Secure your dependencies. Ship with confidence.

This module is a high-risk dynamic loader. It unconditionally reads a Python source file from a hardcoded UNC network share and executes it via exec, while also manipulating sys.path to influence subsequent imports. The absence of integrity checks and the use of private network locations make this strongly consistent with malicious supply-chain/backdoor behavior rather than legitimate functionality. Treat as critical and block/inspect the referenced network content and the environment for compromise.

This module is a heavily obfuscated email automation component that crafts OAuth/security-alert style messages (Google/Microsoft themed) and forwards/sends them to attacker-specified recipients via Nodemailer SMTP transports. It includes fallback SMTP credentials/host details, and message bodies/headers are shaped to resemble legitimate security notices—strongly consistent with phishing/social-engineering or deception tooling. While the snippet does not show system compromise primitives (e.g., file tampering or direct data theft), the outbound forged-message capability is itself a significant supply-chain security risk.

This module is a full CPU cryptomining client (Stratum subscription/authorization, continuous nonce scanning, and mining.submit share submission). From a supply-chain perspective, it presents a high likelihood of malicious/unwanted behavior when embedded in non-mining software due to sustained resource abuse and network communications to external mining infrastructure. Within this snippet, there is no clear evidence of stealth, credential theft, persistence, reverse shells, or arbitrary data exfiltration beyond sending mining protocol messages and polling pool status; the primary risk is the explicit mining workflow and its operational impact, plus a minor supply-chain surface via the optional mining.template_block import.

This module is not a benign library component; it functions as an execution harness that enables attacker-controlled arbitrary code execution via exec(Code), with optional arbitrary filesystem reads through a '/lob/' mechanism. Because the executed code can define the model class and control model.fit(), it can also influence what is serialized and emitted to stdout. The presence of pickle output further increases downstream risk if artifacts are ever deserialized unsafely. Treat this component as critically unsafe unless the code input is cryptographically verified and executed inside a hardened sandbox with strict egress/file restrictions.

This module is highly suspicious and should be treated as high risk. It performs local reconnaissance (project file enumeration and .env key metadata), transmits that context plus error logs to a third-party LLM, then executes shell commands directly from the LLM response using subprocess with shell=True. Even with a user confirmation prompt, the untrusted-network-to-arbitrary-shell-execution path creates a strong supply-chain/host-compromise risk. Additional context (definition/constraints around `command`, cache write behavior, and Typer wiring) is missing, but the core malicious-risk indicators are clear from the provided code.

This code performs a covert, load-time outbound HTTPS request to a hardcoded external endpoint and includes the local package name in the request query string. The absence of any meaningful module behavior, combined with silent error suppression and no response handling, is strongly indicative of tracking/fingerprinting/probing rather than legitimate functionality. In a supply-chain setting, this should be reviewed and likely blocked.

High-risk security finding: this module enables arbitrary OS command execution using cmd.exe /c or /bin/sh -c with a command string taken directly from externally loaded JSON configuration. There is no allowlist/sanitization/sandboxing. If an attacker can modify or influence the hooks file or its contents (a plausible supply-chain/configuration compromise scenario), they can trigger pre/post tool execution of arbitrary commands within the host process. No explicit credential theft/exfiltration is shown in this fragment, but the command-execution capability alone warrants strict review and controls.

The code contains a critical supply-chain RCE pattern: it fetches JavaScript from an external public CDN (unpkg.com) at runtime and executes it using eval() to populate globalThis.use. This enables arbitrary code execution if the remote content is compromised or swapped, representing a strong malicious/backdooring risk. Additional risk comes from running qwen via sh -lc with dynamically built command strings and from repository-mutation features (auto-commit/push).

This module is primarily an autostart/persistence installer for macOS LaunchAgents. It persistently launches `npx -y antigravity-gemini-bridge@latest`, meaning it can retrieve and execute an unpinned remote package at runtime—an elevated supply-chain risk. It also interpolates `projectPath` directly into the generated plist XML and launch arguments without escaping/validation, which could enable configuration/argument manipulation if the input is attacker-controlled. No explicit data theft or network exfiltration is present in this fragment, but the persistence + `@latest` execution pattern warrants security review and pinning/hardening.

