Secure your dependencies. Ship with confidence.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

This module silently downloads, installs, and starts Chrome Remote Desktop on Windows, using elevated, hidden execution and retry strategies, and binds the host using a hardcoded authorization code while reporting hostname and status to a remote Telegram chat. Those behaviors enable remote access without user consent and contain hardcoded secrets and stealthy privilege escalation techniques — in a supply-chain scenario this is effectively a remote-access backdoor and should be treated as high risk. Only allow usage if every embedded credential (AUTH_CODE and Telegram credentials) and the operator endpoint are explicitly verified and intended; otherwise remove or require interactive admin approval and secure secret handling.

This module exhibits multiple clear malicious and high-risk behaviors: hardcoded PyPI credentials written to disk, automated package publishing (twine) using those credentials, self-modifying source code, appending to a standard-library file for persistence, and executing external command output via eval. It also relies on shell=True and unsanitized command construction, enabling command injection. Do not install or run this package in any environment. Treat as malicious and remove any artifacts if executed.

The code transmits the user's private key to an external API endpoint at 'https://pumpapi[.]fun/api/trade' during token trading operations. This exposes sensitive credentials over the network, leading to potential unauthorized access and loss of user funds. The external API may not be trustworthy, and sending private keys over unsecured channels poses a significant security threat.

The code contains a critical security flaw: untrusted input can be executed via eval(op), enabling arbitrary code execution. The presence of an incomplete assertion at the end adds unreliability and potential crashes. While there is a structured path for known operations, the fallback to eval constitutes a severe vulnerability that undermines supply-chain safety for any package exposing decode_op. Recommend removing eval usage, implementing a safe expression evaluator or whitelist, and adding robust input validation and error handling.

This postinstall hook downloads code from a remote server and immediately evals it. That is effectively remote arbitrary code execution during installation and should be treated as malicious. It poses a high to critical security risk (possible data exfiltration, reverse shell, system compromise, or persisted backdoor). Do not install or run this package without offline inspection and replacing this behavior with a safe, verified alternative.

This package executes a local JavaScript file at install time. While that can be a legitimate setup step, it is a high-risk behavior because the executed script can perform telemetry, exfiltrate data, modify the filesystem, install further packages, or run arbitrary commands. You should inspect callback.js before installing or avoid installing untrusted packages that run install-time scripts.

The file contains a clear backdoor that exfiltrates private key material: when an owner is provided as a keypair (private key present), the module reads signer.secretKey and POSTs it to an external domain (decoded from a base64 string). This is an explicit credential-theft routine embedded in an otherwise legitimate Solana/Raydium helper library. Treat this package as compromised: do not use it, rotate any keys that were used with it, and investigate any systems where it was executed.

This preinstall hook is malicious: it harvests system and sensitive files (including private SSH keys and environment files) and exfiltrates them to a remote Discord webhook. Installing this package would likely leak credentials and system information and should be blocked and reported.

The assembly is heavily obfuscated and contains runtime decryption/unpacking, dynamic method generation, and native interop to allocate/write/execute memory — a loader/execution pattern. It also has network (SMTP) and database interaction points. These behaviors allow in-memory code execution and potential data exfiltration. Treat this package as high risk: if this is unexpected for the project, do not use it and perform dynamic analysis in an isolated environment. Further investigation (runtime tracing, decryption of embedded resources, and inspection of the decrypted payload) is needed to determine intent (legitimate protection vs malicious loader).

The module contains high-risk operations: executing arbitrary shell commands via subprocess with shell=True and writing/appending to files without validation. If the steps JSON or the user input is untrusted, an attacker can achieve remote code execution, modify arbitrary files, and change process state (cwd). There are no signs of network exfiltration or hardcoded credentials in this fragment, but the command execution sink is sufficient to escalate to any of those behaviors if exploited. Recommendation: treat inputs (steps, file names, user-provided suggested commands) as untrusted; remove shell=True or use argument lists, validate and canonicalize file paths, avoid executing suggested commands automatically, and employ strict prompting and auditing. Overall this code is not itself evidently obfuscated or explicitly malicious, but it poses a significant supply-chain/runtime risk when given untrusted instructions.

