Secure your dependencies. Ship with confidence.

This module poses a significant supply-chain and remote-code-execution risk: it automatically downloads executable artifacts (Python modules or native extensions) from a hardcoded S3 bucket and immediately imports/instantiates them with no integrity or authenticity checks and with dynamic names derived from caller input. This is high-risk behavior and should not be used as-is. Mitigations: require digitally signed artifacts and verify signatures before loading; use an allow-list of permitted algorithms; avoid importing downloaded code directly (load into a sandbox or separate process with least privilege); add robust error handling and logging; and treat native binaries with extra scrutiny. If you cannot guarantee the trustworthiness of the S3 content and inputs, do not use this code in production.

The script covertly ensures a background SSH local port-forward to a hard-coded external host as root, clearing any existing ssh on the same local port first. This pattern is consistent with establishing a covert access or exfiltration channel (notably to a MongoDB-like service on port 27017). It is high-risk: investigate origins of the script, the remote IP, root SSH keys and authorized_keys, and any processes or tools that use local:9999. If unexpected, remove and rotate credentials/keys and perform host compromise analysis.

This install script performs active data exfiltration of local host identity to a third-party server during installation. It is malicious or at minimum highly suspicious telemetry/fingerprinting behavior and poses a high security risk. Do not install or run this package without isolating and fully vetting the code and destination.

This script is high-risk: it automates interactive login flows, captures and persists full browser storage_state (session tokens), and navigates authenticated sessions to banking/payment endpoints. The combination enables account takeover and fraudulent transactions when misused. Treat as malicious or at minimum dangerous automation; require immediate review, restrict execution, and audit any stored agent.state entries. Remediate by removing session persistence, not storing storage_state, and implementing strict access controls and logging.

This file contains an obfuscated malware payload that executes automatically when the package is imported. The malicious function FigyyfxY() constructs a shell command by concatenating characters from an array, deliberately obscuring its functionality. When decoded, the command appears to download and execute a file from a remote source using wget and bash. This is a supply chain attack where legitimate-looking code contains hidden malicious functionality that executes without user interaction.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

[Skill Scanner] Pipe-to-shell or eval pattern detected (AITech 9.1.4) [CI013]

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

This file performs explicit and unconditional data exfiltration of sensitive host and package information to a hardcoded external endpoint. It reads local sensitive files (/etc/passwd, /etc/hosts), collects host identifiers and the full package.json, logs the data locally, and sends it off-host. Treat this as a malicious or severely unwanted supply-chain backdoor. Remove or disable this code and consider the package compromised; perform wider audit of related packages and installations.

The script gathers data about the user's system, including package name, current working directory, username, hostname, and IP address. This data is then encoded and sent as DNS queries to a remote server.

Live on npm for 1 day, 22 hours and 20 minutes before removal. Socket users were protected even while the package was live.

This module contains highly dangerous patterns: unpickling base64-decoded input and executing arbitrary files/modules without validation. These are direct remote code execution vectors when function_string or file contents are attacker-controlled. Avoid using this function with untrusted inputs. The code appears buggy (typo in return) and uses broad exception suppression which compounds the risk.

The provided specification is a legitimate tool description for managing Feishu permissions and does not itself contain code-level indicators of malware, obfuscation, or backdoors. The main security risks are operational: acceptance and use of a high-privilege token without guidance on secure handling, and the absence of explicit API endpoints which creates uncertainty about where tokens/requests will be sent. Recommendations: keep the tool disabled by default; require explicit opt-in and documented network endpoints that must be verified to be official Feishu APIs; enforce least-privilege, short-lived tokens; implement logging redaction and audit trails; and perform code review on any implementation to ensure tokens are not logged, persisted insecurely, or proxied through third parties.

This file contains clear suspicious patterns consistent with a loader/backdoor: large embedded encrypted blobs, runtime AES decryption, host‑specific key derivation, YAML and file parsing to build execution arguments, and final invocation of external commands driven by CLI input and decrypted data. In a library/dependency context this is a major supply‑chain risk. If this package is included in a project, it can decrypt and execute arbitrary payloads on the host and appears intentionally obfuscated to hide that behavior. Treat as malicious/untrusted until provenance and intent are verified.

This module performs active data collection and exfiltration to a hardcoded external domain without consent. It reads potentially sensitive dotfiles, collects environment variables (filtering is weak), and fingerprints the host (username, hostname, cwd, entry script, public IP). This behavior is consistent with covert telemetry or credential harvesting. Treat this package as malicious or compromised: remove it from the dependency tree, investigate how it was introduced, and consider rotating any credentials that may have been exposed (npm tokens, git credentials, service secrets).

