Secure your dependencies. Ship with confidence.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3] BENIGN. The fragment is a high-level, self-consistent skill/documentation outlining how to use the @agentcash/router framework. It does not introduce malicious behavior, obfuscated code, or insecure data flows beyond standard runtime configuration (environment variables for credentials). The described data flows and scopes are coherent with the stated purpose of building paid, multi-protocol routes with observability and provider monitoring. No evidence of malware, credential harvesting, or extraneous data exfiltration patterns in the provided text. LLM verification: The skill's declared capabilities fit its purpose, and there is no direct evidence of obfuscated malware or hardcoded secrets in the provided fragment. However, design choices create moderate supply-chain risk: (1) plugins are an observability boundary that can exfiltrate request/credential data if a plugin is malicious or misconfigured, and (2) self-registering routes that run at import time can execute code unexpectedly (potentially performing network actions during build/import). Treat this s

The code exhibits behavior consistent with data exfiltration by sending the system's username to an external domain. This is a significant security concern and suggests potential malicious intent.

Live on npm for 16 days, 4 hours and 14 minutes before removal. Socket users were protected even while the package was live.

The provided JavaScript code is highly obfuscated, involves potentially unsafe dynamic code execution, and interacts with critical system and browser features in a manner that suggests malicious intent, such as data theft, system manipulation, or arbitrary code execution.

This module performs unsafe dynamic execution of a packaged, obfuscated marshalled blob. The pattern is high risk: it permits arbitrary in-process code execution with no validation. Treat this package as untrusted until the blob '_parallel_miner.obfsbpm' is analyzed in an isolated environment. Recommended actions: extract and inspect the blob (unmarshal in a safe, isolated sandbox or disassemble the code object), deny use in production until verified, and if malicious indicators are found, remove or block the dependency.

Live on pypi for 8 hours and 10 minutes before removal. Socket users were protected even while the package was live.

Overall, the fragment represents a coherent, low-risk governance tool for maintaining a local prompts library with explicit user-controlled update steps. The primary risks are typical for any download/merge workflow (remote content integrity and accidental updates). With explicit user confirmation for updates and, ideally, content integrity checks, the security posture remains acceptable for this use case. The most important future hardening would be to add content integrity verification (e.g., checksums) and to lock down update actions behind per-prompt user consent.

[Skill Scanner] Installation of third-party script detected (AITech 9.1.4) [SC006]

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

This assembly contains heavy obfuscation and an embedded runtime loader that decrypts and injects code into process memory, patches JIT/native function pointers and can write into process memory and /proc/self/mem. Those capabilities enable in-memory code execution and process injection. While some patterns (RSA verification, tamper checks) are consistent with legitimate protectors/packers (e.g., .NET Reactor), the presence of OpenProcess/WriteProcessMemory, VirtualAlloc/VirtualProtect, direct /proc/self/mem writes, and JIT hooking indicate high-risk behavior for a library distributed as a normal Office interop helper. Treat this package as suspicious for supply-chain misuse: it can execute arbitrary native payloads and modify runtime behavior. Recommend not using this package in environments that require strong supply-chain guarantees; perform further dynamic analysis in an isolated environment to confirm exact payload behavior.

The source code exhibits behavior consistent with data exfiltration by collecting and sending detailed system information to an external server without user consent. This poses a significant security risk and indicates potentially malicious intent.

Live on npm for 2 days, 7 hours and 24 minutes before removal. Socket users were protected even while the package was live.

The code is heavily obfuscated and downloads and executes files from suspicious URLs using PowerShell commands. It constructs URLs such as 'https://ebplit[.]dev/p' and 'https://x[.]riker[.]re/s' and executes them using 'exec'. This behavior is indicative of malware, specifically a downloader that installs additional malware. The code poses a significant security risk as it can download and execute arbitrary code from external sources without user consent.

Live on npm for 15 days, 6 hours and 20 minutes before removal. Socket users were protected even while the package was live.

This package will execute local code at install time. Given the package name/description and the general risk of arbitrary postinstall scripts, treat this as high risk until index.js is audited. Do not install on production or privileged systems; inspect index.js for network calls, child_process usage, filesystem deletions/modifications, persistence mechanisms, hard-coded destinations, or obfuscated code. Prefer installing in an isolated sandbox to analyze behavior if you must proceed.

