Secure your dependencies. Ship with confidence.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

High-risk malicious behavior: the snippet covertly fingerprints the host (cwd, hostname, public IP), hex-encodes values, and signals them by triggering DNS lookups to an external domain while suppressing output. This pattern is consistent with a supply-chain backdoor or beacon for tracking/exfiltration. Remove or isolate the package, treat hosts where it ran as compromised for further investigation, and block/monitor DNS queries to the referenced domain.

Live on npm for 14 minutes before removal. Socket users were protected even while the package was live.

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] No malicious code is present in the SKILL.md content. The file contains documentation and example invocations of the inference.sh (infsh) CLI and remote AI apps to generate, merge, and caption video ads — behavior consistent with the stated purpose. The main security considerations are supply-chain/trust-related: installing a remote shell script (curl | sh) and executing a downloaded binary from dist.inference.sh requires trusting that provider and verifying checksums; and user prompts and media files will be sent to remote inference endpoints (privacy/data exposure risk). There are no hardcoded secrets, obfuscated payloads, nor indications of covert exfiltration to unrelated domains within this document. LLM verification: The document itself is a legitimate usage/guide for creating platform-specific video ads and running generation workflows via the infsh CLI. There is no direct evidence in the text of embedded malware or obfuscation, but the Quick Start practice of piping a remote install script into sh and the reliance on a centralized third-party operator (inference.sh / dist.inference.sh) constitute meaningful supply-chain and data-exposure risks. If users follow these examples, they should independently veri

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

The code exhibits malicious behavior by exfiltrating system and user data to external domains without user consent. This poses a significant security risk and indicates a high probability of malicious intent.

Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.

A Chrome extension background script persistently scans localhost ports 8875–8895 (ws://localhost:8875, ws://127[.]0[.]0[.]1:8875, ws://[::1]:8875, etc.) to establish a WebSocket connection and automatically reconnects on failure. Once connected, it: 1) Enumerates all browser tabs via chrome.tabs.query, collecting id, url, title, active state and windowId, then sends this metadata over the WebSocket. 2) Injects a content script into every non-chrome:// page on install/startup. 3) Batches console logs and DOM operation results from pages (including timestamps, frameId, tabId) and forwards them to the server. 4) Accepts unfiltered server commands (“navigate” to arbitrary URLs, “dom_command” for page-context operations, “get_tabs” to re-enumerate tabs, “activate_tab” to focus a tab) and executes them via chrome.tabs.update or chrome.tabs.sendMessage, without origin checks, authentication tokens, or explicit user consent. These unchecked remote-control and exfiltration flows enable surveillance, credential harvesting, forced navigation, and arbitrary script execution in web pages, constituting malicious behavior.

This code implements a deliberate credential-exfiltration backdoor: if running in CI/GitHub Actions and GITHUB_TOKEN is present, it posts that token to an attacker-controlled host. Treat as malicious. Remove the code, rotate affected credentials, audit CI runs for compromise, and block or remove the package from supply chain.

The code is deliberately opaque and relies on dynamic code execution to reconstruct and run a payload that ultimately engages an external signing service with the user-provided URL. This pattern—extensive obfuscation, runtime payload generation, environment spoofing, and outbound network activity—represents a significant security risk and potential supply-chain tampering vector. Treat as high-risk; remove or replace with transparent, auditable logic and avoid eval-based payloads or hidden external signers.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

The code is highly obfuscated and appears to function as a remote-controlled WhatsApp bot (QueenAmdi) with extensive credential management, remote configuration, and data exfiltration capabilities. Given the combination of credential reconstruction, encryption workflows, numerous external network interactions, and persistence mechanisms, this package presents a high security risk and likely malicious intent within a supply-chain context. Recommend treating this as a hostile or untrustworthy component, conducting thorough deobfuscation/audit, and removing from any production supply chain pending a clean, auditable implementation. Potential backdoor/control pathways warrant immediate remediation and isolation from the project ecosystem.

Live on npm for 20 hours and 14 minutes before removal. Socket users were protected even while the package was live.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

Live on npm for 5 hours and 26 minutes before removal. Socket users were protected even while the package was live.

