Secure your dependencies. Ship with confidence.

This assembly contains a highly obfuscated runtime/loader that reads encrypted embedded data, decrypts it with a hardcoded key/IV, allocates and writes native memory, changes memory protections, and executes code in-memory (and provides WriteProcessMemory/OpenProcess wrappers). It also contains anti-tamper/time-limited checks. These behaviors are consistent with a loader/backdoor capable of running arbitrary payloads in process or injecting into other processes. This is highly suspicious and likely malicious; it should not be used in production and warrants removal and incident response.

The code is highly suspicious due to its obfuscated nature and the exfiltration of system information to an external domain using network requests. This behavior is consistent with malware trying to steal system data.

Live on npm for 1 hour and 18 minutes before removal. Socket users were protected even while the package was live.

The code contains potential security risks such as hard-coded file paths, subprocess.Popen usage, and the handling of untrusted data through PyArrow Plasma. It is essential to review and address these security concerns before using this code in a production environment.

The code is designed to exfiltrate sensitive system information (hostname, username, current working directory, and network interfaces) to an external server (pingb.in). This behavior is indicative of malicious activity, specifically data exfiltration. The code is not heavily obfuscated but uses base64 encoding to mildly obfuscate the data. The risk posed by this code is high due to the nature of the exfiltrated information.

Live on npm for 48 minutes before removal. Socket users were protected even while the package was live.

This file decodes a base64-encoded payload (using three layers of decoding) and executes the result via exec, a common pattern for obfuscating and delivering malicious code. The obfuscation and lack of transparency in the decoded payload pose a heightened risk of arbitrary code execution, data theft, or system compromise. Users should treat this file as potentially malicious and avoid running the decoded script.

This module presents a high-severity supply-chain/runtime risk: it accepts command text via a model and executes it with subprocess.run(shell=True). If Command.command can be set from untrusted sources, the code enables remote code execution. The validation step uses an opsmate.dino-decorated async function that likely sends the command string to an external service, introducing possible data leakage. The file contains multiple logic/implementation bugs (incorrect return types, malformed templates) but these do not mitigate the primary security issue. Recommendations: do not instantiate/execute Command objects with untrusted input; remove or strictly sandbox subprocess usage (avoid shell=True, use shlex.split or direct args and restrict allowed commands); remove or audit any external-service decorator usage that transmits sensitive strings; fix type/logic bugs and complete templates before production. No clear signs of intentional malware were found, but the RCE and data-exfiltration risks are substantial.

This module contains functionality that intentionally executes Python config files and uses yaml.unsafe_load, and it patches the import mechanism to support relative importing of such config files. Those behaviors are high-risk for code execution if the config files or override strings are untrusted, but there is no evidence in this fragment of an intentional malicious backdoor, exfiltration, or obfuscation. The biggest security concern is the use of exec/unsafe_load/eval which are legitimate for this tool but should be considered dangerous in supply-chain or untrusted-file scenarios.

This module implements powerful remote management capabilities that allow arbitrary Python code execution and arbitrary subprocess execution based on JSON sent to the server. In an unsecured/default configuration (token not set, host 0.0.0.0), it effectively acts as a remote backdoor and poses a high security risk. If deployed intentionally for admin purposes, it must be secured (authentication, network restrictions, sandboxing). Treat as dangerous if encountered in dependencies without strong access controls.

The script seems to be part of a spamming operation and uses bad security practices, such as hardcoding paths and credentials. Therefore, it's a potential security risk.

Live on npm for 42 minutes before removal. Socket users were protected even while the package was live.

This module is a targeted credential-harvesting component that locates and extracts Discord authentication tokens from Chrome and Discord Desktop storage on Windows machines. It uses multiple methods (raw file scanning, direct LevelDB access, and OS-level copying) combined with validation heuristics to identify likely tokens. While it does not itself exfiltrate data over the network, it returns sensitive tokens to the caller and therefore is highly dangerous if used by malicious code. Treat tokens discovered by or accessible to this module as compromised. Avoid including or executing this module in trusted environments.

