Security News
The Next Open Source Security Race: Triage at Machine Speed
Claude Opus 4.6 has uncovered more than 500 open source vulnerabilities, raising new considerations for disclosure, triage, and patching at scale.
Quickly evaluate the security and health of any open source package.
http-helmet
1.2.1
by kencheng1291
Removed from npm
Blocked by Socket
The analyzed code is highly malicious. It steals sensitive system information and sends it to a suspicious external server, then executes arbitrary code received from that server. This poses a critical security risk including data theft and remote code execution. The obfuscation and silent error handling further confirm malicious intent. This package should be considered unsafe and avoided.
Live on npm for 5 days, 19 hours and 20 minutes before removal. Socket users were protected even while the package was live.
ogo-utils
0.1.1
Live on PyPI
Blocked by Socket
This script is a clear, simple file-encryption tool that encrypts and then deletes original files across a directory tree. Its behavior matches common ransomware patterns (encrypt-in-place, delete originals, no recovery mechanism). The code itself is not obfuscated and contains no network exfiltration, but it is highly destructive if executed. Treat this as malicious or high-risk code; do not run on systems with valuable data. If discovered in a dependency, consider it a severe supply-chain incident and remove or quarantine the package, and investigate where it was introduced.
bluelamp-ai
0.45.3
Live on PyPI
Blocked by Socket
This module deliberately conceals executable code in a base64+zlib blob and executes it directly with exec(). That is a high-risk, obfuscation-first design and is commonly associated with malicious or at least non-transparent behaviour. Treat the package as untrusted until the decompressed payload is fully inspected in a safe, isolated environment. Do not run this code in production or on systems containing sensitive data.
web3js-wallet
2.0.2
by nchien1996
Removed from npm
Blocked by Socket
This code is malicious. It is designed to harvest cryptocurrency private keys and other secrets from user files and exfiltrate them to an attacker-controlled Telegram bot. It employs stealth/persistence techniques (detached background process, temporary script deletion, suppressed errors, signal handlers to remain active). Do not run this module. Treat any system that executed it as compromised: rotate any exposed keys/credentials immediately, perform forensic analysis, remove persistence, and investigate exfiltration endpoints (Telegram bot/chat IDs).
Live on npm for 4 hours and 16 minutes before removal. Socket users were protected even while the package was live.
dazaar-resolve
0.0.1-security.1
Removed from npm
Blocked by Socket
Possible `simplification` typosquat of [resolve](https://socket.dev/npm/package/resolve). Explanation: The package 'dazaar-resolve' is a security holding package with a name that closely resembles 'resolve'. The description does not provide any distinct purpose, and the maintainer 'npm' does not clarify its legitimacy. The lack of additional context or namespace suggests it could be a typosquat. Security holding package. Closed as malware.
Live on npm for 56 minutes before removal. Socket users were protected even while the package was live.
nimble-client-js
999.0.0
by docleritsec
Removed from npm
Blocked by Socket
The script is making an outbound request to a potentially malicious server, which could lead to data exfiltration or telemetry. This is a significant security risk.
Live on npm for 4 hours and 25 minutes before removal. Socket users were protected even while the package was live.
exp10it
2.5.48
Live on PyPI
Blocked by Socket
This file is an offensive brute-force/credential-stuffing utility that attempts to crack admin login forms, including CAPTCHA bypass via OCR. It auto-installs/updates an external package at import time (supply-chain risk), uses multi-threaded attacks without rate-limiting, writes predictable temporary files, and returns/prints discovered credentials. The code is malicious in purpose and dangerous to run; do not execute it. Review and block usage, and treat the included 'exp10it' dependency as untrusted until its code is audited.
hackerman
0.8.11
Live on PyPI
Blocked by Socket
This module is an ARP spoofing / MITM tool: it actively forges ARP replies to poison ARP caches, enables IP forwarding on the host, and thus can intercept or manipulate network traffic between victim and gateway. It is potentially malicious when used without authorization. Use only in authorized testing environments. There is no obfuscation or hidden payload, but functionality directly facilitates network-level attacks.
esoftplay
0.0.98-g
by danang
Live on npm
Blocked by Socket
This code implements explicit automated reporting of local project and host metadata to a remote Telegram chat using a hardcoded bot token — effectively exfiltrating potentially sensitive information. Combined with use of exec() and unescaped string interpolation, there is a significant risk of command injection and unauthorized remote disclosure. Treat this as a high-risk backdoor/telemetry concern: remove or make telemetry opt-in, remove hardcoded tokens, and replace exec-string concatenation with safe APIs and proper escaping. Avoid using the package until these issues are remediated.
ibghgq1tib26
2.20.14
by leapteam
Live on npm
Blocked by Socket
The reports are incomplete and do not provide any useful analysis. The base64 encoded string in the source code could potentially hide malicious or sensitive content, but without decoding, this cannot be confirmed. Further analysis is required to assess any security risks.
