Secure your dependencies. Ship with confidence.

The code is a security middleware for an Express application that performs security checks and protects against vulnerabilities. However, there are potential security risks and unused code that need further review and validation.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The script is not necessarily malicious, but it does involve dubious practices like automated publishing of npm packages and programmatically updating a WordPress site. It is also insecure due to the hardcoding of credentials and the potential misuse of automated npm package publishing.

Live on npm for 53 minutes before removal. Socket users were protected even while the package was live.

The code implements a MITM proxy server with the capability to intercept and modify network traffic. While it can be used for legitimate testing purposes, it poses a significant security risk if used maliciously. The presence of hardcoded values and the ability to bypass TLS verification increase the potential for misuse.

The script is designed to collect and send sensitive system information to a remote server, which poses a significant security risk and indicates malicious intent.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 11 minutes before removal. Socket users were protected even while the package was live.

The code is exfiltrating system information to a remote server without clear user consent. The hardcoded exfiltration URL and potential command injection in the PowerShell script generation pose security risks. There is a medium risk of data leakage and potential for unauthorized access to sensitive system information.

Live on npm for 14 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The analyzed source code is primarily a legitimate implementation of the SweetAlert2 modal popup library. However, it contains a malicious hidden code block that targets Russian users visiting Russian domains by disabling all pointer events on the page and forcibly playing the Ukrainian anthem audio on loop after 3 days from first visit. This behavior constitutes a serious supply chain security incident involving forced denial of user interaction and unwanted network activity without user consent. The code is not obfuscated but includes a politically motivated sabotage. Users of this library should be aware of this malicious behavior and consider it a high security risk.

This package runs a local postinstall script (node postinstall.js) which must be inspected before installation. The presence of an npm package named "child_process" in dependencies is a strong red flag (likely malicious or typosquatted) and raises the probability that installation could execute untrusted code, perform telemetry, or perform destructive actions. Do not install or run the package without reviewing postinstall.js and verifying the legitimacy of the "child_process" dependency.

This package exhibits clear malicious behavior by performing unauthorized data collection and transmission. It systematically gathers sensitive system information, user details, and repository data, then transmits this to external servers without user consent. This constitutes a supply chain attack disguised as a build metrics tool, with high privacy violation and security risks.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

The fragment constitutes a broad cross-origin cookie writing mechanism driven by the current page context and an extensive domain map. While not showing explicit exfiltration or remote command/control, the ability to set cookies across many origins—especially with silent error handling and wildcard expansions—presents meaningful privacy and tracking risks. In a supply-chain scenario, this pattern warrants careful review of surrounding code, data sources (hostnamesMap, argsList), and user consent policies before any deployment in production. Treat as potentially harmful and require remediation or explicit consent/validation mechanisms.

This CI configuration contains a high-risk supply-chain anti-pattern: it downloads and executes an external PHAR over unencrypted HTTP with no integrity verification, and runs composer which may execute installer scripts. That grants remote code control over the CI environment and access to repository data and secrets. Remediation: stop executing remotely fetched artifacts; fetch over HTTPS; verify signatures or checksums; pin dependencies and enable composer integrity (lockfiles/hashes); remove sudo: required and limit secret exposure. Treat as potentially dangerous until the fetched artifact and its trust are validated.

The code is malicious: it is a credential-exfiltration/backdoor component that harvests cryptocurrency private keys and other sensitive file contents and sends them to an external Telegram bot. It persists as a detached background Node process and performs anti-forensic deletion of the dropped script. This module should be treated as high risk/malicious. Immediate actions: do not run the package; remove it from any supply chain; if it executed, assume secrets may be compromised — rotate and revoke keys and credentials, inspect systems for spawned background processes and for network traffic to api.telegram.org, and perform a full incident response.

Live on npm for 24 minutes before removal. Socket users were protected even while the package was live.

