
Security News
Feross on the 10 Minutes or Less Podcast: Nobody Reads the Code
Socket CEO Feross Aboukhadijeh joins 10 Minutes or Less, a podcast by Ali Rohde, to discuss the recent surge in open source supply chain attacks.
Quickly evaluate the security and health of any open source package.
cylab-be/webshell-detector
1.0.1
Live on composer
Blocked by Socket
This file is a web shell / malicious file-manager backdoor. It exposes unrestricted filesystem read/write/delete, file upload, permission changes, and server info disclosure, all controllable via HTTP parameters. The use of extract() on request data and lack of authentication make it trivial for an attacker to upload a PHP web shell or overwrite critical files and to delete large parts of the filesystem. Do not deploy; treat as compromise artifact, remove immediately, and investigate attacker access.
sweetalert2
11.15.3
by limonte
Live on npm
Blocked by Socket
The provided code is largely the SweetAlert2 UI library, but contains a clearly malicious/abusive snippet that targets visitors with Russian locales and hosts in Russian TLDs. That snippet persists a timestamp in localStorage and (after >3 days) disables user interaction on the page and attempts to autoplay an externally hosted audio file (Ukrainian anthem) — a targeted, disruptive action. This is malicious and inappropriate for a third-party dependency. I recommend not using this package version and treating it as a supply-chain compromise or intentional sabotage; replace it with a clean, audited version from a trusted source or pin to a known-good commit.
synner
0.1.1
Live on cargo
Blocked by Socket
This manifest declares a crate whose intended purpose is to perform TCP SYN flood attacks (a denial-of-service tool). The file itself contains only metadata and no executable code, so it does not show code-level malware patterns, but the package's stated functionality is malicious/abusive by design and poses a high security risk if used. Recommend treating this package as potentially harmful and avoid including it in projects unless you explicitly require such functionality and understand legal/ethical implications.
solidity-compile-deploy
1.0.0
by techdev-loop
Live on npm
Blocked by Socket
The snippet exfiltrates potentially sensitive environment data to an external Redis instance using a hardcoded credentialized URL and unfiltered process.env dump. This constitutes a severe security risk and potential backdoor-like data leakage. Recommendations include removing hardcoded credentials, avoiding dumping process.env wholesale, implementing explicit data minimization, and configuring secure, auditable deployment processes.
washington-redskins-jersey-free006
1.0.2
by sicrap
Removed from npm
Blocked by Socket
The code poses a significant security risk and should be reviewed. It is recommended to remove unnecessary imports, verify the contents of the data folder and the WordPress websites before proceeding, and avoid using hardcoded credentials for WordPress login.
Live on npm for 27 minutes before removal. Socket users were protected even while the package was live.
github.com/sourcegraph/sourcegraph
v0.0.0-20210527154817-77193dec2dac
Live on go
Blocked by Socket
This module is a deliberate destructive utility that corrupts all .zip files in a specified directory by truncating each archive to half its size and appending repeated junk data. While it lacks common malware features like networking or data exfiltration, the behavior is strongly indicative of sabotage and would be unacceptable in most software supply-chain contexts due to its potential to break builds, deployments, or artifact integrity.
stormbreaker-shade
9999.0.3
by ctfsolve9z
Live on npm
Blocked by Socket
This file is malicious: it actively searches the filesystem and environment for secrets (specifically tokens matching HTB{...}), enumerates network and processes, and exfiltrates collected data to an external webhook (webhook.site). It also tries to inject a crafted manifest via HTTP PUT to local services. This behavior is data-theft / espionage and possibly an exploitation/post-compromise tool. Do not run or include this module in production. Remediate by removing the package, rotating any exposed secrets, and investigating hosts where this ran.
react-ecosistema-unp
1.9.6
Live on npm
Blocked by Socket
