Secure your dependencies. Ship with confidence.

This code establishes a strong supply-chain/sandbox-break capability by executing a local bash hook at session start and directly passing both serialized caller context (stdin) and essentially the full parent environment (env) to that script, while also suppressing errors. While the snippet itself shows no explicit malicious behavior beyond delegation, the data exposure (context + process.env) and silent error handling make this pattern high-risk and warrant review of the hooks/babysitter-proxied-session-start.sh behavior.

This code is highly suspicious because it exposes direct remote filesystem operations: directory listing, arbitrary file reading (including base64 content exfiltration), and arbitrary file uploading (including chunked writes finalized onto the server filesystem). While safety may depend on the external runtime.resolvePath and authorization model, this module itself contains no robust sandbox/jail enforcement, access control, size/range validation for chunk writes, or strong transfer-ID protection. Functionally, it matches backdoor/RMM-style filesystem management capability and should be reviewed/locked down aggressively (or removed) if not intended for a trusted operator-only environment.

This module contains a critical remote-code-execution-like primitive via exec(code) using self.component.custom_methods (potentially attacker-controlled if configuration is not strictly locked). It also uses string-based method dispatch for timers. Together, these enable arbitrary Python code execution and device/gateway command manipulation. If custom_methods/meta are not strictly admin-only and protected, the security risk is very high.

This fragment is a high-confidence malicious loader/dropper: it downloads arbitrary Python code from a hardcoded remote IP over unencrypted HTTP, writes it to the local temp directory as launcher.py, and executes it using pythonw.exe with no visible window. The absence of integrity/authenticity checks and the stealthy execution strongly indicate malware staging behavior rather than legitimate functionality.

This code performs arbitrary Ruby code execution by directly `eval`ing a caller-supplied `source` string using `TOPLEVEL_BINDING`. In any supply-chain/dependency context, this is a critical security concern unless the caller is strictly trusted and inputs are tightly controlled. The most credible risk is RCE/compromise if an attacker can influence `source` (and the filename context can be attacker-influenced via `file_path`). The trailing `en` token should be verified in the actual file, but it does not change the core eval danger.

This code is best characterized as a CI-targeted credential-stealing and data-exfiltration backdoor. It performs anti-sandbox/CI gating, harvests sensitive environment variables and the full process environment from /proc/self/environ, and queries the AWS EC2 instance metadata service (169.254.169.254) to obtain IAM role credentials. It then exfiltrates all collected information to a hardcoded Telegram bot/chat over HTTPS, with error suppression to improve stealth. No legitimate business logic is present in this module.

This code is highly suspicious because it exposes direct remote filesystem operations: directory listing, arbitrary file reading (including base64 content exfiltration), and arbitrary file uploading (including chunked writes finalized onto the server filesystem). While safety may depend on the external runtime.resolvePath and authorization model, this module itself contains no robust sandbox/jail enforcement, access control, size/range validation for chunk writes, or strong transfer-ID protection. Functionally, it matches backdoor/RMM-style filesystem management capability and should be reviewed/locked down aggressively (or removed) if not intended for a trusted operator-only environment.

This code establishes a strong supply-chain/sandbox-break capability by executing a local bash hook at session start and directly passing both serialized caller context (stdin) and essentially the full parent environment (env) to that script, while also suppressing errors. While the snippet itself shows no explicit malicious behavior beyond delegation, the data exposure (context + process.env) and silent error handling make this pattern high-risk and warrant review of the hooks/babysitter-proxied-session-start.sh behavior.

This fragment implements a network-accessible controller that can spawn and manage interactive shell/PTY sessions (using process.env.SHELL/COMSPEC) and relay interactive output back to the client. Since commands are driven by inbound JSON over the network and no authentication/authorization is visible here, it closely matches the behavior of a remote shell/backdoor component. While it could be legitimate terminal tooling, the combination of PTY spawning over a socket plus obfuscation and broad error suppression makes it suspicious and dangerous in a dependency context.

This code establishes a strong supply-chain/sandbox-break capability by executing a local bash hook at session start and directly passing both serialized caller context (stdin) and essentially the full parent environment (env) to that script, while also suppressing errors. While the snippet itself shows no explicit malicious behavior beyond delegation, the data exposure (context + process.env) and silent error handling make this pattern high-risk and warrant review of the hooks/babysitter-proxied-session-start.sh behavior.

