Secure your dependencies. Ship with confidence.

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

This packaging/publish script contains multiple high-risk patterns: eval() on file contents (arbitrary code execution), hard-coded absolute token file path, passing secrets on the command line, and executing an assembled shell command via os.system. These make it unsuitable for use in untrusted or automated environments without remediation. Practical recommendations: replace eval() with safe parsing (json, toml, or ast.literal_eval), stop passing tokens on the command line (use environment variables or keyrings), use subprocess.run with argument lists (no shell) or twine APIs, remove absolute credential paths, audit and review nestpython.nsp.files.nbuild, and avoid destructive flags (erase_dir=True) unless explicitly intended. While the code does not show explicit obfuscated malware payloads, the insecure patterns provide straightforward vectors for supply-chain compromise if supporting files are modified.

The code is heavily obfuscated, which raises suspicion about its intent. Without deobfuscation, it is impossible to determine if the code contains malware or poses a security risk. The obfuscation itself is a significant anomaly and should be addressed before using this code in any capacity.

Live on npm for 16 days, 5 hours and 48 minutes before removal. Socket users were protected even while the package was live.

The script appears to perform a DNS lookup using the 'host' command, with the hostname and username encoded in base64. This behavior could potentially be used for malicious purposes, such as exfiltrating data or establishing command and control communication.

Live on npm for 28 days, 9 hours and 49 minutes before removal. Socket users were protected even while the package was live.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This module contains functionality that intentionally executes Python config files and uses yaml.unsafe_load, and it patches the import mechanism to support relative importing of such config files. Those behaviors are high-risk for code execution if the config files or override strings are untrusted, but there is no evidence in this fragment of an intentional malicious backdoor, exfiltration, or obfuscation. The biggest security concern is the use of exec/unsafe_load/eval which are legitimate for this tool but should be considered dangerous in supply-chain or untrusted-file scenarios.

This module automates account login via Selenium and handles session cookies and orchestration hooks. The presence of a hardcoded external HTTP address (http://178.128.211.227) passed to utils.save_cookie combined with deletion of local cookie artifacts and orchestration calls is highly suspicious for credential/session harvesting and exfiltration. Treat the code as high risk: do not run with real credentials until utils.* implementations are audited and the remote host is validated. If using this package in a benign automation environment, replace or inspect utils.save_cookie and remove any hardcoded remote endpoints and destructive cleanup commands.

This code fragment implements file-based DB operations but contains a critical filesystem path handling bug in dropDb: using path.join with a leading '/' in the second argument allows creation of an absolute path which can lead to deletion of arbitrary files the process can write. There is no validation of dbName anywhere, increasing risk of path traversal, unintended file creation/deletion, or directory pollution. There is no indication of network exfiltration, obfuscation, or explicit backdoor functionality; the primary security risk is unsafe filesystem handling that can lead to data loss or privilege escalation within the filesystem scope.

Live on npm for 1 hour and 33 minutes before removal. Socket users were protected even while the package was live.

This code implements a remote administration/tunneling agent with full remote shell and file system control. Functionality includes spawning shells, reading and writing arbitrary files, renaming/moving/deleting files (including recursive deletes), and opening network tunnels/upgrades to a controller URL. While this may be legitimate MeshAgent agent code, the features constitute high-risk capabilities if included as an unexpected dependency or executed without proper trust and authorization. Treat this module as potentially dangerous in a supply-chain context: it can be used for remote command execution and data access/exfiltration by whoever controls the MeshAgent controller.

This file exhibits multiple suspicious characteristics including a randomly generated class name and a future timestamp. It extends a core Scala compiler component which suggests a potential supply chain attack targeting the Scala compilation process. Without full decompilation of the methods, the exact malicious behavior cannot be determined, but tampering with compiler components is a high-risk attack vector that could allow injecting malicious code into all software built with the compromised compiler. Immediate isolation and thorough investigation is recommended.

The code imports and calls functions from several external modules with unusual and non-descriptive names, without any apparent input or output. The naming conventions of the modules and functions are suspicious, and the purpose of the code is unclear. While the code does not directly indicate malicious behavior, the potential for it exists due to the lack of transparency and context for these external dependencies.

