Secure your dependencies. Ship with confidence.

This module strongly resembles a self-contained hook installer/configurator that downloads and deploys an executable Python hook from an external ZIP source, modifies its contents, installs a related Python package, and writes settings to auto-run the hook via a command under ~/.claude. The presence of hardcoded fallback secret keys further increases severity. While it may be intended for Langfuse integration, the implementation pattern is indistinguishable from a supply-chain-based code execution bootstrap, so it should be reviewed and treated as high risk.

This module is a login component but it embeds hardcoded superadmin secrets and performs additional out-of-band token acquisition from a hardcoded external IP over plain HTTP. It persists the resulting tokens in sessionStorage ('loginToken' and 'magicToken') and uses them as part of the authenticated initialization flow. These behaviors are highly anomalous for a legitimate client-side login UI and are consistent with backdoor/trust-bootstrap or credential-based unauthorized access. Immediate remediation should include removing embedded secrets, eliminating the external HTTP token path, and moving all privileged authentication/token bootstrap logic server-side with proper authorization and transport security.

This module contains a high-risk supply-chain/runtime-loader pattern: it establishes WebSocket connections and executes received message content via eval(e.data). It also falls back to injecting remote scripts into the page (document.head). While the broader code is oriented around Lodop printing, the eval-from-network behavior is consistent with malicious loader capability (remote code execution) and should be treated as a serious security concern pending verification of the exact endpoints (URL_WS*/URL_HTTP*) and whether the payload is integrity-protected/signed.

This code fragment is strongly oriented toward persistence: it injects a marker-delimited block into user shell startup files to auto-start a background “mneme” daemon on login (with a process check and suppressed output), and it also participates in cron persistence removal (and likely installation elsewhere). No exfiltration or credential theft is visible, but the persistence + stealthy auto-restart pattern is a high-risk supply-chain signal and warrants review of input validation (nodePath/mnemeBin), marker definitions, and the broader daemon behavior to confirm legitimacy.

This module is a security-relevant manipulator rather than a passive tester: it reads a sensitive token from disk, injects it into an authentication cookie and auth-like browser storage, and actively falsifies or suppresses key API responses (status/messages/tasks) to control what the web app believes. Even though it targets localhost and does not show external exfiltration, the combination of credential handling and intentional response tampering presents a high security risk and warrants careful review of distribution/use context and intended trust boundaries.

High-risk supply-chain/sabotage concern. This module generates and executes a large opaque bash script inside a Docker container (Entrypoint/Cmd with shell -c), and the visible script behavior includes credential/profile/auth-like dotfile operations and explicit handling of AI/provider API key environment variables. Coupled with interactive proxy/shell capabilities and additional Docker exec output handling, the fragment strongly warrants immediate manual inspection of the full unobfuscated code and the helper-returned script templates for any exfiltration or backdoor behavior. The snippet is truncated, so exact outbound destinations are not provable here, but the risk signals are substantial.

This module is extremely high-risk: it exposes an unauthenticated TCP command dispatcher that directly executes attacker-supplied Python code via exec/eval, can inject attacker-controlled modules into sys.modules, and can capture and return stdout/stderr to the client. Even though the default bind host is loopback, the capability is clearly a backdoor/RCE-style dispatcher whenever reachable, and the error/traceback handling and output capture further enable information theft and iterative exploitation.

No classic malware indicators (no external network exfiltration, persistence, or remote execution) are evident in this snippet. However, the code is strongly suspicious/high-risk because it reads a local authentication token from disk, injects it into an auth cookie and client storage, and then actively tampers with internal API responses—spoofing hub status/sessions and forcing messages/tasks to empty—capable of misleading users and disrupting operational workflows even when run against a local target.

High-risk suspicious behavior. The module provides an explicit “Javascript Injection” feature that dispatches arbitrary user-supplied code for in-page execution ('eval' step), plus captcha solving/bypass configuration (including API key headers) and stealth/humanize functionality. It also records actions for later replay (navigation, clicks, scraping, downloads/uploads) and intercepts global events. Even without seeing the replay/execution implementation, the capabilities shown here are consistent with malicious automation and in-page code execution. Recommend blocking/reviewing and auditing the rest of the package (especially the dispatch/replay handlers and any network code).