This is sophisticated malware designed to steal Solana cryptocurrency private keys through supply chain compromise. It intercepts all keypair generation methods and transmits encrypted private key material to attackers via blockchain transactions. Any application using this package would have all generated keypairs compromised, leading to potential total loss of funds.

Live on pypi for 12 hours and 11 minutes before removal. Socket users were protected even while the package was live.

This file contains malicious code designed to establish unauthorized remote desktop access via VNC (Virtual Network Computing). The code searches for and attempts to start winvnc.exe processes, then connects them to a remote host and port specified in the data payload. The malicious behavior includes: automatically launching VNC server software without user knowledge or consent, establishing outbound connections to attacker-controlled hosts, using subprocess calls with potentially unsafe parameters (shell=True, CREATE_NO_WINDOW), and implementing process management to ensure the VNC service remains active. The package structure reveals additional concerning elements including pre-compiled VNC executables, configuration files, and supporting libraries that would enable complete remote control of the infected system. While the code contains a reference to a non-existent package that would cause import errors, the malicious intent and capability for unauthorized remote access are clearly present.

This client-side script is malicious: it captures session cookies and form input and attempts to exfiltrate them to a hardcoded ngrok WebSocket endpoint on form submission, then redirects the user. Although there are implementation bugs (password variable typo and incorrect WebSocket.send usage) that may prevent full credential exfiltration, document.cookie is sent successfully and represents a severe compromise (session takeover). The file should be treated as compromised/malicious, removed or blocked immediately, and any potentially exposed sessions/credentials rotated. Investigate repository history, hosting compromises, and other files for similar artifacts.

Live on npm for 8 hours and 26 minutes before removal. Socket users were protected even while the package was live.

This install script attempts to create an outbound TCP connection to a remote listener and attach an interactive bash shell to it (a reverse shell). This is a high‑severity malicious action: it enables unauthorized remote access and control, represents immediate compromise, and may be used for data exfiltration, lateral movement, or persistence.

The source code exhibits clear malicious behavior by accessing local storage directories, extracting tokens, and sending them to a remote server. This poses a significant security risk and indicates a high probability of malware.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.

This module is not overtly malicious (no backdoor, reverse shell, or obfuscated malware). However, it poses a moderate-to-high supply-chain/privacy risk because it unconditionally collects repository files, attachments, and user-provided context (including potential secrets) and sends them to an external AI gateway without redaction, filtering, or explicit safe-guarding. The system prompt even normalizes revealing API keys when present, increasing the chance of secret leakage. Use with caution: add strict filtering, secret redaction, size limits, and explicit user consent before sending repository/attachment contents to remote services.

Live on pypi for 5 days and 18 hours before removal. Socket users were protected even while the package was live.

The source code performs unauthorized data exfiltration of sensitive system and package information to a suspicious external server, constituting a serious privacy and security risk. The code collects detailed environment data including the user's home directory, system hostname, username, DNS server configurations, current directory path, and complete package metadata. This information is serialized into JSON format, URL-encoded, and transmitted via HTTPS POST request to the suspicious domain 'd1dsp80lq9i8is5bgh30ihafidh5uegj6[.]oast[.]pro' without user consent or notification. The code operates silently with suppressed error handling to avoid detection. This behavior represents malicious data theft and should be considered a supply chain security threat requiring immediate removal or blocking of affected packages.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

The code snippet exhibits suspicious behavior by contacting a potentially malicious external server and logging its response. While it does not show obfuscation or direct malicious payloads, the network communication to a suspicious VPS domain is a strong indicator of malicious intent or at least a significant security risk. The existing reports are unusable and should be replaced with this detailed analysis.

Live on npm for 19 days, 5 hours and 50 minutes before removal. Socket users were protected even while the package was live.

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

This code poses a serious security risk and should not be used.

Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

The script executes a VBScript file, which could potentially contain harmful code. Without inspecting the contents of 'systask.vbs', it is impossible to determine the safety of this operation.

