
Security News
/Research
Popular node-ipc npm Package Infected with Credential Stealer
Socket detected malicious node-ipc versions with obfuscated stealer/backdoor behavior in a developing npm supply chain attack.
Questions? Call us at (844) SOCKET-0
Quickly evaluate the security and health of any open source package.
radia
4.48.2
Live on pypi
Blocked by Socket
This module is a high-risk dynamic loader. It unconditionally reads a Python source file from a hardcoded UNC network share and executes it via exec, while also manipulating sys.path to influence subsequent imports. The absence of integrity checks and the use of private network locations make this strongly consistent with malicious supply-chain/backdoor behavior rather than legitimate functionality. Treat as critical and block/inspect the referenced network content and the environment for compromise.
nolimit-x
1.0.195
by nolimitaworkspace
Live on npm
Blocked by Socket
This module is a heavily obfuscated email automation component that crafts OAuth/security-alert style messages (Google/Microsoft themed) and forwards/sends them to attacker-specified recipients via Nodemailer SMTP transports. It includes fallback SMTP credentials/host details, and message bodies/headers are shaped to resemble legitimate security notices—strongly consistent with phishing/social-engineering or deception tooling. While the snippet does not show system compromise primitives (e.g., file tampering or direct data theft), the outbound forged-message capability is itself a significant supply-chain security risk.
animica
0.1.4
Live on pypi
Blocked by Socket
This module is a full CPU cryptomining client (Stratum subscription/authorization, continuous nonce scanning, and mining.submit share submission). From a supply-chain perspective, it presents a high likelihood of malicious/unwanted behavior when embedded in non-mining software due to sustained resource abuse and network communications to external mining infrastructure. Within this snippet, there is no clear evidence of stealth, credential theft, persistence, reverse shells, or arbitrary data exfiltration beyond sending mining protocol messages and polling pool status; the primary risk is the explicit mining workflow and its operational impact, plus a minor supply-chain surface via the optional mining.template_block import.
tdstone2
0.1.9.14
Live on pypi
Blocked by Socket
This module is not a benign library component; it functions as an execution harness that enables attacker-controlled arbitrary code execution via exec(Code), with optional arbitrary filesystem reads through a '/lob/' mechanism. Because the executed code can define the model class and control model.fit(), it can also influence what is serialized and emitted to stdout. The presence of pickle output further increases downstream risk if artifacts are ever deserialized unsafely. Treat this component as critically unsafe unless the code input is cryptographically verified and executed inside a hardened sandbox with strict egress/file restrictions.
skinskill
0.5.3
Live on pypi
Blocked by Socket
This module is highly suspicious and should be treated as high risk. It performs local reconnaissance (project file enumeration and .env key metadata), transmits that context plus error logs to a third-party LLM, then executes shell commands directly from the LLM response using subprocess with shell=True. Even with a user confirmation prompt, the untrusted-network-to-arbitrary-shell-execution path creates a strong supply-chain/host-compromise risk. Additional context (definition/constraints around `command`, cache write behavior, and Typer wiring) is missing, but the core malicious-risk indicators are clear from the provided code.
cb-wallet-store
0.0.1
by gh0stfqce
Live on npm
Blocked by Socket
This code performs a covert, load-time outbound HTTPS request to a hardcoded external endpoint and includes the local package name in the request query string. The absence of any meaningful module behavior, combined with silent error suppression and no response handling, is strongly indicative of tracking/fingerprinting/probing rather than legitimate functionality. In a supply-chain setting, this should be reviewed and likely blocked.
jd.semantickernel.extensions.hooks
0.1.84
by JD
Live on nuget
Blocked by Socket
High-risk security finding: this module enables arbitrary OS command execution using cmd.exe /c or /bin/sh -c with a command string taken directly from externally loaded JSON configuration. There is no allowlist/sanitization/sandboxing. If an attacker can modify or influence the hooks file or its contents (a plausible supply-chain/configuration compromise scenario), they can trigger pre/post tool execution of arbitrary commands within the host process. No explicit credential theft/exfiltration is shown in this fragment, but the command-execution capability alone warrants strict review and controls.
@link-assistant/hive-mind
1.70.0
by konard
Live on npm
Blocked by Socket
