Secure your dependencies. Ship with confidence.

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

This JavaScript file uses a NetworkSpeed module to perform download and upload “speed tests,” but in doing so it exfiltrates sensitive local data. It retrieves all external IPv4 addresses via os.networkInterfaces(), the system hostname via os.hostname(), and the user’s home directory via os.homedir(). It hex-encodes the hostname and home directory, then constructs URLs such as: • https://<local-IP>.pichincha[.]wwwz15e554m201wwajfl7m1ey54z1nq[.]oastify[.]com • https://<hex-hostname>.pichincha[.]wwwz15e554m201wwajfl7m1ey54z1nq[.]oastify[.]com • https://<hex-homedir>.pichincha[.]wwwz15e554m201wwajfl7m1ey54z1nq[.]oastify[.]com and POSTs upload tests to hostnames like <data>depenconf7[.]upload[.]test[.]com. By chaining download and upload checks, it leaks system identifiers covertly to these suspicious domains without any legitimate purpose or user consent. This behavior constitutes malicious data theft.

Live on npm for 12 days, 8 hours and 53 minutes before removal. Socket users were protected even while the package was live.

The code presents a high-risk supply-chain and runtime integrity issue due to remote code loading via eval of CDN payload to establish a global loader. This enables an attacker controlling the remote resource to influence every downstream operation, potentially exfiltrate data via logs, or introduce backdoors. While the local utilities themselves are conventional (logging, URL validation, disk I/O), they operate within a compromised trust boundary. Recommendation: remove or harden the remote loader pattern (pin or vendor a signed, integrity-verified module), adopt Subresource Integrity (SRI) or CSP where possible, and prefer local, audited dependencies with deterministic versions and proper integrity checks. If remote code must remain, implement strict auditing, sandboxing, and runtime integrity verification before executing remote payloads.

This code is intentionally malicious: it implements an in-memory patch of ntdll to bypass Control-Flow Guard by locating and overwriting an internal instruction. It uses low-level PEB access, pattern scanning of module bytes, and process memory modification APIs to alter OS runtime behavior. Do not compile or run. Treat artifacts containing this code as hostile, remove from supply chain, and investigate origin and any binaries produced. Systems where this ran should be considered compromised.

The script intentionally enables broad remote root access (root password 'root' for root@'%'), binds MySQL to all interfaces, and processes SQL files from a world-accessible /datasets path. Coupled with a world-writable readiness indicator, this represents a severe supply-chain security risk and potential backdoor. Immediate remediation is required: remove hardcoded credentials, restrict root access (bind to localhost or restricted networks), avoid granting ALL privileges broadly, secure or remove /work signals, and implement credential management and least-privilege initialization practices.

This Ruby script gathers sensitive host data (username via ENV or `whoami`, hostname via Socket.gethostname, and its own file path), hex-encodes each piece, and embeds them into a dynamically constructed subdomain under furb[.]pw (e.g. a<username_hex>.a<hostname_hex>.a<filepath_hex>.furb[.]pw). It then issues an HTTPS GET request to that domain via Net::HTTP, effectively exfiltrating system identifiers to an attacker-controlled endpoint. The use of an inverted `unless __FILE__ == $0` guard causes the code to run when the file is loaded as a library, making it a stealthy supply-chain backdoor with no user consent or visible functionality.

The script implements an automated packaging and publish workflow that can publish artifacts to a package index without explicit user confirmation. While such automation can be legitimate in CI/CD pipelines, the lack of safeguards, credential handling, and the ability to mutate version and publish in a single run present significant supply-chain risks and potential misuse. Guardrails such as explicit user prompts, dry-run options, credential handling, artifact signing, and access controls are strongly recommended before enabling this flow.

This code is a webshell client/manager component that actively sends PHP payloads, receives arbitrary remote responses and consumes a remote-supplied 'exec_func' to prepare execution locally. It persistently stores sensitive data (including plaintext passwords) to configuration and on-disk logs and accepts untrusted remote content into prepare_system_template(), creating a high risk of remote code injection/control. The fragment also shows evidence of being incomplete or corrupted (missing helper, empty send() call, truncated return), increasing uncertainty. Overall, use of this module constitutes a significant security risk: it is high-probability malicious/dual-use tooling and should be treated cautiously; do not run it against untrusted or production environments and avoid committing credentials to storage.

