Secure your dependencies. Ship with confidence.

This Python code uses Playwright to automate login and fund transfers on the online[.]mtsdengi[.]ru site. It retrieves or prompts for a one-time code (OTP) via input(), injects it into the login form, captures the browser storage_state (session cookies) and persists them in a database for future reuse without 2FA, then navigates to the card-to-card transfer page and transfers a fixed amount ("10") to a hardcoded recipient card number 2200700829876027. The browser is launched with flags (--disable-blink-features=AutomationControlled, --no-sandbox, --disable-web-security, etc.) to evade automation detection and security controls. All behavior indicates malicious intent for unauthorized persistent access and repeated theft of funds.

This module implements a remote Python shell that receives code over a network and executes it in-process. That behavior results in remote code execution, access to files, environment variables, network, and ability to run system commands. There is no authentication visible in this file, making it a high-risk component if exposed to untrusted networks or combined with malicious SockClient endpoints. If this package is included in a project unintentionally or run with a reachable socket, it can act as a backdoor. Review the deployment context: ensure the SockClient connects only to trusted endpoints, require authentication, or remove/disable this component if not needed.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

The provided code imports multiple suspiciously named modules and calls an undefined method `functame()` on each. Without the actual code for these modules, it is difficult to determine if this is malicious, but the unusual naming and method usage suggest potential malicious intent. Further investigation of the module implementations is required.

Live on npm for 57 days, 10 hours and 17 minutes before removal. Socket users were protected even while the package was live.

This source implements functionality to generate/regenerate implant binaries and to start network stagers for those implants via RPC — behavior that is explicitly offensive/malicious in a general attacker model. The code contains no obfuscated payloads or hardcoded secrets, and no immediate local exploitation code, but its purpose is to create and expose implant binaries and listeners. Treat this package as high-risk for use in production or untrusted environments; it is appropriate only in controlled red-team/assessment contexts.

This file implements an unattended update mechanism that fetches and installs .tgz archives from unverified remote sources—both the npm registry (registry[.]npmjs[.]org) and a configurable Firebase-style database URL—by downloading, extracting them into the application directory and then restarting PM2-managed processes. Because there is no cryptographic signature or checksum validation beyond a simple version check, a compromised registry account or database endpoint could deliver arbitrary code to every host running this updater. Additionally, on startup the script gathers extensive system and package metadata—including public IP (via api[.]ipify[.]org), local IP addresses, hostname, OS/platform, Node.js version, CPU/memory statistics, load averages, working directory and package.json fields—and posts it to a configurable Discord webhook endpoint (discordapp[.]com). This behavior poses both a supply-chain risk and a telemetry/privacy exposure risk, as sensitive host information is sent to an external service without explicit user consent or granular control.

The code presents a strong supply-chain and remote-execution risk by automatically downloading and executing remote Python payloads without integrity checks or sandboxing. It also creates and runs external services (Jupyter, Visdom, RStudio) based on user inputs, which can amplify impact if the remote payload is malicious. Mitigations include removing remote code execution paths, adding cryptographic verification (signatures or hash checks), isolating execution (sandboxes or containerization), validating inputs, and avoiding untrusted downloads or executions.

This file implements a persistent remote agent that accepts and executes arbitrary shell commands from a remote gateway and can perform/advertise remote interactive control. There are no authentication or validation controls and no TLS or origin checks, enabling an attacker who controls the gateway (or who can influence PHANTOM_GATEWAY_URL) to execute arbitrary code and exfiltrate data. Treat this module as malicious/backdoor-like in a supply-chain context and do not use it in production without substantial security hardening (mutual TLS or authenticated trusted gateway, signed commands, command whitelisting, explicit operator consent, isolation/sandboxing).

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

The code exhibits risky behavior by automatically installing packages from external sources without user confirmation, using hardcoded URLs and package names, and logging potentially sensitive information. The risk of unauthorized package installations and arbitrary code execution is high. While there are no direct signs of malicious intent, caution is advised when using this code.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

The code exhibits characteristics of potentially malicious behavior, including DNS resolution to suspicious domains and execution of obfuscated commands. The use of obfuscation suggests an attempt to conceal its true intent, which could be harmful. The risk and malware scores are high due to these factors.