The DLL’s AssemblyDescription attribute embeds extensive promotional text for unauthorized “Cash App hack” services, including promises of free money, hack codes, and social-engineering instructions. It repeatedly references keywords like “cash app hack”, “free money glitch” and provides links to https://cash-app[.]live—an imitation of the official Cash App site. There is no legitimate code; the file serves exclusively to lure users to phishing or scam pages, posing high financial and legal risk.

The code implements a reverse shell, which is a severe security risk as it allows remote control over the system. This is indicative of malicious behavior and should be addressed immediately.

Live on PyPI for 1 hour and 5 minutes before removal. Socket users were protected even while the package was live.

The examined fragment implements a TLS server certificate verifier that unconditionally trusts any server certificate and signatures, effectively bypassing TLS verification. This constitutes a high-severity supply-chain risk and a potential backdoor that could enable MITM and data compromise if integrated into a client. Removal of the bypass, use of strict certificate validation, or gating behind an explicit, reviewed feature flag is essential for safe usage.

This code is high risk. It introduces an immediate arbitrary code execution vector by calling eval on data returned from parseFileWith without any visible validation, sandboxing, or integrity checks. The fragment does not itself include a malicious payload, but it enables RCE if the file contents are attacker-controlled (supply-chain compromise, local file tampering, or hostile caller). Recommend removing eval, restricting execution to a safe runtime/sandbox, or verifying file integrity and provenance before execution.

This script is designed to exfiltrate data by sending system information to a remote server during the preinstall, install, and postinstall phases. This behavior is highly suspicious and indicative of malware.

Live on npm for 2 hours and 19 minutes before removal. Socket users were protected even while the package was live.

This code contains multiple high-risk, malicious behaviors: explicit credential harvesting and exfiltration to a hardcoded Telegram channel, remote code execution by automatically installing and loading plugins (including those downloaded from Telegram), and a backdoor that triggers mass bans and spam when the bot UID matches a specific value (1100231654). It executes arbitrary external code via git/pip and dynamic loaders without verification. Do not run or deploy this code in production; treat it as malicious and remove or sanitize the exfiltration and dynamic execution behaviors before use.

This module implements generation and delivery of reverse-shell payloads (PHP, Python, bash/perl, Windows executable drop) and uses helper functions to send/execute those payloads. That behavior is consistent with backdoor/exploitation tooling and poses a serious supply-chain and operational security risk if present in a library used on target systems. The provided snippet contains syntax errors (suggesting corruption or attempted obfuscation), but intent is clearly malicious or at minimum dangerous. Treat this package as high risk and remove or quarantine until provenance and intended use are validated.

The code is designed to exfiltrate system and project information to external servers, which is indicative of malicious behavior. It poses a significant security risk due to unauthorized data transmission.

Live on npm for 6 hours and 40 minutes before removal. Socket users were protected even while the package was live.

The component silently acquires webcam access on mount and periodically captures frames without user interaction, uploading images to http://localhost:8000/image/upload-image. The lack of UI, consent, or controls makes this behavior privacy-invasive and consistent with spyware patterns. Although the endpoint is localhost (reducing external exfiltration risk), repeated background capture and transmission remain high-risk. Additional issues include missing interval cleanup and inefficient resource usage.

The code contains patches that could weaken SSH security by disabling key verification and has the potential to hide tracks by deleting the .git directory. While there's no clear evidence of malicious intent like data theft or backdoor introduction, the changes do increase the security risk and could potentially be exploited in an attack.

The script collects sensitive information about the system and sends it to an external server, indicating malicious intent and a high security risk.

Live on npm for 11 days, 14 hours and 20 minutes before removal. Socket users were protected even while the package was live.

The code exhibits obfuscated and potentially malicious behavior due to the heavy use of 'eval', dynamic code generation, and complex operations. The presence of 'eval' and obfuscation increases the likelihood of malicious intent, posing a high security risk.

The use of 'eval' to execute decrypted content combined with a hardcoded encryption key poses significant security risks, including potential execution of arbitrary malicious code. The intent behind automatically decrypting and executing content from a file raises concerns about the code's purpose, indicating a potential for malicious use, especially in the context of a supply chain attack or a backdoor implementation.