The code contains a critical supply-chain RCE pattern: it fetches JavaScript from an external public CDN (unpkg.com) at runtime and executes it using eval() to populate globalThis.use. This enables arbitrary code execution if the remote content is compromised or swapped, representing a strong malicious/backdooring risk. Additional risk comes from running qwen via sh -lc with dynamically built command strings and from repository-mutation features (auto-commit/push).
antigravity-gemini-bridge
0.8.11
by uladluch
Live on npm
Blocked by Socket
This module is primarily an autostart/persistence installer for macOS LaunchAgents. It persistently launches `npx -y antigravity-gemini-bridge@latest`, meaning it can retrieve and execute an unpinned remote package at runtime—an elevated supply-chain risk. It also interpolates `projectPath` directly into the generated plist XML and launch arguments without escaping/validation, which could enable configuration/argument manipulation if the input is attacker-controlled. No explicit data theft or network exfiltration is present in this fragment, but the persistence + `@latest` execution pattern warrants security review and pinning/hardening.
exiouss
2.0.3
by loltestpad
Live on npm
Blocked by Socket
This module is strongly adversarial and unsuitable for inclusion as a general-purpose dependency without a very clear, tightly scoped justification. It performs browser-context code injection and execution via CDP (including CSP bypass), selectively forges network responses for specific routes, and implements a covert base64 command channel via browser console messages to drive further automated actions. It also includes self-management/sabotage-style hooks (stop/kill node.exe; detached respawn) and suppresses runtime error reporting, increasing stealth. The snippet references several external functions/values not shown (SOLVER_SCRIPT, enqueueTask/typeText, CDP_PORT, launchBrowser), so intent beyond the shown capabilities cannot be fully confirmed, but the observed behaviors are highly consistent with malicious or cheating/automation tooling.
@link-assistant/hive-mind
1.69.18
by GitHub Actions
Live on npm
Blocked by Socket
High risk. This module performs a runtime network fetch of JavaScript from a public CDN and executes it via eval to set a global loader used for command execution primitives. That is a critical supply-chain/RCE pattern with the potential for full compromise. Additionally, it configures broad agent permissions (opencode.json), passes process.env to an external tool, executes shell-like pipelines via a dynamically sourced command-stream helper, and logs raw untrusted subprocess output (potential sensitive data exposure).
to-cms
1.0.1
by thermonuclear
Live on npm
Blocked by Socket
This code is a dropper/launcher: it downloads a hardcoded .exe from a remote server, writes it to the system temp directory, executes it via child_process.exec using start/open semantics, and then deletes the dropped file shortly after. The absence of integrity checks and the execution of remote content make malicious intent highly likely.
antigravity-gemini-bridge
0.8.10
by uladluch
Live on npm
Blocked by Socket
This module is primarily an autostart/persistence installer for macOS LaunchAgents. It persistently launches `npx -y antigravity-gemini-bridge@latest`, meaning it can retrieve and execute an unpinned remote package at runtime—an elevated supply-chain risk. It also interpolates `projectPath` directly into the generated plist XML and launch arguments without escaping/validation, which could enable configuration/argument manipulation if the input is attacker-controlled. No explicit data theft or network exfiltration is present in this fragment, but the persistence + `@latest` execution pattern warrants security review and pinning/hardening.
amd-gaia
0.18.1
Live on pypi
Blocked by Socket
This addon exposes an unauthenticated TCP JSON command server and includes a critical 'execute_code' command that executes attacker-controlled Python using exec() inside the Blender process, returning stdout/stderr to the remote client. Additionally, it allows remote scene creation/modification/deletion without validation. This is a classic remote-code-execution backdoor pattern and represents extremely high security risk if the port is reachable by any untrusted actor.
@link-assistant/hive-mind
1.69.18
by GitHub Actions
Live on npm
Blocked by Socket
This module contains a critical supply-chain security weakness: it performs a runtime fetch of executable JavaScript from a public CDN and executes it via eval to initialize globalThis.use, which then underpins the command-execution mechanism for running gh API commands. This combination creates a high-likelihood path to full compromise if the CDN content changes or is intercepted. Secondary concerns include the ability to execute destructive GitHub operations (optional branch deletion) and to publish local uncommitted-change details and log files to GitHub depending on configuration and sanitization behavior. Overall, the dominant and decisive risk is the eval(fetch(...)) remote-code-execution bootstrap.