Live on pypi for 5 days, 8 hours and 42 minutes before removal. Socket users were protected even while the package was live.

This code is intentionally obfuscated and uses DNS queries to exfiltrate system information, which could be a significant security risk. The hardcoded domain and the potential data exfiltration raise concerns about privacy violations. This package should be reviewed carefully before being used.

This module is functionally a supervisor that uses pickle-based serialization over ZeroMQ. The code contains high-risk unsafe deserialization: it accepts pickle-formatted data from sockets (recv_multipart / recv_pyobj) and unpickles it without validation, then performs dynamic dispatch based on untrusted data. The temporary monkey-patch of torch.storage._load_from_bytes inside pickle_loads increases the attack surface for malicious payloads that embed torch storage objects. There are no authentication or integrity checks on incoming messages. Therefore the code is unsafe to use in untrusted-network environments: an attacker who can send messages to the supervisor sockets (or control SUPERVISOR_PIPE/SUPERVISOR_IDENT) can achieve remote code execution. No other explicit exfiltration, cryptomining, or backdoor code is present in this fragment, but the deserialization pattern makes arbitrary malicious behavior possible.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as malware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

The code exhibits clear signs of malicious behavior by sending sensitive system and project data to remote servers. The actions performed by the code pose a significant security risk due to the exposure of sensitive information. The code is not obfuscated, so the obfuscation score is low.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

The code implements a high-risk dynamic evaluation pattern by evaluating tokens within the caller’s scope. This creates a strong possibility of arbitrary code execution and data leakage if tokens originate from untrusted inputs. Hardening should include removing eval, replacing with safe resolvers, sandboxing, or strict token whitelisting and restricting scope access. This pattern is unsuitable for trusted libraries exposes in open-source supply chains without significant safeguards.

This file is an offensive exploitation toolkit. It automates uploading a PHP web shell concealed inside an image to WordPress, controls that web shell via a base64(JSON) GET parameter command channel, and contains built-in support for initiating a reverse shell to a hardcoded attacker host and managing interactive post-exploitation tasks (PTY, su, exec). The presence of a concrete remote attacker IP:port and tailored attack flow indicate malicious intent. Treat this code as high risk; do not run in production or against systems you do not own/authorize.

This code performs explicit, immediate data exfiltration: it reads local files under /opt, base64-encodes them, and transmits them to a hard-coded external endpoint. Treat this as malicious/supply-chain compromise. Do not run or include this package; remove it, rotate any potentially exposed secrets, block the destination, and investigate origin and impact.

The code is highly suspicious and exhibits behavior consistent with malware. It collects extensive system information and sends it to external servers without user consent, using both HTTPS and DNS queries. The methods used for data transmission are covert, indicating a high risk of data exfiltration and privacy invasion.

Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.

An automated, hardcoded download-and-install of a JetBrains plugin into the IDE's plugin directories from a remote ZIP URL, executed without explicit user consent and without cryptographic verification, potentially enabling arbitrary code execution in the IDE. The behavior may include removing existing plugins with the same target name, representing a supply-chain style threat.

This module is a deliberate destructive utility that corrupts all .zip files in a specified directory by truncating each archive to half its size and appending repeated junk data. While it lacks common malware features like networking or data exfiltration, the behavior is strongly indicative of sabotage and would be unacceptable in most software supply-chain contexts due to its potential to break builds, deployments, or artifact integrity.

This module zips a local directory and uploads it to a specific S3 bucket. The code contains hardcoded AWS credentials and a hardcoded bucket name, which is a severe security issue and could enable data exfiltration if these credentials are valid. There are additional problems: a likely return-value bug (undefined variable s3_ke), possible insufficient path-safety around symlinks, and verbose logging of paths. There is no evidence of obfuscation or active payloads like reverse shells or eval-based code execution. Treat this package as high-risk until credentials are removed/rotated and the code is corrected and reviewed.

