Secure your dependencies. Ship with confidence.

Best matching report: Report 3 (most complete and correctly identifies the disruption/uninstall pattern). The improved assessment is that this snippet is a high-impact, unguarded teardown script that deletes systemd unit definitions and application configuration, removes specific network interfaces, and stops/removes containers and persistent Docker volumes. That strongly endangers availability and data integrity in a supply-chain context, but the fragment alone does not prove credential theft/exfiltration; therefore malware intent is not certain, though security risk is very high.

The fragment demonstrates a clear data-exfiltration pattern driven by a prompt-injection-like payload. It reads channel data (including a secret), posts content to an external site, and informs a recipient via direct messaging. The presence of a hardcoded secret and explicit exfiltration steps signals malicious intent or a high-risk test vector for abuse in a real environment. This should be treated as a data-leak risk and supply-chain concern if encountered in libraries or automation tooling.

This module is high risk for software supply chain use. The synchronous request implementation executes dynamically constructed JavaScript via child_process.spawn(..., ['-e', execString]), where execString is assembled from request options and (optionally) request body—an extreme red flag for code execution/supply-chain sabotage. It also supports file:// reads via fs.readFile/fs.readFileSync, enabling potential local file disclosure if the URL can be influenced. Finally, the bundled dataset includes hardcoded private keys/secret material, creating immediate credential exposure. Overall, it should not be used without deep review, removal of embedded secrets, and eliminating the spawn(-e) design.

This module contains explicit credential-harvesting and exfiltration logic: it reads AWS credentials from ~/.aws/credentials and POSTs them to a URL controlled via the WEB_HOOK environment variable. Even though the provided snippet has syntactic mistakes that prevent direct execution as-is, the malicious pattern is obvious and trivial to fix. Treat this code as a high-severity supply-chain/backdoor risk; do not run in user environments and remove or audit any packages containing this behavior.

This module contains insecure coding patterns that create serious security vulnerabilities: (1) executing a constructed shell command with shell=True using unvalidated command-line input (command injection), and (2) using eval() on data derived from XML/JSON parsing (remote code execution risk). Additional issues: malformed/misused regexes, improper TemporaryDirectory usage, and broad exception suppression. There is no clear evidence of deliberate malware (no hardcoded exfiltration endpoints or obfuscated payloads), but the vulnerabilities allow arbitrary code execution and should be treated as high risk. Do not run this code on untrusted input or in privileged environments without sanitizing inputs, removing eval, and using subprocess safely (list args, shell=False).

Live on pypi for 2 hours and 15 minutes before removal. Socket users were protected even while the package was live.

This preinstall runs a local file named 'payload.js' during installation and intentionally suppresses failures. Without inspecting payload.js, this is a high-risk behavior: it enables arbitrary code execution during install and the filename and failure-suppression suggest likely malicious intent. Do not install or run this package until payload.js has been inspected in a safe environment.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

This code is a post-exploitation/backdoor utility intended to obtain an interactive remote shell on a target via a PHP reverse shell or by uploading/running a native reverse-server binary. It performs file upload, remote command execution, and local network binding to accept shells. The fragment contains coding errors and undefined variables, but its purpose is clearly malicious and dangerous in most contexts. Treat any package including this code as malicious/backdoor unless its inclusion is explicitly authorized for offensive security operations within a controlled environment.

[Skill Scanner] Installation of third-party script detected This skill's documented capabilities are consistent with an automated browser CLI and do not contain explicit malicious code in the provided documentation. However, several legitimate features (eval <js>, upload, arbitrary navigation, snapshot --json) are high-risk channels for data access and exfiltration if misused or if the installed package/binaries are compromised. The installation via npm/git is typical but carries standard supply-chain risk; the documentation lacks artifact verification guidance. Overall: no direct malicious indicators present in this text, but the feature set requires careful trust and operational controls when used in untrusted environments. LLM verification: The SKILL.md describes a legitimate browser automation CLI whose features explain the presence of high-privilege operations (eval, cookies/storage access, file uploads, installer downloads). I found no direct evidence of malicious code or obfuscation in the supplied document. However, the feature set and installer flow produce a moderate supply-chain and data-exfiltration risk if the package source or install artifacts are untrusted. Recommended actions: install only from verified, pinned source

The fragment is an opaque, binary/packed payload or heavily obfuscated content that cannot be reliably analyzed statically. While this alone does not prove malicious intent, it signals high risk and warrants isolation, request for a readable source or deobfuscated form, and controlled dynamic analysis to determine any harmful behavior or data leakage potential.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

The code potentially allows execution of arbitrary JavaScript code by manipulating the 'time' input to point to a malicious script. The lack of validation or sanitization of the input combined with the execution rights raises security concerns.