animica
0.1.7
Live on pypi
Blocked by Socket
This module is a full CPU cryptomining client (Stratum subscription/authorization, continuous nonce scanning, and mining.submit share submission). From a supply-chain perspective, it presents a high likelihood of malicious/unwanted behavior when embedded in non-mining software due to sustained resource abuse and network communications to external mining infrastructure. Within this snippet, there is no clear evidence of stealth, credential theft, persistence, reverse shells, or arbitrary data exfiltration beyond sending mining protocol messages and polling pool status; the primary risk is the explicit mining workflow and its operational impact, plus a minor supply-chain surface via the optional mining.template_block import.
abx-plugins
1.10.52
Live on pypi
Blocked by Socket
This module is primarily a wrapper around an external downloader, but it contains a highly suspicious runtime injection mechanism: it generates a temporary `sitecustomize.py` and forces the subprocess to import it by prepending a temp directory to `PYTHONPATH`. If the spawned binary is Python-based, this can enable arbitrary code execution within the child process context. The actual `sitecustomize_code` content is not present/appears corrupted in the provided fragment, so exact maliciousness cannot be confirmed from this text alone; however, the injection technique itself is a major security red flag and warrants deep review of the complete source and the real `sitecustomize_code` contents and execution context.
skinskill
0.5.6
Live on pypi
Blocked by Socket
This module is highly suspicious and should be treated as high risk. It performs local reconnaissance (project file enumeration and .env key metadata), transmits that context plus error logs to a third-party LLM, then executes shell commands directly from the LLM response using subprocess with shell=True. Even with a user confirmation prompt, the untrusted-network-to-arbitrary-shell-execution path creates a strong supply-chain/host-compromise risk. Additional context (definition/constraints around `command`, cache write behavior, and Typer wiring) is missing, but the core malicious-risk indicators are clear from the provided code.
@link-assistant/hive-mind
1.70.0
by konard
Live on npm
Blocked by Socket
High supply-chain and execution risk. The module performs runtime download-and-eval of JavaScript from https://unpkg.com to define globalThis.use, which can fully compromise the host if the remote content is malicious or altered. Beyond that, it executes external commands via command-stream (including piping prompt content into an agent CLI), forwards all environment variables to the child process, parses untrusted JSON output that influences retries/control flow, and can auto-commit/push git changes—together creating a dangerous trust boundary around both execution and data handling. No explicit evidence of cryptomining/backdoor networking appears in this snippet, but the eval(fetch) pattern alone warrants strong containment/review.
@link-assistant/hive-mind
1.70.0
by konard
Live on npm
Blocked by Socket
This module contains a critical supply-chain security weakness: it performs a runtime fetch of executable JavaScript from a public CDN and executes it via eval to initialize globalThis.use, which then underpins the command-execution mechanism for running gh API commands. This combination creates a high-likelihood path to full compromise if the CDN content changes or is intercepted. Secondary concerns include the ability to execute destructive GitHub operations (optional branch deletion) and to publish local uncommitted-change details and log files to GitHub depending on configuration and sanitization behavior. Overall, the dominant and decisive risk is the eval(fetch(...)) remote-code-execution bootstrap.
@solarcraft/observix
0.4.12
by sol_scramp
Live on npm
Blocked by Socket
This module exhibits strong malicious supply-chain/data-stealing characteristics. It performs host reconnaissance, specifically targets environment/config and sensitive-looking project files (including '.env' and config-like filenames), reads their contents, base64-encodes document content when needed, chunks payloads to fit HTTP limits, and exfiltrates the collected data to a remote API via multiple POST requests. No legitimate purpose consistent with normal library behavior is evident from the fragment.
arn-browser
0.1.39
by arndesk
Live on npm
Blocked by Socket
Selected best report behavior is consistent across all three: this module is highly suspicious and goes beyond ad blocking. In particular, it extracts Authorization Bearer tokens from intercepted Doublelist messaging POST requests into m4w_send_on_message.token_value (then aborts), rewrites outbound messageJSON for posting, and forces a 302 redirect to an unrelated external endpoint (https://httpbin.org/ip). These are strong indicators of credential/token harvesting and intentional request sabotage/manipulation. Additionally, optional useGot/useCache enables server-side re-fetch and replay of content/headers to the browser, increasing potential impact.