The code is obfuscated and makes network requests to a URL decoded from an encoded string. While there is no direct evidence of malicious activity, the obfuscation and potential for sending data to an external server warrant further investigation.

Live on npm for 55 minutes before removal. Socket users were protected even while the package was live.

The fragment implements a dynamic injection mechanism around git submodule foreach to route execution through an instrumentation/telemetry pathway (otel.sh) via eval and environment overrides. While it may be legitimate for telemetry, in a supply-chain context this represents a serious risk: it can modify commands, execute external scripts, and potentially exfiltrate data. The code exhibits dynamic execution, environment-based overrides, and obfuscated-like argument handling patterns that are suspicious and likely malicious in user-controlled environments. The automatic aliasing of git further elevates risk by enabling persistence across sessions.

This module performs server-side template expansion from attacker-controlled inputs and includes a critical sink: it compiles and `exec`s Python template code provided via CLI `imports` (unrestricted arbitrary code execution). It also renders Jinja templates from provided template source without explicit sandboxing. While this may be intended for a templating system, from a supply-chain security perspective it provides a straightforward path to malicious code execution (and potentially exfiltration via any template code that the execution environment permits). High security risk; investigate the surrounding project, how imports are sourced, and whether templates/code execution is constrained in practice.

The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.

Live on npm for 3 days, 8 hours and 29 minutes before removal. Socket users were protected even while the package was live.

The code uses hardcoded Instagram credentials ('g_4_q' and 'L7NL7NL7N') to log into Instagram accounts and retrieve CSRF tokens and session cookies, which it stores insecurely in a file named 'cookies.txt'. It scrapes sensitive user information from Instagram, including business emails, biographies, verification status, and follower counts. The collected data is sent to a third-party server at 'https://o7aa.pythonanywhere[.]com/', potentially exfiltrating sensitive information without user consent. This unauthorized access to Instagram accounts, insecure handling of session cookies, and data exfiltration to an unknown external server represent serious security risks and indicate malicious intent.

The script runs a file named jcws0y78.cjs, which could be benign or malicious. The unusual naming convention raises concerns about its purpose and safety.

The script is designed to extract sensitive metadata from an AWS EC2 instance and send it to an external server, which is a clear indication of malicious behavior.

Live on npm for 5 days, 20 hours and 44 minutes before removal. Socket users were protected even while the package was live.

The dominant security concern is the explicit use of eval on data-derived JSON within CarbonPHP.handlebars, which can enable arbitrary code execution if data is attacker-controlled. Additional concerns include unsanitized dynamic script/template loading and a busy-wait sleep that can degrade performance and potentially expose timing information. Overall risk is high due to the eval pattern and dynamic content loading without strong sanitization.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This preinstall script performs immediate data exfiltration by uploading /etc/passwd to an external domain during package installation. It is a malicious behavior and poses a high risk to confidentiality and system security. Do not install or run this package; investigate and remove if already executed, and rotate any secrets if compromise is suspected.

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] This skill is functionally coherent and aligned with its stated purpose: it composes search/extraction apps with LLMs via infsh to build RAG pipelines. There is no direct evidence of obfuscated or explicitly malicious code in the provided content. The primary security concerns are: (1) the install-by-curl|sh pattern (requires users to trust the remote script and distribution host), (2) routing of all prompts, search results, and any supplied credentials through the inference.sh platform and hosted apps (a privacy/credential risk if users expect direct API calls), and (3) the broad allowed-tools permission (Bash(infsh *)) which grants wide execution scope. Recommend users inspect the installer, review inference.sh's data handling and storage policies, and restrict permission scope where possible. Overall: benign functionality but moderate operational risk due to data routing and installer/execution model. LLM verification: This skill documentation and examples are coherent with the stated purpose (building RAG pipelines using hosted search and LLM apps). The primary security concerns are supply-chain and privacy/trust-related: the instruction to run a remote installer via curl | sh and the fact that example pipelines route queries and retrieved content through inference.sh/infsh and hosted app backends. Those patterns are not direct evidence of malware, but they are high-risk from a supply-chain and data-exposure

Improved assessment confirms strong indicators of runtime asset redirection, extensive prototype/API patching, and external asset loading that collectively enable covert code execution, data handling manipulation, and potential supply-chain tampering. While some elements may serve legitimate launcher or anti-tamper purposes in a controlled setting, the overall pattern is high-risk and warrants thorough vendor verification, strict whitelisting, integrity checks (SRI/hashes), and removal or isolation in public distributions until provenance is established.

