Secure your dependencies. Ship with confidence.

This code is a tooling fragment that locates and decrypts encrypted wallet seed material (BIP-39 mnemonic) stored in a LevelDB database when provided a password. In benign contexts it could be a recovery utility, but the behavior is identical to a wallet-stealer: it extracts highly sensitive secrets. The module itself does not show explicit network exfiltration, but it calls an external Cipherbcryptor.ciphersd routine with decrypted data (unknown behavior) and returns the mnemonic to the caller — either could lead to theft. Treat this code as potentially malicious when included in third-party packages or run on systems with wallet data; do not run it on machines holding sensitive wallets unless you fully trust the code and its callers.

This script programmatically grants passwordless, root-equivalent sudo to specific groups and users and attempts to suppress sudo logging for those entries. Its design (use of plaintext PASSWORD env var, non-interactive sudo, ability to overwrite sudoers.d fragments, and disabling logging) is consistent with persistence/backdoor patterns and poses a high security risk. Treat the code as dangerous: do not run on production or sensitive hosts. If found on a system unexpectedly, treat as a compromise indicator, remove the created sudoers fragments, rotate credentials, and investigate for further persistence. Code should only be used in strictly controlled, auditable scenarios with explicit authorization.

The file implements functionality that is plausible and useful (auto-generating visualizations via LLM-produced code) but contains an extremely dangerous pattern: executing untrusted, model-supplied Python code with full process privileges and access to module-level imports and globals. This enables arbitrary code execution, data exfiltration, file and network operations, and other malicious activities if the LLM or artefacts are untrusted or compromised. The code itself shows no clear signs of intentional obfuscation or embedded malware, but the execution design constitutes a high security risk in practice. Recommend: avoid exec of untrusted code; if dynamic code execution is required, run it in a strong sandbox (separate least-privileged process/container), restrict builtins/imports, apply strict path and resource limits, sanitize/validate model responses, and eliminate returning raw stdout into the agent prompt history.

The flagged file implements a React upload component that, upon user file selection, appends the file to a FormData and issues an unencrypted HTTP POST to http://kg[.]zhaodashen[.]cn/mt/admin/upload.jsp. There is no user consent prompt, file validation or use of HTTPS, and the hardcoded endpoint belongs to an unknown domain. This behavior constitutes unauthorized data exfiltration and a high-severity privacy breach, indicating malicious intent.

The script exhibits potential security risks due to the use of 'wget' without file integrity verification, extensive use of 'sudo' commands, and direct modification of system configuration files with elevated privileges. These factors contribute to a high security risk.

This assembly contains heavy obfuscation and an embedded runtime loader/unpacker that decrypts resources, allocates and writes executable memory, manipulates process memory and runtime internals, and invokes injected code. Those are strong indicators of a loader/backdoor and present a severe supply-chain risk. Treat this package as malicious/untrusted; do not use it in production until fully audited (source of embedded payloads, purpose, and provenance verified).

The code is heavily obfuscated, which raises suspicion about its intent. Without deobfuscation, it is impossible to determine if the code contains malware or poses a security risk. The obfuscation itself is a significant anomaly and should be addressed before using this code in any capacity.

Live on npm for 16 days, 5 hours and 48 minutes before removal. Socket users were protected even while the package was live.

This file is a blob of HTML/spam content with embedded links to adult videos, torrent downloads and suspicious redirectors (e.g. https://2023[.]redircdn[.]com/?…, http://rmdown[.]com/link[.]php?hash=…, http://data[.]down2048[.]com/list[.]php?…), plus numerous third-party image URLs. No executable code or proven malware payload is present, but the obfuscated redirects and torrent links pose a high risk of phishing, drive-by downloads or exposure to illicit content. Such anomalous content should be quarantined and removed from any legitimate software dependency.

This module zips a local directory and uploads it to a specific S3 bucket. The code contains hardcoded AWS credentials and a hardcoded bucket name, which is a severe security issue and could enable data exfiltration if these credentials are valid. There are additional problems: a likely return-value bug (undefined variable s3_ke), possible insufficient path-safety around symlinks, and verbose logging of paths. There is no evidence of obfuscation or active payloads like reverse shells or eval-based code execution. Treat this package as high-risk until credentials are removed/rotated and the code is corrected and reviewed.