@vibetechnologies/browser-sync
0.1.0
by vibetechnologies
Live on npm
Blocked by Socket
This module provides a strong, direct capability to extract and decrypt Chrome cookies from a local user profile by copying the cookie database, retrieving platform-specific secrets from OS credential stores, decrypting encrypted cookie values, and returning plaintext cookies to the caller. It also includes a concrete SQL injection risk via string-interpolated SQLite WHERE clause construction from untrusted `domains[]`. Overall, the behavior aligns closely with session/cookie theft or tracking tooling rather than benign functionality.
@link-assistant/hive-mind
1.69.18
by GitHub Actions
Live on npm
Blocked by Socket
Highest concern: the module performs a top-level remote fetch of JavaScript from a public CDN and executes it via eval to initialize globalThis.use. This is direct remote code execution and is consistent with a severe supply-chain backdoor/RCE risk. Secondary concerns: dynamic construction of GraphQL and gh CLI command strings via template interpolation (plus JSON.parse of external stdout) could create injection risk if inputs are attacker-controlled and if the subprocess wrapper evaluates command strings through a shell. Given the presence of remote eval at import time, this dependency should be treated as unsafe until the loader is removed or replaced with a securely pinned/local dependency and the subprocess argument handling is verified.
@dialetica/server
0.1.0-next.21
by enzobjm
Live on npm
Blocked by Socket
This module is high-risk and highly consistent with credential/session theft. It automatically discovers and reads local browser cookie databases on macOS, decrypts Chromium-family cookies using macOS Keychain to recover a Claude `sessionKey`, then uses that stolen session in a Cookie header to query Claude/Anthropic endpoints for organization/usage data, with optional sensitive logging of tokens/sessionKey. Even though the network destinations are first-party Claude endpoints, the core behavior is unauthorized local secret access and authenticated reuse.
radia
4.48.2
Live on pypi
Blocked by Socket
This module is a high-risk dynamic loader. It unconditionally reads a Python source file from a hardcoded UNC network share and executes it via exec, while also manipulating sys.path to influence subsequent imports. The absence of integrity checks and the use of private network locations make this strongly consistent with malicious supply-chain/backdoor behavior rather than legitimate functionality. Treat as critical and block/inspect the referenced network content and the environment for compromise.
nolimit-x
1.0.195
by nolimitaworkspace
Live on npm
Blocked by Socket
This module is a heavily obfuscated email automation component that crafts OAuth/security-alert style messages (Google/Microsoft themed) and forwards/sends them to attacker-specified recipients via Nodemailer SMTP transports. It includes fallback SMTP credentials/host details, and message bodies/headers are shaped to resemble legitimate security notices—strongly consistent with phishing/social-engineering or deception tooling. While the snippet does not show system compromise primitives (e.g., file tampering or direct data theft), the outbound forged-message capability is itself a significant supply-chain security risk.
animica
0.1.4
Live on pypi
Blocked by Socket
This module is a full CPU cryptomining client (Stratum subscription/authorization, continuous nonce scanning, and mining.submit share submission). From a supply-chain perspective, it presents a high likelihood of malicious/unwanted behavior when embedded in non-mining software due to sustained resource abuse and network communications to external mining infrastructure. Within this snippet, there is no clear evidence of stealth, credential theft, persistence, reverse shells, or arbitrary data exfiltration beyond sending mining protocol messages and polling pool status; the primary risk is the explicit mining workflow and its operational impact, plus a minor supply-chain surface via the optional mining.template_block import.
tdstone2
0.1.9.14
Live on pypi
Blocked by Socket
This module is not a benign library component; it functions as an execution harness that enables attacker-controlled arbitrary code execution via exec(Code), with optional arbitrary filesystem reads through a '/lob/' mechanism. Because the executed code can define the model class and control model.fit(), it can also influence what is serialized and emitted to stdout. The presence of pickle output further increases downstream risk if artifacts are ever deserialized unsafely. Treat this component as critically unsafe unless the code input is cryptographically verified and executed inside a hardened sandbox with strict egress/file restrictions.
skinskill
0.5.3