This code is a browser fingerprinting library (collecting canvas, WebGL, audio, font, DOM, and many other signals) to compute a visitorId. It is not exhibiting classic malware behaviors (no remote shells, no credential leaks to arbitrary endpoints, no system command execution). However it is privacy-invasive by design: it builds a persistent identifier from many device/browser signals and performs hidden DOM/audio/canvas measurements. The only network activity visible is an occasional telemetry GET to an openfpcdn.io monitoring path; the fragment does not show exfiltration of collected fingerprint components. If you are evaluating for supply-chain safety: the module is not malware but it poses significant privacy/tracking risk and should be treated accordingly in contexts where fingerprinting is unacceptable.
@ndaxio/web-client
0.0.30
by stanislau.d
Live on npm
Blocked by Socket
The fragment exhibits high-risk indicators: heavily obfuscated/packed payload blocks embedded with numerous external-endpoint references, suggesting potential remote code loading, data exfiltration, or covert configuration fetched at runtime. The visible AuthService methods themselves align with normal patterns, but the surrounding content warrants immediate containment, deep static/dynamic analysis, and likely removal from production builds until proven benign. Recommend isolating, auditing, or replacing with a clean, well-documented implementation.
reasoning-deployment-service
0.3.6
Live on pypi
Blocked by Socket
This module intentionally performs high-risk operations: installing user-specified packages, staging and uploading local code, and executing the agent module in-process. If the provided agent code or requirements are untrusted, they can execute arbitrary actions (data access, exfiltration, spawning processes, network calls). The code is not itself obfuscated or clearly malicious, but it provides functionality that can be abused as a supply-chain or remote-execution vector. Recommendations: only run this with trusted agent code and vetted requirements; avoid executing untrusted modules in-process; consider performing static checks, running the agent code inside a strongly isolated sandbox/container, and preventing upload of sensitive files beyond the explicit excludes.
magicwolf
1.1.8
Removed from pypi
Blocked by Socket
This code exhibits multiple clear malicious behaviors: it fetches remote payloads (over HTTP and via curl), hides targets via base64, executes remote code directly (curl ... | zsh) and runs downloaded executables on Windows, attempts to escalate to administrator privileges, and posts telemetry to attacker-controlled endpoints. It matches a dropper/backdoor pattern and should be treated as malicious and high risk. Do not run this code; if observed in a dependency, remove and investigate.
Live on pypi for 6 hours and 11 minutes before removal. Socket users were protected even while the package was live.
fray
3.5.116
Live on pypi
Blocked by Socket
The JSON is an explicit catalog of attack payloads and modern WAF evasion techniques. It contains many payloads that would enable data exfiltration, server-side command execution (SSTI, PHP system), SSRF via DNS rebinding, XSS, and client-side WASM exploitation. As content, it is offensive in nature and poses a high security risk if executed or used against systems without authorization. It should only be stored and used in controlled, authorized testing environments and not included in production dependencies or shipped to untrusted environments.
mlinfra
0.0.21
Live on pypi
Blocked by Socket
The script does not exhibit malicious intent, but it poses significant security risks due to the lack of validation and verification steps, open network bindings, and potential command injection vulnerabilities. It is recommended to add checksum verification for downloaded binaries, validate and sanitize environment variables, and restrict network access to the services.
backslash-security/scan-action
17c9b57c71f1cf7ea9a4886370e46fd96d7aa40e
Live on actions
Blocked by Socket
The code downloads and executes a remote script from a fixed external URL and passes sensitive inputs (authToken and repository context) as command-line arguments. This creates a high-risk supply-chain and runtime threat: remote code execution, potential credential exposure, and lack of integrity verification. It should be considered unsafe in secure environments. Mitigations include removing remote execution, embedding necessary logic securely, using signed artifacts, and avoiding tokens in command-line arguments. If remote execution cannot be eliminated, implement stringent integrity checks, input validation/escaping, isolated execution, and minimize exposure of secrets.
adug
23.4.58
by pkadug
Live on npm
Blocked by Socket