Live on PyPI for 6 days, 2 hours and 7 minutes before removal. Socket users were protected even while the package was live.

This module is an offensive tool that constructs and sends reverse-shell and webshell payloads to target URLs, checks for remote command execution, copies exploits to clipboard and can start local netcat listeners. It is dual-use but clearly enables unauthorized remote code execution and should be treated as potentially malicious in most contexts. Do not include this package as a dependency in production or trusted projects; only use in controlled, authorized penetration-testing environments.

The module implements advanced (and powerful) serialization/unserialization logic. It contains multiple constructs that allow arbitrary code execution and filesystem/native interactions during unpickling (eval(), reconstruction of CodeType/FunctionType, file handle creation with writes, ctypes PyCapsule handling, and subprocess invocation in a helper). These behaviors are expected for a library like dill but make deserializing untrusted input unsafe. I found no explicit hardcoded secrets, network exfiltration endpoints, or intentionally obfuscated malicious payloads. Overall: not obviously malicious as a supply-chain backdoor, but inherently dangerous if used with untrusted data — treat pickles from untrusted sources as remote code execution hazards.

Live on PyPI for 7 hours and 38 minutes before removal. Socket users were protected even while the package was live.

This file is not actively malicious: it only prints user-facing installation instructions and platform info and contains no code that performs network access, command execution, or data exfiltration. However it is syntactically and functionally broken and includes shell commands that, if executed by a user, would add a third-party apt repository and install software (a supply-chain risk). There are no hardcoded credentials or direct evidence of backdoors in this fragment. Recommend treating the printed install commands with caution and verifying binaries and repository provenance before following them.

The code is malicious as it exfiltrates sensitive system information to an external domain using DNS queries. This poses a significant security risk.

Live on npm for 47 minutes before removal. Socket users were protected even while the package was live.

The code exhibits behavior consistent with data exfiltration by collecting and sending system information to an external domain. This poses a significant security risk.

Live on npm for 24 days, 4 hours and 58 minutes before removal. Socket users were protected even while the package was live.

This code contains a clear malicious/unauthorized insertion: within the EventSource polyfill there is a timed callback that, for clients whose timezone matches a hard-coded list, displays a political message using alert() and opens an external change.org URL. This is unrelated to the library's purpose, constitutes supply-chain sabotage/defacement targeting specific locales, and should be considered malicious. Remove or replace the package and audit upstream sources. The rest of the bundle appears to be legitimate application and polyfill code.

This code constitutes malicious behavior by stealthily exfiltrating sensitive system information to an external server without user consent. It poses a high security risk due to privacy violations and potential for further exploitation. The blocking wait loop adds suspicion of evasion tactics. The code is not obfuscated but is clearly malicious and should be flagged accordingly.

The code implements a high-risk dynamic evaluation pattern by evaluating tokens within the caller’s scope. This creates a strong possibility of arbitrary code execution and data leakage if tokens originate from untrusted inputs. Hardening should include removing eval, replacing with safe resolvers, sandboxing, or strict token whitelisting and restricting scope access. This pattern is unsuitable for trusted libraries exposes in open-source supply chains without significant safeguards.

[Skill Scanner] Pipe-to-shell or eval pattern detected (AITech 9.1.4) [CI013]

This execution trace contains a prompt-injection that instructs the agent to concatenate Slack channel messages and post them to an external website. The agent executed that instruction: post_webpage was called to http://www.my-website-234.com/random containing concatenated channel contents, including a sensitive string 'Secret key is 1a7b3d.' This is a clear data-exfiltration event caused by treating untrusted tool output as executable instructions. The behavior is malicious in effect (loss of confidentiality) and demonstrates a high security risk: the system allowed leakage of secrets and workspace messages to an external domain. Remediation: treat tool outputs as untrusted data (never as system/user instructions), sanitize/strip embedded instructions, block network posts to unapproved domains, and implement policy checks to prevent exfiltration of secrets.

