Secure your dependencies. Ship with confidence.

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

This install script performs a destructive filesystem operation (removing the katex directory) and then executes an unknown command. Even if not overtly labeled as malware, it poses a high risk: it can cause data loss and enables execution of arbitrary code. You should not run this without inspecting the package contents and verifying what `copy-files-from-to` refers to and why katex is being removed.

Live on PyPI for 5 hours and 2 minutes before removal. Socket users were protected even while the package was live.

This module is a straightforward Slowloris DoS tool. It intentionally opens and maintains many TCP connections and sends periodic partial headers to a target host to exhaust server resources. The code is not obfuscated and its malicious purpose is explicit. It should not be executed against systems without explicit authorization. Operational risks include legal exposure and local resource exhaustion. No signs of credential harvesting or stealthy backdoor behavior were found, but the package is nonetheless malicious in function.

Possible typosquat of azure azure-graphrbac is a malicious package that exfiltrates system (Ex - hostname) and project details to external servers.

Live on npm for 7 hours and 30 minutes before removal. Socket users were protected even while the package was live.

This file is a database-dumping tool that constructs and sends PHP payloads to a remote webshell-like backend, decodes returned data and writes full table dumps to local .sql files. Functionally this enables large-scale data exfiltration. If used against systems without explicit authorization it is malicious. The provided snippet appears incomplete/partially redacted (format placeholders broken), so full payload content and any additional hidden behavior could not be verified. Recommend treating this as high risk and auditing the referenced libs (libs.myapp, libs.config) and the exact payload templates before trusting or using.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

The file contains code that secretly gathers detailed system information, such as hostname, OS type, platform, release, architecture, local IP addresses, public IP address (fetched via an external API), username, and current working directory. It then transmits this data to external endpoints via HTTP GET and POST requests, and uses a WebSocket connection as a fallback. The endpoints are hardcoded, for example, to URLs like http://example.com/jpd3.php, http://example.com/jpd4.php, and wss://example.com/socket, which are not transparent or verified services. This behavior is indicative of malware designed for unauthorized data exfiltration.

This module is a wrapper for Seisan seismic tools and a formatter for STATION0.HYP files. It performs numerous system-level operations: downloading and extracting external software, installing system packages via apt-get with sudo, copying a packaged lib into /usr/lib, and executing external Seisan binaries via pexpect/subprocess. There is no clear code that exfiltrates secrets or establishes backdoors, but the lack of integrity checks on downloads, the requirement for root operations, and frequent shell command usage create substantial supply-chain and privilege escalation risk. Use in environments where the package or its downloaded content could be tampered with is dangerous. Recommend not running download_seisan() with sudo on production hosts and reviewing/locking sources, adding checksum verification, and avoiding copying bundled libraries into system paths.

The code is attempting to exfiltrate system information by sending it over the network using the ping command. This behavior is potentially malicious as it may result in data leakage or unauthorized access to sensitive information.

Live on npm for 1 hour and 8 minutes before removal. Socket users were protected even while the package was live.

The code contains a portion that appears to be unrelated to the main purpose of generating HTTP errors. This portion seems to exhibit behavior commonly associated with ransomware, such as encrypting files and potentially issuing ransom demands, which is highly malicious. The usage of the 'http' module to retrieve a key and the 'crypto' module to encrypt files on the system, combined with the suspicious 'beeceptor' domains and the file name 'whathappenedbroreadme.txt', indicates this code has a high probability of being intended for harmful actions.

The code is designed to collect sensitive system information and transmit it to an external server using obfuscated methods. This behavior is indicative of malicious activity, specifically data exfiltration.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This code contains a critical unsafe-deserialization issue: it takes a base64 string from an HTTP request, decodes and unpickles it (via debase64_pickled), and immediately uses the result in a privileged operation (up_compose). That pattern allows remote code execution or arbitrary process control if attacker-controlled data reaches this endpoint. Immediate remediation: remove unpickling of untrusted data, require signed/validated payloads or switch to safe formats, and add authentication and strict input validation. Until remediated, this endpoint should be considered high-risk and treated as potentially compromised if exposed to untrusted callers.

The code exhibits behavior consistent with data exfiltration attempts, using DNS queries to send system information to a suspicious domain. This poses a significant security risk.

Live on npm for 4 hours and 9 minutes before removal. Socket users were protected even while the package was live.

This is cryptocurrency mining software that uses a server and headless browser automation to mine cryptocurrency. The code structure and parameters (siteKey, threads, interval) strongly indicate cryptojacking functionality. When deployed without explicit user consent, this constitutes malware that will consume system resources for unauthorized mining operations.