This module performs on-import harvesting of local developer, repository and system configuration and exfiltrates it to a hardcoded external domain via HTTPS GET requests. The behavior is characteristic of a data-exfiltration/backdoor. Treat as malicious: remove the package, audit environments where it ran, rotate any potentially exposed credentials (npm tokens, registry credentials, SSH keys if exposed via git remotes), and investigate the source and maintainer of the package. Do not allow this code in trusted builds or CI pipelines.

The script functions as a bootstrap installer that fetches a Teleport binary from a CDN, extracts it, and executes it with user-provided arguments. While common in bootstrap flows, this approach carries significant supply-chain risk due to lack of integrity verification, potential tampering of the CDN content, and execution of an external binary in the host environment. To reduce risk, add cryptographic verification (signatures/checksums), validate the artifact against a trusted manifest, constrain and sanitize teleportArgs, implement isolation (sandbox/container), and improve error handling with cleanup. Consider using pinned TLS/HTTPS, and validating the tarball contents before execution.

This source is a straightforward system DNS resolver that issues A/AAAA and TXT queries and Base64-decodes concatenated TXT responses. The implementation itself contains no process spawning, filesystem modifications, or hard-coded credentials, but it fits a known pattern used by DNS-based command-and-control channels (fetching Base64-encoded commands or payloads via TXT records). Given the header and import path tying it to the Sliver implant framework, treat this module as a likely component of a C2 implant: acceptable as a benign utility in isolation, but high-risk when present in software meant to be benign. Recommend removing or auditing all callers that consume the decoded TXT bytes; if those bytes are ever interpreted or executed, consider the package malicious and block usage.

The script sends a pingback to a remote server using the machine's hostname and IP address, which raises concerns about data exfiltration and unauthorized telemetry.

Live on npm for 25 days, 18 hours and 20 minutes before removal. Socket users were protected even while the package was live.

High security risk. This module provides multiple powerful primitives: (1) runtime download/installation of an external executable artifact, (2) execution of workflow-provided JavaScript via runInContext, (3) host command execution via PTY write of rendered commands, and (4) network proxying/tunneling (TUN/VPN-like bridging and TCP forwarding). It also uses eval-based dynamic require as a supply-chain/loader abuse primitive. No explicit credential theft is visible in the excerpt, but if an attacker can influence workflow content/commands or proxy/tunnel configuration, the impact can be severe (RCE + filesystem manipulation + network pivoting).

The code overrides grecaptcha execution to forward solve requests via postMessage and return answers via a message listener — effectively creating a bridge to an out-of-band captcha solver. The fragment itself does not make network requests, but it leaks siteKey and params to another execution context and depends on that context to produce solutions. This behavior can be benign for testing or accessibility but is high-risk in production because it can be used to bypass CAPTCHA protections and exfiltrate sensitive data depending on the cooperating component's trustworthiness. Treat occurrences of this code as suspicious: verify the script's origin (extension, injected third-party, or site-controlled) and remove or restrict it if not explicitly trusted.

This code is malicious in intent: it automates fraudulent interaction with a banking website, contains hardcoded sensitive credentials, evades automation detection, prompts an operator to supply OTPs (social-engineering), performs money transfers, and persists session state to disk for reuse. It should be treated as a tool for account takeover and financial theft. Do not run it; remove any storage_state files and investigate systems where it executed. The snippet also contains syntax errors and is incomplete, but those do not mitigate the clearly malicious purpose.

This module contains two risky items: (1) an exposed, hardcoded Google Maps API key used for client-side geocoding requests (credential leakage and abuse risk), and (2) explicit, targeted disruptive behavior for Russian-language / Russian TLD users that disables interaction and autoplays media from a third-party domain. The latter constitutes intentional sabotage/trolling and is malicious. Recommended actions: remove the geo-targeted audio and pointer-events code immediately, rotate and remove the client-side Google API key (move geocoding to a server-side proxy with proper key protections), audit repository history and contributors for deliberate malicious code insertion, and treat the package as compromised until remediation.

This script implements a supply-chain persistence/backdoor pattern: it persistently patches a Vite runtime chunk in node_modules to dynamically import and run a local module whenever Vite runs. That grants arbitrary code execution in the context of Vite and is a severe security risk. Treat this package as malicious or highly suspicious unless you can verify the injected local module and that this behavior is intentionally required and reviewed. If you encounter this in a dependency, revert the modified file, audit index.js, and remove/replace the package.

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

This Keras HDF5 model contains an embedded, encoded Lambda function that references urllib.request and an explicit remote URL 'http://attacker.com/data' and includes identifiers suggesting 'data_exfiltration'. This is a high-probability malicious artifact designed to transmit data off-host (either at load-time or at inference). Treat the artifact as hostile: do not load it in sensitive or networked environments. Decode and inspect the lambda in a sandbox if more detail is required, and remove/replace the Lambda layer before use.