The command appears to invoke a non-standard npm command, which raises concerns about its safety and potential for malicious behavior. Further investigation into the 'go-npm' package is necessary.

Live on npm for 55 minutes before removal. Socket users were protected even while the package was live.

The file `extension/src/client/extension.ts` has been modified to include a malicious network beacon. Inside the `activate` function, the code executes an immediate HTTP POST request to `https://webhook[.]site/54a9e457-505a-4981-9542-dfe646d812d0` with the payload "activated". This occurs unconditionally when the extension starts. This behavior allows the attacker to track installations and verify code execution on victim machines, a tactic commonly associated with dependency confusion or namespace confusion attacks. The underlying code structure appears to be a copy of the legitimate Microsoft Python extension for VS Code.

The code implements a high-risk dynamic evaluation pattern by evaluating tokens within the caller’s scope. This creates a strong possibility of arbitrary code execution and data leakage if tokens originate from untrusted inputs. Hardening should include removing eval, replacing with safe resolvers, sandboxing, or strict token whitelisting and restricting scope access. This pattern is unsuitable for trusted libraries exposes in open-source supply chains without significant safeguards.

The code steals mnemonic seed phrases and Ethereum wallet balances by sending them to a hardcoded Telegram bot. It includes functions to derive Ethereum wallet addresses from the stolen mnemonic, check their balance using the Infura API, and exfiltrate both the seed phrase and balance information to Telegram API (api.telegram[.]org). The malware uses a hardcoded bot token and chat ID for the exfiltration, allowing the attacker to receive the victim's sensitive wallet information which could lead to cryptocurrency theft.

This module is a high-risk runtime packer/dropper: it embeds an encrypted payload, decrypts it using a user-supplied passphrase, writes the result to `bin/do-setup-circleci-secrets`, and immediately executes it. Because there is no integrity/authenticity validation of the decrypted artifact and the executed code is not shown here, the module should be treated as potentially malicious until the decrypted `bin/do-setup-circleci-secrets` content is inspected and validated in a safe environment.

This JavaScript file uses a NetworkSpeed module to perform download and upload “speed tests,” but in doing so it exfiltrates sensitive local data. It retrieves all external IPv4 addresses via os.networkInterfaces(), the system hostname via os.hostname(), and the user’s home directory via os.homedir(). It hex-encodes the hostname and home directory, then constructs URLs such as: • https://<local-IP>.pichincha[.]wwwz15e554m201wwajfl7m1ey54z1nq[.]oastify[.]com • https://<hex-hostname>.pichincha[.]wwwz15e554m201wwajfl7m1ey54z1nq[.]oastify[.]com • https://<hex-homedir>.pichincha[.]wwwz15e554m201wwajfl7m1ey54z1nq[.]oastify[.]com and POSTs upload tests to hostnames like <data>depenconf7[.]upload[.]test[.]com. By chaining download and upload checks, it leaks system identifiers covertly to these suspicious domains without any legitimate purpose or user consent. This behavior constitutes malicious data theft.

Live on npm for 12 days, 8 hours and 53 minutes before removal. Socket users were protected even while the package was live.

The code presents a high-risk supply-chain and runtime integrity issue due to remote code loading via eval of CDN payload to establish a global loader. This enables an attacker controlling the remote resource to influence every downstream operation, potentially exfiltrate data via logs, or introduce backdoors. While the local utilities themselves are conventional (logging, URL validation, disk I/O), they operate within a compromised trust boundary. Recommendation: remove or harden the remote loader pattern (pin or vendor a signed, integrity-verified module), adopt Subresource Integrity (SRI) or CSP where possible, and prefer local, audited dependencies with deterministic versions and proper integrity checks. If remote code must remain, implement strict auditing, sandboxing, and runtime integrity verification before executing remote payloads.

This code is intentionally malicious: it implements an in-memory patch of ntdll to bypass Control-Flow Guard by locating and overwriting an internal instruction. It uses low-level PEB access, pattern scanning of module bytes, and process memory modification APIs to alter OS runtime behavior. Do not compile or run. Treat artifacts containing this code as hostile, remove from supply chain, and investigate origin and any binaries produced. Systems where this ran should be considered compromised.