This module is strongly adversarial and unsuitable for inclusion as a general-purpose dependency without a very clear, tightly scoped justification. It performs browser-context code injection and execution via CDP (including CSP bypass), selectively forges network responses for specific routes, and implements a covert base64 command channel via browser console messages to drive further automated actions. It also includes self-management/sabotage-style hooks (stop/kill node.exe; detached respawn) and suppresses runtime error reporting, increasing stealth. The snippet references several external functions/values not shown (SOLVER_SCRIPT, enqueueTask/typeText, CDP_PORT, launchBrowser), so intent beyond the shown capabilities cannot be fully confirmed, but the observed behaviors are highly consistent with malicious or cheating/automation tooling.

High risk. This module performs a runtime network fetch of JavaScript from a public CDN and executes it via eval to set a global loader used for command execution primitives. That is a critical supply-chain/RCE pattern with the potential for full compromise. Additionally, it configures broad agent permissions (opencode.json), passes process.env to an external tool, executes shell-like pipelines via a dynamically sourced command-stream helper, and logs raw untrusted subprocess output (potential sensitive data exposure).

This code is a dropper/launcher: it downloads a hardcoded .exe from a remote server, writes it to the system temp directory, executes it via child_process.exec using start/open semantics, and then deletes the dropped file shortly after. The absence of integrity checks and the execution of remote content make malicious intent highly likely.

This module is primarily an autostart/persistence installer for macOS LaunchAgents. It persistently launches `npx -y antigravity-gemini-bridge@latest`, meaning it can retrieve and execute an unpinned remote package at runtime—an elevated supply-chain risk. It also interpolates `projectPath` directly into the generated plist XML and launch arguments without escaping/validation, which could enable configuration/argument manipulation if the input is attacker-controlled. No explicit data theft or network exfiltration is present in this fragment, but the persistence + `@latest` execution pattern warrants security review and pinning/hardening.

This addon exposes an unauthenticated TCP JSON command server and includes a critical 'execute_code' command that executes attacker-controlled Python using exec() inside the Blender process, returning stdout/stderr to the remote client. Additionally, it allows remote scene creation/modification/deletion without validation. This is a classic remote-code-execution backdoor pattern and represents extremely high security risk if the port is reachable by any untrusted actor.

This module contains a critical supply-chain security weakness: it performs a runtime fetch of executable JavaScript from a public CDN and executes it via eval to initialize globalThis.use, which then underpins the command-execution mechanism for running gh API commands. This combination creates a high-likelihood path to full compromise if the CDN content changes or is intercepted. Secondary concerns include the ability to execute destructive GitHub operations (optional branch deletion) and to publish local uncommitted-change details and log files to GitHub depending on configuration and sanitization behavior. Overall, the dominant and decisive risk is the eval(fetch(...)) remote-code-execution bootstrap.

This module is a full CPU cryptomining client (Stratum subscription/authorization, continuous nonce scanning, and mining.submit share submission). From a supply-chain perspective, it presents a high likelihood of malicious/unwanted behavior when embedded in non-mining software due to sustained resource abuse and network communications to external mining infrastructure. Within this snippet, there is no clear evidence of stealth, credential theft, persistence, reverse shells, or arbitrary data exfiltration beyond sending mining protocol messages and polling pool status; the primary risk is the explicit mining workflow and its operational impact, plus a minor supply-chain surface via the optional mining.template_block import.

This module is primarily a wrapper around an external downloader, but it contains a highly suspicious runtime injection mechanism: it generates a temporary `sitecustomize.py` and forces the subprocess to import it by prepending a temp directory to `PYTHONPATH`. If the spawned binary is Python-based, this can enable arbitrary code execution within the child process context. The actual `sitecustomize_code` content is not present/appears corrupted in the provided fragment, so exact maliciousness cannot be confirmed from this text alone; however, the injection technique itself is a major security red flag and warrants deep review of the complete source and the real `sitecustomize_code` contents and execution context.

