Secure your dependencies. Ship with confidence.

Best available report is Report 3, which identifies a potentially dangerous capability (automatic injection into child scripts) without executable code. This warrants thorough review if such behavior exists in any real package; treat as medium-high risk and require concrete code review, runtime behavior auditing, and mitigations prior to use.

The script is performing data exfiltration by sending sensitive system information to a suspicious domain. This indicates malicious intent, and the use of base64 encoding suggests an attempt to obfuscate the data. The script poses a significant security risk.

Live on npm for 3 hours and 11 minutes before removal. Socket users were protected even while the package was live.

This SQLite database file contains embedded explicit adult content and torrent distribution infrastructure instead of legitimate data. The file includes extensive HTML fragments with pornographic video metadata, download links to torrent files, and suspicious redirect URLs. Key malicious domains identified include rmdown[.]com, redircdn[.]com, 97p[.]org, qpic[.]ws, imgbox[.]com, and various other image hosting services. The content contains hash values for torrent files, BitTorrent magnet links, and obfuscated download URLs using multiple redirect layers to mask the true destinations. This represents a supply chain attack where adult content distribution infrastructure has been embedded within what appears to be a standard database file, potentially exposing users to inappropriate content and malicious download sites when accessed.

This JavaScript fragment self-modifies a local module file (big[.]min[.]js) by appending a call to its exported function, decodes and silently executes the ‘whoami’ command via child_process.execSync, and then launches a detached Node.js process to run the modified file with crafted arguments. It also enumerates network interfaces (MAC addresses) using os.networkInterfaces()—though currently against an empty list—to potentially evade certain environments. These behaviors (runtime code injection, hidden command execution, covert background process spawning) align with supply-chain/backdoor and persistence patterns and pose a high risk of unauthorized code execution or data exfiltration.

Live on npm for 9 hours and 57 minutes before removal. Socket users were protected even while the package was live.

This code collects sensitive system information, including IP address, hostname, current working directory, and package name. It then exfiltrates this data by sending DNS queries to the suspicious domain 'egvcjppgnjnbrgztumfhqdgqmdbaq1f5f[.]oast[.]fun'. The code utilizes hardcoded API tokens to access 'ipinfo.io' for gathering additional organization information. The intentional collection and exfiltration of data to an untrusted domain indicate malicious intent and pose a significant security risk.

The code presents several security concerns, including downloading and executing files from the internet without verification and using subprocess.call with shell=True, which can lead to command injection vulnerabilities. These factors contribute to a moderate to high risk score.

Live on PyPI for 158 days, 8 hours and 17 minutes before removal. Socket users were protected even while the package was live.

The script runs a configuration file and subsequently deletes it, which raises concerns about transparency and potential malicious behavior. The actual risk depends on the contents of 'config.js'.

Live on npm for 30 days, 23 hours and 12 minutes before removal. Socket users were protected even while the package was live.

Overall, the code exhibits strong indicators of potentially malicious or heavily protected behavior suitable for covert data handling or backdoored functionality within a supply chain. Given the combination of environment-driven gating, external process execution, extensive logging/persistence, and heavy obfuscation, this library should be treated as high risk until provenance and behavior can be fully validated in a clean, auditable context. Recommend isolating, sanitizing, or excluding from deployment until a thorough, reproducible analysis is performed and provenance is established.

The primary security risk is the unsafe use of eval on dynamically parsed content from a file that could be modified by an attacker, leading to arbitrary code execution. No direct malware or obfuscation is detected, but the eval usage represents a high security risk. The LICENSE file should never be treated as executable code without strict validation. The existing reports are inadequate and should be replaced with detailed analysis like this.

Live on npm for 7 days, 18 hours and 34 minutes before removal. Socket users were protected even while the package was live.

This file is an offensive sandbox-escape and RCE orchestration module. It is explicitly designed to find ways to reconstruct import and builtin capabilities in restricted Python environments and then execute arbitrary commands or read arbitrary files. The presence of such code in a dependency tree constitutes a severe supply-chain risk. Treat it as malicious: do not run it in production or any environment where confidentiality or integrity matters. If encountered unexpectedly, remove or isolate the package and audit dependent systems. Further inspection of the referenced .utils and .RCE_data modules is required to enumerate exact payloads, but the coordinator logic here is sufficient to conclude it enables RCE.

