Socket

Secure your dependencies. Ship with confidence.

Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies.


Find and compare millions of open source packages

Quickly evaluate the security and health of any open source package.

jquery: timmywil published 4.0.0

left-pad: stevemao published 1.3.0

react: react-bot published 19.2.4

We protect you from vulnerable and malicious packages

@hanzo/bot

2026.2.16

by zeekay

Live on npm

Blocked by Socket

The provided specification is a legitimate tool description for managing Feishu permissions and does not itself contain code-level indicators of malware, obfuscation, or backdoors. The main security risks are operational: acceptance and use of a high-privilege token without guidance on secure handling, and the absence of explicit API endpoints which creates uncertainty about where tokens/requests will be sent. Recommendations: keep the tool disabled by default; require explicit opt-in and documented network endpoints that must be verified to be official Feishu APIs; enforce least-privilege, short-lived tokens; implement logging redaction and audit trails; and perform code review on any implementation to ensure tokens are not logged, persisted insecurely, or proxied through third parties.

github.com/bishopfox/sliver

v1.5.40-0.20231230021235-77c3d851a2c9

Live on go

Blocked by Socket

This file implements screenshot capture and handling for a remote implant client: it saves screenshot bytes to local disk and can exfiltrate them to the operator via the loot subsystem. There is no obfuscation or hidden behavior, but the provided functionality is inherently malicious/abusive in adversarial contexts (privacy-invasive remote screenshot capture and exfiltration). The code has a minor safety issue: an arbitrary --save path is opened for writing without path sanitization (risk of accidental overwrite). No hardcoded secrets, command execution, or suspicious obfuscated payloads were found.

specweave

1.0.315

by aabyzov

Live on npm

Blocked by Socket

[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] (reported 9 times)
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

This skill/instruction document is coherent with its stated purpose (LSP-based semantic code navigation). There is no code-level evidence of malware or intentional data-exfiltration. The main risks are operational: the included shell snippet will read hidden skill-memory files under user home directories (potentially exposing private notes) and the advice to run npx/install global tools means users will execute code fetched from package registries (normal for dev tools but a supply-chain risk). Recommend users: (1) inspect any npx/global installs before running, (2) avoid running the grep/awk snippet if you don't want local skill-memory contents exposed, and (3) prefer per-project installs where possible. Overall: benign functional content with normal developer-tooling supply-chain cautions.

LLM verification: No evidence of active malware or deliberate backdoor code inside the provided documentation. The skill is functionally consistent: it documents LSP usage and fallback to SpecWeave CLI. The main risks are supply-chain and operational: unpinned package installs and the use of npx/tweakcc which fetch and execute remote code, and an inline shell snippet that reads local skill-memory files under $HOME (which could reveal sensitive local content if blindly executed). Recommend: treat install steps wit

customtiknter

1.0.0

Live on pypi

Blocked by Socket

This package contains a concealed, encrypted payload that is decrypted and executed during installation on Windows. The pattern (hardcoded symmetric key + ciphertext + exec within install hook) is a classic supply-chain/backdoor technique. Treat this package as malicious: do not install it in any trusted environment. Recovering the payload is straightforward by decrypting the ciphertext with the embedded key, and doing so in an isolated analysis environment is recommended to inspect its exact behavior. The package should be removed from public indexes and reported.

354766/sickn33/antigravity-awesome-skills/active-directory-attacks/

eab436019882f79de44ca09557a81b1c992a0249

Live on socket

Blocked by Socket

This document is an offensive reference detailing actionable AD attack techniques (delegation, GPO abuse, SCCM/WSUS deployment of payloads, ADCS abuses, ticket forging, credential harvesting, etc.). It is highly actionable and intended to enable enterprise compromise and persistence. The content should be treated as malicious or dual-use offensive material: if found in a repository or dependency, it represents a high supply-chain and security risk and warrants immediate removal or strict review/containment. Use of the commands and tools described will likely result in credential theft, privilege escalation, and remote code execution in AD environments.

nethouse-ui

3.9843.1

Removed from npm

Blocked by Socket

The provided Bash script is highly suspicious and likely malicious as it sends sensitive system information and environment variables to an external server without user consent. This behavior poses a significant security risk.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

cirrus-matchmaker

999.99.99

by 0xwise64

Removed from npm

Blocked by Socket

The script collects information like hostname, platform, user information, and current path, and sends it to a remote server.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

github.com/bishopfox/sliver

v1.0.3-beta.0.20200611010416-58e1cbd60ef6

Live on go

Blocked by Socket

This code is part of an offensive/dual-use implant framework and intentionally constructs and transmits raw shellcode to implanted agents to perform privilege escalation (GetSystem) and account impersonation. The file itself contains no obfuscated or hidden backdoors, but it enables high-risk operations (RCE and privilege escalation) by design. Treat as high-risk: audit session management and any generate/get shellcode implementations before reuse. Do not include in production or untrusted environments without strict controls.