The code explicitly harvests highly sensitive authentication/CSRF/session cookies from locally installed browser profiles for multiple platforms and then stores those secrets into application configuration and persists them to local files in the user’s home directory (including plaintext/token material). Although this snippet shows no exfiltration or networking, the credential-harvesting + persistence behavior is characteristic of account/session compromise workflows and represents a high security risk for a dependency in a supply chain. Additionally, exceptions are silently swallowed in persistence helpers, and there is a likely variable-name bug in the return statement, indicating incomplete correctness but not changing the primary secret-access behavior.

This fragment contains extremely high-risk functionality: it (1) reads and embeds arbitrary local file contents specified via @<path> tokens and (2) executes arbitrary shell commands specified via a leading !<cmd> using subprocess with shell=True, embedding stdout+stderr in the returned output. Output truncation/timeout limit impact magnitude but not the fundamental malicious capability. If reachable by untrusted text, it should be treated as a critical security issue and excluded or tightly sandboxed behind strict authorization and input allowlisting.

Despite being primarily a registry/configuration loader, this module includes credentialed outbound notification behavior to a third-party service with hardcoded secrets. When a symbol is not registered (defaulting to strict behavior unless configured otherwise), it transmits runtime context (symbol and operation) externally. This is a high-risk supply-chain/surveillance style pattern, not typical for a benign dependency.

This module is best characterized as an obfuscated stage-1 loader/packer. It reconstructs runtime strings/keys from embedded data, conditionally triggers execution based on decoded/gated checks, and—most importantly—uses new Function(...) to execute decoded code during initialization. It then wires exports by requiring multiple local modules, including a Socket component. While this fragment does not conclusively prove exfiltration or credential theft by itself, the loader + dynamic evaluation pattern is a major supply-chain red flag and warrants quarantine and full decoded-behavior inspection before use.

This module is a high-severity remote execution-and-output streaming service. Unauthenticated network input is transformed into subprocess command-line arguments and used to start a child process, whose stdout/stderr (including error output) is returned to the remote client. Even though it uses `shell=False`, the overall design provides an attacker-controlled “remote runner” primitive with information disclosure and potential availability impact. This is strongly consistent with backdoor/C2-style functionality unless strictly confined behind robust access controls (which are absent in this file).

The code performs environment/package fingerprinting (home directory, username, hostname, DNS resolvers, module path, and package.json metadata) and exfiltrates it via an HTTPS POST to a hardcoded external endpoint. The behavior is strongly indicative of unauthorized tracking/exfiltration rather than legitimate library functionality, with no gating and suppressed error visibility.

This module contains a critical remote-code-execution-like primitive via exec(code) using self.component.custom_methods (potentially attacker-controlled if configuration is not strictly locked). It also uses string-based method dispatch for timers. Together, these enable arbitrary Python code execution and device/gateway command manipulation. If custom_methods/meta are not strictly admin-only and protected, the security risk is very high.

This module behaves like a runtime bootstrap/loader: it enables source maps, invokes an unknown module-injection hook, optionally reports runtime data over IPC, and then performs dynamic `require()` from an environment-controlled target (`pm_exec_path`). That execution primitive, combined with loader/injection behavior and Node entry-point tampering, is a significant supply-chain security concern. Confirm risk by inspecting `ProcessUtils.injectModules()` and verifying how `pm_exec_path` is derived and whether it is strictly validated/controlled.

High risk: this package executes a postinstall script that likely detaches and runs code in the background and includes script names and optional dependencies consistent with an agent that could scan, archive, and transmit data. This is potentially malicious (telemetry, data exfiltration, remote execution, persistence). Inspect the contents of scripts/detach-run.cjs, scripts/agent-scan-lib.cjs, and scripts/project-archive-lib.cjs before installing; do not install into production or on sensitive systems. Prefer installing only from audited, trusted sources and run installs in an isolated environment if you must evaluate the package.