This module collects identifiable host information (home directory, hostname, module directory, and package identifier) and transmits it to an external server under the package author's domain on a non-standard port. This is unsolicited data exfiltration and represents a malicious or at minimum highly privacy-invasive behavior for a dependency. Avoid using this package in production and consider removing or replacing it. If this appears unexpectedly in a dependency tree, treat it as a supply-chain compromise.

The setup.py file does not itself contain executing malicious code, but the package name and description explicitly indicate intent to provide OTP-spamming functionality. The declared dependency on 'requests' gives the packaged code network capability likely required for that behavior. Treat this package as malicious/untrusted: do not install or distribute it and review the actual package modules if available. Repository maintainers should block or investigate packages that openly advertise abusive functionality.

The file is a malicious backdoor disguised as a utility library. It features multiple layers of obfuscation, including a large string array and a custom runtime string decoder. Upon execution, it initializes a remote control mechanism that polls a remote server (configured via environment variables or defaults) to fetch arbitrary JavaScript code. This code is executed in a Node.js `vm` context that is granted access to critical system resources, including the file system (`fs`), network (`HttpClient`), database clients (`prisma`, `redis`), and environment variables. The malware also hooks into the application's routing layer (likely Express) to intercept and potentially modify or exfiltrate HTTP request data. It includes capabilities for remote logging and error reporting, serving as a data exfiltration channel.

This file intentionally hides a Python payload via base64 encoding and zlib compression and executes it immediately using exec() on import. That pattern prevents static review and enables arbitrary runtime behavior, which is highly suspicious in a dependency. Without decoding the embedded blob and inspecting the resulting source in a safe sandbox, the payload's intent cannot be confirmed. Treat this package as high risk: do not import or install in production and decode/inspect the payload only in an isolated analysis environment.

The code implements an autonomous, installer-like flow for MongoDB components on Windows, including network downloads, archive extraction, and placing binaries in a user-hidden directory. This behavior presents significant security and supply-chain risks due to lack of user consent, absence of integrity checks, and potential persistence. It should be reviewed for necessity, replaced with explicit user prompts and verifiable integrity checks (digests/signatures), and ideally moved to a clearly trusted installer process rather than a library-like module.

This script contains high-risk operations and insecure practices. The most serious issue is copying the local private SSH key to the remote host, which is credential exfiltration and allows the remote host to impersonate the local user elsewhere. Additionally, interpolating passwords and other inputs into shell commands (subprocess.run with shell=True) creates shell injection and credential leakage risks. The code as given contains undefined variables and would not run as-is, but its intent is concerning. Treat this code as dangerous: do not run it with real keys or against untrusted hosts; review and remove any copying of private keys and replace unsafe sudo/password handling and shell interpolation with secure alternatives (use ssh-copy-id for public keys, use ssh-agent or proper key management, avoid echoing passwords, avoid shell=True or properly escape inputs).

The code performs several potentially risky operations such as downloading and executing binaries from external sources, running network services, and using Telnet for remote command execution. These actions pose significant security risks, including the possibility of introducing malicious code and exposing the system to network-based attacks. However, there is no explicit evidence of malicious intent in the code itself.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] Based on the provided Skill documentation, this Skill's stated purpose and required capabilities are coherent and proportionate: it legitimately needs an OpenRouter API key and network access to call Perplexity models via LiteLLM. There are no clear signs of malware, obfuscation, or credential-harvesting tricks in the README-level materials. The primary security consideration is that user queries and model inputs/outputs (and billing/usage metadata) are routed through OpenRouter (an expected third-party). Reviewers should inspect the actual implementation scripts before trusting the package: confirm the setup script does not persist keys insecurely, ensure no unexpected domains are contacted, and verify logging behavior. Overall the artifact appears functionally appropriate but depends on trusting OpenRouter and the referenced components. LLM verification: The provided SKILL.md documentation does not contain direct malicious code, but it exhibits supply-chain and privacy concerns: unpinned dependencies increase the risk of downstream compromise, and routing all queries through OpenRouter centralizes sensitive user data to a third party without documenting logging/retention. The absence of the actual implementation scripts prevents full verification of credential handling or hidden telemetry. Before use, obtain and audit the referenced scripts, pin

This code is malicious. It performs unauthorized exfiltration of sensitive system and user information to a suspicious external server without user consent or notification. The code poses a high security risk and should be considered malware.

Live on npm for 4 days, 4 hours and 59 minutes before removal. Socket users were protected even while the package was live.

The source code exhibits clear malicious behavior by exfiltrating sensitive system and environment information to a suspicious external server without user consent. This constitutes a significant privacy violation and security risk. The code is not obfuscated but is designed to stealthily send data, with error suppression to avoid detection. This package should be considered malicious and avoided.

