Secure your dependencies. Ship with confidence.

The code fragment has a security risk due to the use of the 'exec' function without proper input validation, which can lead to command injection vulnerabilities. Additionally, the code downloads and executes a file from an external URL without proper validation, which poses a risk of executing malicious files.

Live on npm for 2 hours and 49 minutes before removal. Socket users were protected even while the package was live.

This install script sends the local username to an external collector. It performs covert data exfiltration/telemetry without user consent and therefore poses a high privacy and security risk. It should be removed or blocked and the package contents and publisher should be investigated.

This code is highly suspicious and should not be trusted. It poses a significant security risk to any system on which it is installed.

High-risk code that implements network-exposed arbitrary command execution capabilities. While potentially legitimate for automation, it creates significant security vulnerabilities including remote code execution, command injection, and unauthorized system access. Should be treated as dangerous without proper security controls.

This module harvests sensitive browser artifacts (history, saved logins, cookies, extension metadata) and includes logic to exfiltrate that data via client.send_message. It forcibly terminates browser processes and launches a headless Chrome instance with remote debugging to extract cookies — an active technique used to obtain session tokens. These behaviors are consistent with credential harvesting and data exfiltration. Treat this code as malicious or at minimum highly privacy-invasive and unsuitable for use in trusted environments without strong justification and safeguards.

The code exhibits malicious behavior by collecting and transmitting system information to a suspicious domain. The use of obfuscation further indicates an attempt to conceal its true purpose. This poses a significant security risk.

Live on npm for 8 hours and 37 minutes before removal. Socket users were protected even while the package was live.

This file defines a large local dumpJSON array and then, unconditionally when imported, uses a hard-coded cookie (including a login_token JWT) plus static aiStudioUrl (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio) and datasetId to authenticate and issue fetch GET to /api/datasets/{datasetId}/documents?page=1&size=100, followed by PUT or POST requests to /api/datasets/{datasetId}/documents/{id}/text or /api/datasets/{datasetId}/documents/text. Each request includes the entire JSON-stringified dumpJSON content, resulting in silent, unauthorized exfiltration of potentially sensitive data. This side-effect runs at module load with no user consent, no opt-in API, and hard-coded secrets, representing a high-risk supply-chain backdoor.

This module is high risk: it uses intentional obfuscation (base64 + zlib) and executes concealed code at import time without integrity checks or visibility. Treat the package as untrusted until the embedded payload is decoded and audited in a secure environment. Do not import or run this module in production or on sensitive hosts. Further analysis of the decoded payload is required to determine specific malicious behaviors.

The code is designed to collect and send sensitive information to a remote server without the user's knowledge or consent. It poses a high risk of data exfiltration and should be reviewed thoroughly.

Live on npm for 33 minutes before removal. Socket users were protected even while the package was live.

This script is sending sensitive system information to a remote server without the user's consent. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

The code is likely harvesting sensitive information and sending it to an external server, which is a common behavior in supply chain attacks. The domain used for data exfiltration is designed to look benign but is likely under the control of an attacker. The non-standard usage of the '___resolved' field suggests tampering with the package.json.

Live on npm for 3 days, 2 hours and 44 minutes before removal. Socket users were protected even while the package was live.

The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.

Live on npm for 35 minutes before removal. Socket users were protected even while the package was live.

The code contains a significant risk due to the use of eval on dynamically decoded content, which could lead to arbitrary code execution. There is a high probability that the payload could be malicious, making this code highly dangerous.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.

This module implements an in-process remote code execution mechanism: it listens on a TCP socket, accepts null-delimited payloads, and exec()'s them on Blender's main thread with full access to bpy and the host environment. Even though the default bind address is localhost, the pattern is a high-risk backdoor and qualifies as a serious supply-chain/security issue. Recommend removing this capability or replacing it with a safe, authenticated, and sandboxed IPC mechanism. If this code is present in third-party packages, treat it as malicious/untrusted and audit the environment for signs of misuse.

This package executes its own index.js during install (both preinstall and postinstall). That is an untrusted code-execution vector that can perform arbitrary malicious actions. Before installing, inspect index.js to verify it performs only expected, benign setup tasks. If you cannot review the file, treat the package as high risk and avoid installing it in sensitive environments or run the install in an isolated sandbox.

Live on npm for 3 days, 12 hours and 12 minutes before removal. Socket users were protected even while the package was live.

The code is dangerous and should not be used. The file downloaded from the external source should be verified and validated before being executed, and errors and exceptions should be handled properly.

Live on npm for 20 minutes before removal. Socket users were protected even while the package was live.

The code takes a base64 encoded string, decodes it, and evaluates it using the 'eval' function. This introduces a significant security risk as it allows arbitrary code execution. The code should be considered dangerous and should not be used.

Live on npm for 1 hour and 40 minutes before removal. Socket users were protected even while the package was live.