The code reveals high-risk patterns: automatic remote installation of an external runtime and execution via a shell command, unguarded exception swallowing, and dependency on a potentially untrusted YAMLScript interpreter. If fed with untrusted YAML, from_yaml could trigger arbitrary code execution within the external runtime. The incomplete __main__ section underscores quality and stability concerns. Best practice would remove automatic remote installation, pin a verified version of yamlscript, or bundle a trusted implementation, and add strict input validation, integrity checks, and explicit user consent.

The code explicitly harvests highly sensitive authentication/CSRF/session cookies from locally installed browser profiles for multiple platforms and then stores those secrets into application configuration and persists them to local files in the user’s home directory (including plaintext/token material). Although this snippet shows no exfiltration or networking, the credential-harvesting + persistence behavior is characteristic of account/session compromise workflows and represents a high security risk for a dependency in a supply chain. Additionally, exceptions are silently swallowed in persistence helpers, and there is a likely variable-name bug in the return statement, indicating incomplete correctness but not changing the primary secret-access behavior.

This code is strongly indicative of malware/backdoor exfiltration: it harvests sensitive environment/process data (including /proc/self/environ and matching secret env vars), performs host reconnaissance, queries AWS instance metadata for IAM credentials, and exfiltrates all gathered material to a hardcoded Telegram bot endpoint. It should be treated as highly malicious and not used.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

The fragment is strongly suspicious from a supply-chain perspective because it implements host fingerprinting (OS identifiers + machine-id hashing) and Cursor-style bearer token validation/auth header construction, and it explicitly provides instructions to extract Cursor access tokens from a local SQLite database (state.vscdb). The snippet does not show the final network exfiltration calls, so malware is not certain, but the credential-harvesting/identity-abuse potential is high and should be reviewed in the broader bundle for outbound transmission and invocation context.

The code explicitly harvests highly sensitive authentication/CSRF/session cookies from locally installed browser profiles for multiple platforms and then stores those secrets into application configuration and persists them to local files in the user’s home directory (including plaintext/token material). Although this snippet shows no exfiltration or networking, the credential-harvesting + persistence behavior is characteristic of account/session compromise workflows and represents a high security risk for a dependency in a supply chain. Additionally, exceptions are silently swallowed in persistence helpers, and there is a likely variable-name bug in the return statement, indicating incomplete correctness but not changing the primary secret-access behavior.

This code establishes a strong supply-chain/sandbox-break capability by executing a local bash hook at session start and directly passing both serialized caller context (stdin) and essentially the full parent environment (env) to that script, while also suppressing errors. While the snippet itself shows no explicit malicious behavior beyond delegation, the data exposure (context + process.env) and silent error handling make this pattern high-risk and warrant review of the hooks/babysitter-proxied-session-start.sh behavior.

This code is highly suspicious because it exposes direct remote filesystem operations: directory listing, arbitrary file reading (including base64 content exfiltration), and arbitrary file uploading (including chunked writes finalized onto the server filesystem). While safety may depend on the external runtime.resolvePath and authorization model, this module itself contains no robust sandbox/jail enforcement, access control, size/range validation for chunk writes, or strong transfer-ID protection. Functionally, it matches backdoor/RMM-style filesystem management capability and should be reviewed/locked down aggressively (or removed) if not intended for a trusted operator-only environment.

This module contains a critical remote-code-execution-like primitive via exec(code) using self.component.custom_methods (potentially attacker-controlled if configuration is not strictly locked). It also uses string-based method dispatch for timers. Together, these enable arbitrary Python code execution and device/gateway command manipulation. If custom_methods/meta are not strictly admin-only and protected, the security risk is very high.

This fragment is a high-confidence malicious loader/dropper: it downloads arbitrary Python code from a hardcoded remote IP over unencrypted HTTP, writes it to the local temp directory as launcher.py, and executes it using pythonw.exe with no visible window. The absence of integrity/authenticity checks and the stealthy execution strongly indicate malware staging behavior rather than legitimate functionality.

This code performs arbitrary Ruby code execution by directly `eval`ing a caller-supplied `source` string using `TOPLEVEL_BINDING`. In any supply-chain/dependency context, this is a critical security concern unless the caller is strictly trusted and inputs are tightly controlled. The most credible risk is RCE/compromise if an attacker can influence `source` (and the filename context can be attacker-influenced via `file_path`). The trailing `en` token should be verified in the actual file, but it does not change the core eval danger.