This module contains high-risk operations: it constructs and executes shell commands using unvalidated inputs (pod_name, local path), disables SSH host key checking, uses a hardcoded private key path, and uses a blunt 'pkill ssh' to unmount. Those behaviors create serious command injection, data-exfiltration, and availability risks. There is no sign of deliberate obfuscation or a hidden backdoor, and the functionality could be legitimate for a trusted environment, but from a supply-chain and deployment-security perspective this module should be treated as dangerous unless deployed only in strictly controlled/trusted environments with careful validation and credential management. Recommended mitigations: validate and sanitize pod_name and paths, avoid shell interpolation (use subprocess with argument lists), require explicit user consent and logging for mounts, avoid disabling StrictHostKeyChecking, avoid pkill and instead track/kill only the created process, and ensure the private key is managed securely.

The code is designed to send sensitive system information to a remote server, which is a significant security risk. This behavior is consistent with malicious activity, specifically data exfiltration.

Live on npm for 1 hour and 5 minutes before removal. Socket users were protected even while the package was live.

This assembly contains a heavily obfuscated runtime loader/packer that reads encrypted embedded data, verifies it, and performs in-memory allocation and execution of code (including modifying process memory and method pointers). These behaviors are not appropriate for a UI validator component and are strong indicators of malicious supply-chain behavior (runtime loader/backdoor). Do not trust or use this package without full provenance verification and code provenance review; treat it as malicious. Recommended actions: remove package, revoke any deployments using it, perform incident response on systems that ran it, and audit repository/package history.

The code intends a standard observability module for runtime errors but is currently riddled with syntax and API misuse that would prevent functioning. There are no explicit malicious behaviors, but there is notable risk related to data leakage of traces and parameters if exports/logs are not restricted. Fixing database initialization, correct SQL calls, and implementing data sanitization would bring this into a functional and securer state. Overall, the security posture remains moderate until syntax/logical issues are resolved.

This file contains a large obfuscated runtime loader/packer that decrypts embedded resources and writes/executess code in process memory using native APIs and dynamic IL generation. That behavior is highly suspicious and matches common patterns for packers/loaders used by malware or backdoors. Treat this package as high risk: if you did not expect runtime-decrypted executable payloads or native JIT-hooking behavior in this dependency, do not use it. Further dynamic analysis (runtime tracing in a safe sandbox) and full repository provenance checks are recommended before trusting this package.

This module performs automated data collection and exfiltration: it downloads videos from arbitrary URLs, processes them into large serialized artifacts, and uploads them to a remote Mega account using hardcoded credentials. Runtime installation of packages and runtime model downloads increase supply-chain risk. Treat this code as malicious or at minimum highly dangerous — do not run it in trusted environments. Remove hardcoded credentials and any automated upload behavior; perform all installs and model downloads explicitly and with user consent; add robust input validation, error handling, and logging; and review any systems where this ran for potential data leakage.

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

The code is obfuscated and performs data exfiltration by sending environment variables to an external server, which is a serious security concern.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

This module contains deliberate, malicious-like behavior: it reads /etc/passwd and prints the last line(s) immediately at module load while exporting innocuous-looking parsing functions to hide the side-effect. Although no network exfiltration is present in the snippet, stdout logging is a realistic exfiltration vector in modern deployment environments. Treat this package as malicious or a high-risk supply-chain backdoor; do not include or require it in production or CI environments. Replace with a trusted library and investigate any systems that have required this package for potential leakage.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

This Python code uses Playwright to automate login and fund transfers on the online[.]mtsdengi[.]ru site. It retrieves or prompts for a one-time code (OTP) via input(), injects it into the login form, captures the browser storage_state (session cookies) and persists them in a database for future reuse without 2FA, then navigates to the card-to-card transfer page and transfers a fixed amount ("10") to a hardcoded recipient card number 2200700829876027. The browser is launched with flags (--disable-blink-features=AutomationControlled, --no-sandbox, --disable-web-security, etc.) to evade automation detection and security controls. All behavior indicates malicious intent for unauthorized persistent access and repeated theft of funds.