This code is security-relevant and likely intended for targeted manipulation of a local dashboard: it reads a sensitive token from an absolute path, injects it into an authentication cookie/storage to gain access, and then actively intercepts and forges hub status responses while blanking messages and tasks. Even though it runs against localhost and does not visibly exfiltrate data, the combination of credential use and API response tampering is consistent with sabotage/integrity attacks rather than benign testing.

This code is primarily an integration-style UI probe, but it is security-sensitive: it reads a real auth token from a hardcoded local path, injects it into an authentication cookie for localhost, and performs active response tampering for hub/status/messages/tasks using wildcard route interception (including forcing messages/tasks to empty). While it does not show classic malware/exfiltration behaviors, the credential handling plus backend-response manipulation makes it a notable supply-chain risk and should be gated to trusted test environments and redesigned to avoid reading real tokens from disk.

High security risk. This module implements an arbitrary code execution engine in the browser (multiple new Function execution paths for project-provided expressions and rawFunctions) and directly injects remote/configured HTML into the DOM via dangerouslySetInnerHTML, plus it injects remote-generated CSS. If an attacker can influence the project configuration/rawFunctions/HTML (e.g., compromised backend/CDN or supply-chain tampering), this becomes equivalent to a client-side backdoor with access to API controllers and application context. Immediate review is warranted: enforce strict integrity/allowlisting for rawFunctions and HTML inputs, remove/replace dynamic execution where possible, and add sanitization/CSP protections.

This module implements an end-to-end local-to-remote data exfiltration workflow: it can perform broad full-PC scanning by default, explicitly includes secret-prone .env files, reads matched file contents, and uploads them as JSON to a configurable server endpoint with operator-injected HTTP headers and host fingerprinting. While the network and file-handling details are in helper modules, the data flow and intent shown here are highly consistent with malicious collection/exfiltration rather than legitimate functionality. Review the referenced ../lib/* implementations and verify distribution/maintainer intent before any use.

This module is effectively an abuse-ready remote control surface: it exposes direct arbitrary shell command execution (shell=True), arbitrary Python execution (python -c), arbitrary script execution by path, and unrestricted filesystem read/write/create/delete operations through API-accessible MCP tools with no apparent safety controls. Even without explicit malicious payloads in this snippet, the design is consistent with backdoor/remote administration functionality and would be critical to restrict, sandbox, or remove before use.

This module is a full CPU cryptomining client (Stratum subscription/authorization, continuous nonce scanning, and mining.submit share submission). From a supply-chain perspective, it presents a high likelihood of malicious/unwanted behavior when embedded in non-mining software due to sustained resource abuse and network communications to external mining infrastructure. Within this snippet, there is no clear evidence of stealth, credential theft, persistence, reverse shells, or arbitrary data exfiltration beyond sending mining protocol messages and polling pool status; the primary risk is the explicit mining workflow and its operational impact, plus a minor supply-chain surface via the optional mining.template_block import.

This file is a headless browser automation/probing script that uses a locally stored secret token to impersonate an authenticated dashboard session, then actively tampers with internal hub API responses (overwriting sessions and forcibly emptying messages/tasks) before probing UI rendering attributes. Even though it targets localhost and shows no external network exfiltration in this snippet, the deliberate credential reuse and in-flight response suppression constitutes a high-risk integrity manipulation pattern consistent with unauthorized interference rather than purely benign testing.

This module is a clear remote code execution/dropper pattern: it fetches a payload from a remote endpoint and executes response.data.Cookie as JavaScript via new Function, while granting the payload direct require access. The presence of secret-like request headers and stealth-oriented console handling further increases the likelihood of malicious intent. This should be treated as highly dangerous and not used without rigorous containment and verification.