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

This code poses a serious security risk and should not be used.

Live on npm for 1 hour and 26 minutes before removal. Socket users were protected even while the package was live.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

This module implements a persistent, unauthenticated backchannel: it serializes and sends all NoneBot events (including user messages and metadata) to a remote websocket and accepts arbitrary API commands from that remote controller which it executes via bot.call_api. The combination of exfiltration and remote-executable actions constitutes a high-severity supply-chain/backdoor risk. Remove or isolate this code and block outbound connections to the configured host(s) unless the remote controller is fully trusted and authorized.

The module itself is not directly an obfuscated or explicit malware payload, but it provides high-risk functionality for software supply-chain compromise and remote code execution. Primary risks: command injection via subprocess.run(shell=True) with unsanitized inputs; installing and executing unverified remote code (git clone + pip install + dynamic import) without authentication or sandboxing; destructive filesystem operations influenced by repository metadata. Recommended mitigations: avoid shell=True and use subprocess.run with argument lists, validate/sanitize inputs (gitref, org names), enforce checksums or signed artifacts for repositories and Python packages, perform pip installs in isolated environments (virtualenv/container), add rigorous error handling and input validation, and avoid importing untrusted code into the controlling process. Treat any use of install/update operations with untrusted gitrefs as a significant security risk.

Live on PyPI for 2 hours and 13 minutes before removal. Socket users were protected even while the package was live.

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

The fragment uses a hardened, obfuscated dynamic loader (marshal.loads + exec) to run hidden payloads, with clear indicators of malicious intent (zlib.decompress usage, TOXICVIRUS21 marker). This pattern is a high-risk supply-chain threat and should be treated as malware unless the payload can be thoroughly unpacked and validated in a secure, isolated environment.

This module is explicitly malicious/offensive: it provides actionable planning and workflow automation for APT attacks, zero-day weaponization, and control of military systems, targeting named national assets. It lacks any safety controls and would present a severe supply-chain and operational risk if distributed or integrated into other systems. Treat as high-risk/malicious: do not install, execute, or include in benign environments; remove from public packages and investigate the origin and distribution.

The provided security reports are unusable placeholders. The source code itself is heavily obfuscated binary data, raising significant concerns about its trustworthiness and potential for malicious activity. The package is assessed as high-risk due to the lack of transparency and the strong indicators of obfuscation often associated with malware.

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

This install script performs a destructive filesystem operation (removing the katex directory) and then executes an unknown command. Even if not overtly labeled as malware, it poses a high risk: it can cause data loss and enables execution of arbitrary code. You should not run this without inspecting the package contents and verifying what `copy-files-from-to` refers to and why katex is being removed.

Live on PyPI for 5 hours and 2 minutes before removal. Socket users were protected even while the package was live.

This module is a straightforward Slowloris DoS tool. It intentionally opens and maintains many TCP connections and sends periodic partial headers to a target host to exhaust server resources. The code is not obfuscated and its malicious purpose is explicit. It should not be executed against systems without explicit authorization. Operational risks include legal exposure and local resource exhaustion. No signs of credential harvesting or stealthy backdoor behavior were found, but the package is nonetheless malicious in function.

Possible typosquat of azure azure-graphrbac is a malicious package that exfiltrates system (Ex - hostname) and project details to external servers.

Live on npm for 7 hours and 30 minutes before removal. Socket users were protected even while the package was live.

This file is a database-dumping tool that constructs and sends PHP payloads to a remote webshell-like backend, decodes returned data and writes full table dumps to local .sql files. Functionally this enables large-scale data exfiltration. If used against systems without explicit authorization it is malicious. The provided snippet appears incomplete/partially redacted (format placeholders broken), so full payload content and any additional hidden behavior could not be verified. Recommend treating this as high risk and auditing the referenced libs (libs.myapp, libs.config) and the exact payload templates before trusting or using.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

The file contains code that secretly gathers detailed system information, such as hostname, OS type, platform, release, architecture, local IP addresses, public IP address (fetched via an external API), username, and current working directory. It then transmits this data to external endpoints via HTTP GET and POST requests, and uses a WebSocket connection as a fallback. The endpoints are hardcoded, for example, to URLs like http://example.com/jpd3.php, http://example.com/jpd4.php, and wss://example.com/socket, which are not transparent or verified services. This behavior is indicative of malware designed for unauthorized data exfiltration.