This file contains a client-side component (FinancialConnection) that collects Stripe financial connection accounts and then posts those accounts together with supplied security keys — including a privateSecurityKey — and a customer identifier to a configurable postSuccessUrl. This is a direct exfiltration of sensitive financial/account data and private keys from the browser to an external endpoint. The pattern is strongly suspicious and dangerous: private keys must never be sent from the client, and sending financial account lists to an arbitrary URL is a high-severity supply-chain/backdoor risk. I recommend treating this component as malicious/untrusted until provenance is verified and removing or auditing any usage that supplies private keys or sensitive Stripe secrets to client-side code.

This file implements an unattended update mechanism that fetches and installs .tgz archives from unverified remote sources—both the npm registry (registry[.]npmjs[.]org) and a configurable Firebase-style database URL—by downloading, extracting them into the application directory and then restarting PM2-managed processes. Because there is no cryptographic signature or checksum validation beyond a simple version check, a compromised registry account or database endpoint could deliver arbitrary code to every host running this updater. Additionally, on startup the script gathers extensive system and package metadata—including public IP (via api[.]ipify[.]org), local IP addresses, hostname, OS/platform, Node.js version, CPU/memory statistics, load averages, working directory and package.json fields—and posts it to a configurable Discord webhook endpoint (discordapp[.]com). This behavior poses both a supply-chain risk and a telemetry/privacy exposure risk, as sensitive host information is sent to an external service without explicit user consent or granular control.

Live on npm for 5 hours and 42 minutes before removal. Socket users were protected even while the package was live.

The fragment exhibits high malicious-intent indicators: an oversized, base64-encoded payload delivered via a data URL, coupled with patterns typical of dynamic runtime code execution. While the surrounding imports themselves are legitimate, the embedded payload is a classic vector for remote or hidden code execution and potential data exfiltration. Immediate steps: remove the embedded payload, audit the package’s provenance, generate an SBOM, and decode-inspect the payload in a secure sandbox. If decoded payload is required for a legitimate purpose, ensure it is sourced from trusted origin and undergoes rigorous code review and malware scanning.

Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 48 minutes before removal. Socket users were protected even while the package was live.

This code is highly suspicious and should not be used without further investigation. The code is heavily obfuscated and could potentially contain malicious code. The purpose of the code is unclear and further investigation is necessary to determine its exact behavior.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

The code collects sensitive system information without user consent and sends it to an external server via a Discord webhook. The code gathers data such as the user's internal IP address, external IP address (obtained via an HTTP request to 'https[:]//ipinfo[.]io/json'), hostname, username, home directory, DNS server information, and package details from 'package.json'. This information is then formatted into a JSON object and transmitted to a hardcoded Discord webhook URL ('https[:]//discord[.]com/api/webhooks/...'). This behavior constitutes unauthorized data exfiltration and poses significant privacy and security risks.

Live on npm for 13 days, 23 hours and 8 minutes before removal. Socket users were protected even while the package was live.

This module is a standard Redis inspection utility, but it contains a dangerous use of pickle.loads on data read from Redis. That deserialization of potentially untrusted data is the primary security concern because it can lead to remote code execution if an attacker can place crafted pickled payloads into Redis or if the Redis data cannot be fully trusted. There are also operational risks: potential exposure of sensitive Redis contents via API responses and destructive commands that require proper access control. No obvious obfuscation or other malicious backdoors are present beyond the unsafe deserialization. Recommend remediating the pickle usage (use safe formats or isolate deserialization), ensure proper authentication/authorization on any API endpoints that invoke delete/flush, and replace keys() with SCAN for large datasets.

High risk: The code unconditionally pulls and evaluates a remote shell script and then calls a function from it. Without cryptographic verification, version pinning, or sandboxing, this constitutes a severe supply-chain risk and could enable arbitrary execution, data exfiltration, or backdoors. Recommended mitigations include avoiding remote sourcing, pinning versions, validating integrity, and running in isolated environments under strict policy enforcement.