This module contains high-risk functionality consistent with a backdoor/debug agent: it exposes a socket endpoint that executes attacker-supplied JavaScript (debug:eval via new Function) and forwards server-provided commands to a Chrome extension (worker:exec via chrome.runtime.sendMessage). It also provides multiple endpoints to exfiltrate DOM content, logs, and screenshots, and it collects user email for server registration. While it may be intended for legitimate debugging in a controlled environment, from a supply-chain security standpoint the capabilities are powerful enough to materially increase compromise impact.

This module is a Playwright automation harness that elevates from UI/CSS probing into authenticated application manipulation by (1) loading a secret token from a hardcoded local path and embedding it into an auth cookie, (2) injecting client-side storage flags, and most importantly (3) intercepting and replacing hub API responses—fabricating status/session data and forcing messages/tasks to empty arrays. That combination strongly indicates intentional integrity-impacting tampering/bypass rather than benign observation. No external network exfiltration is evident in the provided fragment, but the integrity/availability risk to the targeted application environment is substantial.

High security risk with strong malicious-pattern indicators: the bundle contains hardcoded appSecret/appId credentials used to obtain access tokens, and it spawns a SharedWorker from an inline Blob that implements a WebSocket relay/forwarding bridge. The code forwards server-controlled messages to connected UI component ports and persists tokens in localStorage, making it a likely candidate for data exfiltration or command/behavior manipulation. This module should not be used as-is without verifying provenance, removing hardcoded secrets, and restricting/validating the worker relay behavior.

High-risk behavior: this installer downloads remote hook Python scripts, saves them as executable files, and registers IDE event hooks that execute them automatically (direct remote-to-local execution/persistence pathway). It also writes Bearer tokens into multiple local configuration files and sends a heartbeat with hostname/client kinds to the remote base_url. This strongly warrants deeper review of the downloaded hook scripts and the server endpoints (integrity/signing/pinning), as this module can facilitate supply-chain/backdoor execution depending on server behavior. Malware confidence is not maximal because intent cannot be proven from this file alone, but the mechanism is consistent with malicious sabotage/backdoor patterns.

This code is highly suspicious for supply-chain security purposes: it reads a sensitive local authentication token, injects it into browser cookies to authenticate to a local service, and then actively tampers with internal API responses—spoofing hub status sessions and wiping hub messages/tasks. Even though it appears to be run against localhost and does not show outward exfiltration in this snippet, the functional tampering behavior is consistent with sabotage/unauthorized state manipulation. Treat the dependency/script as unsafe and isolate/review it; rotate any tokens that may have been exposed.

This module is a full CPU cryptomining client (Stratum subscription/authorization, continuous nonce scanning, and mining.submit share submission). From a supply-chain perspective, it presents a high likelihood of malicious/unwanted behavior when embedded in non-mining software due to sustained resource abuse and network communications to external mining infrastructure. Within this snippet, there is no clear evidence of stealth, credential theft, persistence, reverse shells, or arbitrary data exfiltration beyond sending mining protocol messages and polling pool status; the primary risk is the explicit mining workflow and its operational impact, plus a minor supply-chain surface via the optional mining.template_block import.

This code is primarily an integration-style UI probe, but it is security-sensitive: it reads a real auth token from a hardcoded local path, injects it into an authentication cookie for localhost, and performs active response tampering for hub/status/messages/tasks using wildcard route interception (including forcing messages/tasks to empty). While it does not show classic malware/exfiltration behaviors, the credential handling plus backend-response manipulation makes it a notable supply-chain risk and should be gated to trusted test environments and redesigned to avoid reading real tokens from disk.

High-risk behavior: this installer downloads remote hook Python scripts, saves them as executable files, and registers IDE event hooks that execute them automatically (direct remote-to-local execution/persistence pathway). It also writes Bearer tokens into multiple local configuration files and sends a heartbeat with hostname/client kinds to the remote base_url. This strongly warrants deeper review of the downloaded hook scripts and the server endpoints (integrity/signing/pinning), as this module can facilitate supply-chain/backdoor execution depending on server behavior. Malware confidence is not maximal because intent cannot be proven from this file alone, but the mechanism is consistent with malicious sabotage/backdoor patterns.