Live on npm for 57 days, 9 hours and 17 minutes before removal. Socket users were protected even while the package was live.

The code collects environment variables and sends them to a potentially malicious remote server under certain conditions. This behavior is highly suspicious and could lead to data leakage or credential theft.

The fragment contains a high-risk pattern: it downloads a Python script from a remote source and immediately executes it without integrity verification or sandboxing. This creates a critical supply-chain and remote-code-execution risk, as the remote payload could perform any action on the host, including data exfiltration, credential access, or system compromise. Even though defaults use placeholders, the mechanism itself is unsafe and should be disallowed or hardened (e.g., verify hashes, use signed modules, avoid executing remote code).

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

The code fragment demonstrates a workflow that reads deployment-related inputs and mutates Kubernetes manifests to change container images and related fields, followed by persisting updates to disk. While this could be legitimate automation (CI/CD tooling or cluster-hardening utilities), the heavy obfuscation, sizeable data-driven mutation logic, and direct writes to critical deployment files constitute a significant supply-chain and runtime-risk. Treat as suspicious; require source-of-truth validation for all input data, remove obfuscation, and run in a sandbox with strict runtime controls and auditing to confirm intended behavior and prevent unauthorized deployments.

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

This file implements an encrypted DNS command-and-control client (Sliver implant DNS transport). It intentionally serializes, encrypts and transports arbitrary protobuf envelopes over DNS queries and reads responses — behavior consistent with a backdoor/C2 implant. There are no hardcoded credentials or obfuscation techniques in this module; however, the module enables covert data exfiltration and remote command delivery when provided a parent domain and resolvers. From a supply-chain/security standpoint, including this package in software will provide C2 capabilities and is high risk unless explicitly desired for red-team/offensive use.

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

This packaging/publish script contains multiple high-risk patterns: eval() on file contents (arbitrary code execution), hard-coded absolute token file path, passing secrets on the command line, and executing an assembled shell command via os.system. These make it unsuitable for use in untrusted or automated environments without remediation. Practical recommendations: replace eval() with safe parsing (json, toml, or ast.literal_eval), stop passing tokens on the command line (use environment variables or keyrings), use subprocess.run with argument lists (no shell) or twine APIs, remove absolute credential paths, audit and review nestpython.nsp.files.nbuild, and avoid destructive flags (erase_dir=True) unless explicitly intended. While the code does not show explicit obfuscated malware payloads, the insecure patterns provide straightforward vectors for supply-chain compromise if supporting files are modified.

The code is heavily obfuscated, which raises suspicion about its intent. Without deobfuscation, it is impossible to determine if the code contains malware or poses a security risk. The obfuscation itself is a significant anomaly and should be addressed before using this code in any capacity.

Live on npm for 16 days, 5 hours and 48 minutes before removal. Socket users were protected even while the package was live.

The script appears to perform a DNS lookup using the 'host' command, with the hostname and username encoded in base64. This behavior could potentially be used for malicious purposes, such as exfiltrating data or establishing command and control communication.

Live on npm for 28 days, 9 hours and 49 minutes before removal. Socket users were protected even while the package was live.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This module contains functionality that intentionally executes Python config files and uses yaml.unsafe_load, and it patches the import mechanism to support relative importing of such config files. Those behaviors are high-risk for code execution if the config files or override strings are untrusted, but there is no evidence in this fragment of an intentional malicious backdoor, exfiltration, or obfuscation. The biggest security concern is the use of exec/unsafe_load/eval which are legitimate for this tool but should be considered dangerous in supply-chain or untrusted-file scenarios.

This module automates account login via Selenium and handles session cookies and orchestration hooks. The presence of a hardcoded external HTTP address (http://178.128.211.227) passed to utils.save_cookie combined with deletion of local cookie artifacts and orchestration calls is highly suspicious for credential/session harvesting and exfiltration. Treat the code as high risk: do not run with real credentials until utils.* implementations are audited and the remote host is validated. If using this package in a benign automation environment, replace or inspect utils.save_cookie and remove any hardcoded remote endpoints and destructive cleanup commands.