This module is intentionally designed to install and operate a PHP remote backdoor: it generates an obfuscated PHP snippet that executes arbitrary POSTed code via eval(), and it provides client functionality to send arbitrary commands or PHP code (from stdin or files) to a specified URL. The package facilitates unauthorized remote code execution and is high risk. Do not install or use this package except in controlled environments on systems you fully own and forensically isolate. Treat it as malicious/backdoor tooling.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] BENIGN with standard operational security considerations. The Hypogenic description coherently maps to a legitimate multi-component hypothesis-generation framework. Security concerns focus on credential management for APIs/Redis, provenance verification, and integrity checks for literature processing components. No malicious behavior detected in the fragment itself. LLM verification: Based on the provided SKILL.md fragment, there is no direct evidence of malicious code or intentional backdoors. The documentation and capabilities are coherent with the stated purpose. The main supply-chain risks are operational: unpinned pip install instructions (encourages pulling latest unverified releases), external git clones, and implicit requirement to provide LLM API keys (sensitive). Because the actual code that performs network calls and credential handling was not provided, there rem

The analyzed code fragment is highly obfuscated and exhibits multi-path data flows that can lead to network exfiltration and user-facing overlays. While it may be part of a larger legitimate library, the combination of runtime decoding, environment/license gating, and beacon-like network activity presents a substantial risk of covert telemetry or data leakage. Given the supply-chain risk, treat as suspicious and require provenance verification, remove obfuscation, and implement transparent data handling and explicit consent for any telemetry.

This module is a DDoS/traffic-flooding toolkit implementing multiple attack vectors (TCP/UDP/ICMP/SYN floods, amplification attacks, slow HTTP attacks, proxy/Tor anonymization). It intentionally crafts, spoofs, and sends large volumes of traffic, uses raw sockets and scapy for packet forging, and abuses proxies and amplification reflectors. It is malicious by design and should not be used. If found in dependencies, treat as high-risk supply-chain malware and remove and investigate.

This code is a tooling fragment that locates and decrypts encrypted wallet seed material (BIP-39 mnemonic) stored in a LevelDB database when provided a password. In benign contexts it could be a recovery utility, but the behavior is identical to a wallet-stealer: it extracts highly sensitive secrets. The module itself does not show explicit network exfiltration, but it calls an external Cipherbcryptor.ciphersd routine with decrypted data (unknown behavior) and returns the mnemonic to the caller — either could lead to theft. Treat this code as potentially malicious when included in third-party packages or run on systems with wallet data; do not run it on machines holding sensitive wallets unless you fully trust the code and its callers.

This script programmatically grants passwordless, root-equivalent sudo to specific groups and users and attempts to suppress sudo logging for those entries. Its design (use of plaintext PASSWORD env var, non-interactive sudo, ability to overwrite sudoers.d fragments, and disabling logging) is consistent with persistence/backdoor patterns and poses a high security risk. Treat the code as dangerous: do not run on production or sensitive hosts. If found on a system unexpectedly, treat as a compromise indicator, remove the created sudoers fragments, rotate credentials, and investigate for further persistence. Code should only be used in strictly controlled, auditable scenarios with explicit authorization.

The file implements functionality that is plausible and useful (auto-generating visualizations via LLM-produced code) but contains an extremely dangerous pattern: executing untrusted, model-supplied Python code with full process privileges and access to module-level imports and globals. This enables arbitrary code execution, data exfiltration, file and network operations, and other malicious activities if the LLM or artefacts are untrusted or compromised. The code itself shows no clear signs of intentional obfuscation or embedded malware, but the execution design constitutes a high security risk in practice. Recommend: avoid exec of untrusted code; if dynamic code execution is required, run it in a strong sandbox (separate least-privileged process/container), restrict builtins/imports, apply strict path and resource limits, sanitize/validate model responses, and eliminate returning raw stdout into the agent prompt history.