This module strongly resembles a self-contained hook installer/configurator that downloads and deploys an executable Python hook from an external ZIP source, modifies its contents, installs a related Python package, and writes settings to auto-run the hook via a command under ~/.claude. The presence of hardcoded fallback secret keys further increases severity. While it may be intended for Langfuse integration, the implementation pattern is indistinguishable from a supply-chain-based code execution bootstrap, so it should be reviewed and treated as high risk.

This module is a login component but it embeds hardcoded superadmin secrets and performs additional out-of-band token acquisition from a hardcoded external IP over plain HTTP. It persists the resulting tokens in sessionStorage ('loginToken' and 'magicToken') and uses them as part of the authenticated initialization flow. These behaviors are highly anomalous for a legitimate client-side login UI and are consistent with backdoor/trust-bootstrap or credential-based unauthorized access. Immediate remediation should include removing embedded secrets, eliminating the external HTTP token path, and moving all privileged authentication/token bootstrap logic server-side with proper authorization and transport security.

This module contains a high-risk supply-chain/runtime-loader pattern: it establishes WebSocket connections and executes received message content via eval(e.data). It also falls back to injecting remote scripts into the page (document.head). While the broader code is oriented around Lodop printing, the eval-from-network behavior is consistent with malicious loader capability (remote code execution) and should be treated as a serious security concern pending verification of the exact endpoints (URL_WS*/URL_HTTP*) and whether the payload is integrity-protected/signed.

This code fragment is strongly oriented toward persistence: it injects a marker-delimited block into user shell startup files to auto-start a background “mneme” daemon on login (with a process check and suppressed output), and it also participates in cron persistence removal (and likely installation elsewhere). No exfiltration or credential theft is visible, but the persistence + stealthy auto-restart pattern is a high-risk supply-chain signal and warrants review of input validation (nodePath/mnemeBin), marker definitions, and the broader daemon behavior to confirm legitimacy.

This module is a security-relevant manipulator rather than a passive tester: it reads a sensitive token from disk, injects it into an authentication cookie and auth-like browser storage, and actively falsifies or suppresses key API responses (status/messages/tasks) to control what the web app believes. Even though it targets localhost and does not show external exfiltration, the combination of credential handling and intentional response tampering presents a high security risk and warrants careful review of distribution/use context and intended trust boundaries.

High-risk supply-chain/sabotage concern. This module generates and executes a large opaque bash script inside a Docker container (Entrypoint/Cmd with shell -c), and the visible script behavior includes credential/profile/auth-like dotfile operations and explicit handling of AI/provider API key environment variables. Coupled with interactive proxy/shell capabilities and additional Docker exec output handling, the fragment strongly warrants immediate manual inspection of the full unobfuscated code and the helper-returned script templates for any exfiltration or backdoor behavior. The snippet is truncated, so exact outbound destinations are not provable here, but the risk signals are substantial.

This module is extremely high-risk: it exposes an unauthenticated TCP command dispatcher that directly executes attacker-supplied Python code via exec/eval, can inject attacker-controlled modules into sys.modules, and can capture and return stdout/stderr to the client. Even though the default bind host is loopback, the capability is clearly a backdoor/RCE-style dispatcher whenever reachable, and the error/traceback handling and output capture further enable information theft and iterative exploitation.

No classic malware indicators (no external network exfiltration, persistence, or remote execution) are evident in this snippet. However, the code is strongly suspicious/high-risk because it reads a local authentication token from disk, injects it into an auth cookie and client storage, and then actively tampers with internal API responses—spoofing hub status/sessions and forcing messages/tasks to empty—capable of misleading users and disrupting operational workflows even when run against a local target.

High-risk suspicious behavior. The module provides an explicit “Javascript Injection” feature that dispatches arbitrary user-supplied code for in-page execution ('eval' step), plus captcha solving/bypass configuration (including API key headers) and stealth/humanize functionality. It also records actions for later replay (navigation, clicks, scraping, downloads/uploads) and intercepts global events. Even without seeing the replay/execution implementation, the capabilities shown here are consistent with malicious automation and in-page code execution. Recommend blocking/reviewing and auditing the rest of the package (especially the dispatch/replay handlers and any network code).