mtmai
0.3.1522
Live on PyPI
Blocked by Socket
This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.
z-shop-js-env
56.2.1
by h1-dep-1
Live on npm
Blocked by Socket
This code is malicious: it exfiltrates process.env to a hard-coded external URL on module load, using obfuscation to hide the behavior. Do not run or include this package. Treat it as a compromise/supply-chain attack and remove or block the package, rotate any secrets that may have been exposed, and investigate systems where it ran.
vrt_hitlijst_generic_voting
6.640.76
by vrtdev-ui
Removed from npm
Blocked by Socket
The code exhibits malicious behavior consistent with a backdoor or data exfiltration module, collecting sensitive information and sending it to a remote server with obfuscated details to avoid detection.
Live on npm for 19 minutes before removal. Socket users were protected even while the package was live.
tsl-card-body
2.0.0
by jpdtestjpd
Removed from npm
Blocked by Socket
The code is highly suspicious due to its collection and transmission of system information to external servers without user consent. The use of hardcoded IP addresses and fallback mechanisms for data transmission indicates potential malicious intent.
Live on npm for 5 days, 18 hours and 40 minutes before removal. Socket users were protected even while the package was live.
clselove
1.11
Live on PyPI
Blocked by Socket
This code is a powerful automation toolkit that includes behaviors consistent with malicious activity: remotely fetching payloads and copying them into other apps' private data directories using root privileges, automating captcha bypasses via external paid services and AI APIs, controlling Android devices via adb (clearing, starting apps, input injection), and exfiltrating data to remote endpoints. It contains hardcoded API keys and performs operations (su, chmod 777, cp into /data/user/0) that can implant or persist malicious payloads. It is unsafe to use in untrusted environments and likely intended for misuse (account automation, fraud, or supply-chain-style manipulation of installed apps).
sagemath
10.8b5
Live on PyPI
Blocked by Socket
The code provides an execution wrapper that runs supplied source strings (and optional command sequences) inside the Sage environment using eval() or exec(). There is no sanitization or sandboxing and it will execute arbitrary code with the process's privileges. If these functions are reachable with untrusted input, they permit remote code execution, data exfiltration, process spawning, and other high-impact attacks. The module itself is not obviously obfuscated nor does it contain hardcoded malicious payloads, but its functionality is inherently dangerous when used with untrusted inputs.
meichen.webapi.kernel
6.0.34
by MeiChen
Live on NuGet
Blocked by Socket
This module contains a highly obfuscated component that reads embedded resources or files, decrypts them, allocates native memory, writes payload bytes, modifies memory protections and invokes code (and can write into other processes). Those are textbook capabilities of an in-memory loader/runner and are very high-risk for supply-chain attacks. Treat this package as potentially malicious or at minimum highly suspicious; remove or sandbox and perform a deeper runtime/forensic analysis of the decrypted payload bytes and any network behavior. If you need to keep it, perform a full audit and obtain provenance from the author. Do not deploy to production without exhaustive review.
lxml
1.0.3
Removed from PyPI
Blocked by Socket
Legitimate documentation publishing code with a critical command injection vulnerability due to unsafe use of os.system() with unsanitized input. High security risk but no malicious intent detected.
Live on PyPI for 4 hours and 47 minutes before removal. Socket users were protected even while the package was live.
term-from-nat
0.0.4
Live on PyPI
Blocked by Socket
This file implements a reverse shell: it connects to a remote host and exposes a local bash shell to that remote peer, forwarding commands from the network to the shell and sending shell output back. pkt_common functions obscure packet handling and may provide additional stealth (encryption/obfuscation). This is high-risk malicious functionality — treat as malware/backdoor unless execution is explicitly authorized and audited. Remove or quarantine and investigate any systems where this code ran.
cordova-plugin-comprise-speech-to-text
0.7.0
by gklasen
Live on npm
Blocked by Socket
The provided security reports are unusable placeholders. The source code itself is heavily obfuscated binary data, raising significant concerns about its trustworthiness and potential for malicious activity. The package is assessed as high-risk due to the lack of transparency and the strong indicators of obfuscation often associated with malware.
alita-sdk
0.3.168
Live on PyPI
Blocked by Socket
The code contains patches that could weaken SSH security by disabling key verification and has the potential to hide tracks by deleting the .git directory. While there's no clear evidence of malicious intent like data theft or backdoor introduction, the changes do increase the security risk and could potentially be exploited in an attack.
bluelamp-ai
1.0.1
Removed from PyPI
Blocked by Socket
This module deliberately hides executable code inside a base64-encoded, zlib-compressed blob and executes it unconditionally with exec() on import. That pattern prevents code review and is a high-risk supply-chain anti-pattern. Without decoding the blob we cannot determine whether the payload is malicious, but the use of exec() over an obfuscated, embedded payload executed at import time is sufficient grounds to treat this package as untrusted until the embedded code is decoded and audited. Recommend immediate offline decoding and full review, or removal/blocking of this package from sensitive environments.