Live on npm for 3 hours and 19 minutes before removal. Socket users were protected even while the package was live.

The dominant security concern is the explicit use of eval on data-derived JSON within CarbonPHP.handlebars, which can enable arbitrary code execution if data is attacker-controlled. Additional concerns include unsanitized dynamic script/template loading and a busy-wait sleep that can degrade performance and potentially expose timing information. Overall risk is high due to the eval pattern and dynamic content loading without strong sanitization.

The code is highly suspicious due to its collection and transmission of system information to external servers without user consent. The use of hardcoded IP addresses and fallback mechanisms for data transmission indicates potential malicious intent.

The setup.py itself contains no runtime malicious code, but it explicitly advertises malicious intent and will cause installation of dependencies (notably psutil) that enable powerful system-level actions. Treat this package as high-risk: do not install or run it in production or privileged environments without a full audit of the package contents and its dependencies. If the goal is to evaluate supply-chain risk, consider blocking or sandboxing any installation and manually reviewing the repository and all dependency code before use.

Live on pypi for 4 hours and 34 minutes before removal. Socket users were protected even while the package was live.

This source file is a component of the Sliver post-exploitation implant and directly implements network-driven, privileged actions on Windows hosts. It accepts untrusted RPC data and invokes powerful sinks (RCE, token manipulation, process injection, pivot listeners, service control). For general-purpose or production use the code is malicious/dangerous. Only include/run this code in controlled offensive-security environments with explicit authorization; otherwise remove or isolate it. Further review required of dependent packages (priv, taskrunner, pivots, service, transports) to fully enumerate risks and any hidden exfiltration/persistence behaviors.

This code is performing intentional credential harvesting. This is well documented in the readme as the code's intended purpose. it spawns an Electron browser, waits for the user to authenticate to claude.ai, reads the session/auth cookie from the browser session, and prints it so the parent process can capture and return it. That is sensitive data exfiltration and should be considered malicious in most contexts. Using this module allows the caller to obtain users' session cookies (session hijacking). The runtime installation and execution of Electron compounds supply-chain risk. Avoid running or installing this code unless you fully trust its purpose and the environment; do not use in production or on systems with user accounts you do not control.

This module is malicious or fraud-enabling: it automates WooCommerce checkouts using supplied PAN/CVV and exfiltrates raw card data to an external service (railgunmisaka.com) before obtaining a payment token and attempting transactions. It clearly facilitates carding and unauthorized use of payment data, leaks sensitive data in logs, and violates PCI principles. Do not run this code; treat any systems that executed it as potentially compromised for payment-card theft. Immediate remediation: remove code, block the external domain and associated IPs, and perform forensic review if executed with real card data.

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

This module contains a heavily obfuscated runtime loader/loader-helper that reads an embedded resource, decrypts it (embedded symmetric key/IV) and performs native memory allocation and writes (VirtualAlloc/WriteProcessMemory) plus dynamic method / delegate creation to execute code. Those are strong indicators of a loader/pack‑style component capable of injecting and executing arbitrary native or managed code at runtime. Even if used for licensing or legitimate packed native libraries, the patterns are high-risk for supply‑chain abuse because they enable execution of embedded payloads and process memory manipulation.