The code exhibits high-risk behavior by dynamically loading and executing remote scripts from hardcoded IP addresses, enabling arbitrary code execution from potentially malicious servers. This is a strong indicator of malicious intent or a severe supply chain security risk. The code is not heavily obfuscated but uses simple shuffling and repeated IPs to select the remote source. It should be considered malicious and avoided or removed from any software supply chain.
avocado-framework-plugin-vt
83.0
Live on pypi
Blocked by Socket
The script performs various system-level operations including process killing, network checking, logging, and extensive registry modifications, some of which disable crash reporting and configure system reboots. It also includes an external script for automatic execution. These operations indicate a high potential for misuse or malicious intent, particularly in disabling error reporting and forcing system reboots. Without more context, these actions pose significant security risks.
clawbench-eval
0.1.1
Live on pypi
Blocked by Socket
This module functions as a high-fidelity interaction capture component: it globally listens for keyboard and form/input-related events, captures e.key and input values (with minimal truncation rather than redaction), enriches events with DOM text and computed XPath identifiers, and sends all data to a Chrome extension via runtime messaging, along with page URL/title. While no external networking is shown here, the collected data types are highly sensitive and the behavior strongly aligns with keylogging/form-data harvesting use cases. The receiving extension logic and declared permissions should be reviewed urgently for consent, scope, minimization, and any external exfiltration.
@nomicsfoundation/sdk-test
0.0.15
by nomicsfoundation
Live on npm
Blocked by Socket
The code presents potential security risks due to the handling of sensitive information and the transmission of encrypted data to an external server. The function 'exports.hello' is particularly concerning as it logs and sends potentially sensitive data, which could lead to data leakage or unauthorized access.
shancx
1.8.57
Removed from pypi
Blocked by Socket
The code exhibits several security risks, particularly in the sendEmail function which could lead to data exfiltration. The presence of hardcoded values and lack of input validation raises concerns about potential malicious behavior. Overall, the code should be reviewed and modified to mitigate these risks.
Live on pypi for 4 hours and 14 minutes before removal. Socket users were protected even while the package was live.
github.com/gravitl/netmaker
v0.8.1-0.20211003200231-ea0e0a324491
Live on go
Blocked by Socket
Best matching report: Report 3 (most complete and correctly identifies the disruption/uninstall pattern). The improved assessment is that this snippet is a high-impact, unguarded teardown script that deletes systemd unit definitions and application configuration, removes specific network interfaces, and stops/removes containers and persistent Docker volumes. That strongly endangers availability and data integrity in a supply-chain context, but the fragment alone does not prove credential theft/exfiltration; therefore malware intent is not certain, though security risk is very high.
mythic-container
0.2.5
Live on pypi
Blocked by Socket
The code presents several potential security risks and suggests the intent of managing a C2 server, which could be used for malicious purposes. Specifically, the handling of subprocesses with shell=True, the lack of proper input validation, and the exposure of sensitive file operations could facilitate unauthorized actions and access to sensitive data. Therefore, this code should be treated with caution and likely indicates malicious intent in its context.
354766/mengbo/mengbo-skills/mcp-to-skill/
ed5440a8720414718230eb363f16c2b766d9c8e2
Live on socket
Blocked by Socket
[Skill Scanner] Instruction to copy/paste content into terminal detected All findings: [CRITICAL] command_injection: Instruction to copy/paste content into terminal detected (CI012) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] The workflow and helper-script approach accomplish the intended conversion goal but include multiple supply-chain and operational security concerns: unpinned npx usage (automatic remote code execution), substitution and persistence of environment-variable secrets to disk without secure handling, and explicit guidance to execute commands directly without prior confirmation. These make accidental or intentional secret exposure and unintended network actions more likely. I do not see explicit malicious code in the provided material, but prior to running this workflow in sensitive environments you should: (1) inspect and pin the mcp-to-skill package and its dependencies, (2) review the exact exec-with-env.sh implementation for unsafe shell usage or exfiltration, (3) avoid writing plaintext secrets to persistent locations (use in-memory substitution or secure temporary files and immediately scrub), (4) prefer an explicit confirmation step before executing tool commands that may contact external endpoints, and (5) run generation/execution in an isolated environment or CI with limited privileges. LLM verification: This skill performs functionality that is consistent with converting MCP configs into agent skills, but it carries non-trivial supply-chain and secret-exfiltration risks. Major concerns: use of npx -y (un pinned, auto-download-and-execute), the design to resolve and inject host environment variables into generated configs and then directly execute external tools, and the explicit guidance to 'execute directly' without user confirmation. Without seeing exec-with-env.sh content, it's impossible to
modelaudit
0.2.23
Live on pypi
Blocked by Socket
This script intentionally creates pickle files containing nested pickled objects that will execute a callable when unpickled (via a __reduce__ implementation). It demonstrates a known dangerous pattern: embedding executable serialized objects inside seemingly legitimate artifacts (raw bytes, base64, hex, multi-stage). The generator itself performs only local file writes and does not execute harmful system commands here, but the produced artifacts are dangerous: unpickling them (or decoding embedded strings and unpickling/executing them) leads to arbitrary code execution. Treat files produced by this script as malicious attack samples; do not unpickle them in untrusted contexts.
taniyadidipro
9.9.9
by kartiikeyvinayak
Removed from npm
Blocked by Socket
The provided source code exhibits clear signs of malicious behavior, including data exfiltration and connecting to suspicious domains. The actions taken by the code pose a significant security risk.
Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.
cylab-be/webshell-detector
1.0.1
Live on composer
Blocked by Socket
This file is a web shell / malicious file-manager backdoor. It exposes unrestricted filesystem read/write/delete, file upload, permission changes, and server info disclosure, all controllable via HTTP parameters. The use of extract() on request data and lack of authentication make it trivial for an attacker to upload a PHP web shell or overwrite critical files and to delete large parts of the filesystem. Do not deploy; treat as compromise artifact, remove immediately, and investigate attacker access.
sweetalert2
11.15.3
by limonte
Live on npm
Blocked by Socket
The provided code is largely the SweetAlert2 UI library, but contains a clearly malicious/abusive snippet that targets visitors with Russian locales and hosts in Russian TLDs. That snippet persists a timestamp in localStorage and (after >3 days) disables user interaction on the page and attempts to autoplay an externally hosted audio file (Ukrainian anthem) — a targeted, disruptive action. This is malicious and inappropriate for a third-party dependency. I recommend not using this package version and treating it as a supply-chain compromise or intentional sabotage; replace it with a clean, audited version from a trusted source or pin to a known-good commit.
synner
0.1.1
Live on cargo
Blocked by Socket
This manifest declares a crate whose intended purpose is to perform TCP SYN flood attacks (a denial-of-service tool). The file itself contains only metadata and no executable code, so it does not show code-level malware patterns, but the package's stated functionality is malicious/abusive by design and poses a high security risk if used. Recommend treating this package as potentially harmful and avoid including it in projects unless you explicitly require such functionality and understand legal/ethical implications.
solidity-compile-deploy
1.0.0
by techdev-loop
Live on npm
Blocked by Socket
The snippet exfiltrates potentially sensitive environment data to an external Redis instance using a hardcoded credentialized URL and unfiltered process.env dump. This constitutes a severe security risk and potential backdoor-like data leakage. Recommendations include removing hardcoded credentials, avoiding dumping process.env wholesale, implementing explicit data minimization, and configuring secure, auditable deployment processes.
washington-redskins-jersey-free006
1.0.2
by sicrap
Removed from npm
Blocked by Socket