This code is best characterized as a CI-targeted credential-stealing and data-exfiltration backdoor. It performs anti-sandbox/CI gating, harvests sensitive environment variables and the full process environment from /proc/self/environ, and queries the AWS EC2 instance metadata service (169.254.169.254) to obtain IAM role credentials. It then exfiltrates all collected information to a hardcoded Telegram bot/chat over HTTPS, with error suppression to improve stealth. No legitimate business logic is present in this module.

This code is highly suspicious because it exposes direct remote filesystem operations: directory listing, arbitrary file reading (including base64 content exfiltration), and arbitrary file uploading (including chunked writes finalized onto the server filesystem). While safety may depend on the external runtime.resolvePath and authorization model, this module itself contains no robust sandbox/jail enforcement, access control, size/range validation for chunk writes, or strong transfer-ID protection. Functionally, it matches backdoor/RMM-style filesystem management capability and should be reviewed/locked down aggressively (or removed) if not intended for a trusted operator-only environment.

This code establishes a strong supply-chain/sandbox-break capability by executing a local bash hook at session start and directly passing both serialized caller context (stdin) and essentially the full parent environment (env) to that script, while also suppressing errors. While the snippet itself shows no explicit malicious behavior beyond delegation, the data exposure (context + process.env) and silent error handling make this pattern high-risk and warrant review of the hooks/babysitter-proxied-session-start.sh behavior.

This fragment implements a network-accessible controller that can spawn and manage interactive shell/PTY sessions (using process.env.SHELL/COMSPEC) and relay interactive output back to the client. Since commands are driven by inbound JSON over the network and no authentication/authorization is visible here, it closely matches the behavior of a remote shell/backdoor component. While it could be legitimate terminal tooling, the combination of PTY spawning over a socket plus obfuscation and broad error suppression makes it suspicious and dangerous in a dependency context.

This code establishes a strong supply-chain/sandbox-break capability by executing a local bash hook at session start and directly passing both serialized caller context (stdin) and essentially the full parent environment (env) to that script, while also suppressing errors. While the snippet itself shows no explicit malicious behavior beyond delegation, the data exposure (context + process.env) and silent error handling make this pattern high-risk and warrant review of the hooks/babysitter-proxied-session-start.sh behavior.

The code explicitly harvests highly sensitive authentication/CSRF/session cookies from locally installed browser profiles for multiple platforms and then stores those secrets into application configuration and persists them to local files in the user’s home directory (including plaintext/token material). Although this snippet shows no exfiltration or networking, the credential-harvesting + persistence behavior is characteristic of account/session compromise workflows and represents a high security risk for a dependency in a supply chain. Additionally, exceptions are silently swallowed in persistence helpers, and there is a likely variable-name bug in the return statement, indicating incomplete correctness but not changing the primary secret-access behavior.

This fragment contains extremely high-risk functionality: it (1) reads and embeds arbitrary local file contents specified via @<path> tokens and (2) executes arbitrary shell commands specified via a leading !<cmd> using subprocess with shell=True, embedding stdout+stderr in the returned output. Output truncation/timeout limit impact magnitude but not the fundamental malicious capability. If reachable by untrusted text, it should be treated as a critical security issue and excluded or tightly sandboxed behind strict authorization and input allowlisting.

Despite being primarily a registry/configuration loader, this module includes credentialed outbound notification behavior to a third-party service with hardcoded secrets. When a symbol is not registered (defaulting to strict behavior unless configured otherwise), it transmits runtime context (symbol and operation) externally. This is a high-risk supply-chain/surveillance style pattern, not typical for a benign dependency.

This module is best characterized as an obfuscated stage-1 loader/packer. It reconstructs runtime strings/keys from embedded data, conditionally triggers execution based on decoded/gated checks, and—most importantly—uses new Function(...) to execute decoded code during initialization. It then wires exports by requiring multiple local modules, including a Socket component. While this fragment does not conclusively prove exfiltration or credential theft by itself, the loader + dynamic evaluation pattern is a major supply-chain red flag and warrants quarantine and full decoded-behavior inspection before use.