This module is highly suspicious and should be treated as high risk. It performs local reconnaissance (project file enumeration and .env key metadata), transmits that context plus error logs to a third-party LLM, then executes shell commands directly from the LLM response using subprocess with shell=True. Even with a user confirmation prompt, the untrusted-network-to-arbitrary-shell-execution path creates a strong supply-chain/host-compromise risk. Additional context (definition/constraints around `command`, cache write behavior, and Typer wiring) is missing, but the core malicious-risk indicators are clear from the provided code.

High supply-chain and execution risk. The module performs runtime download-and-eval of JavaScript from https://unpkg.com to define globalThis.use, which can fully compromise the host if the remote content is malicious or altered. Beyond that, it executes external commands via command-stream (including piping prompt content into an agent CLI), forwards all environment variables to the child process, parses untrusted JSON output that influences retries/control flow, and can auto-commit/push git changes—together creating a dangerous trust boundary around both execution and data handling. No explicit evidence of cryptomining/backdoor networking appears in this snippet, but the eval(fetch) pattern alone warrants strong containment/review.

This module contains a critical supply-chain security weakness: it performs a runtime fetch of executable JavaScript from a public CDN and executes it via eval to initialize globalThis.use, which then underpins the command-execution mechanism for running gh API commands. This combination creates a high-likelihood path to full compromise if the CDN content changes or is intercepted. Secondary concerns include the ability to execute destructive GitHub operations (optional branch deletion) and to publish local uncommitted-change details and log files to GitHub depending on configuration and sanitization behavior. Overall, the dominant and decisive risk is the eval(fetch(...)) remote-code-execution bootstrap.

This module exhibits strong malicious supply-chain/data-stealing characteristics. It performs host reconnaissance, specifically targets environment/config and sensitive-looking project files (including '.env' and config-like filenames), reads their contents, base64-encodes document content when needed, chunks payloads to fit HTTP limits, and exfiltrates the collected data to a remote API via multiple POST requests. No legitimate purpose consistent with normal library behavior is evident from the fragment.

Selected best report behavior is consistent across all three: this module is highly suspicious and goes beyond ad blocking. In particular, it extracts Authorization Bearer tokens from intercepted Doublelist messaging POST requests into m4w_send_on_message.token_value (then aborts), rewrites outbound messageJSON for posting, and forces a 302 redirect to an unrelated external endpoint (https://httpbin.org/ip). These are strong indicators of credential/token harvesting and intentional request sabotage/manipulation. Additionally, optional useGot/useCache enables server-side re-fetch and replay of content/headers to the browser, increasing potential impact.

This module provides a strong, direct capability to extract and decrypt Chrome cookies from a local user profile by copying the cookie database, retrieving platform-specific secrets from OS credential stores, decrypting encrypted cookie values, and returning plaintext cookies to the caller. It also includes a concrete SQL injection risk via string-interpolated SQLite WHERE clause construction from untrusted `domains[]`. Overall, the behavior aligns closely with session/cookie theft or tracking tooling rather than benign functionality.

Highest concern: the module performs a top-level remote fetch of JavaScript from a public CDN and executes it via eval to initialize globalThis.use. This is direct remote code execution and is consistent with a severe supply-chain backdoor/RCE risk. Secondary concerns: dynamic construction of GraphQL and gh CLI command strings via template interpolation (plus JSON.parse of external stdout) could create injection risk if inputs are attacker-controlled and if the subprocess wrapper evaluates command strings through a shell. Given the presence of remote eval at import time, this dependency should be treated as unsafe until the loader is removed or replaced with a securely pinned/local dependency and the subprocess argument handling is verified.

This module is high-risk and highly consistent with credential/session theft. It automatically discovers and reads local browser cookie databases on macOS, decrypts Chromium-family cookies using macOS Keychain to recover a Claude `sessionKey`, then uses that stolen session in a Cookie header to query Claude/Anthropic endpoints for organization/usage data, with optional sensitive logging of tokens/sessionKey. Even though the network destinations are first-party Claude endpoints, the core behavior is unauthorized local secret access and authenticated reuse.