The code is malicious: it performs reconnaissance of the local environment (hostname, username, cwd, home directory) and exfiltrates that information to a hard-coded remote server via crafted HTTP GET requests. The presence of environment-aware checks to avoid execution in CI/sandbox/Windows/cloud environments strongly indicates deliberate evasion and malicious intent. Treat the package as compromised; remove or isolate and conduct full repository audit. If this behavior is claimed to be legitimate, require a documented, verifiable justification and third-party code audit before reuse.

The code contains an explicit, targeted, and malicious/undesirable behavior: for Russian-language users on specific country TLDs the library disables page interactions and injects/plays a hardcoded external audio file hosted on flag-gimn.ru. This action is unrelated to the library's purpose, creates a third-party network fetch and unsolicited playback, and persists state in localStorage. Treat this as a high-severity supply-chain compromise; do not use this version in production. Replace with a clean, audited release or remove the geo-targeted audio block.

This fragment provides a remote command execution channel with possible interactive sessions, but it harbors significant security risks due to untrusted pickle deserialization and absence of authentication. The combination of remote control capabilities and insecure data handling makes it a high-risk component in a supply-chain context unless properly secured, authenticated, and sandboxed. The apparent truncation further raises concerns about reliability and cleanup.

This code is a browser fingerprinting library (collecting canvas, WebGL, audio, font, DOM, and many other signals) to compute a visitorId. It is not exhibiting classic malware behaviors (no remote shells, no credential leaks to arbitrary endpoints, no system command execution). However it is privacy-invasive by design: it builds a persistent identifier from many device/browser signals and performs hidden DOM/audio/canvas measurements. The only network activity visible is an occasional telemetry GET to an openfpcdn.io monitoring path; the fragment does not show exfiltration of collected fingerprint components. If you are evaluating for supply-chain safety: the module is not malware but it poses significant privacy/tracking risk and should be treated accordingly in contexts where fingerprinting is unacceptable.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3] BENIGN. The fragment is a high-level, self-consistent skill/documentation outlining how to use the @agentcash/router framework. It does not introduce malicious behavior, obfuscated code, or insecure data flows beyond standard runtime configuration (environment variables for credentials). The described data flows and scopes are coherent with the stated purpose of building paid, multi-protocol routes with observability and provider monitoring. No evidence of malware, credential harvesting, or extraneous data exfiltration patterns in the provided text. LLM verification: The skill's declared capabilities fit its purpose, and there is no direct evidence of obfuscated malware or hardcoded secrets in the provided fragment. However, design choices create moderate supply-chain risk: (1) plugins are an observability boundary that can exfiltrate request/credential data if a plugin is malicious or misconfigured, and (2) self-registering routes that run at import time can execute code unexpectedly (potentially performing network actions during build/import). Treat this s

The code exhibits behavior consistent with data exfiltration by sending the system's username to an external domain. This is a significant security concern and suggests potential malicious intent.

Live on npm for 16 days, 4 hours and 14 minutes before removal. Socket users were protected even while the package was live.

The provided JavaScript code is highly obfuscated, involves potentially unsafe dynamic code execution, and interacts with critical system and browser features in a manner that suggests malicious intent, such as data theft, system manipulation, or arbitrary code execution.

This module performs unsafe dynamic execution of a packaged, obfuscated marshalled blob. The pattern is high risk: it permits arbitrary in-process code execution with no validation. Treat this package as untrusted until the blob '_parallel_miner.obfsbpm' is analyzed in an isolated environment. Recommended actions: extract and inspect the blob (unmarshal in a safe, isolated sandbox or disassemble the code object), deny use in production until verified, and if malicious indicators are found, remove or block the dependency.

Live on pypi for 8 hours and 10 minutes before removal. Socket users were protected even while the package was live.

Overall, the fragment represents a coherent, low-risk governance tool for maintaining a local prompts library with explicit user-controlled update steps. The primary risks are typical for any download/merge workflow (remote content integrity and accidental updates). With explicit user confirmation for updates and, ideally, content integrity checks, the security posture remains acceptable for this use case. The most important future hardening would be to add content integrity verification (e.g., checksums) and to lock down update actions behind per-prompt user consent.