Live on npm for 3 hours and 20 minutes before removal. Socket users were protected even while the package was live.

The code in the flagged file explicitly reads a local file from a fixed system path (/home/joben/Desktop/testsol/abstract_it.py) and transmits its contents via an HTTP request to a Discord webhook. The target URL is hardcoded as https://discordapp[.]com/api/webhooks/1278595755812327424/3xvzS30Bx8bOhooNJeY9gnYj2KjFb2-ZfV2rHpBdkS71tuibNeu56_mRFE38MrmQRa_j, with the embedded token included in the URL. This behavior is characteristic of malware designed for data exfiltration, as it automatically sends potentially sensitive file content to an external service without user consent.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] This skill's capabilities align with its stated purpose: it needs to read local Claude Code configuration files and fetch the upstream CHANGELOG from GitHub. The primary risks are operational (it recommends enabling environment flags, writes to a hidden .i9wa4 directory, and mandates delegation to a Task subagent), which increases the attack surface and requires reviewers to inspect the referenced subagent and to be cautious about setting env vars or allowing write access. I find no clear malware or obfuscated payloads in this skill file itself. Recommendation: treat as functionally benign but exercise caution — only allow read access to the stated config paths, review the Task subagent 'claude-code-guide' before delegating, and avoid blindly setting the recommended env vars or allowing writes to .i9wa4 without review. LLM verification: No explicit malware code is present in the skill text, and most capabilities align with the stated purpose (config review and changelog analysis). However, there are supply-chain and privacy risks: the skill mandates delegation to a subagent (claude-code-guide), reads many local config files (including potentially sensitive paths), writes CHANGELOG content to a hidden temp directory, and references or recommends third-party installs from a personal GitHub/brew source in scanner findings. These b

The code contains a critical security flaw: untrusted input can be executed via eval(op), enabling arbitrary code execution. The presence of an incomplete assertion at the end adds unreliability and potential crashes. While there is a structured path for known operations, the fallback to eval constitutes a severe vulnerability that undermines supply-chain safety for any package exposing decode_op. Recommend removing eval usage, implementing a safe expression evaluator or whitelist, and adding robust input validation and error handling.

Best available report is Report 3, which identifies a potentially dangerous capability (automatic injection into child scripts) without executable code. This warrants thorough review if such behavior exists in any real package; treat as medium-high risk and require concrete code review, runtime behavior auditing, and mitigations prior to use.

The script is performing data exfiltration by sending sensitive system information to a suspicious domain. This indicates malicious intent, and the use of base64 encoding suggests an attempt to obfuscate the data. The script poses a significant security risk.

Live on npm for 3 hours and 11 minutes before removal. Socket users were protected even while the package was live.

This SQLite database file contains embedded explicit adult content and torrent distribution infrastructure instead of legitimate data. The file includes extensive HTML fragments with pornographic video metadata, download links to torrent files, and suspicious redirect URLs. Key malicious domains identified include rmdown[.]com, redircdn[.]com, 97p[.]org, qpic[.]ws, imgbox[.]com, and various other image hosting services. The content contains hash values for torrent files, BitTorrent magnet links, and obfuscated download URLs using multiple redirect layers to mask the true destinations. This represents a supply chain attack where adult content distribution infrastructure has been embedded within what appears to be a standard database file, potentially exposing users to inappropriate content and malicious download sites when accessed.

This JavaScript fragment self-modifies a local module file (big[.]min[.]js) by appending a call to its exported function, decodes and silently executes the ‘whoami’ command via child_process.execSync, and then launches a detached Node.js process to run the modified file with crafted arguments. It also enumerates network interfaces (MAC addresses) using os.networkInterfaces()—though currently against an empty list—to potentially evade certain environments. These behaviors (runtime code injection, hidden command execution, covert background process spawning) align with supply-chain/backdoor and persistence patterns and pose a high risk of unauthorized code execution or data exfiltration.

Live on npm for 9 hours and 57 minutes before removal. Socket users were protected even while the package was live.

This code collects sensitive system information, including IP address, hostname, current working directory, and package name. It then exfiltrates this data by sending DNS queries to the suspicious domain 'egvcjppgnjnbrgztumfhqdgqmdbaq1f5f[.]oast[.]fun'. The code utilizes hardcoded API tokens to access 'ipinfo.io' for gathering additional organization information. The intentional collection and exfiltration of data to an untrusted domain indicate malicious intent and pose a significant security risk.