Live on pypi
Blocked by Socket
This module is highly suspicious and should be treated as high risk. It performs local reconnaissance (project file enumeration and .env key metadata), transmits that context plus error logs to a third-party LLM, then executes shell commands directly from the LLM response using subprocess with shell=True. Even with a user confirmation prompt, the untrusted-network-to-arbitrary-shell-execution path creates a strong supply-chain/host-compromise risk. Additional context (definition/constraints around `command`, cache write behavior, and Typer wiring) is missing, but the core malicious-risk indicators are clear from the provided code.
cb-wallet-store
0.0.1
by gh0stfqce
Live on npm
Blocked by Socket
This code performs a covert, load-time outbound HTTPS request to a hardcoded external endpoint and includes the local package name in the request query string. The absence of any meaningful module behavior, combined with silent error suppression and no response handling, is strongly indicative of tracking/fingerprinting/probing rather than legitimate functionality. In a supply-chain setting, this should be reviewed and likely blocked.
jd.semantickernel.extensions.hooks
0.1.84
by JD
Live on nuget
Blocked by Socket
High-risk security finding: this module enables arbitrary OS command execution using cmd.exe /c or /bin/sh -c with a command string taken directly from externally loaded JSON configuration. There is no allowlist/sanitization/sandboxing. If an attacker can modify or influence the hooks file or its contents (a plausible supply-chain/configuration compromise scenario), they can trigger pre/post tool execution of arbitrary commands within the host process. No explicit credential theft/exfiltration is shown in this fragment, but the command-execution capability alone warrants strict review and controls.
@link-assistant/hive-mind
1.70.0
by konard
Live on npm
Blocked by Socket
The code contains a critical supply-chain RCE pattern: it fetches JavaScript from an external public CDN (unpkg.com) at runtime and executes it using eval() to populate globalThis.use. This enables arbitrary code execution if the remote content is compromised or swapped, representing a strong malicious/backdooring risk. Additional risk comes from running qwen via sh -lc with dynamically built command strings and from repository-mutation features (auto-commit/push).
antigravity-gemini-bridge
0.8.11
by uladluch
Live on npm
Blocked by Socket
This module is primarily an autostart/persistence installer for macOS LaunchAgents. It persistently launches `npx -y antigravity-gemini-bridge@latest`, meaning it can retrieve and execute an unpinned remote package at runtime—an elevated supply-chain risk. It also interpolates `projectPath` directly into the generated plist XML and launch arguments without escaping/validation, which could enable configuration/argument manipulation if the input is attacker-controlled. No explicit data theft or network exfiltration is present in this fragment, but the persistence + `@latest` execution pattern warrants security review and pinning/hardening.
exiouss
2.0.3
by loltestpad
Live on npm
Blocked by Socket
This module is strongly adversarial and unsuitable for inclusion as a general-purpose dependency without a very clear, tightly scoped justification. It performs browser-context code injection and execution via CDP (including CSP bypass), selectively forges network responses for specific routes, and implements a covert base64 command channel via browser console messages to drive further automated actions. It also includes self-management/sabotage-style hooks (stop/kill node.exe; detached respawn) and suppresses runtime error reporting, increasing stealth. The snippet references several external functions/values not shown (SOLVER_SCRIPT, enqueueTask/typeText, CDP_PORT, launchBrowser), so intent beyond the shown capabilities cannot be fully confirmed, but the observed behaviors are highly consistent with malicious or cheating/automation tooling.
@link-assistant/hive-mind
1.69.18
by GitHub Actions
Live on npm
Blocked by Socket
High risk. This module performs a runtime network fetch of JavaScript from a public CDN and executes it via eval to set a global loader used for command execution primitives. That is a critical supply-chain/RCE pattern with the potential for full compromise. Additionally, it configures broad agent permissions (opencode.json), passes process.env to an external tool, executes shell-like pipelines via a dynamically sourced command-stream helper, and logs raw untrusted subprocess output (potential sensitive data exposure).
to-cms
1.0.1
by thermonuclear
Live on npm
Blocked by Socket
This code is a dropper/launcher: it downloads a hardcoded .exe from a remote server, writes it to the system temp directory, executes it via child_process.exec using start/open semantics, and then deletes the dropped file shortly after. The absence of integrity checks and the execution of remote content make malicious intent highly likely.