This file implements an unauthenticated reverse/C2-style proxy that links a configured external controller to execution endpoints (telnet, TCP socket, or callable RCE). When activated it enables remote arbitrary command execution and exfiltration of output to the controller; the callable branch is a direct code-execution sink. In a penetration testing toolkit this may be intended, but in a general dependency this is high-risk backdoor-capability code. Recommend treating this as dangerous: audit invocation sites, confirm conf.connect_back_host/port provenance, restrict use to controlled environments, and consider removal or requiring explicit opt-in and strong authentication before enabling.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] No direct malware or obfuscated payloads were found in the skill text. Functionally the skill is consistent with its claimed purpose (controlling/supervising CLI-based coding agents). However, it exposes notable supply-chain and data-exfiltration risks: recommending global installs from registries without integrity checks, encouraging dangerous auto-approve flags, forwarding agent stdout and permission prompts across multiple external channels, and mandating a `lemonade gateway wake` notification that routes task summaries externally. These behaviors are disproportionate unless the user explicitly consents and data sanitization/endpoint security is enforced. Treat this skill as SUSPICIOUS: acceptable if used with strict operational controls, but risky by default. LLM verification: This skill broadly matches its stated purpose (manage CLI-based coding agents and mediate permission prompts). It is not obviously malicious (no obfuscated payloads, no hardcoded credentials, no suspicious external endpoints). However, it is high-risk: it allows arbitrary shell/CLI execution, supports modes that auto-bypass permission checks (--dangerously-skip-permissions, --yolo, --full-auto), and routes agent output and prompts across external messaging channels without described filtering. T

The source code is performing malicious activities by sending sensitive system information to a remote server. This poses a significant security risk and indicates potential data theft.

Live on npm for 13 minutes before removal. Socket users were protected even while the package was live.

This module contains clear data-exfiltration capabilities: it reads arbitrary local files and uploads them to remote FTP servers using hardcoded credentials, and it sends arbitrary messages and notifications to remote endpoints. The module also fetches remote configuration at import time, giving the remote operator control over destinations. These are high-risk behaviors for a library: they can be abused to leak secrets or files. If this package is included in a project, it should be treated as dangerous unless you fully trust the remote servers and intended behavior. Recommend removal or thorough auditing and replacement of plaintext FTP, removal of hardcoded credentials, and adding strict validation and explicit opt-in before any file transfer.

The code contains potential security risks such as hard-coded file paths, subprocess.Popen usage, and the handling of untrusted data through PyArrow Plasma. It is essential to review and address these security concerns before using this code in a production environment.

Live on pypi for 11 hours and 45 minutes before removal. Socket users were protected even while the package was live.

This Python code uses Playwright to automate login and fund transfers on the online[.]mtsdengi[.]ru site. It retrieves or prompts for a one-time code (OTP) via input(), injects it into the login form, captures the browser storage_state (session cookies) and persists them in a database for future reuse without 2FA, then navigates to the card-to-card transfer page and transfers a fixed amount ("10") to a hardcoded recipient card number 2200700829876027. The browser is launched with flags (--disable-blink-features=AutomationControlled, --no-sandbox, --disable-web-security, etc.) to evade automation detection and security controls. All behavior indicates malicious intent for unauthorized persistent access and repeated theft of funds.

This module implements a remote Python shell that receives code over a network and executes it in-process. That behavior results in remote code execution, access to files, environment variables, network, and ability to run system commands. There is no authentication visible in this file, making it a high-risk component if exposed to untrusted networks or combined with malicious SockClient endpoints. If this package is included in a project unintentionally or run with a reachable socket, it can act as a backdoor. Review the deployment context: ensure the SockClient connects only to trusted endpoints, require authentication, or remove/disable this component if not needed.

The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.

The provided code imports multiple suspiciously named modules and calls an undefined method `functame()` on each. Without the actual code for these modules, it is difficult to determine if this is malicious, but the unusual naming and method usage suggest potential malicious intent. Further investigation of the module implementations is required.

Live on npm for 57 days, 10 hours and 17 minutes before removal. Socket users were protected even while the package was live.

This source implements functionality to generate/regenerate implant binaries and to start network stagers for those implants via RPC — behavior that is explicitly offensive/malicious in a general attacker model. The code contains no obfuscated payloads or hardcoded secrets, and no immediate local exploitation code, but its purpose is to create and expose implant binaries and listeners. Treat this package as high-risk for use in production or untrusted environments; it is appropriate only in controlled red-team/assessment contexts.