Live on npm for 1 hour and 7 minutes before removal. Socket users were protected even while the package was live.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

High-risk malicious behavior: the snippet covertly fingerprints the host (cwd, hostname, public IP), hex-encodes values, and signals them by triggering DNS lookups to an external domain while suppressing output. This pattern is consistent with a supply-chain backdoor or beacon for tracking/exfiltration. Remove or isolate the package, treat hosts where it ran as compromised for further investigation, and block/monitor DNS queries to the referenced domain.

Live on npm for 14 minutes before removal. Socket users were protected even while the package was live.

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] No malicious code is present in the SKILL.md content. The file contains documentation and example invocations of the inference.sh (infsh) CLI and remote AI apps to generate, merge, and caption video ads — behavior consistent with the stated purpose. The main security considerations are supply-chain/trust-related: installing a remote shell script (curl | sh) and executing a downloaded binary from dist.inference.sh requires trusting that provider and verifying checksums; and user prompts and media files will be sent to remote inference endpoints (privacy/data exposure risk). There are no hardcoded secrets, obfuscated payloads, nor indications of covert exfiltration to unrelated domains within this document. LLM verification: The document itself is a legitimate usage/guide for creating platform-specific video ads and running generation workflows via the infsh CLI. There is no direct evidence in the text of embedded malware or obfuscation, but the Quick Start practice of piping a remote install script into sh and the reliance on a centralized third-party operator (inference.sh / dist.inference.sh) constitute meaningful supply-chain and data-exposure risks. If users follow these examples, they should independently veri

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

The code exhibits malicious behavior by exfiltrating system and user data to external domains without user consent. This poses a significant security risk and indicates a high probability of malicious intent.

Live on npm for 30 minutes before removal. Socket users were protected even while the package was live.

A Chrome extension background script persistently scans localhost ports 8875–8895 (ws://localhost:8875, ws://127[.]0[.]0[.]1:8875, ws://[::1]:8875, etc.) to establish a WebSocket connection and automatically reconnects on failure. Once connected, it: 1) Enumerates all browser tabs via chrome.tabs.query, collecting id, url, title, active state and windowId, then sends this metadata over the WebSocket. 2) Injects a content script into every non-chrome:// page on install/startup. 3) Batches console logs and DOM operation results from pages (including timestamps, frameId, tabId) and forwards them to the server. 4) Accepts unfiltered server commands (“navigate” to arbitrary URLs, “dom_command” for page-context operations, “get_tabs” to re-enumerate tabs, “activate_tab” to focus a tab) and executes them via chrome.tabs.update or chrome.tabs.sendMessage, without origin checks, authentication tokens, or explicit user consent. These unchecked remote-control and exfiltration flows enable surveillance, credential harvesting, forced navigation, and arbitrary script execution in web pages, constituting malicious behavior.

This code implements a deliberate credential-exfiltration backdoor: if running in CI/GitHub Actions and GITHUB_TOKEN is present, it posts that token to an attacker-controlled host. Treat as malicious. Remove the code, rotate affected credentials, audit CI runs for compromise, and block or remove the package from supply chain.

The code is deliberately opaque and relies on dynamic code execution to reconstruct and run a payload that ultimately engages an external signing service with the user-provided URL. This pattern—extensive obfuscation, runtime payload generation, environment spoofing, and outbound network activity—represents a significant security risk and potential supply-chain tampering vector. Treat as high-risk; remove or replace with transparent, auditable logic and avoid eval-based payloads or hidden external signers.

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

The code is highly obfuscated and appears to function as a remote-controlled WhatsApp bot (QueenAmdi) with extensive credential management, remote configuration, and data exfiltration capabilities. Given the combination of credential reconstruction, encryption workflows, numerous external network interactions, and persistence mechanisms, this package presents a high security risk and likely malicious intent within a supply-chain context. Recommend treating this as a hostile or untrustworthy component, conducting thorough deobfuscation/audit, and removing from any production supply chain pending a clean, auditable implementation. Potential backdoor/control pathways warrant immediate remediation and isolation from the project ecosystem.

Live on npm for 20 hours and 14 minutes before removal. Socket users were protected even while the package was live.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

Live on npm for 5 hours and 26 minutes before removal. Socket users were protected even while the package was live.