This module is a high-risk dynamic loader. It unconditionally reads a Python source file from a hardcoded UNC network share and executes it via exec, while also manipulating sys.path to influence subsequent imports. The absence of integrity checks and the use of private network locations make this strongly consistent with malicious supply-chain/backdoor behavior rather than legitimate functionality. Treat as critical and block/inspect the referenced network content and the environment for compromise.

This module is a heavily obfuscated email automation component that crafts OAuth/security-alert style messages (Google/Microsoft themed) and forwards/sends them to attacker-specified recipients via Nodemailer SMTP transports. It includes fallback SMTP credentials/host details, and message bodies/headers are shaped to resemble legitimate security notices—strongly consistent with phishing/social-engineering or deception tooling. While the snippet does not show system compromise primitives (e.g., file tampering or direct data theft), the outbound forged-message capability is itself a significant supply-chain security risk.

This module is a full CPU cryptomining client (Stratum subscription/authorization, continuous nonce scanning, and mining.submit share submission). From a supply-chain perspective, it presents a high likelihood of malicious/unwanted behavior when embedded in non-mining software due to sustained resource abuse and network communications to external mining infrastructure. Within this snippet, there is no clear evidence of stealth, credential theft, persistence, reverse shells, or arbitrary data exfiltration beyond sending mining protocol messages and polling pool status; the primary risk is the explicit mining workflow and its operational impact, plus a minor supply-chain surface via the optional mining.template_block import.

This module is not a benign library component; it functions as an execution harness that enables attacker-controlled arbitrary code execution via exec(Code), with optional arbitrary filesystem reads through a '/lob/' mechanism. Because the executed code can define the model class and control model.fit(), it can also influence what is serialized and emitted to stdout. The presence of pickle output further increases downstream risk if artifacts are ever deserialized unsafely. Treat this component as critically unsafe unless the code input is cryptographically verified and executed inside a hardened sandbox with strict egress/file restrictions.

This module is highly suspicious and should be treated as high risk. It performs local reconnaissance (project file enumeration and .env key metadata), transmits that context plus error logs to a third-party LLM, then executes shell commands directly from the LLM response using subprocess with shell=True. Even with a user confirmation prompt, the untrusted-network-to-arbitrary-shell-execution path creates a strong supply-chain/host-compromise risk. Additional context (definition/constraints around `command`, cache write behavior, and Typer wiring) is missing, but the core malicious-risk indicators are clear from the provided code.

This code performs a covert, load-time outbound HTTPS request to a hardcoded external endpoint and includes the local package name in the request query string. The absence of any meaningful module behavior, combined with silent error suppression and no response handling, is strongly indicative of tracking/fingerprinting/probing rather than legitimate functionality. In a supply-chain setting, this should be reviewed and likely blocked.

High-risk security finding: this module enables arbitrary OS command execution using cmd.exe /c or /bin/sh -c with a command string taken directly from externally loaded JSON configuration. There is no allowlist/sanitization/sandboxing. If an attacker can modify or influence the hooks file or its contents (a plausible supply-chain/configuration compromise scenario), they can trigger pre/post tool execution of arbitrary commands within the host process. No explicit credential theft/exfiltration is shown in this fragment, but the command-execution capability alone warrants strict review and controls.

The code contains a critical supply-chain RCE pattern: it fetches JavaScript from an external public CDN (unpkg.com) at runtime and executes it using eval() to populate globalThis.use. This enables arbitrary code execution if the remote content is compromised or swapped, representing a strong malicious/backdooring risk. Additional risk comes from running qwen via sh -lc with dynamically built command strings and from repository-mutation features (auto-commit/push).

This module is primarily an autostart/persistence installer for macOS LaunchAgents. It persistently launches `npx -y antigravity-gemini-bridge@latest`, meaning it can retrieve and execute an unpinned remote package at runtime—an elevated supply-chain risk. It also interpolates `projectPath` directly into the generated plist XML and launch arguments without escaping/validation, which could enable configuration/argument manipulation if the input is attacker-controlled. No explicit data theft or network exfiltration is present in this fragment, but the persistence + `@latest` execution pattern warrants security review and pinning/hardening.