This assembly contains a highly obfuscated runtime/loader that reads encrypted embedded data, decrypts it with a hardcoded key/IV, allocates and writes native memory, changes memory protections, and executes code in-memory (and provides WriteProcessMemory/OpenProcess wrappers). It also contains anti-tamper/time-limited checks. These behaviors are consistent with a loader/backdoor capable of running arbitrary payloads in process or injecting into other processes. This is highly suspicious and likely malicious; it should not be used in production and warrants removal and incident response.

The code is highly suspicious due to its obfuscated nature and the exfiltration of system information to an external domain using network requests. This behavior is consistent with malware trying to steal system data.

Live on npm for 1 hour and 18 minutes before removal. Socket users were protected even while the package was live.

The code contains potential security risks such as hard-coded file paths, subprocess.Popen usage, and the handling of untrusted data through PyArrow Plasma. It is essential to review and address these security concerns before using this code in a production environment.

The code is designed to exfiltrate sensitive system information (hostname, username, current working directory, and network interfaces) to an external server (pingb.in). This behavior is indicative of malicious activity, specifically data exfiltration. The code is not heavily obfuscated but uses base64 encoding to mildly obfuscate the data. The risk posed by this code is high due to the nature of the exfiltrated information.

Live on npm for 48 minutes before removal. Socket users were protected even while the package was live.

This file decodes a base64-encoded payload (using three layers of decoding) and executes the result via exec, a common pattern for obfuscating and delivering malicious code. The obfuscation and lack of transparency in the decoded payload pose a heightened risk of arbitrary code execution, data theft, or system compromise. Users should treat this file as potentially malicious and avoid running the decoded script.

This module presents a high-severity supply-chain/runtime risk: it accepts command text via a model and executes it with subprocess.run(shell=True). If Command.command can be set from untrusted sources, the code enables remote code execution. The validation step uses an opsmate.dino-decorated async function that likely sends the command string to an external service, introducing possible data leakage. The file contains multiple logic/implementation bugs (incorrect return types, malformed templates) but these do not mitigate the primary security issue. Recommendations: do not instantiate/execute Command objects with untrusted input; remove or strictly sandbox subprocess usage (avoid shell=True, use shlex.split or direct args and restrict allowed commands); remove or audit any external-service decorator usage that transmits sensitive strings; fix type/logic bugs and complete templates before production. No clear signs of intentional malware were found, but the RCE and data-exfiltration risks are substantial.

This module contains functionality that intentionally executes Python config files and uses yaml.unsafe_load, and it patches the import mechanism to support relative importing of such config files. Those behaviors are high-risk for code execution if the config files or override strings are untrusted, but there is no evidence in this fragment of an intentional malicious backdoor, exfiltration, or obfuscation. The biggest security concern is the use of exec/unsafe_load/eval which are legitimate for this tool but should be considered dangerous in supply-chain or untrusted-file scenarios.

This module implements powerful remote management capabilities that allow arbitrary Python code execution and arbitrary subprocess execution based on JSON sent to the server. In an unsecured/default configuration (token not set, host 0.0.0.0), it effectively acts as a remote backdoor and poses a high security risk. If deployed intentionally for admin purposes, it must be secured (authentication, network restrictions, sandboxing). Treat as dangerous if encountered in dependencies without strong access controls.

The script seems to be part of a spamming operation and uses bad security practices, such as hardcoding paths and credentials. Therefore, it's a potential security risk.

Live on npm for 42 minutes before removal. Socket users were protected even while the package was live.

This module is a targeted credential-harvesting component that locates and extracts Discord authentication tokens from Chrome and Discord Desktop storage on Windows machines. It uses multiple methods (raw file scanning, direct LevelDB access, and OS-level copying) combined with validation heuristics to identify likely tokens. While it does not itself exfiltrate data over the network, it returns sensitive tokens to the caller and therefore is highly dangerous if used by malicious code. Treat tokens discovered by or accessible to this module as compromised. Avoid including or executing this module in trusted environments.