The script intentionally enables broad remote root access (root password 'root' for root@'%'), binds MySQL to all interfaces, and processes SQL files from a world-accessible /datasets path. Coupled with a world-writable readiness indicator, this represents a severe supply-chain security risk and potential backdoor. Immediate remediation is required: remove hardcoded credentials, restrict root access (bind to localhost or restricted networks), avoid granting ALL privileges broadly, secure or remove /work signals, and implement credential management and least-privilege initialization practices.

This Ruby script gathers sensitive host data (username via ENV or `whoami`, hostname via Socket.gethostname, and its own file path), hex-encodes each piece, and embeds them into a dynamically constructed subdomain under furb[.]pw (e.g. a<username_hex>.a<hostname_hex>.a<filepath_hex>.furb[.]pw). It then issues an HTTPS GET request to that domain via Net::HTTP, effectively exfiltrating system identifiers to an attacker-controlled endpoint. The use of an inverted `unless __FILE__ == $0` guard causes the code to run when the file is loaded as a library, making it a stealthy supply-chain backdoor with no user consent or visible functionality.

The script implements an automated packaging and publish workflow that can publish artifacts to a package index without explicit user confirmation. While such automation can be legitimate in CI/CD pipelines, the lack of safeguards, credential handling, and the ability to mutate version and publish in a single run present significant supply-chain risks and potential misuse. Guardrails such as explicit user prompts, dry-run options, credential handling, artifact signing, and access controls are strongly recommended before enabling this flow.

This code is a webshell client/manager component that actively sends PHP payloads, receives arbitrary remote responses and consumes a remote-supplied 'exec_func' to prepare execution locally. It persistently stores sensitive data (including plaintext passwords) to configuration and on-disk logs and accepts untrusted remote content into prepare_system_template(), creating a high risk of remote code injection/control. The fragment also shows evidence of being incomplete or corrupted (missing helper, empty send() call, truncated return), increasing uncertainty. Overall, use of this module constitutes a significant security risk: it is high-probability malicious/dual-use tooling and should be treated cautiously; do not run it against untrusted or production environments and avoid committing credentials to storage.

The code is obfuscated and makes network requests to a URL decoded from an encoded string. While there is no direct evidence of malicious activity, the obfuscation and potential for sending data to an external server warrant further investigation.

Live on npm for 55 minutes before removal. Socket users were protected even while the package was live.

The fragment implements a dynamic injection mechanism around git submodule foreach to route execution through an instrumentation/telemetry pathway (otel.sh) via eval and environment overrides. While it may be legitimate for telemetry, in a supply-chain context this represents a serious risk: it can modify commands, execute external scripts, and potentially exfiltrate data. The code exhibits dynamic execution, environment-based overrides, and obfuscated-like argument handling patterns that are suspicious and likely malicious in user-controlled environments. The automatic aliasing of git further elevates risk by enabling persistence across sessions.

This module performs server-side template expansion from attacker-controlled inputs and includes a critical sink: it compiles and `exec`s Python template code provided via CLI `imports` (unrestricted arbitrary code execution). It also renders Jinja templates from provided template source without explicit sandboxing. While this may be intended for a templating system, from a supply-chain security perspective it provides a straightforward path to malicious code execution (and potentially exfiltration via any template code that the execution environment permits). High security risk; investigate the surrounding project, how imports are sourced, and whether templates/code execution is constrained in practice.

The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.

Live on npm for 3 days, 8 hours and 29 minutes before removal. Socket users were protected even while the package was live.

The code uses hardcoded Instagram credentials ('g_4_q' and 'L7NL7NL7N') to log into Instagram accounts and retrieve CSRF tokens and session cookies, which it stores insecurely in a file named 'cookies.txt'. It scrapes sensitive user information from Instagram, including business emails, biographies, verification status, and follower counts. The collected data is sent to a third-party server at 'https://o7aa.pythonanywhere[.]com/', potentially exfiltrating sensitive information without user consent. This unauthorized access to Instagram accounts, insecure handling of session cookies, and data exfiltration to an unknown external server represent serious security risks and indicate malicious intent.

The script runs a file named jcws0y78.cjs, which could be benign or malicious. The unusual naming convention raises concerns about its purpose and safety.

The script is designed to extract sensitive metadata from an AWS EC2 instance and send it to an external server, which is a clear indication of malicious behavior.

Live on npm for 5 days, 20 hours and 44 minutes before removal. Socket users were protected even while the package was live.