opsmate

0.1.49a0

Live on pypi

Blocked by Socket

This module is an LLM-driven orchestrator that exposes powerful actions (shell execution, GitHub repo modifications, working-directory changes) directly to a model without visible safeguards. The file is syntactically incomplete, but the design is high-risk: a compromised model, malicious prompt, or inadvertent instruction could trigger arbitrary command execution, repository tampering, or leakage of secrets via printed tool outputs. There is no direct evidence of embedded malware or obfuscation in this snippet, but running this code as-is (or completing it) in a privileged environment would be unsafe without strict mitigations: sandboxing, credential scoping, human authorization, command allowlists, output redaction, and audit logging.

tiny-model-update

1.16.3

Live on npm

Blocked by Socket

This code fragment actively exfiltrates evidence of Discord token harvesting (including host identification and token counts) to a Telegram chat, then attempts to hide traces by stopping the bot, destroying standard streams, and exiting. These behaviors are characteristic of credential-stealing malware. Treat the package as malicious: do not run it, audit remaining repository files (especially modules providing Telegram credentials and token collection logic), and rotate any potentially compromised credentials on affected hosts.

carbonorm/carbonphp

10.1.3

Live on composer

Blocked by Socket

The dominant security concern is the explicit use of eval on data-derived JSON within CarbonPHP.handlebars, which can enable arbitrary code execution if data is attacker-controlled. Additional concerns include unsanitized dynamic script/template loading and a busy-wait sleep that can degrade performance and potentially expose timing information. Overall risk is high due to the eval pattern and dynamic content loading without strong sanitization.

tonto

24.1.17

Removed from pypi

Blocked by Socket

The code contains multiple security risks such as potential for code injection through 'eval', fixed encryption keys, and system command execution. Additionally, the mix of functionalities and shadowing of built-in functions is suspicious.

Live on pypi for 27 days, 2 hours and 39 minutes before removal. Socket users were protected even while the package was live.

forthon

0.8.35

Live on pypi

Blocked by Socket

The code contains a high-risk dynamic execution vulnerability via eval on input-derived content. This constitutes a potential supply chain or runtime code execution vector if the input file is controlled by an attacker or user. The incomplete main() invocation hints at a broken or truncated build, but the eval path remains the primary threat. Without additional safeguards (sandboxing, strict whitelisting, or avoiding eval), this package should be treated as unsafe for distribution.

354766/duc01226/easyplatform/repomix/

435c4fed26318f3421a8058f0bc3dbb621aba8da

Live on socket

Blocked by Socket

The Repomix manifest appears benign and coherent with its stated goal of packaging repositories for AI analysis. It emphasizes security reviews and controllable token management, with no evident malicious activity in the fragment itself. The main risk lies in real-world use: ensuring trusted sources for installations, prudent include patterns, and mindful use of the --no-security-check flag. Overall security posture is moderate, warranting careful operational controls and validation in deployment environments.

richardtmiles/carbonphp

13.8.0

Live on composer

Blocked by Socket

The codebase exhibits a legitimate-looking migration workflow coupled with a highly suspicious selfHidingFile backdoor construct using __HALT_COMPILER, plus broad use of unvalidated external inputs and shell operations. This combination introduces substantial supply-chain and runtime risk, including potential data exfiltration or remote control of server content if the HALT payload is reachable. Immediate security review, removal of the HALT-based backdoor, and strict input validation are strongly recommended before deploying in any environment.

doughnuts

3.0.2

Live on pypi

Blocked by Socket

This module implements a webshell connection/initialization routine that probes and configures interaction with a remote PHP webshell. It executes PHP payloads remotely to detect PHP version and gather server internals, stores access credentials and metadata locally (including writing to webshell.log), and sets up templates for remote command execution. The code is dual-use (legitimate pentest tool vs. malicious remote access), but its capabilities (remote code execution, harvesting server info, storing credentials) make it high-risk for unauthorized use. The current fragment contains a bug (get_detectd_exec_php returns immediately) that may break exec template detection, but otherwise shows clear functionality of a webshell controller.