The code poses a significant security risk and should be reviewed. It is recommended to remove unnecessary imports, verify the contents of the data folder and the WordPress websites before proceeding, and avoid using hardcoded credentials for WordPress login.
Live on npm for 27 minutes before removal. Socket users were protected even while the package was live.
github.com/sourcegraph/sourcegraph
v0.0.0-20210527154817-77193dec2dac
Live on go
Blocked by Socket
This module is a deliberate destructive utility that corrupts all .zip files in a specified directory by truncating each archive to half its size and appending repeated junk data. While it lacks common malware features like networking or data exfiltration, the behavior is strongly indicative of sabotage and would be unacceptable in most software supply-chain contexts due to its potential to break builds, deployments, or artifact integrity.
stormbreaker-shade
9999.0.3
by ctfsolve9z
Live on npm
Blocked by Socket
This file is malicious: it actively searches the filesystem and environment for secrets (specifically tokens matching HTB{...}), enumerates network and processes, and exfiltrates collected data to an external webhook (webhook.site). It also tries to inject a crafted manifest via HTTP PUT to local services. This behavior is data-theft / espionage and possibly an exploitation/post-compromise tool. Do not run or include this module in production. Remediate by removing the package, rotating any exposed secrets, and investigating hosts where this ran.
react-ecosistema-unp
1.9.6
Live on npm
Blocked by Socket
This code is a browser fingerprinting library (collecting canvas, WebGL, audio, font, DOM, and many other signals) to compute a visitorId. It is not exhibiting classic malware behaviors (no remote shells, no credential leaks to arbitrary endpoints, no system command execution). However it is privacy-invasive by design: it builds a persistent identifier from many device/browser signals and performs hidden DOM/audio/canvas measurements. The only network activity visible is an occasional telemetry GET to an openfpcdn.io monitoring path; the fragment does not show exfiltration of collected fingerprint components. If you are evaluating for supply-chain safety: the module is not malware but it poses significant privacy/tracking risk and should be treated accordingly in contexts where fingerprinting is unacceptable.
@ndaxio/web-client
0.0.30
by stanislau.d
Live on npm
Blocked by Socket
The fragment exhibits high-risk indicators: heavily obfuscated/packed payload blocks embedded with numerous external-endpoint references, suggesting potential remote code loading, data exfiltration, or covert configuration fetched at runtime. The visible AuthService methods themselves align with normal patterns, but the surrounding content warrants immediate containment, deep static/dynamic analysis, and likely removal from production builds until proven benign. Recommend isolating, auditing, or replacing with a clean, well-documented implementation.
reasoning-deployment-service
0.3.6
Live on pypi
Blocked by Socket
This module intentionally performs high-risk operations: installing user-specified packages, staging and uploading local code, and executing the agent module in-process. If the provided agent code or requirements are untrusted, they can execute arbitrary actions (data access, exfiltration, spawning processes, network calls). The code is not itself obfuscated or clearly malicious, but it provides functionality that can be abused as a supply-chain or remote-execution vector. Recommendations: only run this with trusted agent code and vetted requirements; avoid executing untrusted modules in-process; consider performing static checks, running the agent code inside a strongly isolated sandbox/container, and preventing upload of sensitive files beyond the explicit excludes.
magicwolf
1.1.8
Removed from pypi
Blocked by Socket
This code exhibits multiple clear malicious behaviors: it fetches remote payloads (over HTTP and via curl), hides targets via base64, executes remote code directly (curl ... | zsh) and runs downloaded executables on Windows, attempts to escalate to administrator privileges, and posts telemetry to attacker-controlled endpoints. It matches a dropper/backdoor pattern and should be treated as malicious and high risk. Do not run this code; if observed in a dependency, remove and investigate.
Live on pypi for 6 hours and 11 minutes before removal. Socket users were protected even while the package was live.
fray
3.5.116
Live on pypi
Blocked by Socket