Live on PyPI for 23 hours and 6 minutes before removal. Socket users were protected even while the package was live.
Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.
Possible typosquat attack
Known malware
Git dependency
GitHub dependency
AI-detected potential malware
HTTP dependency
Obfuscated code
Suspicious Stars on GitHub
Telemetry
Protestware or potentially unwanted behavior
Critical CVE
High CVE
Medium CVE
Low CVE
Unpopular package
Minified code
Bad dependency semver
Wildcard dependency
Socket optimized override available
Deprecated
Unmaintained
Explicitly Unlicensed Item
License Policy Violation
Misc. License Issues
No License Found
Non-permissive License
License exception
Unidentified License
Ambiguous License Classifier
Copyleft License
Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.
Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.
Nat Friedman
CEO at GitHub
Suz Hinton
Senior Software Engineer at Stripe
heck yes this is awesome!!! Congrats team 🎉👏
Matteo Collina
Node.js maintainer, Fastify lead maintainer
So awesome to see @SocketSecurity launch with a fresh approach! Excited to have supported the team from the early days.
DC Posch
Director of Technology at AppFolio, CTO at Dynasty
This is going to be super important, especially for crypto projects where a compromised dependency results in stolen user assets.
Luis Naranjo
Software Engineer at Microsoft
If software supply chain attacks through npm don't scare the shit out of you, you're not paying close enough attention.
@SocketSecurity sounds like an awesome product. I'll be using socket.dev instead of npmjs.org to browse npm packages going forward
Elena Nadolinski
Founder and CEO at Iron Fish
Huge congrats to @SocketSecurity! 🙌
Literally the only product that proactively detects signs of JS compromised packages.
Joe Previte
Engineering Team Lead at Coder
Congrats to @feross and the @SocketSecurity team on their seed funding! 🚀 It's been a big help for us at @CoderHQ and we appreciate what y'all are doing!
Josh Goldberg
Staff Developer at Codecademy
This is such a great idea & looks fantastic, congrats & good luck @feross + team!
The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.
Scott Roberts
CISO at UiPath
As a happy Socket customer, I've been impressed with how quickly they are adding value to the product, this move is a great step!
Yan Zhu
Head of Security at Brave, DEFCON, EFF, W3C
glad to hear some of the smartest people i know are working on (npm, etc.) supply chain security finally :). @SocketSecurity
Andrew Peterson
CEO and Co-Founder at Signal Sciences (acq. Fastly)
How do you track the validity of open source software libraries as they get updated? You're prob not. Check out @SocketSecurity and the updated tooling they launched.
Supply chain is a cluster in security as we all know and the tools from Socket are "duh" type tools to be implementing. Check them out and follow Feross Aboukhadijeh to see more updates coming from them in the future.
Zbyszek Tenerowicz
Senior Security Engineer at ConsenSys
socket.dev is getting more appealing by the hour
Devdatta Akhawe
Head of Security at Figma
The @SocketSecurity team is on fire! Amazing progress and I am excited to see where they go next.
Sebastian Bensusan
Engineer Manager at Stripe
I find it surprising that we don't have _more_ supply chain attacks in software:
Imagine your airplane (the code running) was assembled (deployed) daily, with parts (dependencies) from internet strangers. How long until you get a bad part?
Excited for Socket to prevent this
Adam Baldwin
VP of Security at npm, Red Team at Auth0/Okta
Congrats to everyone at @SocketSecurity ❤️🤘🏻
Nico Waisman
CISO at Lyft
This is an area that I have personally been very focused on. As Nat Friedman said in the 2019 GitHub Universe keynote, Open Source won, and every time you add a new open source project you rely on someone else's code and you rely on the people that build it.
This is both exciting and problematic. You are bringing real risk into your organization, and I'm excited to see progress in the industry from OpenSSF scorecards and package analyzers to the company that Feross Aboukhadijeh is building!
Depend on Socket to prevent malicious open source dependencies from infiltrating your app.
Install the Socket GitHub App in just 2 clicks and get protected today.
Block 70+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.
Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.
Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.
Nov 23, 2025
Shai Hulud v2
Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.
Nov 05, 2025
Elves on npm
A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.
Jul 04, 2025
RubyGems Automation-Tool Infostealer
Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.
Mar 13, 2025
North Korea's Contagious Interview Campaign
Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.
Jul 23, 2024
Network Reconnaissance Campaign
A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
Research / Security News
Malicious dYdX client packages were published to npm and PyPI after a maintainer compromise, enabling wallet credential theft and remote code execution.
Security News
gem.coop is testing registry-level dependency cooldowns to limit exposure during the brief window when malicious gems are most likely to spread.