[Skill Scanner] Installation of third-party script detected (AITech 9.1.4) [SC006]

This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.

This assembly contains heavy obfuscation and an embedded runtime loader that decrypts and injects code into process memory, patches JIT/native function pointers and can write into process memory and /proc/self/mem. Those capabilities enable in-memory code execution and process injection. While some patterns (RSA verification, tamper checks) are consistent with legitimate protectors/packers (e.g., .NET Reactor), the presence of OpenProcess/WriteProcessMemory, VirtualAlloc/VirtualProtect, direct /proc/self/mem writes, and JIT hooking indicate high-risk behavior for a library distributed as a normal Office interop helper. Treat this package as suspicious for supply-chain misuse: it can execute arbitrary native payloads and modify runtime behavior. Recommend not using this package in environments that require strong supply-chain guarantees; perform further dynamic analysis in an isolated environment to confirm exact payload behavior.

The source code exhibits behavior consistent with data exfiltration by collecting and sending detailed system information to an external server without user consent. This poses a significant security risk and indicates potentially malicious intent.

Live on npm for 2 days, 7 hours and 24 minutes before removal. Socket users were protected even while the package was live.

The code is heavily obfuscated and downloads and executes files from suspicious URLs using PowerShell commands. It constructs URLs such as 'https://ebplit[.]dev/p' and 'https://x[.]riker[.]re/s' and executes them using 'exec'. This behavior is indicative of malware, specifically a downloader that installs additional malware. The code poses a significant security risk as it can download and execute arbitrary code from external sources without user consent.

Live on npm for 15 days, 6 hours and 20 minutes before removal. Socket users were protected even while the package was live.

This package will execute local code at install time. Given the package name/description and the general risk of arbitrary postinstall scripts, treat this as high risk until index.js is audited. Do not install on production or privileged systems; inspect index.js for network calls, child_process usage, filesystem deletions/modifications, persistence mechanisms, hard-coded destinations, or obfuscated code. Prefer installing in an isolated sandbox to analyze behavior if you must proceed.

This file contains a client-side component (FinancialConnection) that collects Stripe financial connection accounts and then posts those accounts together with supplied security keys — including a privateSecurityKey — and a customer identifier to a configurable postSuccessUrl. This is a direct exfiltration of sensitive financial/account data and private keys from the browser to an external endpoint. The pattern is strongly suspicious and dangerous: private keys must never be sent from the client, and sending financial account lists to an arbitrary URL is a high-severity supply-chain/backdoor risk. I recommend treating this component as malicious/untrusted until provenance is verified and removing or auditing any usage that supplies private keys or sensitive Stripe secrets to client-side code.

This file implements an unattended update mechanism that fetches and installs .tgz archives from unverified remote sources—both the npm registry (registry[.]npmjs[.]org) and a configurable Firebase-style database URL—by downloading, extracting them into the application directory and then restarting PM2-managed processes. Because there is no cryptographic signature or checksum validation beyond a simple version check, a compromised registry account or database endpoint could deliver arbitrary code to every host running this updater. Additionally, on startup the script gathers extensive system and package metadata—including public IP (via api[.]ipify[.]org), local IP addresses, hostname, OS/platform, Node.js version, CPU/memory statistics, load averages, working directory and package.json fields—and posts it to a configurable Discord webhook endpoint (discordapp[.]com). This behavior poses both a supply-chain risk and a telemetry/privacy exposure risk, as sensitive host information is sent to an external service without explicit user consent or granular control.

Live on npm for 5 hours and 42 minutes before removal. Socket users were protected even while the package was live.

The fragment exhibits high malicious-intent indicators: an oversized, base64-encoded payload delivered via a data URL, coupled with patterns typical of dynamic runtime code execution. While the surrounding imports themselves are legitimate, the embedded payload is a classic vector for remote or hidden code execution and potential data exfiltration. Immediate steps: remove the embedded payload, audit the package’s provenance, generate an SBOM, and decode-inspect the payload in a secure sandbox. If decoded payload is required for a legitimate purpose, ensure it is sourced from trusted origin and undergoes rigorous code review and malware scanning.