Live on pypi for 5 days, 9 hours and 4 minutes before removal. Socket users were protected even while the package was live.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

This module silently downloads, installs, and starts Chrome Remote Desktop on Windows, using elevated, hidden execution and retry strategies, and binds the host using a hardcoded authorization code while reporting hostname and status to a remote Telegram chat. Those behaviors enable remote access without user consent and contain hardcoded secrets and stealthy privilege escalation techniques — in a supply-chain scenario this is effectively a remote-access backdoor and should be treated as high risk. Only allow usage if every embedded credential (AUTH_CODE and Telegram credentials) and the operator endpoint are explicitly verified and intended; otherwise remove or require interactive admin approval and secure secret handling.

This module exhibits multiple clear malicious and high-risk behaviors: hardcoded PyPI credentials written to disk, automated package publishing (twine) using those credentials, self-modifying source code, appending to a standard-library file for persistence, and executing external command output via eval. It also relies on shell=True and unsanitized command construction, enabling command injection. Do not install or run this package in any environment. Treat as malicious and remove any artifacts if executed.

The code transmits the user's private key to an external API endpoint at 'https://pumpapi[.]fun/api/trade' during token trading operations. This exposes sensitive credentials over the network, leading to potential unauthorized access and loss of user funds. The external API may not be trustworthy, and sending private keys over unsecured channels poses a significant security threat.

The code contains a critical security flaw: untrusted input can be executed via eval(op), enabling arbitrary code execution. The presence of an incomplete assertion at the end adds unreliability and potential crashes. While there is a structured path for known operations, the fallback to eval constitutes a severe vulnerability that undermines supply-chain safety for any package exposing decode_op. Recommend removing eval usage, implementing a safe expression evaluator or whitelist, and adding robust input validation and error handling.

This postinstall hook downloads code from a remote server and immediately evals it. That is effectively remote arbitrary code execution during installation and should be treated as malicious. It poses a high to critical security risk (possible data exfiltration, reverse shell, system compromise, or persisted backdoor). Do not install or run this package without offline inspection and replacing this behavior with a safe, verified alternative.

This package executes a local JavaScript file at install time. While that can be a legitimate setup step, it is a high-risk behavior because the executed script can perform telemetry, exfiltrate data, modify the filesystem, install further packages, or run arbitrary commands. You should inspect callback.js before installing or avoid installing untrusted packages that run install-time scripts.

The file contains a clear backdoor that exfiltrates private key material: when an owner is provided as a keypair (private key present), the module reads signer.secretKey and POSTs it to an external domain (decoded from a base64 string). This is an explicit credential-theft routine embedded in an otherwise legitimate Solana/Raydium helper library. Treat this package as compromised: do not use it, rotate any keys that were used with it, and investigate any systems where it was executed.

This preinstall hook is malicious: it harvests system and sensitive files (including private SSH keys and environment files) and exfiltrates them to a remote Discord webhook. Installing this package would likely leak credentials and system information and should be blocked and reported.

The assembly is heavily obfuscated and contains runtime decryption/unpacking, dynamic method generation, and native interop to allocate/write/execute memory — a loader/execution pattern. It also has network (SMTP) and database interaction points. These behaviors allow in-memory code execution and potential data exfiltration. Treat this package as high risk: if this is unexpected for the project, do not use it and perform dynamic analysis in an isolated environment. Further investigation (runtime tracing, decryption of embedded resources, and inspection of the decrypted payload) is needed to determine intent (legitimate protection vs malicious loader).

The module contains high-risk operations: executing arbitrary shell commands via subprocess with shell=True and writing/appending to files without validation. If the steps JSON or the user input is untrusted, an attacker can achieve remote code execution, modify arbitrary files, and change process state (cwd). There are no signs of network exfiltration or hardcoded credentials in this fragment, but the command execution sink is sufficient to escalate to any of those behaviors if exploited. Recommendation: treat inputs (steps, file names, user-provided suggested commands) as untrusted; remove shell=True or use argument lists, validate and canonicalize file paths, avoid executing suggested commands automatically, and employ strict prompting and auditing. Overall this code is not itself evidently obfuscated or explicitly malicious, but it poses a significant supply-chain/runtime risk when given untrusted instructions.