Best matching report: Report 3 (most complete and correctly identifies the disruption/uninstall pattern). The improved assessment is that this snippet is a high-impact, unguarded teardown script that deletes systemd unit definitions and application configuration, removes specific network interfaces, and stops/removes containers and persistent Docker volumes. That strongly endangers availability and data integrity in a supply-chain context, but the fragment alone does not prove credential theft/exfiltration; therefore malware intent is not certain, though security risk is very high.

The fragment demonstrates a clear data-exfiltration pattern driven by a prompt-injection-like payload. It reads channel data (including a secret), posts content to an external site, and informs a recipient via direct messaging. The presence of a hardcoded secret and explicit exfiltration steps signals malicious intent or a high-risk test vector for abuse in a real environment. This should be treated as a data-leak risk and supply-chain concern if encountered in libraries or automation tooling.

This module is high risk for software supply chain use. The synchronous request implementation executes dynamically constructed JavaScript via child_process.spawn(..., ['-e', execString]), where execString is assembled from request options and (optionally) request body—an extreme red flag for code execution/supply-chain sabotage. It also supports file:// reads via fs.readFile/fs.readFileSync, enabling potential local file disclosure if the URL can be influenced. Finally, the bundled dataset includes hardcoded private keys/secret material, creating immediate credential exposure. Overall, it should not be used without deep review, removal of embedded secrets, and eliminating the spawn(-e) design.

This module contains explicit credential-harvesting and exfiltration logic: it reads AWS credentials from ~/.aws/credentials and POSTs them to a URL controlled via the WEB_HOOK environment variable. Even though the provided snippet has syntactic mistakes that prevent direct execution as-is, the malicious pattern is obvious and trivial to fix. Treat this code as a high-severity supply-chain/backdoor risk; do not run in user environments and remove or audit any packages containing this behavior.

This module contains insecure coding patterns that create serious security vulnerabilities: (1) executing a constructed shell command with shell=True using unvalidated command-line input (command injection), and (2) using eval() on data derived from XML/JSON parsing (remote code execution risk). Additional issues: malformed/misused regexes, improper TemporaryDirectory usage, and broad exception suppression. There is no clear evidence of deliberate malware (no hardcoded exfiltration endpoints or obfuscated payloads), but the vulnerabilities allow arbitrary code execution and should be treated as high risk. Do not run this code on untrusted input or in privileged environments without sanitizing inputs, removing eval, and using subprocess safely (list args, shell=False).

Live on pypi for 2 hours and 15 minutes before removal. Socket users were protected even while the package was live.

This preinstall runs a local file named 'payload.js' during installation and intentionally suppresses failures. Without inspecting payload.js, this is a high-risk behavior: it enables arbitrary code execution during install and the filename and failure-suppression suggest likely malicious intent. Do not install or run this package until payload.js has been inspected in a safe environment.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

This code is a post-exploitation/backdoor utility intended to obtain an interactive remote shell on a target via a PHP reverse shell or by uploading/running a native reverse-server binary. It performs file upload, remote command execution, and local network binding to accept shells. The fragment contains coding errors and undefined variables, but its purpose is clearly malicious and dangerous in most contexts. Treat any package including this code as malicious/backdoor unless its inclusion is explicitly authorized for offensive security operations within a controlled environment.

[Skill Scanner] Installation of third-party script detected This skill's documented capabilities are consistent with an automated browser CLI and do not contain explicit malicious code in the provided documentation. However, several legitimate features (eval <js>, upload, arbitrary navigation, snapshot --json) are high-risk channels for data access and exfiltration if misused or if the installed package/binaries are compromised. The installation via npm/git is typical but carries standard supply-chain risk; the documentation lacks artifact verification guidance. Overall: no direct malicious indicators present in this text, but the feature set requires careful trust and operational controls when used in untrusted environments. LLM verification: The SKILL.md describes a legitimate browser automation CLI whose features explain the presence of high-privilege operations (eval, cookies/storage access, file uploads, installer downloads). I found no direct evidence of malicious code or obfuscation in the supplied document. However, the feature set and installer flow produce a moderate supply-chain and data-exfiltration risk if the package source or install artifacts are untrusted. Recommended actions: install only from verified, pinned source

The fragment is an opaque, binary/packed payload or heavily obfuscated content that cannot be reliably analyzed statically. While this alone does not prove malicious intent, it signals high risk and warrants isolation, request for a readable source or deobfuscated form, and controlled dynamic analysis to determine any harmful behavior or data leakage potential.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

The code potentially allows execution of arbitrary JavaScript code by manipulating the 'time' input to point to a malicious script. The lack of validation or sanitization of the input combined with the execution rights raises security concerns.