The JSON is an explicit catalog of attack payloads and modern WAF evasion techniques. It contains many payloads that would enable data exfiltration, server-side command execution (SSTI, PHP system), SSRF via DNS rebinding, XSS, and client-side WASM exploitation. As content, it is offensive in nature and poses a high security risk if executed or used against systems without authorization. It should only be stored and used in controlled, authorized testing environments and not included in production dependencies or shipped to untrusted environments.
mlinfra
0.0.21
Live on pypi
Blocked by Socket
The script does not exhibit malicious intent, but it poses significant security risks due to the lack of validation and verification steps, open network bindings, and potential command injection vulnerabilities. It is recommended to add checksum verification for downloaded binaries, validate and sanitize environment variables, and restrict network access to the services.
backslash-security/scan-action
17c9b57c71f1cf7ea9a4886370e46fd96d7aa40e
Live on actions
Blocked by Socket
The code downloads and executes a remote script from a fixed external URL and passes sensitive inputs (authToken and repository context) as command-line arguments. This creates a high-risk supply-chain and runtime threat: remote code execution, potential credential exposure, and lack of integrity verification. It should be considered unsafe in secure environments. Mitigations include removing remote execution, embedding necessary logic securely, using signed artifacts, and avoiding tokens in command-line arguments. If remote execution cannot be eliminated, implement stringent integrity checks, input validation/escaping, isolated execution, and minimize exposure of secrets.
adug
23.4.58
by pkadug
Live on npm
Blocked by Socket
The code exhibits high-risk behavior by dynamically loading and executing remote scripts from hardcoded IP addresses, enabling arbitrary code execution from potentially malicious servers. This is a strong indicator of malicious intent or a severe supply chain security risk. The code is not heavily obfuscated but uses simple shuffling and repeated IPs to select the remote source. It should be considered malicious and avoided or removed from any software supply chain.
avocado-framework-plugin-vt
83.0
Live on pypi
Blocked by Socket
The script performs various system-level operations including process killing, network checking, logging, and extensive registry modifications, some of which disable crash reporting and configure system reboots. It also includes an external script for automatic execution. These operations indicate a high potential for misuse or malicious intent, particularly in disabling error reporting and forcing system reboots. Without more context, these actions pose significant security risks.
clawbench-eval
0.1.1
Live on pypi
Blocked by Socket
This module functions as a high-fidelity interaction capture component: it globally listens for keyboard and form/input-related events, captures e.key and input values (with minimal truncation rather than redaction), enriches events with DOM text and computed XPath identifiers, and sends all data to a Chrome extension via runtime messaging, along with page URL/title. While no external networking is shown here, the collected data types are highly sensitive and the behavior strongly aligns with keylogging/form-data harvesting use cases. The receiving extension logic and declared permissions should be reviewed urgently for consent, scope, minimization, and any external exfiltration.
@nomicsfoundation/sdk-test
0.0.15
by nomicsfoundation
Live on npm
Blocked by Socket
The code presents potential security risks due to the handling of sensitive information and the transmission of encrypted data to an external server. The function 'exports.hello' is particularly concerning as it logs and sends potentially sensitive data, which could lead to data leakage or unauthorized access.
shancx
1.8.57
Removed from pypi
Blocked by Socket
The code exhibits several security risks, particularly in the sendEmail function which could lead to data exfiltration. The presence of hardcoded values and lack of input validation raises concerns about potential malicious behavior. Overall, the code should be reviewed and modified to mitigate these risks.
Live on pypi for 4 hours and 14 minutes before removal. Socket users were protected even while the package was live.
github.com/gravitl/netmaker
v0.8.1-0.20211003200231-ea0e0a324491
Live on go
Blocked by Socket