This code collects extensive system information—including hostname, OS type, platform, release, architecture, local IP, current user, and working directory—and fetches the public IP from https://api64[.]ipify[.]org?format=json. It then exfiltrates this data without user consent via HTTP GET and POST requests to http://54[.]173[.]15[.]59:8080/jpd[.]php (with a fake Mozilla/5.0 User-Agent) and falls back to a WebSocket connection to wss://yourserver[.]com/socket if HTTP fails. It suppresses console output during the npm preinstall lifecycle and uses dynamic imports to evade static analysis. These behaviors demonstrate clear malicious intent and high security risk.

The code is highly suspicious due to its collection and transmission of system information to external servers without user consent. The use of hardcoded IP addresses and fallback mechanisms for data transmission indicates potential malicious intent.

Live on npm for 8 hours and 33 minutes before removal. Socket users were protected even while the package was live.

This script downloads a VBScript from a hardcoded external URL and immediately executes it using Windows cscript without any integrity checks, prompts, or sandboxing. That pattern enables arbitrary remote code execution and is high risk. Treat the code as dangerous to run in any environment unless the URL/content is fully controlled, validated, and delivered over a trusted, verifiable channel. Replace this pattern with secure update/verification mechanisms (signature/hash verification, allowlist, user approval, limited privileges, and use of temporary isolated execution) or remove direct remote execution entirely.

The script is malicious and intended for cyber attacks. It opens a reverse shell for remote system control and sends the output of shell commands to an external server, which could lead to unauthorized access to sensitive system information.

Live on npm for 3 days and 15 minutes before removal. Socket users were protected even while the package was live.

The code poses a significant security risk by downloading and executing an external executable without any verification. This behavior is indicative of potential malware activity.

Live on PyPI for 19 minutes before removal. Socket users were protected even while the package was live.

The code is collecting sensitive system and package information and sending it to potentially malicious domains without user consent. This is indicative of data exfiltration and poses a significant security risk.

This module intentionally implements and controls a PHP webshell — it generates an obfuscated PHP payload that, when placed on a server, will check a secret User-Agent and then eval() any PHP sent in POST['command']. It also provides functions to upload arbitrary files and to send arbitrary code to be executed server-side. These are explicit backdoor capabilities (remote code execution and file write). The presence of obfuscation (rot13/base64 layering) and runtime exec-based imports increase the supply-chain and analysis risk. Whether the package is 'malicious' depends on author intent and consent of the target, but from a security/supply-chain perspective this package is highly dangerous and should not be used on systems where you do not have explicit authorization. Recommended action: treat as high-risk/malicious-capability code; audit dependencies (pipincluder, ashar, hexor), do not install on production systems without verification.

The code fragment has a security risk due to the use of the 'exec' function without proper input validation, which can lead to command injection vulnerabilities. Additionally, the code downloads and executes a file from an external URL without proper validation, which poses a risk of executing malicious files.

Live on npm for 2 hours and 49 minutes before removal. Socket users were protected even while the package was live.

This install script sends the local username to an external collector. It performs covert data exfiltration/telemetry without user consent and therefore poses a high privacy and security risk. It should be removed or blocked and the package contents and publisher should be investigated.

This code is highly suspicious and should not be trusted. It poses a significant security risk to any system on which it is installed.

High-risk code that implements network-exposed arbitrary command execution capabilities. While potentially legitimate for automation, it creates significant security vulnerabilities including remote code execution, command injection, and unauthorized system access. Should be treated as dangerous without proper security controls.

This module harvests sensitive browser artifacts (history, saved logins, cookies, extension metadata) and includes logic to exfiltrate that data via client.send_message. It forcibly terminates browser processes and launches a headless Chrome instance with remote debugging to extract cookies — an active technique used to obtain session tokens. These behaviors are consistent with credential harvesting and data exfiltration. Treat this code as malicious or at minimum highly privacy-invasive and unsuitable for use in trusted environments without strong justification and safeguards.

The code exhibits malicious behavior by collecting and transmitting system information to a suspicious domain. The use of obfuscation further indicates an attempt to conceal its true purpose. This poses a significant security risk.

Live on npm for 8 hours and 37 minutes before removal. Socket users were protected even while the package was live.

This file defines a large local dumpJSON array and then, unconditionally when imported, uses a hard-coded cookie (including a login_token JWT) plus static aiStudioUrl (https://bbqa2t5pfyfroyobmzknmktshckzto4btkfagxyjqwy[.]did[.]abtnet[.]io/ai-studio) and datasetId to authenticate and issue fetch GET to /api/datasets/{datasetId}/documents?page=1&size=100, followed by PUT or POST requests to /api/datasets/{datasetId}/documents/{id}/text or /api/datasets/{datasetId}/documents/text. Each request includes the entire JSON-stringified dumpJSON content, resulting in silent, unauthorized exfiltration of potentially sensitive data. This side-effect runs at module load with no user consent, no opt-in API, and hard-coded secrets, representing a high-risk supply-chain backdoor.

This module is high risk: it uses intentional obfuscation (base64 + zlib) and executes concealed code at import time without integrity checks or visibility. Treat the package as untrusted until the embedded payload is decoded and audited in a secure environment. Do not import or run this module in production or on sensitive hosts. Further analysis of the decoded payload is required to determine specific malicious behaviors.