This code fragment implements file-based DB operations but contains a critical filesystem path handling bug in dropDb: using path.join with a leading '/' in the second argument allows creation of an absolute path which can lead to deletion of arbitrary files the process can write. There is no validation of dbName anywhere, increasing risk of path traversal, unintended file creation/deletion, or directory pollution. There is no indication of network exfiltration, obfuscation, or explicit backdoor functionality; the primary security risk is unsafe filesystem handling that can lead to data loss or privilege escalation within the filesystem scope.

Live on npm for 1 hour and 33 minutes before removal. Socket users were protected even while the package was live.

This code implements a remote administration/tunneling agent with full remote shell and file system control. Functionality includes spawning shells, reading and writing arbitrary files, renaming/moving/deleting files (including recursive deletes), and opening network tunnels/upgrades to a controller URL. While this may be legitimate MeshAgent agent code, the features constitute high-risk capabilities if included as an unexpected dependency or executed without proper trust and authorization. Treat this module as potentially dangerous in a supply-chain context: it can be used for remote command execution and data access/exfiltration by whoever controls the MeshAgent controller.

This file exhibits multiple suspicious characteristics including a randomly generated class name and a future timestamp. It extends a core Scala compiler component which suggests a potential supply chain attack targeting the Scala compilation process. Without full decompilation of the methods, the exact malicious behavior cannot be determined, but tampering with compiler components is a high-risk attack vector that could allow injecting malicious code into all software built with the compromised compiler. Immediate isolation and thorough investigation is recommended.

The code imports and calls functions from several external modules with unusual and non-descriptive names, without any apparent input or output. The naming conventions of the modules and functions are suspicious, and the purpose of the code is unclear. While the code does not directly indicate malicious behavior, the potential for it exists due to the lack of transparency and context for these external dependencies.

Live on npm for 57 days, 9 hours and 17 minutes before removal. Socket users were protected even while the package was live.

The code collects environment variables and sends them to a potentially malicious remote server under certain conditions. This behavior is highly suspicious and could lead to data leakage or credential theft.

The fragment contains a high-risk pattern: it downloads a Python script from a remote source and immediately executes it without integrity verification or sandboxing. This creates a critical supply-chain and remote-code-execution risk, as the remote payload could perform any action on the host, including data exfiltration, credential access, or system compromise. Even though defaults use placeholders, the mechanism itself is unsafe and should be disallowed or hardened (e.g., verify hashes, use signed modules, avoid executing remote code).

The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.

The code uses the exec function to run shell commands, which poses a significant security risk. It could potentially execute malicious code if the input to exec is manipulated. Redirecting output to /dev/null to hide execution details is suspicious.

Live on npm for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

The code fragment demonstrates a workflow that reads deployment-related inputs and mutates Kubernetes manifests to change container images and related fields, followed by persisting updates to disk. While this could be legitimate automation (CI/CD tooling or cluster-hardening utilities), the heavy obfuscation, sizeable data-driven mutation logic, and direct writes to critical deployment files constitute a significant supply-chain and runtime-risk. Treat as suspicious; require source-of-truth validation for all input data, remove obfuscation, and run in a sandbox with strict runtime controls and auditing to confirm intended behavior and prevent unauthorized deployments.

The code exhibits a dangerous remote code execution pattern: it downloads and immediately runs a remote Python payload without integrity checks, sandboxing, or input validation. This creates a severe supply-chain and runtime security risk. Recommended mitigations include removing dynamic downloads, validating payloads with cryptographic hashes or signatures, using safe subprocess invocations with argument lists, and implementing strict input sanitization. If remote functionality must remain, switch to a trusted-internal mechanism (e.g., plugin architecture with signed components, offline verification) and add robust error handling and logging.

This file implements an encrypted DNS command-and-control client (Sliver implant DNS transport). It intentionally serializes, encrypts and transports arbitrary protobuf envelopes over DNS queries and reads responses — behavior consistent with a backdoor/C2 implant. There are no hardcoded credentials or obfuscation techniques in this module; however, the module enables covert data exfiltration and remote command delivery when provided a parent domain and resolvers. From a supply-chain/security standpoint, including this package in software will provide C2 capabilities and is high risk unless explicitly desired for red-team/offensive use.