Best matching report: Report 3 (most complete and correctly identifies the disruption/uninstall pattern). The improved assessment is that this snippet is a high-impact, unguarded teardown script that deletes systemd unit definitions and application configuration, removes specific network interfaces, and stops/removes containers and persistent Docker volumes. That strongly endangers availability and data integrity in a supply-chain context, but the fragment alone does not prove credential theft/exfiltration; therefore malware intent is not certain, though security risk is very high.
mythic-container
0.2.5
Live on pypi
Blocked by Socket
The code presents several potential security risks and suggests the intent of managing a C2 server, which could be used for malicious purposes. Specifically, the handling of subprocesses with shell=True, the lack of proper input validation, and the exposure of sensitive file operations could facilitate unauthorized actions and access to sensitive data. Therefore, this code should be treated with caution and likely indicates malicious intent in its context.
354766/mengbo/mengbo-skills/mcp-to-skill/
ed5440a8720414718230eb363f16c2b766d9c8e2
Live on socket
Blocked by Socket
[Skill Scanner] Instruction to copy/paste content into terminal detected All findings: [CRITICAL] command_injection: Instruction to copy/paste content into terminal detected (CI012) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] The workflow and helper-script approach accomplish the intended conversion goal but include multiple supply-chain and operational security concerns: unpinned npx usage (automatic remote code execution), substitution and persistence of environment-variable secrets to disk without secure handling, and explicit guidance to execute commands directly without prior confirmation. These make accidental or intentional secret exposure and unintended network actions more likely. I do not see explicit malicious code in the provided material, but prior to running this workflow in sensitive environments you should: (1) inspect and pin the mcp-to-skill package and its dependencies, (2) review the exact exec-with-env.sh implementation for unsafe shell usage or exfiltration, (3) avoid writing plaintext secrets to persistent locations (use in-memory substitution or secure temporary files and immediately scrub), (4) prefer an explicit confirmation step before executing tool commands that may contact external endpoints, and (5) run generation/execution in an isolated environment or CI with limited privileges. LLM verification: This skill performs functionality that is consistent with converting MCP configs into agent skills, but it carries non-trivial supply-chain and secret-exfiltration risks. Major concerns: use of npx -y (un pinned, auto-download-and-execute), the design to resolve and inject host environment variables into generated configs and then directly execute external tools, and the explicit guidance to 'execute directly' without user confirmation. Without seeing exec-with-env.sh content, it's impossible to
modelaudit
0.2.23
Live on pypi
Blocked by Socket
This script intentionally creates pickle files containing nested pickled objects that will execute a callable when unpickled (via a __reduce__ implementation). It demonstrates a known dangerous pattern: embedding executable serialized objects inside seemingly legitimate artifacts (raw bytes, base64, hex, multi-stage). The generator itself performs only local file writes and does not execute harmful system commands here, but the produced artifacts are dangerous: unpickling them (or decoding embedded strings and unpickling/executing them) leads to arbitrary code execution. Treat files produced by this script as malicious attack samples; do not unpickle them in untrusted contexts.
taniyadidipro
9.9.9
by kartiikeyvinayak
Removed from npm
Blocked by Socket
The provided source code exhibits clear signs of malicious behavior, including data exfiltration and connecting to suspicious domains. The actions taken by the code pose a significant security risk.
Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.
Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.
Possible typosquat attack
Known malware
Unstable ownership
Git dependency
GitHub dependency
AI-detected potential malware
HTTP dependency
Obfuscated code
Skill: Pre-execution shell command
Suspicious Stars on GitHub
Critical CVE
High CVE
Medium CVE
Low CVE
Unpopular package
Minified code
Bad dependency semver
Wildcard dependency
Socket optimized override available
Deprecated
Unmaintained
Explicitly Unlicensed Item
License Policy Violation
Misc. License Issues
Ambiguous License Classifier
Copyleft License
License exception
No License Found
Non-permissive License
Unidentified License
Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.
Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Nat Friedman
CEO at GitHub