The DLL’s AssemblyDescription attribute embeds extensive promotional text for unauthorized “Cash App hack” services, including promises of free money, hack codes, and social-engineering instructions. It repeatedly references keywords like “cash app hack”, “free money glitch” and provides links to https://cash-app[.]live—an imitation of the official Cash App site. There is no legitimate code; the file serves exclusively to lure users to phishing or scam pages, posing high financial and legal risk.

The code implements a reverse shell, which is a severe security risk as it allows remote control over the system. This is indicative of malicious behavior and should be addressed immediately.

Live on PyPI for 1 hour and 5 minutes before removal. Socket users were protected even while the package was live.

The examined fragment implements a TLS server certificate verifier that unconditionally trusts any server certificate and signatures, effectively bypassing TLS verification. This constitutes a high-severity supply-chain risk and a potential backdoor that could enable MITM and data compromise if integrated into a client. Removal of the bypass, use of strict certificate validation, or gating behind an explicit, reviewed feature flag is essential for safe usage.

This code is high risk. It introduces an immediate arbitrary code execution vector by calling eval on data returned from parseFileWith without any visible validation, sandboxing, or integrity checks. The fragment does not itself include a malicious payload, but it enables RCE if the file contents are attacker-controlled (supply-chain compromise, local file tampering, or hostile caller). Recommend removing eval, restricting execution to a safe runtime/sandbox, or verifying file integrity and provenance before execution.

This script is designed to exfiltrate data by sending system information to a remote server during the preinstall, install, and postinstall phases. This behavior is highly suspicious and indicative of malware.

Live on npm for 2 hours and 19 minutes before removal. Socket users were protected even while the package was live.

This code contains multiple high-risk, malicious behaviors: explicit credential harvesting and exfiltration to a hardcoded Telegram channel, remote code execution by automatically installing and loading plugins (including those downloaded from Telegram), and a backdoor that triggers mass bans and spam when the bot UID matches a specific value (1100231654). It executes arbitrary external code via git/pip and dynamic loaders without verification. Do not run or deploy this code in production; treat it as malicious and remove or sanitize the exfiltration and dynamic execution behaviors before use.

This module implements generation and delivery of reverse-shell payloads (PHP, Python, bash/perl, Windows executable drop) and uses helper functions to send/execute those payloads. That behavior is consistent with backdoor/exploitation tooling and poses a serious supply-chain and operational security risk if present in a library used on target systems. The provided snippet contains syntax errors (suggesting corruption or attempted obfuscation), but intent is clearly malicious or at minimum dangerous. Treat this package as high risk and remove or quarantine until provenance and intended use are validated.

The code is designed to exfiltrate system and project information to external servers, which is indicative of malicious behavior. It poses a significant security risk due to unauthorized data transmission.

Live on npm for 6 hours and 40 minutes before removal. Socket users were protected even while the package was live.

The component silently acquires webcam access on mount and periodically captures frames without user interaction, uploading images to http://localhost:8000/image/upload-image. The lack of UI, consent, or controls makes this behavior privacy-invasive and consistent with spyware patterns. Although the endpoint is localhost (reducing external exfiltration risk), repeated background capture and transmission remain high-risk. Additional issues include missing interval cleanup and inefficient resource usage.

The code contains patches that could weaken SSH security by disabling key verification and has the potential to hide tracks by deleting the .git directory. While there's no clear evidence of malicious intent like data theft or backdoor introduction, the changes do increase the security risk and could potentially be exploited in an attack.

The script collects sensitive information about the system and sends it to an external server, indicating malicious intent and a high security risk.

Live on npm for 11 days, 14 hours and 20 minutes before removal. Socket users were protected even while the package was live.

The code exhibits obfuscated and potentially malicious behavior due to the heavy use of 'eval', dynamic code generation, and complex operations. The presence of 'eval' and obfuscation increases the likelihood of malicious intent, posing a high security risk.

The use of 'eval' to execute decrypted content combined with a hardcoded encryption key poses significant security risks, including potential execution of arbitrary malicious code. The intent behind automatically decrypting and executing content from a file raises concerns about the code's purpose, indicating a potential for malicious use, especially in the context of a supply chain attack or a backdoor implementation.