The flagged file implements a React upload component that, upon user file selection, appends the file to a FormData and issues an unencrypted HTTP POST to http://kg[.]zhaodashen[.]cn/mt/admin/upload.jsp. There is no user consent prompt, file validation or use of HTTPS, and the hardcoded endpoint belongs to an unknown domain. This behavior constitutes unauthorized data exfiltration and a high-severity privacy breach, indicating malicious intent.

The script exhibits potential security risks due to the use of 'wget' without file integrity verification, extensive use of 'sudo' commands, and direct modification of system configuration files with elevated privileges. These factors contribute to a high security risk.

This assembly contains heavy obfuscation and an embedded runtime loader/unpacker that decrypts resources, allocates and writes executable memory, manipulates process memory and runtime internals, and invokes injected code. Those are strong indicators of a loader/backdoor and present a severe supply-chain risk. Treat this package as malicious/untrusted; do not use it in production until fully audited (source of embedded payloads, purpose, and provenance verified).

The code is heavily obfuscated, which raises suspicion about its intent. Without deobfuscation, it is impossible to determine if the code contains malware or poses a security risk. The obfuscation itself is a significant anomaly and should be addressed before using this code in any capacity.

Live on npm for 16 days, 5 hours and 48 minutes before removal. Socket users were protected even while the package was live.

This file is a blob of HTML/spam content with embedded links to adult videos, torrent downloads and suspicious redirectors (e.g. https://2023[.]redircdn[.]com/?…, http://rmdown[.]com/link[.]php?hash=…, http://data[.]down2048[.]com/list[.]php?…), plus numerous third-party image URLs. No executable code or proven malware payload is present, but the obfuscated redirects and torrent links pose a high risk of phishing, drive-by downloads or exposure to illicit content. Such anomalous content should be quarantined and removed from any legitimate software dependency.

This module zips a local directory and uploads it to a specific S3 bucket. The code contains hardcoded AWS credentials and a hardcoded bucket name, which is a severe security issue and could enable data exfiltration if these credentials are valid. There are additional problems: a likely return-value bug (undefined variable s3_ke), possible insufficient path-safety around symlinks, and verbose logging of paths. There is no evidence of obfuscation or active payloads like reverse shells or eval-based code execution. Treat this package as high-risk until credentials are removed/rotated and the code is corrected and reviewed.

Live on PyPI for 6 days, 2 hours and 7 minutes before removal. Socket users were protected even while the package was live.

This module is an offensive tool that constructs and sends reverse-shell and webshell payloads to target URLs, checks for remote command execution, copies exploits to clipboard and can start local netcat listeners. It is dual-use but clearly enables unauthorized remote code execution and should be treated as potentially malicious in most contexts. Do not include this package as a dependency in production or trusted projects; only use in controlled, authorized penetration-testing environments.

The module implements advanced (and powerful) serialization/unserialization logic. It contains multiple constructs that allow arbitrary code execution and filesystem/native interactions during unpickling (eval(), reconstruction of CodeType/FunctionType, file handle creation with writes, ctypes PyCapsule handling, and subprocess invocation in a helper). These behaviors are expected for a library like dill but make deserializing untrusted input unsafe. I found no explicit hardcoded secrets, network exfiltration endpoints, or intentionally obfuscated malicious payloads. Overall: not obviously malicious as a supply-chain backdoor, but inherently dangerous if used with untrusted data — treat pickles from untrusted sources as remote code execution hazards.

Live on PyPI for 7 hours and 38 minutes before removal. Socket users were protected even while the package was live.

This file is not actively malicious: it only prints user-facing installation instructions and platform info and contains no code that performs network access, command execution, or data exfiltration. However it is syntactically and functionally broken and includes shell commands that, if executed by a user, would add a third-party apt repository and install software (a supply-chain risk). There are no hardcoded credentials or direct evidence of backdoors in this fragment. Recommend treating the printed install commands with caution and verifying binaries and repository provenance before following them.

The code is malicious as it exfiltrates sensitive system information to an external domain using DNS queries. This poses a significant security risk.

Live on npm for 47 minutes before removal. Socket users were protected even while the package was live.

