/etc/passwd' file to an external server during package installation. The data is transmitted using 'curl' to the URL '$(hostname)4otj8u0gmz9ylhh439pblt715sbjz9ny[.]oastify[.]com', which allows the attacker to collect sensitive system information.

Live on npm for 12 days, 17 hours and 16 minutes before removal. Socket users were protected even while the package was live.

The fragment contains a high-risk pattern: it downloads a Python script from a remote source and immediately executes it without integrity verification or sandboxing. This creates a critical supply-chain and remote-code-execution risk, as the remote payload could perform any action on the host, including data exfiltration, credential access, or system compromise. Even though defaults use placeholders, the mechanism itself is unsafe and should be disallowed or hardened (e.g., verify hashes, use signed modules, avoid executing remote code).

The code collects local environment information (package name, hostname, home directory, module path) and exfiltrates it by encoding the JSON payload as hex and embedding it into DNS query labels sent to a hardcoded external DNS server (172.104.4.75). This is a clear DNS tunneling/data-exfiltration mechanism. The explicit DNS resolver override, inclusion of sensitive filesystem information, absence of encryption or consent, and silent error handling make this code malicious or severely untrusted. It should be removed, blocked, or executed only in a controlled, consented test environment.

Live on npm for 4 hours and 3 minutes before removal. Socket users were protected even while the package was live.

The code is suspicious due to its unnecessary complexity and unclear purpose. While no explicit malicious behavior is observed, such as network communication, data theft, or system harm, the unusual pattern could hide potential malicious activity if it is part of a larger, more complex attack.

This module is an explicit DNS-spoofing tool that intercepts UDP/53 traffic via NetfilterQueue and forges DNS replies using Scapy. It modifies iptables to divert DNS queries, crafts replies with attacker-provided rdata, and reinjects them — enabling MITM redirection and potential data/credential theft. The code contains no safeguards, lacks initialization of some attributes, and the provided snippet appears truncated (syntax error). Treat as high-risk/likely malicious; only use in authorized, isolated test environments.

This component exhibits strong backdoor-like behavior: hardcoded superadmin credentials in client-side code, outbound POST to a numeric IP, automatic insertion of a static token on mount, storing returned access tokens into sessionStorage, and suppression of errors so the app proceeds regardless of remote auth success. These are high-risk supply-chain indicators. Treat this as malicious or compromised: remove or isolate the package, block network traffic to the indicated IP, audit repository history and publisher, and perform a full package audit. If deployed, consider rotating credentials and tokens used by the service.

This module is highly suspicious: it intentionally conceals a secondary Python program in a base64+zlib blob and executes it immediately at import time. That pattern is a canonical supply-chain/malicious-obfuscation indicator. Treat the package as high risk: do not import/run it in production or on sensitive hosts. Decode and analyze the decompressed payload in an isolated environment before any use. If the decompressed payload contains network callbacks, credential access, or persistence logic, consider removing the package and treating it as malicious.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] BENIGN with standard operational security considerations. The Hypogenic description coherently maps to a legitimate multi-component hypothesis-generation framework. Security concerns focus on credential management for APIs/Redis, provenance verification, and integrity checks for literature processing components. No malicious behavior detected in the fragment itself. LLM verification: Based on the provided SKILL.md fragment, there is no direct evidence of malicious code or intentional backdoors. The documentation and capabilities are coherent with the stated purpose. The main supply-chain risks are operational: unpinned pip install instructions (encourages pulling latest unverified releases), external git clones, and implicit requirement to provide LLM API keys (sensitive). Because the actual code that performs network calls and credential handling was not provided, there rem

This module is a payload-management library that intentionally defines and manages templates for malicious prompt-based attacks (self-replication, data exfiltration, goal hijacking). The code does not itself perform network exfiltration or spawn processes, but it provides structured, high-severity payload templates and allows arbitrary custom templates to be stored and rendered with Jinja2. That makes it dangerous in any project that uses rendered payloads as prompts or instructions for agents. I assess a high security risk: the package should be treated as malicious or at least strongly suspect and removed or sandboxed. Further review of where render() outputs are used in the host application is required to determine actual compromise.

Live on PyPI for 23 hours and 49 minutes before removal. Socket users were protected even while the package was live.

The code fragment exhibits explicit backdoor-oriented behavior with bulk asset management (cards and mini-programs) and remote cleanup actions. While some aspects could be legitimate admin tooling, the explicit backdoor language, combined with credential handling, bulk uploads, and cleanup operations, indicate a high security risk and potential for abuse in a supply-chain context. Proceed with extreme caution, require explicit disclosure, and restrict usage to trusted environments with strong controls.

The code imports multiple modules and calls a function named functame from each of them. The unconventional names of the modules and functions, along with the lack of documentation or descriptive variable names, raise some suspicion. However, without more information on the imported modules, it is difficult to definitively conclude whether the code is malicious or not. There are no explicit signs of data leakage, credential theft, or system damage in the provided code fragment.

Live on npm for 57 days, 12 hours and 43 minutes before removal. Socket users were protected even while the package was live.

This function is a high-risk primitive: it performs filesystem access and arbitrary SQL execution based entirely on untrusted input. While not obviously malicious (no obfuscated payloads, no hardcoded secrets, no network exfiltration code), its design enables data exfiltration and destructive operations when reachable by untrusted callers (for example, if registered as a LangChain Tool exposed to model prompts). Mitigations: restrict tool exposure to trusted callers, implement allowlists for allowed database file paths, validate or parameterize queries (or only allow predefined named queries), remove or sanitize error messages, use context managers to ensure connection closure, and disable unsafe SQLite features (LOAD_EXTENSION). Do not register this tool with agents that can be driven by untrusted input without applying strict controls.