This code is security-relevant and likely intended for targeted manipulation of a local dashboard: it reads a sensitive token from an absolute path, injects it into an authentication cookie/storage to gain access, and then actively intercepts and forges hub status responses while blanking messages and tasks. Even though it runs against localhost and does not visibly exfiltrate data, the combination of credential use and API response tampering is consistent with sabotage/integrity attacks rather than benign testing.

This code is primarily an integration-style UI probe, but it is security-sensitive: it reads a real auth token from a hardcoded local path, injects it into an authentication cookie for localhost, and performs active response tampering for hub/status/messages/tasks using wildcard route interception (including forcing messages/tasks to empty). While it does not show classic malware/exfiltration behaviors, the credential handling plus backend-response manipulation makes it a notable supply-chain risk and should be gated to trusted test environments and redesigned to avoid reading real tokens from disk.

High security risk. This module implements an arbitrary code execution engine in the browser (multiple new Function execution paths for project-provided expressions and rawFunctions) and directly injects remote/configured HTML into the DOM via dangerouslySetInnerHTML, plus it injects remote-generated CSS. If an attacker can influence the project configuration/rawFunctions/HTML (e.g., compromised backend/CDN or supply-chain tampering), this becomes equivalent to a client-side backdoor with access to API controllers and application context. Immediate review is warranted: enforce strict integrity/allowlisting for rawFunctions and HTML inputs, remove/replace dynamic execution where possible, and add sanitization/CSP protections.

This module implements an end-to-end local-to-remote data exfiltration workflow: it can perform broad full-PC scanning by default, explicitly includes secret-prone .env files, reads matched file contents, and uploads them as JSON to a configurable server endpoint with operator-injected HTTP headers and host fingerprinting. While the network and file-handling details are in helper modules, the data flow and intent shown here are highly consistent with malicious collection/exfiltration rather than legitimate functionality. Review the referenced ../lib/* implementations and verify distribution/maintainer intent before any use.

This module is effectively an abuse-ready remote control surface: it exposes direct arbitrary shell command execution (shell=True), arbitrary Python execution (python -c), arbitrary script execution by path, and unrestricted filesystem read/write/create/delete operations through API-accessible MCP tools with no apparent safety controls. Even without explicit malicious payloads in this snippet, the design is consistent with backdoor/remote administration functionality and would be critical to restrict, sandbox, or remove before use.

This module is a full CPU cryptomining client (Stratum subscription/authorization, continuous nonce scanning, and mining.submit share submission). From a supply-chain perspective, it presents a high likelihood of malicious/unwanted behavior when embedded in non-mining software due to sustained resource abuse and network communications to external mining infrastructure. Within this snippet, there is no clear evidence of stealth, credential theft, persistence, reverse shells, or arbitrary data exfiltration beyond sending mining protocol messages and polling pool status; the primary risk is the explicit mining workflow and its operational impact, plus a minor supply-chain surface via the optional mining.template_block import.

This file is a headless browser automation/probing script that uses a locally stored secret token to impersonate an authenticated dashboard session, then actively tampers with internal hub API responses (overwriting sessions and forcibly emptying messages/tasks) before probing UI rendering attributes. Even though it targets localhost and shows no external network exfiltration in this snippet, the deliberate credential reuse and in-flight response suppression constitutes a high-risk integrity manipulation pattern consistent with unauthorized interference rather than purely benign testing.

This module is a clear remote code execution/dropper pattern: it fetches a payload from a remote endpoint and executes response.data.Cookie as JavaScript via new Function, while granting the payload direct require access. The presence of secret-like request headers and stealth-oriented console handling further increases the likelihood of malicious intent. This should be treated as highly dangerous and not used without rigorous containment and verification.