The code is a security middleware for an Express application that performs security checks and protects against vulnerabilities. However, there are potential security risks and unused code that need further review and validation.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

The script is not necessarily malicious, but it does involve dubious practices like automated publishing of npm packages and programmatically updating a WordPress site. It is also insecure due to the hardcoding of credentials and the potential misuse of automated npm package publishing.

Live on npm for 53 minutes before removal. Socket users were protected even while the package was live.

The code implements a MITM proxy server with the capability to intercept and modify network traffic. While it can be used for legitimate testing purposes, it poses a significant security risk if used maliciously. The presence of hardcoded values and the ability to bypass TLS verification increase the potential for misuse.

The script is designed to collect and send sensitive system information to a remote server, which poses a significant security risk and indicates malicious intent.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 11 minutes before removal. Socket users were protected even while the package was live.

The code is exfiltrating system information to a remote server without clear user consent. The hardcoded exfiltration URL and potential command injection in the PowerShell script generation pose security risks. There is a medium risk of data leakage and potential for unauthorized access to sensitive system information.

Live on npm for 14 hours and 31 minutes before removal. Socket users were protected even while the package was live.

The analyzed source code is primarily a legitimate implementation of the SweetAlert2 modal popup library. However, it contains a malicious hidden code block that targets Russian users visiting Russian domains by disabling all pointer events on the page and forcibly playing the Ukrainian anthem audio on loop after 3 days from first visit. This behavior constitutes a serious supply chain security incident involving forced denial of user interaction and unwanted network activity without user consent. The code is not obfuscated but includes a politically motivated sabotage. Users of this library should be aware of this malicious behavior and consider it a high security risk.

This package runs a local postinstall script (node postinstall.js) which must be inspected before installation. The presence of an npm package named "child_process" in dependencies is a strong red flag (likely malicious or typosquatted) and raises the probability that installation could execute untrusted code, perform telemetry, or perform destructive actions. Do not install or run the package without reviewing postinstall.js and verifying the legitimacy of the "child_process" dependency.

This package exhibits clear malicious behavior by performing unauthorized data collection and transmission. It systematically gathers sensitive system information, user details, and repository data, then transmits this to external servers without user consent. This constitutes a supply chain attack disguised as a build metrics tool, with high privacy violation and security risks.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

The fragment constitutes a broad cross-origin cookie writing mechanism driven by the current page context and an extensive domain map. While not showing explicit exfiltration or remote command/control, the ability to set cookies across many origins—especially with silent error handling and wildcard expansions—presents meaningful privacy and tracking risks. In a supply-chain scenario, this pattern warrants careful review of surrounding code, data sources (hostnamesMap, argsList), and user consent policies before any deployment in production. Treat as potentially harmful and require remediation or explicit consent/validation mechanisms.

This CI configuration contains a high-risk supply-chain anti-pattern: it downloads and executes an external PHAR over unencrypted HTTP with no integrity verification, and runs composer which may execute installer scripts. That grants remote code control over the CI environment and access to repository data and secrets. Remediation: stop executing remotely fetched artifacts; fetch over HTTPS; verify signatures or checksums; pin dependencies and enable composer integrity (lockfiles/hashes); remove sudo: required and limit secret exposure. Treat as potentially dangerous until the fetched artifact and its trust are validated.

The code is malicious: it is a credential-exfiltration/backdoor component that harvests cryptocurrency private keys and other sensitive file contents and sends them to an external Telegram bot. It persists as a detached background Node process and performs anti-forensic deletion of the dropped script. This module should be treated as high risk/malicious. Immediate actions: do not run the package; remove it from any supply chain; if it executed, assume secrets may be compromised — rotate and revoke keys and credentials, inspect systems for spawned background processes and for network traffic to api.telegram.org, and perform a full incident response.

Live on npm for 24 minutes before removal. Socket users were protected even while the package was live.