n8n-nodes-gg-udhasudsh-hgjkhg-official

0.0.35

Live on npm

Blocked by Socket

No clear malware or backdoor behavior found. The code is heavily obfuscated but appears to implement an audience search that calls Google Ads API. Main security issue: unescaped concatenation of user-controlled input into a GAQL query and use of user-supplied customer id to build the request path; this can lead to injection-like problems (malformed queries or unexpected API calls). Recommend: validate and properly escape input used in GAQL, use parameterized queries or the client library’s safe query building features, and reduce/avoid obfuscation to improve auditability.

aait

2.3.15

Live on pypi

Blocked by Socket

This module is not obviously malicious by intent (it implements a customization mechanism and a cache-cleaning utility), but it contains several high-risk operations: untrusted pickle deserialization and dynamic execution of Python files from disk without integrity checks or sandboxing. These behaviors create clear code-execution and supply-chain risks if an attacker can write to the expected file locations. Recommend treating files loaded here as untrusted — add signature/whitelisting, avoid pickle for untrusted data, or use safer serialization; validate and restrict loaded file locations and contents; and avoid executing arbitrary module code during import.

@guanghechen/kit-pm

0.2.3

by lemonclown

Live on npm

Blocked by Socket

The fragment is highly suspicious, exhibiting traits typical of covert remote-control agents or payload loaders: heavy obfuscation, dynamic imports/exec/spawn usage, network/socket activity, and extensive filesystem interaction. While obfuscation alone is not proof of malicious intent, the combination of sources and sinks with runtime-determined behavior strongly indicates malicious potential (backdoor/data exfiltration). Treat this as a high-security-risk artifact and conduct thorough runtime deobfuscation, endpoint tracing, and controlled sandbox testing before any deployment. Recommended follow-ups include deobfuscation pass, dynamic-IO flow tracing, and verification that no external endpoints are contacted without authorization.

odds-analyzer

2.2.1

by rukabruno

Live on npm

Blocked by Socket

This module introduces a remote code execution backdoor: it fetches JSON from a hardcoded external domain and executes the contents of data.credits via new Function, passing in require and process, which allows arbitrary code to run with the host's privileges, access environment variables, filesystem, and network. The custom require fallback increases attack surface. This is a high-risk supply-chain/backdoor behavior and should be considered malicious. Do not use this package; remove and investigate any systems where it was installed or executed.

n8n-nodes-zalo-crm-test

0.8.5

by chuloi

Live on npm

Blocked by Socket

This code hooks into the Zalo QR-login flow to capture authentication artifacts (cookie, IMEI, user agent). Upon successful login, it automatically invokes the n8n REST API (using credentials obtained via this.getCredentials('n8nZaloApi')) to create a new credential in the user’s n8n instance. It then sends the new credential’s ID, the n8n API key, and the user ID in a JSON payload to an external endpoint at https://apizalov3[.]salesdy[.]com/messages. This constitutes direct exfiltration of sensitive credentials and API keys to a third-party server, representing a critical supply-chain security risk.

@dotevn/config

1.22.6

by alex2022a

Live on npm

Blocked by Socket

This code dynamically decodes a base64-encoded URL and module names at runtime, recursively enumerates files under process.cwd() (including .env and other JSON files), reads their contents into memory, and then issues a POST request to https://ipfs-url-validator[.]vercel[.]app/verify with the aggregated data. The endpoint and require calls are hidden via base64 to evade easy detection. There is no explicit opt-in or documented consent mechanism. By harvesting environment variables, secrets, and other project files and sending them off-site, this behavior represents a high-severity supply-chain risk and secret exfiltration backdoor.

sbcli-main-ha

0.0.4

Live on pypi

Blocked by Socket

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls and runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP/docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS/auth for Docker daemon, removing privileged/host_mode mounts where possible, and avoiding passing untrusted secrets into container environments.

@synsci/cli-linux-x64-baseline-musl

1.1.77

Live on npm

Blocked by Socket

[Skill Scanner] Installation of third-party script detected (AITech 9.1.4) [SC006]

dnszlsk/muad-dib

6a6a617a4844e98ba432c272bf0d6703ddc9b5f9

Live on actions

Blocked by Socket

This package runs its index.js on install and, based on its name and description, is intended to exfiltrate Discord webhook credentials. Installing it will execute potentially malicious code with the privileges of the installing user and poses a high risk of data exfiltration and unauthorized remote communication.

