Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.4

We protect you from vulnerable and malicious packages

stableagents-ai

0.2.5

Live on pypi

Blocked by Socket

This module exposes multiple high-risk capabilities: arbitrary shell execution (subprocess.run with shell=True), process spawning from untrusted input, and unrestricted filesystem modification (create, move, copy, delete) based on user-provided parameters. There are no input validations, privilege checks or limits. I assess this as not clearly malicious by intent (it implements utility functions), but it is easily abusable and dangerous in contexts where inputs are untrusted. Treat this code as high security risk if incorporated into environments that handle external input or run with elevated privileges.

354766/k-dense-ai/claude-scientific-writer/markitdown/

c34901af08a5dac40ec9035b4706e5c09c91d1b7

Live on socket

Blocked by Socket

[Skill Scanner] Installation of third-party script detected (AITech 9.1.4) [SC006]

@kbr-gmbh/kbr-ebus

2.3.17

by kbradmin

Live on npm

Blocked by Socket

The code executes a bundled shell script with sudo during runtime, which is a high-risk supply-chain behavior. The snippet itself does not show explicit data exfiltration or obfuscation, but because it runs a privileged shell script with no validation or user prompt, it can perform arbitrary malicious actions depending on the script contents. Review the contents of bash/postinstall.sh and avoid running this package in environments where elevated privileges or sensitive data are present.

coinhive-firefox-offcial

1.0.7

by aminer

Live on npm

Blocked by Socket

The code embeds a cryptocurrency mining script (CoinHive) into all served pages, constituting cryptojacking malware. It serves a local miner.js script with an incorrect content-type header. The behavior is malicious and poses a high security risk due to unauthorized resource usage and potential privacy violations. The code is not obfuscated but the miner.js content is unknown. The existing reports are invalid and do not reflect these findings.

github.com/rickm2618/EvilCreatorEdition-evilginx3

v0.0.0-20231226022420-22426659d9eb

Live on go

Blocked by Socket

This batch file itself is not obfuscated and contains no direct hardcoded secrets, but it builds and immediately runs a binary named 'evilginx.exe' with phishlet/redirector configuration — strongly consistent with a phishing/proxy toolkit (Evilginx-like). Use of this script will produce and execute code that is likely intended to capture credentials or proxy traffic. Treat as high-risk; do not run on production or personal machines unless in an isolated, lawful test environment. Further review of the Go source that is being built is required to determine exact malicious functionality.

ohio-covid-toolkit

2.0.6

by daveankin

Live on npm

Blocked by Socket

This code implements a systematic fraud automation system designed to submit false unemployment insurance claims to government benefit systems. It contains extensive arrays of fake Ohio company names, fabricated addresses, and artificial employee identities used to generate fraudulent employer and employee data. The system includes automated captcha bypass functionality with pre-programmed question-answer pairs, DOM manipulation to populate specific government form fields, and functions that automatically select responses to maximize benefit eligibility while avoiding disqualification. The complete automation pipeline from fake data generation through captcha circumvention to fraudulent submission demonstrates clear malicious intent to defraud government benefit programs at scale, potentially causing significant financial harm to taxpayers and undermining public benefit systems.

mtxp

0.0.197

Removed from pypi

Blocked by Socket

The script creates a persistent, predictable remote access vector by adding a user with a hardcoded password and by replacing SSH configuration to enable password and root logins and forwarding. This behavior is high-risk and consistent with a backdoor/persistence implant; treat any occurrence as malicious unless used in a tightly controlled, ephemeral testing environment with compensating controls. Do not run this script on production systems; if it has run, assume compromise, remove the user, restore secure SSH configuration, and rotate credentials.

Live on pypi for 117 days, 4 hours and 18 minutes before removal. Socket users were protected even while the package was live.

mtmai

0.3.1555

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

mtmai

0.3.1075

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

ryry-cli

2.82

Removed from pypi

Blocked by Socket

This module contains high-risk behaviors for a client-side library: hardcoded bearer-like token and HMAC/OSS credentials, disabled TLS verification (verify=False), and multiple code paths that upload arbitrary local files and internal state to remote domains. These are strong indicators of potential supply-chain exfiltration capabilities. There is no obvious obfuscation or code injection, but embedded secrets and silent error handling make this package unsafe to include without review and removal/rotation of credentials and enabling proper TLS verification. Recommend not using the package as-is and treating the embedded credentials and endpoints as compromised until rotated and justified.

Live on pypi for 1 hour and 51 minutes before removal. Socket users were protected even while the package was live.

354766/cybertheory/clrun/clrun/

1b74d60c9e4abf6f1f79b31a02d78703638b324a

Live on socket

Blocked by Socket

[Skill Scanner] Installation of third-party script detected. This skill's stated purpose (control interactive CLI sessions, TUIs, and persistent shells) matches its capabilities — it must spawn PTYs and forward keystrokes/output to fulfill that role. That said, those exact capabilities make it a high-risk tool to expose to untrusted agents or automated policies: it enables arbitrary command execution, access to persisted environment variables (which may contain secrets), and returns terminal output (which may include sensitive data). No malicious code or obfuscation is evident in the provided manifest and documentation, but the operational risk of credential exposure and arbitrary command execution is significant if the skill is used by untrusted agents or without strict sandboxing and policy controls. Recommendations: restrict who/what can call this skill, add explicit least-privilege controls (command allowlist, confirmation prompts for file/env access, option to disable env persistence), and log/notify human operators for high-risk commands. LLM verification: The skill documentation describes a powerful tool that legitimately enables interactive shell/TUI automation. There is no explicit malicious code or obfuscation in the provided text. However, by design it grants arbitrary command execution and persists environment state, which makes it straightforward for an agent (or a compromised agent) to read secrets or exfiltrate data. Treat clrun as a high-privilege capability: only enable it for fully trusted actors or inside strongly isolated environment

mtmai

0.4.106

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

qualifire

0.2.0

Live on pypi

Blocked by Socket

This instrumentor silently forwards OpenAI request parameters (which often include sensitive prompts or files), model outputs, and a provided API key to an external /api/intake endpoint. That constitutes high-risk data exfiltration and credential leakage. If this code runs in an environment where users or owners did not explicitly configure and consent to sending prompts, completions, and an API key to the configured base_url, it should be considered malicious or at minimum unacceptable privacy-invasive telemetry. Recommend removal or disabling unless the destination is fully trusted, explicit consent exists, and additional safeguards (error handling, data minimization, clear opt-in) are implemented.

plengauer/thoth

a05d46ff11a69247c899f815d4ac415fc0fa8820

Live on actions

Blocked by Socket

The code is a high-risk auto-installer that automatically fetches and installs a binary package from external sources without verifying integrity or provenance. While this behavior could be legitimate in controlled environments, it constitutes a significant supply-chain risk due to potential tampering, dependency confusion, or redirection to malicious payloads. The insecure temporary file handling (mktemp -u) and absence of validation further amplify risk. Recommend prohibiting automatic remote installation in public packages, requiring cryptographic verification, version pinning, and user-confirmed installations.

molass-legacy

0.5.0

Live on pypi

Blocked by Socket

The code is not obviously malware, but contains a high-risk pattern: unsanitized eval() applied to substrings extracted from log files, creating a clear remote code execution vector if an attacker can supply or modify a log file. Additional issues include lack of error handling for file operations and overly broad exception suppression. Recommend immediate replacement of eval() with safe parsing (ast.literal_eval or custom parser), improved exception handling and logging, and audit of the incomplete reset() function before deploying in environments that process untrusted logs.

ailever

0.2.243

Live on pypi

Blocked by Socket

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

utiltools

1.3.7

by UtilTools, GcNet

Live on nuget

Blocked by Socket

This assembly contains an obfuscated runtime loader/packer: it reads encrypted/packed blobs from resources or files, verifies/decrypts them, maps them into process memory (or hooks native resolution to serve them), and invokes them through native delegates or emitted IL. These behaviors are malicious-capability primitives (in-memory code injection/loader) commonly used by droppers, backdoors or evasive payloads. Treat the package as high-risk: do not run it in production, remove it from build/dependencies, and investigate any systems that executed it. If further confirmation is required, perform dynamic analysis in an isolated sandbox to observe network activity, persistence, and exact payload behavior.

github.com/forky-anonymized/forky

v0.0.0-20240802071258-3bf8caa80b64

Live on go

Blocked by Socket

This script contains clear, high-risk operations: it creates a new system user and elevates it to the admin group, writes system-wide configuration from attacker-controllable /tmp files without validation, and installs a persistent LaunchDaemon. These are exactly the kinds of actions an attacker or a malicious package would use to establish persistence and privilege on a macOS host. Treat this code as malicious or at minimum extremely suspicious and do not run it on production systems. Remove or closely audit the source of the plist and the /tmp config files; ensure such operations are performed only with validated inputs and least privilege.

github.com/milvus-io/milvus

v0.10.3-0.20210922164153-340f92ab1694

Live on go

Blocked by Socket

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

@sentrei/mobile

27.1.0

by shunkakinoki

Live on npm

Blocked by Socket

The script exhibits a high-risk secret-exfiltration pattern: it uses an access token to clone a repository, reads a file (likely containing credentials/cookies), publishes its contents as a workflow output (exposing the secret to subsequent steps and potentially to logs or external actors), and then deletes the cloned files. Treat this script as malicious or at minimum extremely suspicious. Do not run it with real credentials; audit the repository, revoke any tokens exposed this way, and replace with secure patterns (actions/checkout, secrets management, avoid emitting raw secrets).

mtxai

0.0.84

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

bluelamp-ai

0.45.3

Removed from pypi

Blocked by Socket

This module is highly suspicious: it intentionally conceals a secondary Python program in a base64+zlib blob and executes it immediately at import time. That pattern is a canonical supply-chain/malicious-obfuscation indicator. Treat the package as high risk: do not import/run it in production or on sensitive hosts. Decode and analyze the decompressed payload in an isolated environment before any use. If the decompressed payload contains network callbacks, credential access, or persistence logic, consider removing the package and treating it as malicious.

Live on pypi for 1 day, 6 hours and 22 minutes before removal. Socket users were protected even while the package was live.

stableagents-ai

0.2.5

Live on pypi

Blocked by Socket

This module exposes multiple high-risk capabilities: arbitrary shell execution (subprocess.run with shell=True), process spawning from untrusted input, and unrestricted filesystem modification (create, move, copy, delete) based on user-provided parameters. There are no input validations, privilege checks or limits. I assess this as not clearly malicious by intent (it implements utility functions), but it is easily abuseable and dangerous in contexts where inputs are untrusted. Treat this code as high security risk if incorporated into environments that handle external input or run with elevated privileges.

354766/k-dense-ai/claude-scientific-writer/markitdown/

c34901af08a5dac40ec9035b4706e5c09c91d1b7

Live on socket

Blocked by Socket

[Skill Scanner] Installation of third-party script detected (AITech 9.1.4) [SC006]

@kbr-gmbh/kbr-ebus

2.3.17

by kbradmin

Live on npm

Blocked by Socket

The code executes a bundled shell script with sudo during runtime, which is a high-risk supply-chain behavior. The snippet itself does not show explicit data exfiltration or obfuscation, but because it runs a privileged shell script with no validation or user prompt, it can perform arbitrary malicious actions depending on the script contents. Review the contents of bash/postinstall.sh and avoid running this package in environments where elevated privileges or sensitive data are present.

coinhive-firefox-offcial

1.0.7

by aminer

Live on npm

Blocked by Socket

The code embeds a cryptocurrency mining script (CoinHive) into all served pages, constituting cryptojacking malware. It serves a local miner.js script with an incorrect content-type header. The behavior is malicious and poses a high security risk due to unauthorized resource usage and potential privacy violations. The code is not obfuscated but the miner.js content is unknown. The existing reports are invalid and do not reflect these findings.

github.com/rickm2618/EvilCreatorEdition-evilginx3

v0.0.0-20231226022420-22426659d9eb

Live on go

Blocked by Socket

This batch file itself is not obfuscated and contains no direct hardcoded secrets, but it builds and immediately runs a binary named 'evilginx.exe' with phishlet/redirector configuration — strongly consistent with a phishing/proxy toolkit (Evilginx-like). Use of this script will produce and execute code that is likely intended to capture credentials or proxy traffic. Treat as high-risk; do not run on production or personal machines unless in an isolated, lawful test environment. Further review of the Go source that is being built is required to determine exact malicious functionality.

ohio-covid-toolkit

2.0.6

by daveankin

Live on npm

Blocked by Socket

This code implements a systematic fraud automation system designed to submit false unemployment insurance claims to government benefit systems. It contains extensive arrays of fake Ohio company names, fabricated addresses, and artificial employee identities used to generate fraudulent employer and employee data. The system includes automated captcha bypass functionality with pre-programmed question-answer pairs, DOM manipulation to populate specific government form fields, and functions that automatically select responses to maximize benefit eligibility while avoiding disqualification. The complete automation pipeline from fake data generation through captcha circumvention to fraudulent submission demonstrates clear malicious intent to defraud government benefit programs at scale, potentially causing significant financial harm to taxpayers and undermining public benefit systems.

mtxp

0.0.197

Removed from pypi

Blocked by Socket

The script creates a persistent, predictable remote access vector by adding a user with a hardcoded password and by replacing SSH configuration to enable password and root logins and forwarding. This behavior is high-risk and consistent with a backdoor/persistence implant; treat any occurrence as malicious unless used in a tightly controlled, ephemeral testing environment with compensating controls. Do not run this script on production systems; if it has run, assume compromise, remove the user, restore secure SSH configuration, and rotate credentials.

Live on pypi for 117 days, 4 hours and 18 minutes before removal. Socket users were protected even while the package was live.

mtmai

0.3.1555

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

mtmai

0.3.1075

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

ryry-cli

2.82

Removed from pypi

Blocked by Socket

This module contains high-risk behaviors for a client-side library: hardcoded bearer-like token and HMAC/OSS credentials, disabled TLS verification (verify=False), and multiple code paths that upload arbitrary local files and internal state to remote domains. These are strong indicators of potential supply-chain exfiltration capabilities. There is no obvious obfuscation or code injection, but embedded secrets and silent error handling make this package unsafe to include without review and removal/rotation of credentials and enabling proper TLS verification. Recommend not using the package as-is and treating the embedded credentials and endpoints as compromised until rotated and justified.

Live on pypi for 1 hour and 51 minutes before removal. Socket users were protected even while the package was live.

354766/cybertheory/clrun/clrun/

1b74d60c9e4abf6f1f79b31a02d78703638b324a

Live on socket

Blocked by Socket

[Skill Scanner] Installation of third-party script detected This skill's stated purpose (control interactive CLI sessions, TUIs, and persistent shells) matches its capabilities — it must spawn PTYs and forward keystrokes/output to fulfill that role. That said, those exact capabilities make it a high-risk tool to expose to untrusted agents or automated policies: it enables arbitrary command execution, access to persisted environment variables (which may contain secrets), and returns terminal output (which may include sensitive data). No malicious code or obfuscation is evident in the provided manifest and documentation, but the operational risk of credential exposure and arbitrary command execution is significant if the skill is used by untrusted agents or without strict sandboxing and policy controls. Recommendations: restrict who/what can call this skill, add explicit least-privilege controls (command allowlist, confirmation prompts for file/env access, option to disable env persistence), and log/notify human operators for high-risk commands. LLM verification: The skill documentation describes a powerful tool that legitimately enables interactive shell/TUI automation. There is no explicit malicious code or obfuscation in the provided text. However, by design it grants arbitrary command execution and persists environment state, which makes it straightforward for an agent (or a compromised agent) to read secrets or exfiltrate data. Treat clrun as a high-privilege capability: only enable it for fully trusted actors or inside strongly isolated environment

mtmai

0.4.106

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

qualifire

0.2.0

Live on pypi

Blocked by Socket

This instrumentor silently forwards OpenAI request parameters (which often include sensitive prompts or files), model outputs, and a provided API key to an external /api/intake endpoint. That constitutes high-risk data exfiltration and credential leakage. If this code runs in an environment where users or owners did not explicitly configure and consent to sending prompts, completions, and an API key to the configured base_url, it should be considered malicious or at minimum unacceptable privacy-invasive telemetry. Recommend removal or disabling unless the destination is fully trusted, explicit consent exists, and additional safeguards (error handling, data minimization, clear opt-in) are implemented.

plengauer/thoth

a05d46ff11a69247c899f815d4ac415fc0fa8820

Live on actions

Blocked by Socket

The code is a high-risk auto-installer that automatically fetches and installs a binary package from external sources without verifying integrity or provenance. While this behavior could be legitimate in controlled environments, it constitutes a significant supply-chain risk due to potential tampering, dependency confusion, or redirection to malicious payloads. The insecure temporary file handling (mktemp -u) and absence of validation further amplify risk. Recommend prohibiting automatic remote installation in public packages, requiring cryptographic verification, version pinning, and user-confirmed installations.

molass-legacy

0.5.0

Live on pypi

Blocked by Socket

The code is not obviously malware, but contains a high-risk pattern: unsanitized eval() applied to substrings extracted from log files, creating a clear remote code execution vector if an attacker can supply or modify a log file. Additional issues include lack of error handling for file operations and overly broad exception suppression. Recommend immediate replacement of eval() with safe parsing (ast.literal_eval or custom parser), improved exception handling and logging, and audit of the incomplete reset() function before deploying in environments that process untrusted logs.

ailever

0.2.243

Live on pypi

Blocked by Socket

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

utiltools

1.3.7

by UtilTools, GcNet

Live on nuget

Blocked by Socket

This assembly contains an obfuscated runtime loader/packer: it reads encrypted/packed blobs from resources or files, verifies/decrypts them, maps them into process memory (or hooks native resolution to serve them), and invokes them through native delegates or emitted IL. These behaviors are malicious-capability primitives (in-memory code injection/loader) commonly used by droppers, backdoors or evasive payloads. Treat the package as high-risk: do not run it in production, remove it from build/dependencies, and investigate any systems that executed it. If further confirmation is required, perform dynamic analysis in an isolated sandbox to observe network activity, persistence, and exact payload behavior.

github.com/forky-anonymized/forky

v0.0.0-20240802071258-3bf8caa80b64

Live on go

Blocked by Socket

This script contains clear, high-risk operations: it creates a new system user and elevates it to the admin group, writes system-wide configuration from attacker-controllable /tmp files without validation, and installs a persistent LaunchDaemon. These are exactly the kinds of actions an attacker or a malicious package would use to establish persistence and privilege on a macOS host. Treat this code as malicious or at minimum extremely suspicious and do not run it on production systems. Remove or closely audit the source of the plist and the /tmp config files; ensure such operations are performed only with validated inputs and least privilege.

github.com/milvus-io/milvus

v0.10.3-0.20210922164153-340f92ab1694

Live on go

Blocked by Socket

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

@sentrei/mobile

27.1.0

by shunkakinoki

Live on npm

Blocked by Socket

The script exhibits a high-risk secret-exfiltration pattern: it uses an access token to clone a repository, reads a file (likely containing credentials/cookies), publishes its contents as a workflow output (exposing the secret to subsequent steps and potentially to logs or external actors), and then deletes the cloned files. Treat this script as malicious or at minimum extremely suspicious. Do not run it with real credentials; audit the repository, revoke any tokens exposed this way, and replace it with secure patterns (actions/checkout, secrets management, never emitting raw secrets as outputs).

mtxai

0.0.84

Live on pypi

Blocked by Socket

This fragment installs and starts KasmVNC by running many shell commands that create certificates, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated environment variables, starting a VNC server exposed on 0.0.0.0 with disabled or basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscation or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing the shell usage, validating inputs, generating passwords securely at random, enforcing proper file permissions, and leaving authentication enabled.

bluelamp-ai

0.45.3

Removed from pypi

Blocked by Socket

This module is highly suspicious: it intentionally conceals a secondary Python program in a base64+zlib blob and executes it immediately at import time. That pattern is a canonical supply-chain/malicious-obfuscation indicator. Treat the package as high risk: do not import/run it in production or on sensitive hosts. Decode and analyze the decompressed payload in an isolated environment before any use. If the decompressed payload contains network callbacks, credential access, or persistence logic, consider removing the package and treating it as malicious.

Live on pypi for 1 day, 6 hours and 22 minutes before removal. Socket users were protected even while the package was live.
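As an added example (not Socket's scanner and not code from the package above), a small static check for the pattern this assessment describes: an exec or eval whose argument is produced by base64/zlib decode calls at module level, so the hidden program runs on import. The module it scans is constructed here with a harmless inner script; the function and constant names are mine.

```python
import ast
import base64
import zlib

# Constructed sample (not from any real package): a harmless inner script hidden
# in a base64+zlib blob and executed at import time, the shape described above.
_INNER = b"print('inner program would run here')"
_BLOB = base64.b64encode(zlib.compress(_INNER))
SAMPLE_MODULE = (
    "import base64, zlib\n"
    f"exec(zlib.decompress(base64.b64decode({_BLOB!r})))\n"
)

EXEC_SINKS = {"exec", "eval"}
DECODERS = {"b64decode", "b85decode", "a85decode", "decompress", "unhexlify"}


def _called_name(call: ast.Call) -> str:
    """Bare function name of a call, e.g. 'b64decode' for base64.b64decode(...)."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def find_hidden_exec(source: str) -> list[dict]:
    """Flag exec/eval calls whose argument is built from decode/decompress calls.

    One finding per sink: its line, the decoders seen in its argument, and
    whether it runs at import time (module level, not inside a function or
    lambda; decorators and default values are ignored by this approximation).
    """
    tree = ast.parse(source)
    deferred = set()  # nodes that only run when a function is later called
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            deferred.update(n for n in ast.walk(node) if n is not node)
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _called_name(node) in EXEC_SINKS):
            continue
        decoders = sorted({_called_name(c) for c in ast.walk(node)
                           if isinstance(c, ast.Call) and _called_name(c) in DECODERS})
        if decoders:
            findings.append({"line": node.lineno, "sink": _called_name(node),
                             "decoders": decoders, "at_import": node not in deferred})
    return findings


if __name__ == "__main__":
    for finding in find_hidden_exec(SAMPLE_MODULE):
        print(finding)  # -> line 2, exec, ['b64decode', 'decompress'], at_import True
```

The check never executes the scanned source; it only parses it, so it is safe to run over an untrusted package before deciding whether to analyze the decoded payload in a sandbox.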

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Telemetry

Unstable ownership

Git dependency

GitHub dependency

AI-detected potential malware

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.

Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.

RUST: crates.io (Rust Package Manager)

PHP: Packagist (PHP Package Manager)

GOLANG: Go Modules (Go Dependency Management)

JAVA: Maven Central

JAVASCRIPT: npm (Node Package Manager)

.NET: NuGet (.NET Package Manager)

PYTHON: PyPI (Python Package Index)

RUBY: RubyGems.org (Ruby Package Manager)

SWIFT: Swift

AI: Hugging Face Hub (AI Model Hub)

CI: GitHub Actions (CI/CD Workflows)

EXTENSIONS: Chrome Web Store (Chrome Browser Extensions)

EXTENSIONS: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published from new accounts, roughly one every two minutes. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, some of them mentioning a capture-the-flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.

The latest from the Socket team

Get our latest security research, open source insights, and product updates.