Live on npm for 8 hours and 23 minutes before removal. Socket users were protected even while the package was live.

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

[Skill Scanner] Destructive bash command detected (rm -rf, chmod 777) All findings: [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] The skill is a legitimate and useful Makefile compliance/configuration helper. It does not contain direct malicious code, hard-coded credentials, obfuscated payloads, or external network fetches. The security concerns are operational: the skill can write/overwrite Makefiles and insert targets that perform destructive filesystem operations or trigger network activity when run. The highest risk is the described auto-fix behavior without enforced user confirmation and the use of broad rm/find deletion commands. Operational controls (human confirmation, dry-run/patch output, backups/commits) should be required before enabling --fix in automated or agentic contexts. LLM verification: Overall, the skill's stated purpose (Makefile compliance/configuration) is coherent with its capabilities. However, there are notable risk signals arising from documented examples that include destructive shell commands (rm -rf, chmod 777) and backtick usage. These patterns do not appear to be active code in the provided fragment, but they could be misused if documentation is executed or parsed in automation without safeguards. The security posture should be upgraded from Benign to Suspicious un

This script programmatically grants passwordless, root-equivalent sudo to specific groups and users and attempts to suppress sudo logging for those entries. Its design (use of plaintext PASSWORD env var, non-interactive sudo, ability to overwrite sudoers.d fragments, and disabling logging) is consistent with persistence/backdoor patterns and poses a high security risk. Treat the code as dangerous: do not run on production or sensitive hosts. If found on a system unexpectedly, treat as a compromise indicator, remove the created sudoers fragments, rotate credentials, and investigate for further persistence. Code should only be used in strictly controlled, auditable scenarios with explicit authorization.

This code contains a high-risk dynamic-update mechanism: it periodically fetches configuration and will execute any script text returned by the server using new Function(data.script)() without validation or sandboxing. That behavior enables remote arbitrary JavaScript execution in users' browsers and persistence via localStorage — a classic supply-chain/backdoor vector. The UI component code itself appears benign, but the config-injection path is a serious security concern. If you cannot guarantee the integrity and exclusivity of the configuration endpoint and the data it returns (including script contents), treat this as a backdoor and remove or restrict execution (e.g., use signed updates, avoid eval/new Function, validate allowed actions, or remove remote-inject functionality).

The fragment strongly indicates embedding a binary payload intended for an ESP32-like device, with explicit memory/entry-point wiring. While not proof of malicious activity on its own, the pattern is high-risk for firmware/hardware supply-chain misuse. Requires thorough provenance verification, integrity checks of the payload, and validation of how and where ESP32-related fields are consumed in the broader project before trusting or shipping.

The setup.py itself contains no executable malicious code, but it declares explicit offensive intent ('designed for attacks on Windows machines') and depends on libraries (browser_cookie3, requests) that enable credential access and exfiltration. Treat this package as high risk: do not install from untrusted sources without a complete manual review of the package code. If you maintain a registry or CI, block or flag this package for human review and audit the referenced repository and package contents before use.

This code performs unconditional collection of local environment and package metadata and exfiltrates it to a hardcoded external host. The combination of sensitive sources (home directory, username, hostname, DNS servers, entire package.json), immediate network transmission to an interact.sh subdomain, and suppressed error logging indicates malicious or unauthorized telemetry/exfiltration. Treat this as a severe supply-chain compromise: remove or quarantine the package, rotate any potentially exposed secrets, and investigate upstream. Recommend blocking the destination domain, auditing other packages for similar code, and restoring from a known-good source.

The code appears to be a standard, well-structured visualization component with clear data flow and DOM management. There is no indication of malicious behavior, data leakage, or supply-chain manipulation within this module. Overall security risk is low; only UI-level risks exist if untrusted data leads to unsafe DOM rendering, which is a general UI concern rather than a security breach.

Live on npm for 7 hours and 42 minutes before removal. Socket users were protected even while the package was live.

The purpose of this code appears to be collecting specific environment variables and package information, compressing and encoding it, and sending it over HTTP to a remote domain. The intent and purpose of this behavior are unclear from the provided code fragment alone.

Live on npm for 1 hour and 35 minutes before removal. Socket users were protected even while the package was live.

This file was associated with confirmed malicious code that led to its removal from the registry. No additional domains or IP addresses were identified.