@hanzo/bot

2026.2.16

by zeekay

Live on npm

Blocked by Socket

The provided specification is a legitimate tool description for managing Feishu permissions and does not itself contain code-level indicators of malware, obfuscation, or backdoors. The main security risks are operational: acceptance and use of a high-privilege token without guidance on secure handling, and the absence of explicit API endpoints which creates uncertainty about where tokens/requests will be sent. Recommendations: keep the tool disabled by default; require explicit opt-in and documented network endpoints that must be verified to be official Feishu APIs; enforce least-privilege, short-lived tokens; implement logging redaction and audit trails; and perform code review on any implementation to ensure tokens are not logged, persisted insecurely, or proxied through third parties.

github.com/bishopfox/sliver

v1.5.40-0.20231230021235-77c3d851a2c9

Live on go

Blocked by Socket

This file implements screenshot capture and handling for a remote implant client: it saves screenshot bytes to local disk and can exfiltrate them to the operator via the loot subsystem. There is no obfuscation or hidden behavior, but the provided functionality is inherently malicious/abusive in adversarial contexts (privacy-invasive remote screenshot capture and exfiltration). The code has a minor safety issue: an arbitrary --save path is opened for writing without path sanitization (risk of accidental overwrite). No hardcoded secrets, command execution, or suspicious obfuscated payloads were found.

specweave

1.0.315

by aabyzov

Live on npm

Blocked by Socket

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4] This skill/instruction document is coherent with its stated purpose (LSP-based semantic code navigation). There is no code-level evidence of malware or intentional data-exfiltration. The main risks are operational: the included shell snippet will read hidden skill-memory files under user home directories (potentially exposing private notes) and the advice to run npx/install global tools means users will execute code fetched from package registries (normal for dev tools but a supply-chain risk). Recommend users: (1) inspect any npx/global installs before running, (2) avoid running the grep/awk snippet if you don’t want local skill-memory contents exposed, and (3) prefer per-project installs where possible. Overall: benign functional content with normal developer-tooling supply-chain cautions. LLM verification: No evidence of active malware or deliberate backdoor code inside the provided documentation. 
The skill is functionally consistent: it documents LSP usage and fallback to SpecWeave CLI. The main risks are supply-chain and operational: unpinned package installs and the use of npx/tweakcc which fetch and execute remote code, and an inline shell snippet that reads local skill-memory files under $HOME (which could reveal sensitive local content if blindly executed). Recommend: treat install steps wit

customtiknter

1.0.0

Live on pypi

Blocked by Socket

This package contains a concealed, encrypted payload that is decrypted and executed during installation on Windows. The pattern (hardcoded symmetric key + ciphertext + exec within install hook) is a classic supply-chain/backdoor technique. Treat this package as malicious: do not install it in any trusted environment. Recovering the payload is straightforward by decrypting the ciphertext with the embedded key, and doing so in an isolated analysis environment is recommended to inspect its exact behavior. The package should be removed from public indexes and reported.

354766/sickn33/antigravity-awesome-skills/active-directory-attacks/

eab436019882f79de44ca09557a81b1c992a0249

Live on socket

Blocked by Socket

This document is an offensive reference detailing actionable AD attack techniques (delegation, GPO abuse, SCCM/WSUS deployment of payloads, ADCS abuses, ticket forging, credential harvesting, etc.). It is highly actionable and intended to enable enterprise compromise and persistence. The content should be treated as malicious or dual-use offensive material: if found in a repository or dependency, it represents a high supply-chain and security risk and warrants immediate removal or strict review/containment. Use of the commands and tools described will likely result in credential theft, privilege escalation, and remote code execution in AD environments.

nethouse-ui

3.9843.1

Removed from npm

Blocked by Socket

The provided Bash script is highly suspicious and likely malicious as it sends sensitive system information and environment variables to an external server without user consent. This behavior poses a significant security risk.

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

cirrus-matchmaker

999.99.99

by 0xwise64

Removed from npm

Blocked by Socket

The script collects information like hostname, platform, user information, and current path, and sends it to a remote server.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

github.com/bishopfox/sliver

v1.0.3-beta.0.20200611010416-58e1cbd60ef6

Live on go

Blocked by Socket

This code is part of an offensive/dual-use implant framework and intentionally constructs and transmits raw shellcode to implanted agents to perform privilege escalation (GetSystem) and account impersonation. The file itself contains no obfuscated or hidden backdoors, but it enables high-risk operations (RCE and privilege escalation) by design. Treat as high-risk: audit session management and any generate/get shellcode implementations before reuse. Do not include in production or untrusted environments without strict controls.