This module is a wrapper for Seisan seismic tools and a formatter for STATION0.HYP files. It performs numerous system-level operations: downloading and extracting external software, installing system packages via apt-get with sudo, copying a packaged lib into /usr/lib, and executing external Seisan binaries via pexpect/subprocess. There is no clear code that exfiltrates secrets or establishes backdoors, but the lack of integrity checks on downloads, the requirement for root operations, and frequent shell command usage create substantial supply-chain and privilege escalation risk. Use in environments where the package or its downloaded content could be tampered with is dangerous. Recommend not running download_seisan() with sudo on production hosts and reviewing/locking sources, adding checksum verification, and avoiding copying bundled libraries into system paths.

The code is attempting to exfiltrate system information by sending it over the network using the ping command. This behavior is potentially malicious as it may result in data leakage or unauthorized access to sensitive information.

Live on npm for 1 hour and 8 minutes before removal. Socket users were protected even while the package was live.

The code contains a portion that appears to be unrelated to the main purpose of generating HTTP errors. This portion seems to exhibit behavior commonly associated with ransomware, such as encrypting files and potentially issuing ransom demands, which is highly malicious. The usage of the 'http' module to retrieve a key and the 'crypto' module to encrypt files on the system, combined with the suspicious 'beeceptor' domains and the file name 'whathappenedbroreadme.txt', indicates this code has a high probability of being intended for harmful actions.

The code is designed to collect sensitive system information and transmit it to an external server using obfuscated methods. This behavior is indicative of malicious activity, specifically data exfiltration.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This code contains a critical unsafe-deserialization issue: it takes a base64 string from an HTTP request, decodes and unpickles it (via debase64_pickled), and immediately uses the result in a privileged operation (up_compose). That pattern allows remote code execution or arbitrary process control if attacker-controlled data reaches this endpoint. Immediate remediation: remove unpickling of untrusted data, require signed/validated payloads or switch to safe formats, and add authentication and strict input validation. Until remediated, this endpoint should be considered high-risk and treated as potentially compromised if exposed to untrusted callers.

The code exhibits behavior consistent with data exfiltration attempts, using DNS queries to send system information to a suspicious domain. This poses a significant security risk.

Live on npm for 4 hours and 9 minutes before removal. Socket users were protected even while the package was live.

This is cryptocurrency mining software that uses a server and headless browser automation to mine cryptocurrency. The code structure and parameters (siteKey, threads, interval) strongly indicate cryptojacking functionality. When deployed without explicit user consent, this constitutes malware that will consume system resources for unauthorized mining operations.

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

This code poses a serious security risk and should not be used.

Live on npm for 1 hour and 26 minutes before removal. Socket users were protected even while the package was live.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

This module implements a persistent, unauthenticated backchannel: it serializes and sends all NoneBot events (including user messages and metadata) to a remote websocket and accepts arbitrary API commands from that remote controller which it executes via bot.call_api. The combination of exfiltration and remote-executable actions constitutes a high-severity supply-chain/backdoor risk. Remove or isolate this code and block outbound connections to the configured host(s) unless the remote controller is fully trusted and authorized.

The module itself is not directly an obfuscated or explicit malware payload, but it provides high-risk functionality for software supply-chain compromise and remote code execution. Primary risks: command injection via subprocess.run(shell=True) with unsanitized inputs; installing and executing unverified remote code (git clone + pip install + dynamic import) without authentication or sandboxing; destructive filesystem operations influenced by repository metadata. Recommended mitigations: avoid shell=True and use subprocess.run with argument lists, validate/sanitize inputs (gitref, org names), enforce checksums or signed artifacts for repositories and Python packages, perform pip installs in isolated environments (virtualenv/container), add rigorous error handling and input validation, and avoid importing untrusted code into the controlling process. Treat any use of install/update operations with untrusted gitrefs as a significant security risk.

Live on PyPI for 2 hours and 13 minutes before removal. Socket users were protected even while the package was live.

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

The fragment uses a hardened, obfuscated dynamic loader (marshal.loads + exec) to run hidden payloads, with clear indicators of malicious intent (zlib.decompress usage, TOXICVIRUS21 marker). This pattern is a high-risk supply-chain threat and should be treated as malware unless the payload can be thoroughly unpacked and validated in a secure, isolated environment.

This module is explicitly malicious/offensive: it provides actionable planning and workflow automation for APT attacks, zero-day weaponization, and control of military systems, targeting named national assets. It lacks any safety controls and would present a severe supply-chain and operational risk if distributed or integrated into other systems. Treat as high-risk/malicious: do not install, execute, or include in benign environments; remove from public packages and investigate the origin and distribution.

The provided security reports are unusable placeholders. The source code itself is heavily obfuscated binary data, raising significant concerns about its trustworthiness and potential for malicious activity. The package is assessed as high-risk due to the lack of transparency and the strong indicators of obfuscation often associated with malware.