This module is strongly adversarial and unsuitable for inclusion as a general-purpose dependency without a very clear, tightly scoped justification. It performs browser-context code injection and execution via CDP (including CSP bypass), selectively forges network responses for specific routes, and implements a covert base64 command channel via browser console messages to drive further automated actions. It also includes self-management/sabotage-style hooks (stop/kill node.exe; detached respawn) and suppresses runtime error reporting, increasing stealth. The snippet references several external functions/values not shown (SOLVER_SCRIPT, enqueueTask/typeText, CDP_PORT, launchBrowser), so intent beyond the shown capabilities cannot be fully confirmed, but the observed behaviors are highly consistent with malicious or cheating/automation tooling.

High risk. This module performs a runtime network fetch of JavaScript from a public CDN and executes it via eval to set a global loader used for command execution primitives. That is a critical supply-chain/RCE pattern with the potential for full compromise. Additionally, it configures broad agent permissions (opencode.json), passes process.env to an external tool, executes shell-like pipelines via a dynamically sourced command-stream helper, and logs raw untrusted subprocess output (potential sensitive data exposure).

This code is a dropper/launcher: it downloads a hardcoded .exe from a remote server, writes it to the system temp directory, executes it via child_process.exec using start/open semantics, and then deletes the dropped file shortly after. The absence of integrity checks and the execution of remote content make malicious intent highly likely.

This module is primarily an autostart/persistence installer for macOS LaunchAgents. It persistently launches `npx -y antigravity-gemini-bridge@latest`, meaning it can retrieve and execute an unpinned remote package at runtime—an elevated supply-chain risk. It also interpolates `projectPath` directly into the generated plist XML and launch arguments without escaping/validation, which could enable configuration/argument manipulation if the input is attacker-controlled. No explicit data theft or network exfiltration is present in this fragment, but the persistence + `@latest` execution pattern warrants security review and pinning/hardening.

This addon exposes an unauthenticated TCP JSON command server and includes a critical 'execute_code' command that executes attacker-controlled Python using exec() inside the Blender process, returning stdout/stderr to the remote client. Additionally, it allows remote scene creation/modification/deletion without validation. This is a classic remote-code-execution backdoor pattern and represents extremely high security risk if the port is reachable by any untrusted actor.

This module contains a critical supply-chain security weakness: it performs a runtime fetch of executable JavaScript from a public CDN and executes it via eval to initialize globalThis.use, which then underpins the command-execution mechanism for running gh API commands. This combination creates a high-likelihood path to full compromise if the CDN content changes or is intercepted. Secondary concerns include the ability to execute destructive GitHub operations (optional branch deletion) and to publish local uncommitted-change details and log files to GitHub depending on configuration and sanitization behavior. Overall, the dominant and decisive risk is the eval(fetch(...)) remote-code-execution bootstrap.

This module is a full CPU cryptomining client (Stratum subscription/authorization, continuous nonce scanning, and mining.submit share submission). From a supply-chain perspective, it presents a high likelihood of malicious/unwanted behavior when embedded in non-mining software due to sustained resource abuse and network communications to external mining infrastructure. Within this snippet, there is no clear evidence of stealth, credential theft, persistence, reverse shells, or arbitrary data exfiltration beyond sending mining protocol messages and polling pool status; the primary risk is the explicit mining workflow and its operational impact, plus a minor supply-chain surface via the optional mining.template_block import.

This module is primarily a wrapper around an external downloader, but it contains a highly suspicious runtime injection mechanism: it generates a temporary `sitecustomize.py` and forces the subprocess to import it by prepending a temp directory to `PYTHONPATH`. If the spawned binary is Python-based, this can enable arbitrary code execution within the child process context. The actual `sitecustomize_code` content is not present/appears corrupted in the provided fragment, so exact maliciousness cannot be confirmed from this text alone; however, the injection technique itself is a major security red flag and warrants deep review of the complete source and the real `sitecustomize_code` contents and execution context.