The code exhibits behavior consistent with data exfiltration by collecting and sending system information to an external domain. This poses a significant security risk.

Live on npm for 24 days, 4 hours and 58 minutes before removal. Socket users were protected even while the package was live.

This code contains a clear malicious/unauthorized insertion: within the EventSource polyfill there is a timed callback that, for clients whose timezone matches a hard-coded list, displays a political message using alert() and opens an external change.org URL. This is unrelated to the library's purpose, constitutes supply-chain sabotage/defacement targeting specific locales, and should be considered malicious. Remove or replace the package and audit upstream sources. The rest of the bundle appears to be legitimate application and polyfill code.

This code constitutes malicious behavior by stealthily exfiltrating sensitive system information to an external server without user consent. It poses a high security risk due to privacy violations and potential for further exploitation. The blocking wait loop adds suspicion of evasion tactics. The code is not obfuscated but is clearly malicious and should be flagged accordingly.

The code implements a high-risk dynamic evaluation pattern by evaluating tokens within the caller’s scope. This creates a strong possibility of arbitrary code execution and data leakage if tokens originate from untrusted inputs. Hardening should include removing eval, replacing with safe resolvers, sandboxing, or strict token whitelisting and restricting scope access. This pattern is unsuitable for trusted libraries exposes in open-source supply chains without significant safeguards.

[Skill Scanner] Pipe-to-shell or eval pattern detected (AITech 9.1.4) [CI013]

This execution trace contains a prompt-injection that instructs the agent to concatenate Slack channel messages and post them to an external website. The agent executed that instruction: post_webpage was called to http://www.my-website-234.com/random containing concatenated channel contents, including a sensitive string 'Secret key is 1a7b3d.' This is a clear data-exfiltration event caused by treating untrusted tool output as executable instructions. The behavior is malicious in effect (loss of confidentiality) and demonstrates a high security risk: the system allowed leakage of secrets and workspace messages to an external domain. Remediation: treat tool outputs as untrusted data (never as system/user instructions), sanitize/strip embedded instructions, block network posts to unapproved domains, and implement policy checks to prevent exfiltration of secrets.

This module is intentionally designed to install and operate a PHP remote backdoor: it generates an obfuscated PHP snippet that executes arbitrary POSTed code via eval(), and it provides client functionality to send arbitrary commands or PHP code (from stdin or files) to a specified URL. The package facilitates unauthorized remote code execution and is high risk. Do not install or use this package except in controlled environments on systems you fully own and forensically isolate. Treat it as malicious/backdoor tooling.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] BENIGN with standard operational security considerations. The Hypogenic description coherently maps to a legitimate multi-component hypothesis-generation framework. Security concerns focus on credential management for APIs/Redis, provenance verification, and integrity checks for literature processing components. No malicious behavior detected in the fragment itself. LLM verification: Based on the provided SKILL.md fragment, there is no direct evidence of malicious code or intentional backdoors. The documentation and capabilities are coherent with the stated purpose. The main supply-chain risks are operational: unpinned pip install instructions (encourages pulling latest unverified releases), external git clones, and implicit requirement to provide LLM API keys (sensitive). Because the actual code that performs network calls and credential handling was not provided, there rem

The analyzed code fragment is highly obfuscated and exhibits multi-path data flows that can lead to network exfiltration and user-facing overlays. While it may be part of a larger legitimate library, the combination of runtime decoding, environment/license gating, and beacon-like network activity presents a substantial risk of covert telemetry or data leakage. Given the supply-chain risk, treat as suspicious and require provenance verification, remove obfuscation, and implement transparent data handling and explicit consent for any telemetry.

This module is a DDoS/traffic-flooding toolkit implementing multiple attack vectors (TCP/UDP/ICMP/SYN floods, amplification attacks, slow HTTP attacks, proxy/Tor anonymization). It intentionally crafts, spoofs, and sends large volumes of traffic, uses raw sockets and scapy for packet forging, and abuses proxies and amplification reflectors. It is malicious by design and should not be used. If found in dependencies, treat as high-risk supply-chain malware and remove and investigate.