This file implements an unattended update mechanism that fetches and installs .tgz archives from unverified remote sources—both the npm registry (registry[.]npmjs[.]org) and a configurable Firebase-style database URL—by downloading, extracting them into the application directory and then restarting PM2-managed processes. Because there is no cryptographic signature or checksum validation beyond a simple version check, a compromised registry account or database endpoint could deliver arbitrary code to every host running this updater. Additionally, on startup the script gathers extensive system and package metadata—including public IP (via api[.]ipify[.]org), local IP addresses, hostname, OS/platform, Node.js version, CPU/memory statistics, load averages, working directory and package.json fields—and posts it to a configurable Discord webhook endpoint (discordapp[.]com). This behavior poses both a supply-chain risk and a telemetry/privacy exposure risk, as sensitive host information is sent to an external service without explicit user consent or granular control.

The code presents a strong supply-chain and remote-execution risk by automatically downloading and executing remote Python payloads without integrity checks or sandboxing. It also creates and runs external services (Jupyter, Visdom, RStudio) based on user inputs, which can amplify impact if the remote payload is malicious. Mitigations include removing remote code execution paths, adding cryptographic verification (signatures or hash checks), isolating execution (sandboxes or containerization), validating inputs, and avoiding untrusted downloads or executions.

This file implements a persistent remote agent that accepts and executes arbitrary shell commands from a remote gateway and can perform/advertise remote interactive control. There are no authentication or validation controls and no TLS or origin checks, enabling an attacker who controls the gateway (or who can influence PHANTOM_GATEWAY_URL) to execute arbitrary code and exfiltrate data. Treat this module as malicious/backdoor-like in a supply-chain context and do not use it in production without substantial security hardening (mutual TLS or authenticated trusted gateway, signed commands, command whitelisting, explicit operator consent, isolation/sandboxing).

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

The code exhibits risky behavior by automatically installing packages from external sources without user confirmation, using hardcoded URLs and package names, and logging potentially sensitive information. The risk of unauthorized package installations and arbitrary code execution is high. While there are no direct signs of malicious intent, caution is advised when using this code.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

The code exhibits characteristics of potentially malicious behavior, including DNS resolution to suspicious domains and execution of obfuscated commands. The use of obfuscation suggests an attempt to conceal its true intent, which could be harmful. The risk and malware scores are high due to these factors.

Live on npm for 3 hours and 19 minutes before removal. Socket users were protected even while the package was live.

The dominant security concern is the explicit use of eval on data-derived JSON within CarbonPHP.handlebars, which can enable arbitrary code execution if data is attacker-controlled. Additional concerns include unsanitized dynamic script/template loading and a busy-wait sleep that can degrade performance and potentially expose timing information. Overall risk is high due to the eval pattern and dynamic content loading without strong sanitization.

The code is highly suspicious due to its collection and transmission of system information to external servers without user consent. The use of hardcoded IP addresses and fallback mechanisms for data transmission indicates potential malicious intent.

The setup.py itself contains no runtime malicious code, but it explicitly advertises malicious intent and will cause installation of dependencies (notably psutil) that enable powerful system-level actions. Treat this package as high-risk: do not install or run it in production or privileged environments without a full audit of the package contents and its dependencies. If the goal is to evaluate supply-chain risk, consider blocking or sandboxing any installation and manually reviewing the repository and all dependency code before use.

Live on pypi for 4 hours and 34 minutes before removal. Socket users were protected even while the package was live.

This source file is a component of the Sliver post-exploitation implant and directly implements network-driven, privileged actions on Windows hosts. It accepts untrusted RPC data and invokes powerful sinks (RCE, token manipulation, process injection, pivot listeners, service control). For general-purpose or production use the code is malicious/dangerous. Only include/run this code in controlled offensive-security environments with explicit authorization; otherwise remove or isolate it. Further review required of dependent packages (priv, taskrunner, pivots, service, transports) to fully enumerate risks and any hidden exfiltration/persistence behaviors.