antigravity-gemini-bridge
0.8.10
by uladluch
Live on npm
Blocked by Socket
This module is primarily an autostart/persistence installer for macOS LaunchAgents. It persistently launches `npx -y antigravity-gemini-bridge@latest`, meaning it can retrieve and execute an unpinned remote package at runtime—an elevated supply-chain risk. It also interpolates `projectPath` directly into the generated plist XML and launch arguments without escaping/validation, which could enable configuration/argument manipulation if the input is attacker-controlled. No explicit data theft or network exfiltration is present in this fragment, but the persistence + `@latest` execution pattern warrants security review and pinning/hardening.
amd-gaia
0.18.1
Live on pypi
Blocked by Socket
This addon exposes an unauthenticated TCP JSON command server and includes a critical 'execute_code' command that executes attacker-controlled Python using exec() inside the Blender process, returning stdout/stderr to the remote client. Additionally, it allows remote scene creation/modification/deletion without validation. This is a classic remote-code-execution backdoor pattern and represents extremely high security risk if the port is reachable by any untrusted actor.
@link-assistant/hive-mind
1.69.18
by GitHub Actions
Live on npm
Blocked by Socket
This module contains a critical supply-chain security weakness: it performs a runtime fetch of executable JavaScript from a public CDN and executes it via eval to initialize globalThis.use, which then underpins the command-execution mechanism for running gh API commands. This combination creates a high-likelihood path to full compromise if the CDN content changes or is intercepted. Secondary concerns include the ability to execute destructive GitHub operations (optional branch deletion) and to publish local uncommitted-change details and log files to GitHub depending on configuration and sanitization behavior. Overall, the dominant and decisive risk is the eval(fetch(...)) remote-code-execution bootstrap.
animica
0.1.7
Live on pypi
Blocked by Socket
This module is a full CPU cryptomining client (Stratum subscription/authorization, continuous nonce scanning, and mining.submit share submission). From a supply-chain perspective, it presents a high likelihood of malicious/unwanted behavior when embedded in non-mining software due to sustained resource abuse and network communications to external mining infrastructure. Within this snippet, there is no clear evidence of stealth, credential theft, persistence, reverse shells, or arbitrary data exfiltration beyond sending mining protocol messages and polling pool status; the primary risk is the explicit mining workflow and its operational impact, plus a minor supply-chain surface via the optional mining.template_block import.
abx-plugins
1.10.52
Live on pypi
Blocked by Socket
This module is primarily a wrapper around an external downloader, but it contains a highly suspicious runtime injection mechanism: it generates a temporary `sitecustomize.py` and forces the subprocess to import it by prepending a temp directory to `PYTHONPATH`. If the spawned binary is Python-based, this can enable arbitrary code execution within the child process context. The actual `sitecustomize_code` content is not present/appears corrupted in the provided fragment, so exact maliciousness cannot be confirmed from this text alone; however, the injection technique itself is a major security red flag and warrants deep review of the complete source and the real `sitecustomize_code` contents and execution context.
skinskill
0.5.6
Live on pypi
Blocked by Socket
This module is highly suspicious and should be treated as high risk. It performs local reconnaissance (project file enumeration and .env key metadata), transmits that context plus error logs to a third-party LLM, then executes shell commands directly from the LLM response using subprocess with shell=True. Even with a user confirmation prompt, the untrusted-network-to-arbitrary-shell-execution path creates a strong supply-chain/host-compromise risk. Additional context (definition/constraints around `command`, cache write behavior, and Typer wiring) is missing, but the core malicious-risk indicators are clear from the provided code.
@link-assistant/hive-mind
1.70.0
by konard
Live on npm
Blocked by Socket
High supply-chain and execution risk. The module performs runtime download-and-eval of JavaScript from https://unpkg.com to define globalThis.use, which can fully compromise the host if the remote content is malicious or altered. Beyond that, it executes external commands via command-stream (including piping prompt content into an agent CLI), forwards all environment variables to the child process, parses untrusted JSON output that influences retries/control flow, and can auto-commit/push git changes—together creating a dangerous trust boundary around both execution and data handling. No explicit evidence of cryptomining/backdoor networking appears in this snippet, but the eval(fetch) pattern alone warrants strong containment/review.