This is sophisticated malware designed to steal Solana cryptocurrency private keys through supply chain compromise. It intercepts all keypair generation methods and transmits encrypted private key material to attackers via blockchain transactions. Any application using this package would have all generated keypairs compromised, leading to potential total loss of funds.

Live on pypi for 12 hours and 11 minutes before removal. Socket users were protected even while the package was live.

This file contains malicious code designed to establish unauthorized remote desktop access via VNC (Virtual Network Computing). The code searches for and attempts to start winvnc.exe processes, then connects them to a remote host and port specified in the data payload. The malicious behavior includes: automatically launching VNC server software without user knowledge or consent, establishing outbound connections to attacker-controlled hosts, using subprocess calls with potentially unsafe parameters (shell=True, CREATE_NO_WINDOW), and implementing process management to ensure the VNC service remains active. The package structure reveals additional concerning elements including pre-compiled VNC executables, configuration files, and supporting libraries that would enable complete remote control of the infected system. While the code contains a reference to a non-existent package that would cause import errors, the malicious intent and capability for unauthorized remote access are clearly present.

This client-side script is malicious: it captures session cookies and form input and attempts to exfiltrate them to a hardcoded ngrok WebSocket endpoint on form submission, then redirects the user. Although there are implementation bugs (password variable typo and incorrect WebSocket.send usage) that may prevent full credential exfiltration, document.cookie is sent successfully and represents a severe compromise (session takeover). The file should be treated as compromised/malicious, removed or blocked immediately, and any potentially exposed sessions/credentials rotated. Investigate repository history, hosting compromises, and other files for similar artifacts.

Live on npm for 8 hours and 26 minutes before removal. Socket users were protected even while the package was live.

This install script attempts to create an outbound TCP connection to a remote listener and attach an interactive bash shell to it (a reverse shell). This is a high‑severity malicious action: it enables unauthorized remote access and control, represents immediate compromise, and may be used for data exfiltration, lateral movement, or persistence.

The source code exhibits clear malicious behavior by accessing local storage directories, extracting tokens, and sending them to a remote server. This poses a significant security risk and indicates a high probability of malware.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.

This module is not overtly malicious (no backdoor, reverse shell, or obfuscated malware). However, it poses a moderate-to-high supply-chain/privacy risk because it unconditionally collects repository files, attachments, and user-provided context (including potential secrets) and sends them to an external AI gateway without redaction, filtering, or explicit safe-guarding. The system prompt even normalizes revealing API keys when present, increasing the chance of secret leakage. Use with caution: add strict filtering, secret redaction, size limits, and explicit user consent before sending repository/attachment contents to remote services.

Live on pypi for 5 days and 18 hours before removal. Socket users were protected even while the package was live.

The source code performs unauthorized data exfiltration of sensitive system and package information to a suspicious external server, constituting a serious privacy and security risk. The code collects detailed environment data including the user's home directory, system hostname, username, DNS server configurations, current directory path, and complete package metadata. This information is serialized into JSON format, URL-encoded, and transmitted via HTTPS POST request to the suspicious domain 'd1dsp80lq9i8is5bgh30ihafidh5uegj6[.]oast[.]pro' without user consent or notification. The code operates silently with suppressed error handling to avoid detection. This behavior represents malicious data theft and should be considered a supply chain security threat requiring immediate removal or blocking of affected packages.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

The code snippet exhibits suspicious behavior by contacting a potentially malicious external server and logging its response. While it does not show obfuscation or direct malicious payloads, the network communication to a suspicious VPS domain is a strong indicator of malicious intent or at least a significant security risk. The existing reports are unusable and should be replaced with this detailed analysis.

Live on npm for 19 days, 5 hours and 50 minutes before removal. Socket users were protected even while the package was live.

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

This code poses a serious security risk and should not be used.

Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

The script executes a VBScript file, which could potentially contain harmful code. Without inspecting the contents of 'systask.vbs', it is impossible to determine the safety of this operation.

Live on npm for 1 hour and 7 minutes before removal. Socket users were protected even while the package was live.