The fragment is an offensive scanning/exploitation component targeting Oracle WebLogic SOAP endpoints to detect and likely exploit remote command execution. It issues network requests containing a payload (postStr) and records successful exploitation traces locally. Treat this code as high-risk: it performs active exploitation actions, should not be included as a trusted dependency, and requires review and containment. If you maintain or encounter this package, locate the definition of postStr and the database/CLI helpers to fully assess the exploit payload and impact; consider removing or isolating this module from production code.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This file contains plaintext sensitive configuration (JWT private key and SMTP credentials) that represent a high supply-chain and operational security risk if included in a public repository or distributed package. The fragment itself is not executable malware, but the leaked secrets enable account impersonation, forged JWTs, mailbox abuse, and extended attacker access. Treat this as a secrets leakage incident: rotate credentials, remove from public sources, and adopt secure secret management.

Live on npm for 3 hours and 14 minutes before removal. Socket users were protected even while the package was live.

This code performs unauthorized data collection and transmits local environment details to a hardcoded external host, combined with an actor contact message. The behavior is consistent with targeted data exfiltration and constitutes a supply-chain compromise or malicious backdoor. Remove or isolate the package, treat it as compromised, and verify other package versions and maintainers. If this module executed during install or import in production, consider incident response actions (rotate secrets possibly exposed, scan systems for similar modules, audit supply chain).

This code implements a remote downloader and executor: it fetches code from a hardcoded Pastebin URL and executes it via PowerShell with execution-policy bypass and hidden/suppressed process execution. This is a high-risk pattern and should be considered malicious or at minimum extremely dangerous in most contexts. Do not run this code on production or trusted systems. Replace with safe alternatives that validate, sandbox, or embed trusted code and avoid executing remote content.

Live on PyPI for 1 day, 6 hours and 27 minutes before removal. Socket users were protected even while the package was live.

This file gathers environment variables, base64-encodes them, and sends them via an HTTP POST request to events[.]hookdeck[.]com using obfuscated code. The dynamic execution and network exfiltration of potentially sensitive information demonstrate malicious intent.

The analyzed code is the central control module of a remote-access implant (Sliver). It actively fingerprints the host, communicates with remote C2 servers, receives and executes arbitrary tasks from the server, supports opening additional outbound sessions, and manages pivots/tunnels. These behaviors are consistent with malicious remote-access tools. Do not run this code on trusted systems. A full assessment requires reviewing transports, handlers, pivots and other modules for payload specifics and persistence behavior.

This module unambiguously decodes, decompresses, and execs an embedded opaque payload at import time. That behavior prevents safe static review and creates a high potential for malicious or privacy-invasive actions when imported. Without decoding the payload we cannot assert specific malicious behaviors, but the concealment + import-time exec pattern is high-risk for supply-chain and runtime security. Do not import or deploy this package until the decompressed payload is inspected in an isolated environment and provenance/trust of the package is verified.

Live on PyPI for 10 hours and 28 minutes before removal. Socket users were protected even while the package was live.

[Skill Scanner] Credential file access detected (AITech 8.2.3) [DE002]

The script seems to be part of a spamming operation and uses bad security practices, such as hardcoding paths and credentials. Therefore, it's a potential security risk.

Live on npm for 5 hours and 29 minutes before removal. Socket users were protected even while the package was live.

This file is a database-dumping tool that constructs and sends PHP payloads to a remote webshell-like backend, decodes returned data and writes full table dumps to local .sql files. Functionally this enables large-scale data exfiltration. If used against systems without explicit authorization it is malicious. The provided snippet appears incomplete/partially redacted (format placeholders broken), so full payload content and any additional hidden behavior could not be verified. Recommend treating this as high risk and auditing the referenced libs (libs.myapp, libs.config) and the exact payload templates before trusting or using.

This file is a DNS-based C2 client implementation (Sliver implant framework). It intentionally encodes and transmits encrypted payloads inside DNS queries/responses to remote resolvers, enabling command-and-control and data exfiltration. In typical threat models this constitutes malicious/suspicious software and should not be used in production environments. It exhibits some implementation issues (non-crypto random resolver selection, potential race on metrics map, debug logging) but the primary risk is its intended covert C2 functionality.

[Skill Scanner] Installation of third-party script detected (AITech 9.1.4) [SC006]

The 'preinstall' script sends the contents of the '/etc/passwd' file to an external server during package installation. The data is transmitted using 'curl' to the URL '$(hostname)4otj8u0gmz9ylhh439pblt715sbjz9ny[.]oastify[.]com', which allows the attacker to collect sensitive system information.

Live on npm for 12 days, 17 hours and 16 minutes before removal. Socket users were protected even while the package was live.

The fragment contains a high-risk pattern: it downloads a Python script from a remote source and immediately executes it without integrity verification or sandboxing. This creates a critical supply-chain and remote-code-execution risk, as the remote payload could perform any action on the host, including data exfiltration, credential access, or system compromise. Even though defaults use placeholders, the mechanism itself is unsafe and should be disallowed or hardened (e.g., verify hashes, use signed modules, avoid executing remote code).

The code collects local environment information (package name, hostname, home directory, module path) and exfiltrates it by encoding the JSON payload as hex and embedding it into DNS query labels sent to a hardcoded external DNS server (172.104.4.75). This is a clear DNS tunneling/data-exfiltration mechanism. The explicit DNS resolver override, inclusion of sensitive filesystem information, absence of encryption or consent, and silent error handling make this code malicious or severely untrusted. It should be removed, blocked, or executed only in a controlled, consented test environment.

Live on npm for 4 hours and 3 minutes before removal. Socket users were protected even while the package was live.