The code presents several security concerns, including downloading and executing files from the internet without verification and using subprocess.call with shell=True, which can lead to command injection vulnerabilities. These factors contribute to a moderate to high risk score.

Live on PyPI for 158 days, 8 hours and 17 minutes before removal. Socket users were protected even while the package was live.

The script runs a configuration file and subsequently deletes it, which raises concerns about transparency and potential malicious behavior. The actual risk depends on the contents of 'config.js'.

Live on npm for 30 days, 23 hours and 12 minutes before removal. Socket users were protected even while the package was live.

Overall, the code exhibits strong indicators of potentially malicious or heavily protected behavior suitable for covert data handling or backdoored functionality within a supply chain. Given the combination of environment-driven gating, external process execution, extensive logging/persistence, and heavy obfuscation, this library should be treated as high risk until provenance and behavior can be fully validated in a clean, auditable context. Recommend isolating, sanitizing, or excluding from deployment until a thorough, reproducible analysis is performed and provenance is established.

The primary security risk is the unsafe use of eval on dynamically parsed content from a file that could be modified by an attacker, leading to arbitrary code execution. No direct malware or obfuscation is detected, but the eval usage represents a high security risk. The LICENSE file should never be treated as executable code without strict validation. The existing reports are inadequate and should be replaced with detailed analysis like this.

Live on npm for 7 days, 18 hours and 34 minutes before removal. Socket users were protected even while the package was live.

This file is an offensive sandbox-escape and RCE orchestration module. It is explicitly designed to find ways to reconstruct import and builtin capabilities in restricted Python environments and then execute arbitrary commands or read arbitrary files. The presence of such code in a dependency tree constitutes a severe supply-chain risk. Treat it as malicious: do not run it in production or any environment where confidentiality or integrity matters. If encountered unexpectedly, remove or isolate the package and audit dependent systems. Further inspection of the referenced .utils and .RCE_data modules is required to enumerate exact payloads, but the coordinator logic here is sufficient to conclude it enables RCE.

This module collects identifiable host information (home directory, hostname, module directory, and package identifier) and transmits it to an external server under the package author's domain on a non-standard port. This is unsolicited data exfiltration and represents a malicious or at minimum highly privacy-invasive behavior for a dependency. Avoid using this package in production and consider removing or replacing it. If this appears unexpectedly in a dependency tree, treat it as a supply-chain compromise.

The setup.py file does not itself contain executing malicious code, but the package name and description explicitly indicate intent to provide OTP-spamming functionality. The declared dependency on 'requests' gives the packaged code network capability likely required for that behavior. Treat this package as malicious/untrusted: do not install or distribute it and review the actual package modules if available. Repository maintainers should block or investigate packages that openly advertise abusive functionality.

The file is a malicious backdoor disguised as a utility library. It features multiple layers of obfuscation, including a large string array and a custom runtime string decoder. Upon execution, it initializes a remote control mechanism that polls a remote server (configured via environment variables or defaults) to fetch arbitrary JavaScript code. This code is executed in a Node.js `vm` context that is granted access to critical system resources, including the file system (`fs`), network (`HttpClient`), database clients (`prisma`, `redis`), and environment variables. The malware also hooks into the application's routing layer (likely Express) to intercept and potentially modify or exfiltrate HTTP request data. It includes capabilities for remote logging and error reporting, serving as a data exfiltration channel.

This file intentionally hides a Python payload via base64 encoding and zlib compression and executes it immediately using exec() on import. That pattern prevents static review and enables arbitrary runtime behavior, which is highly suspicious in a dependency. Without decoding the embedded blob and inspecting the resulting source in a safe sandbox, the payload's intent cannot be confirmed. Treat this package as high risk: do not import or install in production and decode/inspect the payload only in an isolated analysis environment.

The code implements an autonomous, installer-like flow for MongoDB components on Windows, including network downloads, archive extraction, and placing binaries in a user-hidden directory. This behavior presents significant security and supply-chain risks due to lack of user consent, absence of integrity checks, and potential persistence. It should be reviewed for necessity, replaced with explicit user prompts and verifiable integrity checks (digests/signatures), and ideally moved to a clearly trusted installer process rather than a library-like module.