This code is performing intentional credential harvesting. This is well documented in the readme as the code's intended purpose. it spawns an Electron browser, waits for the user to authenticate to claude.ai, reads the session/auth cookie from the browser session, and prints it so the parent process can capture and return it. That is sensitive data exfiltration and should be considered malicious in most contexts. Using this module allows the caller to obtain users' session cookies (session hijacking). The runtime installation and execution of Electron compounds supply-chain risk. Avoid running or installing this code unless you fully trust its purpose and the environment; do not use in production or on systems with user accounts you do not control.

This module is malicious or fraud-enabling: it automates WooCommerce checkouts using supplied PAN/CVV and exfiltrates raw card data to an external service (railgunmisaka.com) before obtaining a payment token and attempting transactions. It clearly facilitates carding and unauthorized use of payment data, leaks sensitive data in logs, and violates PCI principles. Do not run this code; treat any systems that executed it as potentially compromised for payment-card theft. Immediate remediation: remove code, block the external domain and associated IPs, and perform forensic review if executed with real card data.

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

This module contains a heavily obfuscated runtime loader/loader-helper that reads an embedded resource, decrypts it (embedded symmetric key/IV) and performs native memory allocation and writes (VirtualAlloc/WriteProcessMemory) plus dynamic method / delegate creation to execute code. Those are strong indicators of a loader/pack‑style component capable of injecting and executing arbitrary native or managed code at runtime. Even if used for licensing or legitimate packed native libraries, the patterns are high-risk for supply‑chain abuse because they enable execution of embedded payloads and process memory manipulation.

This file implements an unauthenticated reverse/C2-style proxy that links a configured external controller to execution endpoints (telnet, TCP socket, or callable RCE). When activated it enables remote arbitrary command execution and exfiltration of output to the controller; the callable branch is a direct code-execution sink. In a penetration testing toolkit this may be intended, but in a general dependency this is high-risk backdoor-capability code. Recommend treating this as dangerous: audit invocation sites, confirm conf.connect_back_host/port provenance, restrict use to controlled environments, and consider removal or requiring explicit opt-in and strong authentication before enabling.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] No direct malware or obfuscated payloads were found in the skill text. Functionally the skill is consistent with its claimed purpose (controlling/supervising CLI-based coding agents). However, it exposes notable supply-chain and data-exfiltration risks: recommending global installs from registries without integrity checks, encouraging dangerous auto-approve flags, forwarding agent stdout and permission prompts across multiple external channels, and mandating a `lemonade gateway wake` notification that routes task summaries externally. These behaviors are disproportionate unless the user explicitly consents and data sanitization/endpoint security is enforced. Treat this skill as SUSPICIOUS: acceptable if used with strict operational controls, but risky by default. LLM verification: This skill broadly matches its stated purpose (manage CLI-based coding agents and mediate permission prompts). It is not obviously malicious (no obfuscated payloads, no hardcoded credentials, no suspicious external endpoints). However, it is high-risk: it allows arbitrary shell/CLI execution, supports modes that auto-bypass permission checks (--dangerously-skip-permissions, --yolo, --full-auto), and routes agent output and prompts across external messaging channels without described filtering. T

The source code is performing malicious activities by sending sensitive system information to a remote server. This poses a significant security risk and indicates potential data theft.

Live on npm for 13 minutes before removal. Socket users were protected even while the package was live.

This module contains clear data-exfiltration capabilities: it reads arbitrary local files and uploads them to remote FTP servers using hardcoded credentials, and it sends arbitrary messages and notifications to remote endpoints. The module also fetches remote configuration at import time, giving the remote operator control over destinations. These are high-risk behaviors for a library: they can be abused to leak secrets or files. If this package is included in a project, it should be treated as dangerous unless you fully trust the remote servers and intended behavior. Recommend removal or thorough auditing and replacement of plaintext FTP, removal of hardcoded credentials, and adding strict validation and explicit opt-in before any file transfer.

The code contains potential security risks such as hard-coded file paths, subprocess.Popen usage, and the handling of untrusted data through PyArrow Plasma. It is essential to review and address these security concerns before using this code in a production environment.

Live on pypi for 11 hours and 45 minutes before removal. Socket users were protected even while the package was live.