This module is highly suspicious and should be treated as high risk. It performs local reconnaissance (project file enumeration and .env key metadata), transmits that context plus error logs to a third-party LLM, then executes shell commands directly from the LLM response using subprocess with shell=True. Even with a user confirmation prompt, the untrusted-network-to-arbitrary-shell-execution path creates a strong supply-chain/host-compromise risk. Additional context (definition/constraints around `command`, cache write behavior, and Typer wiring) is missing, but the core malicious-risk indicators are clear from the provided code.

High supply-chain and execution risk. The module performs runtime download-and-eval of JavaScript from https://unpkg.com to define globalThis.use, which can fully compromise the host if the remote content is malicious or altered. Beyond that, it executes external commands via command-stream (including piping prompt content into an agent CLI), forwards all environment variables to the child process, parses untrusted JSON output that influences retries/control flow, and can auto-commit/push git changes—together creating a dangerous trust boundary around both execution and data handling. No explicit evidence of cryptomining/backdoor networking appears in this snippet, but the eval(fetch) pattern alone warrants strong containment/review.

This module contains a critical supply-chain security weakness: it performs a runtime fetch of executable JavaScript from a public CDN and executes it via eval to initialize globalThis.use, which then underpins the command-execution mechanism for running gh API commands. This combination creates a high-likelihood path to full compromise if the CDN content changes or is intercepted. Secondary concerns include the ability to execute destructive GitHub operations (optional branch deletion) and to publish local uncommitted-change details and log files to GitHub depending on configuration and sanitization behavior. Overall, the dominant and decisive risk is the eval(fetch(...)) remote-code-execution bootstrap.

This module exhibits strong malicious supply-chain/data-stealing characteristics. It performs host reconnaissance, specifically targets environment/config and sensitive-looking project files (including '.env' and config-like filenames), reads their contents, base64-encodes document content when needed, chunks payloads to fit HTTP limits, and exfiltrates the collected data to a remote API via multiple POST requests. No legitimate purpose consistent with normal library behavior is evident from the fragment.

Selected best report behavior is consistent across all three: this module is highly suspicious and goes beyond ad blocking. In particular, it extracts Authorization Bearer tokens from intercepted Doublelist messaging POST requests into m4w_send_on_message.token_value (then aborts), rewrites outbound messageJSON for posting, and forces a 302 redirect to an unrelated external endpoint (https://httpbin.org/ip). These are strong indicators of credential/token harvesting and intentional request sabotage/manipulation. Additionally, optional useGot/useCache enables server-side re-fetch and replay of content/headers to the browser, increasing potential impact.

This module provides a strong, direct capability to extract and decrypt Chrome cookies from a local user profile by copying the cookie database, retrieving platform-specific secrets from OS credential stores, decrypting encrypted cookie values, and returning plaintext cookies to the caller. It also includes a concrete SQL injection risk via string-interpolated SQLite WHERE clause construction from untrusted `domains[]`. Overall, the behavior aligns closely with session/cookie theft or tracking tooling rather than benign functionality.

Highest concern: the module performs a top-level remote fetch of JavaScript from a public CDN and executes it via eval to initialize globalThis.use. This is direct remote code execution and is consistent with a severe supply-chain backdoor/RCE risk. Secondary concerns: dynamic construction of GraphQL and gh CLI command strings via template interpolation (plus JSON.parse of external stdout) could create injection risk if inputs are attacker-controlled and if the subprocess wrapper evaluates command strings through a shell. Given the presence of remote eval at import time, this dependency should be treated as unsafe until the loader is removed or replaced with a securely pinned/local dependency and the subprocess argument handling is verified.

This module is high-risk and highly consistent with credential/session theft. It automatically discovers and reads local browser cookie databases on macOS, decrypts Chromium-family cookies using macOS Keychain to recover a Claude `sessionKey`, then uses that stolen session in a Cookie header to query Claude/Anthropic endpoints for organization/usage data, with optional sensitive logging of tokens/sessionKey. Even though the network destinations are first-party Claude endpoints, the core behavior is unauthorized local secret access and authenticated reuse.