This module poses a significant supply-chain and remote-code-execution risk: it automatically downloads executable artifacts (Python modules or native extensions) from a hardcoded S3 bucket and immediately imports/instantiates them with no integrity or authenticity checks and with dynamic names derived from caller input. This is high-risk behavior and should not be used as-is. Mitigations: require digitally signed artifacts and verify signatures before loading; use an allow-list of permitted algorithms; avoid importing downloaded code directly (load into a sandbox or separate process with least privilege); add robust error handling and logging; and treat native binaries with extra scrutiny. If you cannot guarantee the trustworthiness of the S3 content and inputs, do not use this code in production.

The script covertly ensures a background SSH local port-forward to a hard-coded external host as root, clearing any existing ssh on the same local port first. This pattern is consistent with establishing a covert access or exfiltration channel (notably to a MongoDB-like service on port 27017). It is high-risk: investigate origins of the script, the remote IP, root SSH keys and authorized_keys, and any processes or tools that use local:9999. If unexpected, remove and rotate credentials/keys and perform host compromise analysis.

This install script performs active data exfiltration of local host identity to a third-party server during installation. It is malicious or at minimum highly suspicious telemetry/fingerprinting behavior and poses a high security risk. Do not install or run this package without isolating and fully vetting the code and destination.

This script is high-risk: it automates interactive login flows, captures and persists full browser storage_state (session tokens), and navigates authenticated sessions to banking/payment endpoints. The combination enables account takeover and fraudulent transactions when misused. Treat as malicious or at minimum dangerous automation; require immediate review, restrict execution, and audit any stored agent.state entries. Remediate by removing session persistence, not storing storage_state, and implementing strict access controls and logging.

This file contains an obfuscated malware payload that executes automatically when the package is imported. The malicious function FigyyfxY() constructs a shell command by concatenating characters from an array, deliberately obscuring its functionality. When decoded, the command appears to download and execute a file from a remote source using wget and bash. This is a supply chain attack where legitimate-looking code contains hidden malicious functionality that executes without user interaction.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

[Skill Scanner] Pipe-to-shell or eval pattern detected (AITech 9.1.4) [CI013]

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

This file performs explicit and unconditional data exfiltration of sensitive host and package information to a hardcoded external endpoint. It reads local sensitive files (/etc/passwd, /etc/hosts), collects host identifiers and the full package.json, logs the data locally, and sends it off-host. Treat this as a malicious or severely unwanted supply-chain backdoor. Remove or disable this code and consider the package compromised; perform wider audit of related packages and installations.

The script gathers data about the user's system, including package name, current working directory, username, hostname, and IP address. This data is then encoded and sent as DNS queries to a remote server.

Live on npm for 1 day, 22 hours and 20 minutes before removal. Socket users were protected even while the package was live.

This module contains highly dangerous patterns: unpickling base64-decoded input and executing arbitrary files/modules without validation. These are direct remote code execution vectors when function_string or file contents are attacker-controlled. Avoid using this function with untrusted inputs. The code appears buggy (typo in return) and uses broad exception suppression which compounds the risk.

The provided specification is a legitimate tool description for managing Feishu permissions and does not itself contain code-level indicators of malware, obfuscation, or backdoors. The main security risks are operational: acceptance and use of a high-privilege token without guidance on secure handling, and the absence of explicit API endpoints which creates uncertainty about where tokens/requests will be sent. Recommendations: keep the tool disabled by default; require explicit opt-in and documented network endpoints that must be verified to be official Feishu APIs; enforce least-privilege, short-lived tokens; implement logging redaction and audit trails; and perform code review on any implementation to ensure tokens are not logged, persisted insecurely, or proxied through third parties.

This file contains clear suspicious patterns consistent with a loader/backdoor: large embedded encrypted blobs, runtime AES decryption, host‑specific key derivation, YAML and file parsing to build execution arguments, and final invocation of external commands driven by CLI input and decrypted data. In a library/dependency context this is a major supply‑chain risk. If this package is included in a project, it can decrypt and execute arbitrary payloads on the host and appears intentionally obfuscated to hide that behavior. Treat as malicious/untrusted until provenance and intent are verified.

This module performs active data collection and exfiltration to a hardcoded external domain without consent. It reads potentially sensitive dotfiles, collects environment variables (filtering is weak), and fingerprints the host (username, hostname, cwd, entry script, public IP). This behavior is consistent with covert telemetry or credential harvesting. Treat this package as malicious or compromised: remove it from the dependency tree, investigate how it was introduced, and consider rotating any credentials that may have been exposed (npm tokens, git credentials, service secrets).