The code is designed to collect and send sensitive information to a remote server without the user's knowledge or consent. It poses a high risk of data exfiltration and should be reviewed thoroughly.

Live on npm for 33 minutes before removal. Socket users were protected even while the package was live.

This script is sending sensitive system information to a remote server without the user's consent. This behavior is highly suspicious and poses a significant security risk.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

The code is likely harvesting sensitive information and sending it to an external server, which is a common behavior in supply chain attacks. The domain used for data exfiltration is designed to look benign but is likely under the control of an attacker. The non-standard usage of the '___resolved' field suggests tampering with the package.json.

Live on npm for 3 days, 2 hours and 44 minutes before removal. Socket users were protected even while the package was live.

The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.

Live on npm for 35 minutes before removal. Socket users were protected even while the package was live.

The code contains a significant risk due to the use of eval on dynamically decoded content, which could lead to arbitrary code execution. There is a high probability that the payload could be malicious, making this code highly dangerous.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.

This module implements an in-process remote code execution mechanism: it listens on a TCP socket, accepts null-delimited payloads, and exec()'s them on Blender's main thread with full access to bpy and the host environment. Even though the default bind address is localhost, the pattern is a high-risk backdoor and qualifies as a serious supply-chain/security issue. Recommend removing this capability or replacing it with a safe, authenticated, and sandboxed IPC mechanism. If this code is present in third-party packages, treat it as malicious/untrusted and audit the environment for signs of misuse.

This package executes its own index.js during install (both preinstall and postinstall). That is an untrusted code-execution vector that can perform arbitrary malicious actions. Before installing, inspect index.js to verify it performs only expected, benign setup tasks. If you cannot review the file, treat the package as high risk and avoid installing it in sensitive environments or run the install in an isolated sandbox.

Live on npm for 3 days, 12 hours and 12 minutes before removal. Socket users were protected even while the package was live.

The code is dangerous and should not be used. The file downloaded from the external source should be verified and validated before being executed, and errors and exceptions should be handled properly.

Live on npm for 20 minutes before removal. Socket users were protected even while the package was live.

The code takes a base64 encoded string, decodes it, and evaluates it using the 'eval' function. This introduces a significant security risk as it allows arbitrary code execution. The code should be considered dangerous and should not be used.

Live on npm for 1 hour and 40 minutes before removal. Socket users were protected even while the package was live.

This code collects extensive system information—including hostname, OS type, platform, release, architecture, local IP, current user, and working directory—and fetches the public IP from https://api64[.]ipify[.]org?format=json. It then exfiltrates this data without user consent via HTTP GET and POST requests to http://54[.]173[.]15[.]59:8080/jpd[.]php (with a fake Mozilla/5.0 User-Agent) and falls back to a WebSocket connection to wss://yourserver[.]com/socket if HTTP fails. It suppresses console output during the npm preinstall lifecycle and uses dynamic imports to evade static analysis. These behaviors demonstrate clear malicious intent and high security risk.

The code is highly suspicious due to its collection and transmission of system information to external servers without user consent. The use of hardcoded IP addresses and fallback mechanisms for data transmission indicates potential malicious intent.

Live on npm for 8 hours and 33 minutes before removal. Socket users were protected even while the package was live.

This script downloads a VBScript from a hardcoded external URL and immediately executes it using Windows cscript without any integrity checks, prompts, or sandboxing. That pattern enables arbitrary remote code execution and is high risk. Treat the code as dangerous to run in any environment unless the URL/content is fully controlled, validated, and delivered over a trusted, verifiable channel. Replace this pattern with secure update/verification mechanisms (signature/hash verification, allowlist, user approval, limited privileges, and use of temporary isolated execution) or remove direct remote execution entirely.

The script is malicious and intended for cyber attacks. It opens a reverse shell for remote system control and sends the output of shell commands to an external server, which could lead to unauthorized access to sensitive system information.

Live on npm for 3 days and 15 minutes before removal. Socket users were protected even while the package was live.

The code poses a significant security risk by downloading and executing an external executable without any verification. This behavior is indicative of potential malware activity.

Live on PyPI for 19 minutes before removal. Socket users were protected even while the package was live.

The code is collecting sensitive system and package information and sending it to potentially malicious domains without user consent. This is indicative of data exfiltration and poses a significant security risk.

This module intentionally implements and controls a PHP webshell — it generates an obfuscated PHP payload that, when placed on a server, will check a secret User-Agent and then eval() any PHP sent in POST['command']. It also provides functions to upload arbitrary files and to send arbitrary code to be executed server-side. These are explicit backdoor capabilities (remote code execution and file write). The presence of obfuscation (rot13/base64 layering) and runtime exec-based imports increase the supply-chain and analysis risk. Whether the package is 'malicious' depends on author intent and consent of the target, but from a security/supply-chain perspective this package is highly dangerous and should not be used on systems where you do not have explicit authorization. Recommended action: treat as high-risk/malicious-capability code; audit dependencies (pipincluder, ashar, hexor), do not install on production systems without verification.