This module contains high-risk operations: it constructs and executes shell commands using unvalidated inputs (pod_name, local path), disables SSH host key checking, uses a hardcoded private key path, and uses a blunt 'pkill ssh' to unmount. Those behaviors create serious command injection, data-exfiltration, and availability risks. There is no sign of deliberate obfuscation or a hidden backdoor, and the functionality could be legitimate for a trusted environment, but from a supply-chain and deployment-security perspective this module should be treated as dangerous unless deployed only in strictly controlled/trusted environments with careful validation and credential management. Recommended mitigations: validate and sanitize pod_name and paths, avoid shell interpolation (use subprocess with argument lists), require explicit user consent and logging for mounts, avoid disabling StrictHostKeyChecking, avoid pkill and instead track/kill only the created process, and ensure the private key is managed securely.

The code is designed to send sensitive system information to a remote server, which is a significant security risk. This behavior is consistent with malicious activity, specifically data exfiltration.

Live on npm for 1 hour and 5 minutes before removal. Socket users were protected even while the package was live.

This assembly contains a heavily obfuscated runtime loader/packer that reads encrypted embedded data, verifies it, and performs in-memory allocation and execution of code (including modifying process memory and method pointers). These behaviors are not appropriate for a UI validator component and are strong indicators of malicious supply-chain behavior (runtime loader/backdoor). Do not trust or use this package without full provenance verification and code provenance review; treat it as malicious. Recommended actions: remove package, revoke any deployments using it, perform incident response on systems that ran it, and audit repository/package history.

The code intends a standard observability module for runtime errors but is currently riddled with syntax and API misuse that would prevent functioning. There are no explicit malicious behaviors, but there is notable risk related to data leakage of traces and parameters if exports/logs are not restricted. Fixing database initialization, correct SQL calls, and implementing data sanitization would bring this into a functional and securer state. Overall, the security posture remains moderate until syntax/logical issues are resolved.

This file contains a large obfuscated runtime loader/packer that decrypts embedded resources and writes/executess code in process memory using native APIs and dynamic IL generation. That behavior is highly suspicious and matches common patterns for packers/loaders used by malware or backdoors. Treat this package as high risk: if you did not expect runtime-decrypted executable payloads or native JIT-hooking behavior in this dependency, do not use it. Further dynamic analysis (runtime tracing in a safe sandbox) and full repository provenance checks are recommended before trusting this package.

This module performs automated data collection and exfiltration: it downloads videos from arbitrary URLs, processes them into large serialized artifacts, and uploads them to a remote Mega account using hardcoded credentials. Runtime installation of packages and runtime model downloads increase supply-chain risk. Treat this code as malicious or at minimum highly dangerous — do not run it in trusted environments. Remove hardcoded credentials and any automated upload behavior; perform all installs and model downloads explicitly and with user consent; add robust input validation, error handling, and logging; and review any systems where this ran for potential data leakage.

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

The code is obfuscated and performs data exfiltration by sending environment variables to an external server, which is a serious security concern.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

This module contains deliberate, malicious-like behavior: it reads /etc/passwd and prints the last line(s) immediately at module load while exporting innocuous-looking parsing functions to hide the side-effect. Although no network exfiltration is present in the snippet, stdout logging is a realistic exfiltration vector in modern deployment environments. Treat this package as malicious or a high-risk supply-chain backdoor; do not include or require it in production or CI environments. Replace with a trusted library and investigate any systems that have required this package for potential leakage.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

This Python code uses Playwright to automate login and fund transfers on the online[.]mtsdengi[.]ru site. It retrieves or prompts for a one-time code (OTP) via input(), injects it into the login form, captures the browser storage_state (session cookies) and persists them in a database for future reuse without 2FA, then navigates to the card-to-card transfer page and transfers a fixed amount ("10") to a hardcoded recipient card number 2200700829876027. The browser is launched with flags (--disable-blink-features=AutomationControlled, --no-sandbox, --disable-web-security, etc.) to evade automation detection and security controls. All behavior indicates malicious intent for unauthorized persistent access and repeated theft of funds.