This module performs on-import harvesting of local developer, repository and system configuration and exfiltrates it to a hardcoded external domain via HTTPS GET requests. The behavior is characteristic of a data-exfiltration/backdoor. Treat as malicious: remove the package, audit environments where it ran, rotate any potentially exposed credentials (npm tokens, registry credentials, SSH keys if exposed via git remotes), and investigate the source and maintainer of the package. Do not allow this code in trusted builds or CI pipelines.

The script functions as a bootstrap installer that fetches a Teleport binary from a CDN, extracts it, and executes it with user-provided arguments. While common in bootstrap flows, this approach carries significant supply-chain risk due to lack of integrity verification, potential tampering of the CDN content, and execution of an external binary in the host environment. To reduce risk, add cryptographic verification (signatures/checksums), validate the artifact against a trusted manifest, constrain and sanitize teleportArgs, implement isolation (sandbox/container), and improve error handling with cleanup. Consider using pinned TLS/HTTPS, and validating the tarball contents before execution.

This source is a straightforward system DNS resolver that issues A/AAAA and TXT queries and Base64-decodes concatenated TXT responses. The implementation itself contains no process spawning, filesystem modifications, or hard-coded credentials, but it fits a known pattern used by DNS-based command-and-control channels (fetching Base64-encoded commands or payloads via TXT records). Given the header and import path tying it to the Sliver implant framework, treat this module as a likely component of a C2 implant: acceptable as a benign utility in isolation, but high-risk when present in software meant to be benign. Recommend removing or auditing all callers that consume the decoded TXT bytes; if those bytes are ever interpreted or executed, consider the package malicious and block usage.

The script sends a pingback to a remote server using the machine's hostname and IP address, which raises concerns about data exfiltration and unauthorized telemetry.

Live on npm for 25 days, 18 hours and 20 minutes before removal. Socket users were protected even while the package was live.

High security risk. This module provides multiple powerful primitives: (1) runtime download/installation of an external executable artifact, (2) execution of workflow-provided JavaScript via runInContext, (3) host command execution via PTY write of rendered commands, and (4) network proxying/tunneling (TUN/VPN-like bridging and TCP forwarding). It also uses eval-based dynamic require as a supply-chain/loader abuse primitive. No explicit credential theft is visible in the excerpt, but if an attacker can influence workflow content/commands or proxy/tunnel configuration, the impact can be severe (RCE + filesystem manipulation + network pivoting).

The code overrides grecaptcha execution to forward solve requests via postMessage and return answers via a message listener — effectively creating a bridge to an out-of-band captcha solver. The fragment itself does not make network requests, but it leaks siteKey and params to another execution context and depends on that context to produce solutions. This behavior can be benign for testing or accessibility but is high-risk in production because it can be used to bypass CAPTCHA protections and exfiltrate sensitive data depending on the cooperating component's trustworthiness. Treat occurrences of this code as suspicious: verify the script's origin (extension, injected third-party, or site-controlled) and remove or restrict it if not explicitly trusted.

This code is malicious in intent: it automates fraudulent interaction with a banking website, contains hardcoded sensitive credentials, evades automation detection, prompts an operator to supply OTPs (social-engineering), performs money transfers, and persists session state to disk for reuse. It should be treated as a tool for account takeover and financial theft. Do not run it; remove any storage_state files and investigate systems where it executed. The snippet also contains syntax errors and is incomplete, but those do not mitigate the clearly malicious purpose.

This module contains two risky items: (1) an exposed, hardcoded Google Maps API key used for client-side geocoding requests (credential leakage and abuse risk), and (2) explicit, targeted disruptive behavior for Russian-language / Russian TLD users that disables interaction and autoplays media from a third-party domain. The latter constitutes intentional sabotage/trolling and is malicious. Recommended actions: remove the geo-targeted audio and pointer-events code immediately, rotate and remove the client-side Google API key (move geocoding to a server-side proxy with proper key protections), audit repository history and contributors for deliberate malicious code insertion, and treat the package as compromised until remediation.

This script implements a supply-chain persistence/backdoor pattern: it persistently patches a Vite runtime chunk in node_modules to dynamically import and run a local module whenever Vite runs. That grants arbitrary code execution in the context of Vite and is a severe security risk. Treat this package as malicious or highly suspicious unless you can verify the injected local module and that this behavior is intentionally required and reviewed. If you encounter this in a dependency, revert the modified file, audit index.js, and remove/replace the package.

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

This Keras HDF5 model contains an embedded, encoded Lambda function that references urllib.request and an explicit remote URL 'http://attacker.com/data' and includes identifiers suggesting 'data_exfiltration'. This is a high-probability malicious artifact designed to transmit data off-host (either at load-time or at inference). Treat the artifact as hostile: do not load it in sensitive or networked environments. Decode and inspect the lambda in a sandbox if more detail is required, and remove/replace the Lambda layer before use.