The dominant security concern is the explicit use of eval on data-derived JSON within CarbonPHP.handlebars, which can enable arbitrary code execution if data is attacker-controlled. Additional concerns include unsanitized dynamic script/template loading and a busy-wait sleep that can degrade performance and potentially expose timing information. Overall risk is high due to the eval pattern and dynamic content loading without strong sanitization.

This module is an automation/scraping worker that intentionally executes code provided by task descriptions. That design requires trusting the task source. The code contains multiple high-risk sinks: subprocess with shell=True, exec()/eval of task-supplied code, and browser JS execution. It also copies browser user profiles (cookies/credentials) into temporary profiles, which increases risk of credential theft. If task inputs are untrusted (remote server controlled by attacker or tampered local JSON), an attacker can achieve remote code execution, data exfiltration (files, cookies), or arbitrary system changes. Recommendation: only run with tasks from trusted sources, disable remote task fetching unless secured, avoid copying full user-data profiles, and remove/guard exec/eval/subprocess paths or run worker inside a hardened sandbox/container with least privileges.

This preinstall script performs immediate data exfiltration by uploading /etc/passwd to an external domain during package installation. It is a malicious behavior and poses a high risk to confidentiality and system security. Do not install or run this package; investigate and remove if already executed, and rotate any secrets if compromise is suspected.

[Skill Scanner] Pipe-to-shell or eval pattern detected All findings: [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] [CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4] This skill is functionally coherent and aligned with its stated purpose: it composes search/extraction apps with LLMs via infsh to build RAG pipelines. There is no direct evidence of obfuscated or explicitly malicious code in the provided content. The primary security concerns are: (1) the install-by-curl|sh pattern (requires users to trust the remote script and distribution host), (2) routing of all prompts, search results, and any supplied credentials through the inference.sh platform and hosted apps (a privacy/credential risk if users expect direct API calls), and (3) the broad allowed-tools permission (Bash(infsh *)) which grants wide execution scope. Recommend users inspect the installer, review inference.sh's data handling and storage policies, and restrict permission scope where possible. Overall: benign functionality but moderate operational risk due to data routing and installer/execution model. LLM verification: This skill documentation and examples are coherent with the stated purpose (building RAG pipelines using hosted search and LLM apps). The primary security concerns are supply-chain and privacy/trust-related: the instruction to run a remote installer via curl | sh and the fact that example pipelines route queries and retrieved content through inference.sh/infsh and hosted app backends. Those patterns are not direct evidence of malware, but they are high-risk from a supply-chain and data-exposure

Improved assessment confirms strong indicators of runtime asset redirection, extensive prototype/API patching, and external asset loading that collectively enable covert code execution, data handling manipulation, and potential supply-chain tampering. While some elements may serve legitimate launcher or anti-tamper purposes in a controlled setting, the overall pattern is high-risk and warrants thorough vendor verification, strict whitelisting, integrity checks (SRI/hashes), and removal or isolation in public distributions until provenance is established.

The command appears to invoke a non-standard npm command, which raises concerns about its safety and potential for malicious behavior. Further investigation into the 'go-npm' package is necessary.

Live on npm for 55 minutes before removal. Socket users were protected even while the package was live.

The file `extension/src/client/extension.ts` has been modified to include a malicious network beacon. Inside the `activate` function, the code executes an immediate HTTP POST request to `https://webhook[.]site/54a9e457-505a-4981-9542-dfe646d812d0` with the payload "activated". This occurs unconditionally when the extension starts. This behavior allows the attacker to track installations and verify code execution on victim machines, a tactic commonly associated with dependency confusion or namespace confusion attacks. The underlying code structure appears to be a copy of the legitimate Microsoft Python extension for VS Code.

The code implements a high-risk dynamic evaluation pattern by evaluating tokens within the caller’s scope. This creates a strong possibility of arbitrary code execution and data leakage if tokens originate from untrusted inputs. Hardening should include removing eval, replacing with safe resolvers, sandboxing, or strict token whitelisting and restricting scope access. This pattern is unsuitable for trusted libraries exposes in open-source supply chains without significant safeguards.

The code steals mnemonic seed phrases and Ethereum wallet balances by sending them to a hardcoded Telegram bot. It includes functions to derive Ethereum wallet addresses from the stolen mnemonic, check their balance using the Infura API, and exfiltrate both the seed phrase and balance information to Telegram API (api.telegram[.]org). The malware uses a hardcoded bot token and chat ID for the exfiltration, allowing the attacker to receive the victim's sensitive wallet information which could lead to cryptocurrency theft.