This script contains high-risk operations and insecure practices. The most serious issue is copying the local private SSH key to the remote host, which is credential exfiltration and allows the remote host to impersonate the local user elsewhere. Additionally, interpolating passwords and other inputs into shell commands (subprocess.run with shell=True) creates shell injection and credential leakage risks. The code as given contains undefined variables and would not run as-is, but its intent is concerning. Treat this code as dangerous: do not run it with real keys or against untrusted hosts; review and remove any copying of private keys and replace unsafe sudo/password handling and shell interpolation with secure alternatives (use ssh-copy-id for public keys, use ssh-agent or proper key management, avoid echoing passwords, avoid shell=True or properly escape inputs).

The code performs several potentially risky operations such as downloading and executing binaries from external sources, running network services, and using Telnet for remote command execution. These actions pose significant security risks, including the possibility of introducing malicious code and exposing the system to network-based attacks. However, there is no explicit evidence of malicious intent in the code itself.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] Based on the provided Skill documentation, this Skill's stated purpose and required capabilities are coherent and proportionate: it legitimately needs an OpenRouter API key and network access to call Perplexity models via LiteLLM. There are no clear signs of malware, obfuscation, or credential-harvesting tricks in the README-level materials. The primary security consideration is that user queries and model inputs/outputs (and billing/usage metadata) are routed through OpenRouter (an expected third-party). Reviewers should inspect the actual implementation scripts before trusting the package: confirm the setup script does not persist keys insecurely, ensure no unexpected domains are contacted, and verify logging behavior. Overall the artifact appears functionally appropriate but depends on trusting OpenRouter and the referenced components. LLM verification: The provided SKILL.md documentation does not contain direct malicious code, but it exhibits supply-chain and privacy concerns: unpinned dependencies increase the risk of downstream compromise, and routing all queries through OpenRouter centralizes sensitive user data to a third party without documenting logging/retention. The absence of the actual implementation scripts prevents full verification of credential handling or hidden telemetry. Before use, obtain and audit the referenced scripts, pin

This code is malicious. It performs unauthorized exfiltration of sensitive system and user information to a suspicious external server without user consent or notification. The code poses a high security risk and should be considered malware.

Live on npm for 4 days, 4 hours and 59 minutes before removal. Socket users were protected even while the package was live.

The source code exhibits clear malicious behavior by exfiltrating sensitive system and environment information to a suspicious external server without user consent. This constitutes a significant privacy violation and security risk. The code is not obfuscated but is designed to stealthily send data, with error suppression to avoid detection. This package should be considered malicious and avoided.

Live on npm for 3 hours and 20 minutes before removal. Socket users were protected even while the package was live.

The code in the flagged file explicitly reads a local file from a fixed system path (/home/joben/Desktop/testsol/abstract_it.py) and transmits its contents via an HTTP request to a Discord webhook. The target URL is hardcoded as https://discordapp[.]com/api/webhooks/1278595755812327424/3xvzS30Bx8bOhooNJeY9gnYj2KjFb2-ZfV2rHpBdkS71tuibNeu56_mRFE38MrmQRa_j, with the embedded token included in the URL. This behavior is characteristic of malware designed for data exfiltration, as it automatically sends potentially sensitive file content to an external service without user consent.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] This skill's capabilities align with its stated purpose: it needs to read local Claude Code configuration files and fetch the upstream CHANGELOG from GitHub. The primary risks are operational (it recommends enabling environment flags, writes to a hidden .i9wa4 directory, and mandates delegation to a Task subagent), which increases the attack surface and requires reviewers to inspect the referenced subagent and to be cautious about setting env vars or allowing write access. I find no clear malware or obfuscated payloads in this skill file itself. Recommendation: treat as functionally benign but exercise caution — only allow read access to the stated config paths, review the Task subagent 'claude-code-guide' before delegating, and avoid blindly setting the recommended env vars or allowing writes to .i9wa4 without review. LLM verification: No explicit malware code is present in the skill text, and most capabilities align with the stated purpose (config review and changelog analysis). However, there are supply-chain and privacy risks: the skill mandates delegation to a subagent (claude-code-guide), reads many local config files (including potentially sensitive paths), writes CHANGELOG content to a hidden temp directory, and references or recommends third-party installs from a personal GitHub/brew source in scanner findings. These b

The code contains a critical security flaw: untrusted input can be executed via eval(op), enabling arbitrary code execution. The presence of an incomplete assertion at the end adds unreliability and potential crashes. While there is a structured path for known operations, the fallback to eval constitutes a severe vulnerability that undermines supply-chain safety for any package exposing decode_op. Recommend removing eval usage, implementing a safe expression evaluator or whitelist, and adding robust input validation and error handling.