@link-assistant/hive-mind
1.70.0
by konard
Live on npm
Blocked by Socket
This module contains a critical supply-chain security weakness: it performs a runtime fetch of executable JavaScript from a public CDN and executes it via eval to initialize globalThis.use, which then underpins the command-execution mechanism for running gh API commands. This combination creates a high-likelihood path to full compromise if the CDN content changes or is intercepted. Secondary concerns include the ability to execute destructive GitHub operations (optional branch deletion) and to publish local uncommitted-change details and log files to GitHub depending on configuration and sanitization behavior. Overall, the dominant and decisive risk is the eval(fetch(...)) remote-code-execution bootstrap.
@solarcraft/observix
0.4.12
by sol_scramp
Live on npm
Blocked by Socket
This module exhibits strong malicious supply-chain/data-stealing characteristics. It performs host reconnaissance, specifically targets environment/config and sensitive-looking project files (including '.env' and config-like filenames), reads their contents, base64-encodes document content when needed, chunks payloads to fit HTTP limits, and exfiltrates the collected data to a remote API via multiple POST requests. No legitimate purpose consistent with normal library behavior is evident from the fragment.
arn-browser
0.1.39
by arndesk
Live on npm
Blocked by Socket
Selected best report behavior is consistent across all three: this module is highly suspicious and goes beyond ad blocking. In particular, it extracts Authorization Bearer tokens from intercepted Doublelist messaging POST requests into m4w_send_on_message.token_value (then aborts), rewrites outbound messageJSON for posting, and forces a 302 redirect to an unrelated external endpoint (https://httpbin.org/ip). These are strong indicators of credential/token harvesting and intentional request sabotage/manipulation. Additionally, optional useGot/useCache enables server-side re-fetch and replay of content/headers to the browser, increasing potential impact.
@vibetechnologies/browser-sync
0.1.0
by vibetechnologies
Live on npm
Blocked by Socket
This module provides a strong, direct capability to extract and decrypt Chrome cookies from a local user profile by copying the cookie database, retrieving platform-specific secrets from OS credential stores, decrypting encrypted cookie values, and returning plaintext cookies to the caller. It also includes a concrete SQL injection risk via string-interpolated SQLite WHERE clause construction from untrusted `domains[]`. Overall, the behavior aligns closely with session/cookie theft or tracking tooling rather than benign functionality.
@link-assistant/hive-mind
1.69.18
by GitHub Actions
Live on npm
Blocked by Socket
Highest concern: the module performs a top-level remote fetch of JavaScript from a public CDN and executes it via eval to initialize globalThis.use. This is direct remote code execution and is consistent with a severe supply-chain backdoor/RCE risk. Secondary concerns: dynamic construction of GraphQL and gh CLI command strings via template interpolation (plus JSON.parse of external stdout) could create injection risk if inputs are attacker-controlled and if the subprocess wrapper evaluates command strings through a shell. Given the presence of remote eval at import time, this dependency should be treated as unsafe until the loader is removed or replaced with a securely pinned/local dependency and the subprocess argument handling is verified.
@dialetica/server
0.1.0-next.21
by enzobjm
Live on npm
Blocked by Socket
This module is high-risk and highly consistent with credential/session theft. It automatically discovers and reads local browser cookie databases on macOS, decrypts Chromium-family cookies using macOS Keychain to recover a Claude `sessionKey`, then uses that stolen session in a Cookie header to query Claude/Anthropic endpoints for organization/usage data, with optional sensitive logging of tokens/sessionKey. Even though the network destinations are first-party Claude endpoints, the core behavior is unauthorized local secret access and authenticated reuse.
Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.
Possible typosquat attack
Known malware
Git dependency
GitHub dependency
HTTP dependency
Obfuscated code
Suspicious Stars on GitHub
Telemetry
Protestware or potentially unwanted behavior
Unstable ownership
Critical CVE
High CVE
Medium CVE
Low CVE
Unpopular package
Minified code
Bad dependency semver
Wildcard dependency
Socket optimized override available
Deprecated
Unmaintained
Explicitly Unlicensed Item
License Policy Violation
Misc. License Issues
Non-permissive License
Ambiguous License Classifier
Copyleft License
License exception
No License Found
Unidentified License
Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.
Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Nat Friedman
CEO at GitHub