Possible typosquat of azure - Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles legitimate Azure package naming conventions, which could confuse users. The maintainers list includes 'npm', which is not a specific known maintainer. Therefore, it is likely a typosquat.

Live on npm for 48 minutes before removal. Socket users were protected even while the package was live.

This code is highly suspicious and should not be used without further investigation. The code is heavily obfuscated and could potentially contain malicious code. The purpose of the code is unclear and further investigation is necessary to determine its exact behavior.

Live on npm for 5 minutes before removal. Socket users were protected even while the package was live.

The code collects sensitive system information without user consent and sends it to an external server via a Discord webhook. The code gathers data such as the user's internal IP address, external IP address (obtained via an HTTP request to 'https[:]//ipinfo[.]io/json'), hostname, username, home directory, DNS server information, and package details from 'package.json'. This information is then formatted into a JSON object and transmitted to a hardcoded Discord webhook URL ('https[:]//discord[.]com/api/webhooks/...'). This behavior constitutes unauthorized data exfiltration and poses significant privacy and security risks.

Live on npm for 13 days, 23 hours and 8 minutes before removal. Socket users were protected even while the package was live.

This module is a standard Redis inspection utility, but it contains a dangerous use of pickle.loads on data read from Redis. That deserialization of potentially untrusted data is the primary security concern because it can lead to remote code execution if an attacker can place crafted pickled payloads into Redis or if the Redis data cannot be fully trusted. There are also operational risks: potential exposure of sensitive Redis contents via API responses and destructive commands that require proper access control. No obvious obfuscation or other malicious backdoors are present beyond the unsafe deserialization. Recommend remediating the pickle usage (use safe formats or isolate deserialization), ensure proper authentication/authorization on any API endpoints that invoke delete/flush, and replace keys() with SCAN for large datasets.

High risk: The code unconditionally pulls and evaluates a remote shell script and then calls a function from it. Without cryptographic verification, version pinning, or sandboxing, this constitutes a severe supply-chain risk and could enable arbitrary execution, data exfiltration, or backdoors. Recommended mitigations include avoiding remote sourcing, pinning versions, validating integrity, and running in isolated environments under strict policy enforcement.

The code is malicious: it performs reconnaissance of the local environment (hostname, username, cwd, home directory) and exfiltrates that information to a hard-coded remote server via crafted HTTP GET requests. The presence of environment-aware checks to avoid execution in CI/sandbox/Windows/cloud environments strongly indicates deliberate evasion and malicious intent. Treat the package as compromised; remove or isolate and conduct full repository audit. If this behavior is claimed to be legitimate, require a documented, verifiable justification and third-party code audit before reuse.

The code contains an explicit, targeted, and malicious/undesirable behavior: for Russian-language users on specific country TLDs the library disables page interactions and injects/plays a hardcoded external audio file hosted on flag-gimn.ru. This action is unrelated to the library's purpose, creates a third-party network fetch and unsolicited playback, and persists state in localStorage. Treat this as a high-severity supply-chain compromise; do not use this version in production. Replace with a clean, audited release or remove the geo-targeted audio block.

This fragment provides a remote command execution channel with possible interactive sessions, but it harbors significant security risks due to untrusted pickle deserialization and absence of authentication. The combination of remote control capabilities and insecure data handling makes it a high-risk component in a supply-chain context unless properly secured, authenticated, and sandboxed. The apparent truncation further raises concerns about reliability and cleanup.

This code is a browser fingerprinting library (collecting canvas, WebGL, audio, font, DOM, and many other signals) to compute a visitorId. It is not exhibiting classic malware behaviors (no remote shells, no credential leaks to arbitrary endpoints, no system command execution). However it is privacy-invasive by design: it builds a persistent identifier from many device/browser signals and performs hidden DOM/audio/canvas measurements. The only network activity visible is an occasional telemetry GET to an openfpcdn.io monitoring path; the fragment does not show exfiltration of collected fingerprint components. If you are evaluating for supply-chain safety: the module is not malware but it poses significant privacy/tracking risk and should be treated accordingly in contexts where fingerprinting is unacceptable.