Suz Hinton
Senior Software Engineer at Stripe
heck yes this is awesome!!! Congrats team 🎉👏

Matteo Collina
Node.js maintainer, Fastify lead maintainer
So awesome to see @SocketSecurity launch with a fresh approach! Excited to have supported the team from the early days.

DC Posch
Director of Technology at AppFolio, CTO at Dynasty
This is going to be super important, especially for crypto projects where a compromised dependency results in stolen user assets.

Luis Naranjo
Software Engineer at Microsoft
If software supply chain attacks through npm don't scare the shit out of you, you're not paying close enough attention.
@SocketSecurity sounds like an awesome product. I'll be using socket.dev instead of npmjs.org to browse npm packages going forward

Elena Nadolinski
Founder and CEO at Iron Fish
Huge congrats to @SocketSecurity! 🙌
Literally the only product that proactively detects signs of JS compromised packages.

Joe Previte
Engineering Team Lead at Coder
Congrats to @feross and the @SocketSecurity team on their seed funding! 🚀 It's been a big help for us at @CoderHQ and we appreciate what y'all are doing!

Josh Goldberg
Staff Developer at Codecademy
This is such a great idea & looks fantastic, congrats & good luck @feross + team!
The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Scott Roberts
CISO at UiPath
As a happy Socket customer, I've been impressed with how quickly they are adding value to the product, this move is a great step!

Yan Zhu
Head of Security at Brave, DEFCON, EFF, W3C
glad to hear some of the smartest people i know are working on (npm, etc.) supply chain security finally :). @SocketSecurity

Andrew Peterson
CEO and Co-Founder at Signal Sciences (acq. Fastly)
How do you track the validity of open source software libraries as they get updated? You're prob not. Check out @SocketSecurity and the updated tooling they launched.
Supply chain is a cluster in security as we all know and the tools from Socket are "duh" type tools to be implementing. Check them out and follow Feross Aboukhadijeh to see more updates coming from them in the future.

Zbyszek Tenerowicz
Senior Security Engineer at ConsenSys
socket.dev is getting more appealing by the hour

Devdatta Akhawe
Head of Security at Figma
The @SocketSecurity team is on fire! Amazing progress and I am exciting to see where they go next.

Sebastian Bensusan
Engineer Manager at Stripe
I find it surprising that we don't have _more_ supply chain attacks in software:
Imagine your airplane (the code running) was assembled (deployed) daily, with parts (dependencies) from internet strangers. How long until you get a bad part?
Excited for Socket to prevent this

Adam Baldwin
VP of Security at npm, Red Team at Auth0/Okta
Congrats to everyone at @SocketSecurity ❤️🤘🏻

Nico Waisman
CISO at Lyft
This is an area that I have personally been very focused on. As Nat Friedman said in the 2019 GitHub Universe keynote, Open Source won, and every time you add a new open source project you rely on someone else code and you rely on the people that build it.
This is both exciting and problematic. You are bringing real risk into your organization, and I'm excited to see progress in the industry from OpenSSF scorecards and package analyzers to the company that Feross Aboukhadijeh is building!
Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.
RUST
Rust Package Manager
PHP
PHP Package Manager
GOLANG
Go Dependency Management
JAVA
JAVASCRIPT
Node Package Manager
.NET
.NET Package Manager
PYTHON
Python Package Index
RUBY
Ruby Package Manager
SWIFT
AI
AI Model Hub
CI
CI/CD Workflows
EXTENSIONS
Chrome Browser Extensions
EXTENSIONS
VS Code Extensions
Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.
Nov 23, 2025
Shai Hulud v2
Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.
Nov 05, 2025
Elves on npm
A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.
Jul 04, 2025
RubyGems Automation-Tool Infostealer
Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.
Mar 13, 2025
North Korea's Contagious Interview Campaign
Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.
Jul 23, 2024
Network Reconnaissance Campaign
A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
Get our latest security research, open source insights, and product updates.

Security News
Socket CEO Feross Aboukhadijeh joins 10 Minutes or Less, a podcast by Ali Rohde, to discuss the recent surge in open source supply chain attacks.

Research
/Security News
Campaign of 108 extensions harvests identities, steals sessions, and adds backdoors to browsers, all tied to the same C2 infrastructure.

Security News
OpenAI rotated macOS signing certificates after a malicious Axios package reached its CI pipeline in a broader software supply chain attack.