Suz Hinton
Senior Software Engineer at Stripe
heck yes this is awesome!!! Congrats team 🎉👏

Matteo Collina
Node.js maintainer, Fastify lead maintainer
So awesome to see @SocketSecurity launch with a fresh approach! Excited to have supported the team from the early days.

DC Posch
Director of Technology at AppFolio, CTO at Dynasty
This is going to be super important, especially for crypto projects where a compromised dependency results in stolen user assets.

Luis Naranjo
Software Engineer at Microsoft
If software supply chain attacks through npm don't scare the shit out of you, you're not paying close enough attention.
@SocketSecurity sounds like an awesome product. I'll be using socket.dev instead of npmjs.org to browse npm packages going forward

Elena Nadolinski
Founder and CEO at Iron Fish
Huge congrats to @SocketSecurity! 🙌
Literally the only product that proactively detects signs of JS compromised packages.

Joe Previte
Engineering Team Lead at Coder
Congrats to @feross and the @SocketSecurity team on their seed funding! 🚀 It's been a big help for us at @CoderHQ and we appreciate what y'all are doing!

Josh Goldberg
Staff Developer at Codecademy
This is such a great idea & looks fantastic, congrats & good luck @feross + team!
The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Scott Roberts
CISO at UiPath
As a happy Socket customer, I've been impressed with how quickly they are adding value to the product, this move is a great step!

Yan Zhu
Head of Security at Brave, DEFCON, EFF, W3C
glad to hear some of the smartest people i know are working on (npm, etc.) supply chain security finally :). @SocketSecurity

Andrew Peterson
CEO and Co-Founder at Signal Sciences (acq. Fastly)
How do you track the validity of open source software libraries as they get updated? You're prob not. Check out @SocketSecurity and the updated tooling they launched.
Supply chain is a cluster in security as we all know and the tools from Socket are "duh" type tools to be implementing. Check them out and follow Feross Aboukhadijeh to see more updates coming from them in the future.

Zbyszek Tenerowicz
Senior Security Engineer at ConsenSys
socket.dev is getting more appealing by the hour

Devdatta Akhawe
Head of Security at Figma
The @SocketSecurity team is on fire! Amazing progress and I am exciting to see where they go next.

Sebastian Bensusan
Engineer Manager at Stripe
I find it surprising that we don't have _more_ supply chain attacks in software:
Imagine your airplane (the code running) was assembled (deployed) daily, with parts (dependencies) from internet strangers. How long until you get a bad part?
Excited for Socket to prevent this

Adam Baldwin
VP of Security at npm, Red Team at Auth0/Okta
Congrats to everyone at @SocketSecurity ❤️🤘🏻

Nico Waisman
CISO at Lyft
This is an area that I have personally been very focused on. As Nat Friedman said in the 2019 GitHub Universe keynote, Open Source won, and every time you add a new open source project you rely on someone else code and you rely on the people that build it.
This is both exciting and problematic. You are bringing real risk into your organization, and I'm excited to see progress in the industry from OpenSSF scorecards and package analyzers to the company that Feross Aboukhadijeh is building!
Questions? Call us at (844) SOCKET-0
Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.
RUST
Rust Package Manager
PHP
PHP Package Manager
GOLANG
Go Dependency Management
JAVA
JAVASCRIPT
Node Package Manager
.NET
.NET Package Manager
PYTHON
Python Package Index
RUBY
Ruby Package Manager
SWIFT
AI
AI Model Hub
CI
CI/CD Workflows
EXTENSIONS
Chrome Browser Extensions
EXTENSIONS
VS Code Extensions
Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.
Nov 23, 2025
Shai Hulud v2
Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.
Nov 05, 2025
Elves on npm
A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.
Jul 04, 2025
RubyGems Automation-Tool Infostealer
Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.
Mar 13, 2025
North Korea's Contagious Interview Campaign
Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.
Jul 23, 2024
Network Reconnaissance Campaign
A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
Questions? Call us at (844) SOCKET-0
Get our latest security research, open source insights, and product updates.

Security News
/Research
Socket detected malicious node-ipc versions with obfuscated stealer/backdoor behavior in a developing npm supply chain attack.

Security News
TeamPCP and BreachForums are promoting a Shai-Hulud supply chain attack contest with a $1,000 prize for the biggest package compromise.

Security News
Packagist urges PHP projects to update Composer after a GitHub token format change exposed some GitHub Actions tokens in CI logs.