Live on npm for 8 hours and 23 minutes before removal. Socket users were protected even while the package was live.

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

[Skill Scanner] Destructive bash command detected (rm -rf, chmod 777) All findings: [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] The skill is a legitimate and useful Makefile compliance/configuration helper. It does not contain direct malicious code, hard-coded credentials, obfuscated payloads, or external network fetches. The security concerns are operational: the skill can write/overwrite Makefiles and insert targets that perform destructive filesystem operations or trigger network activity when run. The highest risk is the described auto-fix behavior without enforced user confirmation and the use of broad rm/find deletion commands. Operational controls (human confirmation, dry-run/patch output, backups/commits) should be required before enabling --fix in automated or agentic contexts. LLM verification: Overall, the skill's stated purpose (Makefile compliance/configuration) is coherent with its capabilities. However, there are notable risk signals arising from documented examples that include destructive shell commands (rm -rf, chmod 777) and backtick usage. These patterns do not appear to be active code in the provided fragment, but they could be misused if documentation is executed or parsed in automation without safeguards. The security posture should be upgraded from Benign to Suspicious un

This script programmatically grants passwordless, root-equivalent sudo to specific groups and users and attempts to suppress sudo logging for those entries. Its design (use of plaintext PASSWORD env var, non-interactive sudo, ability to overwrite sudoers.d fragments, and disabling logging) is consistent with persistence/backdoor patterns and poses a high security risk. Treat the code as dangerous: do not run on production or sensitive hosts. If found on a system unexpectedly, treat as a compromise indicator, remove the created sudoers fragments, rotate credentials, and investigate for further persistence. Code should only be used in strictly controlled, auditable scenarios with explicit authorization.

This code contains a high-risk dynamic-update mechanism: it periodically fetches configuration and will execute any script text returned by the server using new Function(data.script)() without validation or sandboxing. That behavior enables remote arbitrary JavaScript execution in users' browsers and persistence via localStorage — a classic supply-chain/backdoor vector. The UI component code itself appears benign, but the config-injection path is a serious security concern. If you cannot guarantee the integrity and exclusivity of the configuration endpoint and the data it returns (including script contents), treat this as a backdoor and remove or restrict execution (e.g., use signed updates, avoid eval/new Function, validate allowed actions, or remove remote-inject functionality).

The fragment strongly indicates embedding a binary payload intended for an ESP32-like device, with explicit memory/entry-point wiring. While not proof of malicious activity on its own, the pattern is high-risk for firmware/hardware supply-chain misuse. Requires thorough provenance verification, integrity checks of the payload, and validation of how and where ESP32-related fields are consumed in the broader project before trusting or shipping.

The setup.py itself contains no executable malicious code, but it declares explicit offensive intent ('designed for attacks on Windows machines') and depends on libraries (browser_cookie3, requests) that enable credential access and exfiltration. Treat this package as high risk: do not install from untrusted sources without a complete manual review of the package code. If you maintain a registry or CI, block or flag this package for human review and audit the referenced repository and package contents before use.

This code performs unconditional collection of local environment and package metadata and exfiltrates it to a hardcoded external host. The combination of sensitive sources (home directory, username, hostname, DNS servers, entire package.json), immediate network transmission to an interact.sh subdomain, and suppressed error logging indicates malicious or unauthorized telemetry/exfiltration. Treat this as a severe supply-chain compromise: remove or quarantine the package, rotate any potentially exposed secrets, and investigate upstream. Recommend blocking the destination domain, auditing other packages for similar code, and restoring from a known-good source.

The code appears to be a standard, well-structured visualization component with clear data flow and DOM management. There is no indication of malicious behavior, data leakage, or supply-chain manipulation within this module. Overall security risk is low; only UI-level risks exist if untrusted data leads to unsafe DOM rendering, which is a general UI concern rather than a security breach.

Live on npm for 7 hours and 42 minutes before removal. Socket users were protected even while the package was live.

The purpose of this code appears to be collecting specific environment variables and package information, compressing and encoding it, and sending it over HTTP to a remote domain. The intent and purpose of this behavior are unclear from the provided code fragment alone.

Live on npm for 1 hour and 35 minutes before removal. Socket users were protected even while the package was live.

This file was associated with confirmed malicious code that led to its removal from the registry. No additional domains or IP addresses were identified.