Live on pypi for 5 days, 8 hours and 42 minutes before removal. Socket users were protected even while the package was live.

This code is intentionally obfuscated and uses DNS queries to exfiltrate system information, which could be a significant security risk. The hardcoded domain and the potential data exfiltration raise concerns about privacy violations. This package should be reviewed carefully before being used.

This module is functionally a supervisor that uses pickle-based serialization over ZeroMQ. The code contains high-risk unsafe deserialization: it accepts pickle-formatted data from sockets (recv_multipart / recv_pyobj) and unpickles it without validation, then performs dynamic dispatch based on untrusted data. The temporary monkey-patch of torch.storage._load_from_bytes inside pickle_loads increases the attack surface for malicious payloads that embed torch storage objects. There are no authentication or integrity checks on incoming messages. Therefore the code is unsafe to use in untrusted-network environments: an attacker who can send messages to the supervisor sockets (or control SUPERVISOR_PIPE/SUPERVISOR_IDENT) can achieve remote code execution. No other explicit exfiltration, cryptomining, or backdoor code is present in this fragment, but the deserialization pattern makes arbitrary malicious behavior possible.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as malware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

The code exhibits clear signs of malicious behavior by sending sensitive system and project data to remote servers. The actions performed by the code pose a significant security risk due to the exposure of sensitive information. The code is not obfuscated, so the obfuscation score is low.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

The code implements a high-risk dynamic evaluation pattern by evaluating tokens within the caller’s scope. This creates a strong possibility of arbitrary code execution and data leakage if tokens originate from untrusted inputs. Hardening should include removing eval, replacing with safe resolvers, sandboxing, or strict token whitelisting and restricting scope access. This pattern is unsuitable for trusted libraries exposes in open-source supply chains without significant safeguards.

This file is an offensive exploitation toolkit. It automates uploading a PHP web shell concealed inside an image to WordPress, controls that web shell via a base64(JSON) GET parameter command channel, and contains built-in support for initiating a reverse shell to a hardcoded attacker host and managing interactive post-exploitation tasks (PTY, su, exec). The presence of a concrete remote attacker IP:port and tailored attack flow indicate malicious intent. Treat this code as high risk; do not run in production or against systems you do not own/authorize.

This code performs explicit, immediate data exfiltration: it reads local files under /opt, base64-encodes them, and transmits them to a hard-coded external endpoint. Treat this as malicious/supply-chain compromise. Do not run or include this package; remove it, rotate any potentially exposed secrets, block the destination, and investigate origin and impact.

The code is highly suspicious and exhibits behavior consistent with malware. It collects extensive system information and sends it to external servers without user consent, using both HTTPS and DNS queries. The methods used for data transmission are covert, indicating a high risk of data exfiltration and privacy invasion.

Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.

An automated, hardcoded download-and-install of a JetBrains plugin into the IDE's plugin directories from a remote ZIP URL, executed without explicit user consent and without cryptographic verification, potentially enabling arbitrary code execution in the IDE. The behavior may include removing existing plugins with the same target name, representing a supply-chain style threat.

This module is a deliberate destructive utility that corrupts all .zip files in a specified directory by truncating each archive to half its size and appending repeated junk data. While it lacks common malware features like networking or data exfiltration, the behavior is strongly indicative of sabotage and would be unacceptable in most software supply-chain contexts due to its potential to break builds, deployments, or artifact integrity.

This module zips a local directory and uploads it to a specific S3 bucket. The code contains hardcoded AWS credentials and a hardcoded bucket name, which is a severe security issue and could enable data exfiltration if these credentials are valid. There are additional problems: a likely return-value bug (undefined variable s3_ke), possible insufficient path-safety around symlinks, and verbose logging of paths. There is no evidence of obfuscation or active payloads like reverse shells or eval-based code execution. Treat this package as high-risk until credentials are removed/rotated and the code is corrected and reviewed.

Live on pypi for 5 days, 9 hours and 4 minutes before removal. Socket users were protected even while the package was live.