This module contains high-risk functionality consistent with a backdoor/debug agent: it exposes a socket endpoint that executes attacker-supplied JavaScript (debug:eval via new Function) and forwards server-provided commands to a Chrome extension (worker:exec via chrome.runtime.sendMessage). It also provides multiple endpoints to exfiltrate DOM content, logs, and screenshots, and it collects user email for server registration. While it may be intended for legitimate debugging in a controlled environment, from a supply-chain security standpoint the capabilities are powerful enough to materially increase compromise impact.

This module is a Playwright automation harness that elevates from UI/CSS probing into authenticated application manipulation by (1) loading a secret token from a hardcoded local path and embedding it into an auth cookie, (2) injecting client-side storage flags, and most importantly (3) intercepting and replacing hub API responses—fabricating status/session data and forcing messages/tasks to empty arrays. That combination strongly indicates intentional integrity-impacting tampering/bypass rather than benign observation. No external network exfiltration is evident in the provided fragment, but the integrity/availability risk to the targeted application environment is substantial.

High security risk with strong malicious-pattern indicators: the bundle contains hardcoded appSecret/appId credentials used to obtain access tokens, and it spawns a SharedWorker from an inline Blob that implements a WebSocket relay/forwarding bridge. The code forwards server-controlled messages to connected UI component ports and persists tokens in localStorage, making it a likely candidate for data exfiltration or command/behavior manipulation. This module should not be used as-is without verifying provenance, removing hardcoded secrets, and restricting/validating the worker relay behavior.

High-risk behavior: this installer downloads remote hook Python scripts, saves them as executable files, and registers IDE event hooks that execute them automatically (direct remote-to-local execution/persistence pathway). It also writes Bearer tokens into multiple local configuration files and sends a heartbeat with hostname/client kinds to the remote base_url. This strongly warrants deeper review of the downloaded hook scripts and the server endpoints (integrity/signing/pinning), as this module can facilitate supply-chain/backdoor execution depending on server behavior. Malware confidence is not maximal because intent cannot be proven from this file alone, but the mechanism is consistent with malicious sabotage/backdoor patterns.

This code is highly suspicious for supply-chain security purposes: it reads a sensitive local authentication token, injects it into browser cookies to authenticate to a local service, and then actively tampers with internal API responses—spoofing hub status sessions and wiping hub messages/tasks. Even though it appears to be run against localhost and does not show outward exfiltration in this snippet, the functional tampering behavior is consistent with sabotage/unauthorized state manipulation. Treat the dependency/script as unsafe and isolate/review it; rotate any tokens that may have been exposed.

This module is a full CPU cryptomining client (Stratum subscription/authorization, continuous nonce scanning, and mining.submit share submission). From a supply-chain perspective, it presents a high likelihood of malicious/unwanted behavior when embedded in non-mining software due to sustained resource abuse and network communications to external mining infrastructure. Within this snippet, there is no clear evidence of stealth, credential theft, persistence, reverse shells, or arbitrary data exfiltration beyond sending mining protocol messages and polling pool status; the primary risk is the explicit mining workflow and its operational impact, plus a minor supply-chain surface via the optional mining.template_block import.

This code is primarily an integration-style UI probe, but it is security-sensitive: it reads a real auth token from a hardcoded local path, injects it into an authentication cookie for localhost, and performs active response tampering for hub/status/messages/tasks using wildcard route interception (including forcing messages/tasks to empty). While it does not show classic malware/exfiltration behaviors, the credential handling plus backend-response manipulation makes it a notable supply-chain risk and should be gated to trusted test environments and redesigned to avoid reading real tokens from disk.

High-risk behavior: this installer downloads remote hook Python scripts, saves them as executable files, and registers IDE event hooks that execute them automatically (direct remote-to-local execution/persistence pathway). It also writes Bearer tokens into multiple local configuration files and sends a heartbeat with hostname/client kinds to the remote base_url. This strongly warrants deeper review of the downloaded hook scripts and the server endpoints (integrity/signing/pinning), as this module can facilitate supply-chain/backdoor execution depending on server behavior. Malware confidence is not maximal because intent cannot be proven from this file alone, but the mechanism is consistent with malicious sabotage/backdoor patterns.