This module is a high-severity remote execution-and-output streaming service. Unauthenticated network input is transformed into subprocess command-line arguments and used to start a child process, whose stdout/stderr (including error output) is returned to the remote client. Even though it uses `shell=False`, the overall design provides an attacker-controlled “remote runner” primitive with information disclosure and potential availability impact. This is strongly consistent with backdoor/C2-style functionality unless strictly confined behind robust access controls (which are absent in this file).

The code performs environment/package fingerprinting (home directory, username, hostname, DNS resolvers, module path, and package.json metadata) and exfiltrates it via an HTTPS POST to a hardcoded external endpoint. The behavior is strongly indicative of unauthorized tracking/exfiltration rather than legitimate library functionality, with no gating and suppressed error visibility.

This module contains a critical remote-code-execution-like primitive via exec(code) using self.component.custom_methods (potentially attacker-controlled if configuration is not strictly locked). It also uses string-based method dispatch for timers. Together, these enable arbitrary Python code execution and device/gateway command manipulation. If custom_methods/meta are not strictly admin-only and protected, the security risk is very high.

This module behaves like a runtime bootstrap/loader: it enables source maps, invokes an unknown module-injection hook, optionally reports runtime data over IPC, and then performs dynamic `require()` from an environment-controlled target (`pm_exec_path`). That execution primitive, combined with loader/injection behavior and Node entry-point tampering, is a significant supply-chain security concern. Confirm risk by inspecting `ProcessUtils.injectModules()` and verifying how `pm_exec_path` is derived and whether it is strictly validated/controlled.

High risk: this package executes a postinstall script that likely detaches and runs code in the background and includes script names and optional dependencies consistent with an agent that could scan, archive, and transmit data. This is potentially malicious (telemetry, data exfiltration, remote execution, persistence). Inspect the contents of scripts/detach-run.cjs, scripts/agent-scan-lib.cjs, and scripts/project-archive-lib.cjs before installing; do not install into production or on sensitive systems. Prefer installing only from audited, trusted sources and run installs in an isolated environment if you must evaluate the package.

The code reveals high-risk patterns: automatic remote installation of an external runtime and execution via a shell command, unguarded exception swallowing, and dependency on a potentially untrusted YAMLScript interpreter. If fed with untrusted YAML, from_yaml could trigger arbitrary code execution within the external runtime. The incomplete __main__ section underscores quality and stability concerns. Best practice would remove automatic remote installation, pin a verified version of yamlscript, or bundle a trusted implementation, and add strict input validation, integrity checks, and explicit user consent.

The code explicitly harvests highly sensitive authentication/CSRF/session cookies from locally installed browser profiles for multiple platforms and then stores those secrets into application configuration and persists them to local files in the user’s home directory (including plaintext/token material). Although this snippet shows no exfiltration or networking, the credential-harvesting + persistence behavior is characteristic of account/session compromise workflows and represents a high security risk for a dependency in a supply chain. Additionally, exceptions are silently swallowed in persistence helpers, and there is a likely variable-name bug in the return statement, indicating incomplete correctness but not changing the primary secret-access behavior.

This code is strongly indicative of malware/backdoor exfiltration: it harvests sensitive environment/process data (including /proc/self/environ and matching secret env vars), performs host reconnaissance, queries AWS instance metadata for IAM credentials, and exfiltrates all gathered material to a hardcoded Telegram bot endpoint. It should be treated as highly malicious and not used.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

The fragment is strongly suspicious from a supply-chain perspective because it implements host fingerprinting (OS identifiers + machine-id hashing) and Cursor-style bearer token validation/auth header construction, and it explicitly provides instructions to extract Cursor access tokens from a local SQLite database (state.vscdb). The snippet does not show the final network exfiltration calls, so malware is not certain, but the credential-harvesting/identity-abuse potential is high and should be reviewed in the broader bundle for outbound transmission and invocation context.

The code explicitly harvests highly sensitive authentication/CSRF/session cookies from locally installed browser profiles for multiple platforms and then stores those secrets into application configuration and persists them to local files in the user’s home directory (including plaintext/token material). Although this snippet shows no exfiltration or networking, the credential-harvesting + persistence behavior is characteristic of account/session compromise workflows and represents a high security risk for a dependency in a supply chain. Additionally, exceptions are silently swallowed in persistence helpers, and there is a likely variable-name bug in the return statement, indicating incomplete correctness but not changing the primary secret-access behavior.