opsmate

0.1.49a0

Live on pypi

Blocked by Socket

This module is an LLM-driven orchestrator that exposes powerful actions (shell execution, GitHub repo modifications, working-directory changes) directly to a model without visible safeguards. The file is syntactically incomplete, but the design is high-risk: a compromised model, malicious prompt, or inadvertent instruction could trigger arbitrary command execution, repository tampering, or leakage of secrets via printed tool outputs. There is no direct evidence of embedded malware or obfuscation in this snippet, but running this code as-is (or completing it) in a privileged environment would be unsafe without strict mitigations: sandboxing, credential scoping, human authorization, command allowlists, output redaction, and audit logging.

tiny-model-update

1.16.3

Live on npm

Blocked by Socket

This code fragment actively exfiltrates evidence of Discord token harvesting (including host identification and token counts) to a Telegram chat, then attempts to hide traces by stopping the bot, destroying standard streams, and exiting. These behaviors are characteristic of credential-stealing malware. Treat the package as malicious: do not run it, audit remaining repository files (especially modules providing Telegram credentials and token collection logic), and rotate any potentially compromised credentials on affected hosts.

carbonorm/carbonphp

10.1.3

Live on composer

Blocked by Socket

The dominant security concern is the explicit use of eval on data-derived JSON within CarbonPHP.handlebars, which can enable arbitrary code execution if data is attacker-controlled. Additional concerns include unsanitized dynamic script/template loading and a busy-wait sleep that can degrade performance and potentially expose timing information. Overall risk is high due to the eval pattern and dynamic content loading without strong sanitization.

tonto

24.1.17

Removed from pypi

Blocked by Socket

The code contains multiple security risks such as potential for code injection through 'eval', fixed encryption keys, and system command execution. Additionally, the mix of functionalities and shadowing of built-in functions is suspicious.

Live on pypi for 27 days, 2 hours and 39 minutes before removal. Socket users were protected even while the package was live.

forthon

0.8.35

Live on pypi

Blocked by Socket

The code contains a high-risk dynamic execution vulnerability via eval on input-derived content. This constitutes a potential supply chain or runtime code execution vector if the input file is controlled by an attacker or user. The incomplete main() invocation hints at a broken or truncated build, but the eval path remains the primary threat. Without additional safeguards (sandboxing, strict whitelisting, or avoiding eval), this package should be treated as unsafe for distribution.

354766/duc01226/easyplatform/repomix/

435c4fed26318f3421a8058f0bc3dbb621aba8da

Live on socket

Blocked by Socket

The Repomix manifest appears benign and coherent with its stated goal of packaging repositories for AI analysis. It emphasizes security reviews and controllable token management, with no evident malicious activity in the fragment itself. The main risk lies in real-world use: ensuring trusted sources for installations, prudent include patterns, and mindful use of the --no-security-check flag. Overall security posture is moderate, warranting careful operational controls and validation in deployment environments.

richardtmiles/carbonphp

13.8.0

Live on composer

Blocked by Socket

The codebase exhibits a legitimate-looking migration workflow coupled with a highly suspicious selfHidingFile backdoor construct using __HALT_COMPILER, plus broad use of unvalidated external inputs and shell operations. This combination introduces substantial supply-chain and runtime risk, including potential data exfiltration or remote control of server content if the HALT payload is reachable. Immediate security review, removal of the HALT-based backdoor, and strict input validation are strongly recommended before deploying in any environment.

doughnuts

3.0.2

Live on pypi

Blocked by Socket

This module implements a webshell connection/initialization routine that probes and configures interaction with a remote PHP webshell. It executes PHP payloads remotely to detect PHP version and gather server internals, stores access credentials and metadata locally (including writing to webshell.log), and sets up templates for remote command execution. The code is dual-use (legitimate pentest tool vs. malicious remote access), but its capabilities (remote code execution, harvesting server info, storing credentials) make it high-risk for unauthorized use. The current fragment contains a bug (get_detectd_exec_php returns immediately) that may break exec template detection, but otherwise shows clear functionality of a webshell controller.

n8n-nodes-gg-udhasudsh-hgjkhg-official

0.0.35

Live on npm

Blocked by Socket

No clear malware or backdoor behavior found. The code is heavily obfuscated but appears to implement an audience search that calls Google Ads API. Main security issue: unescaped concatenation of user-controlled input into a GAQL query and use of user-supplied customer id to build the request path; this can lead to injection-like problems (malformed queries or unexpected API calls). Recommend: validate and properly escape input used in GAQL, use parameterized queries or the client library’s safe query building features, and reduce/avoid obfuscation to improve auditability.

aait

2.3.15

Live on pypi

Blocked by Socket

This module is not obviously malicious by intent (it implements a customization mechanism and a cache-cleaning utility), but it contains several high-risk operations: untrusted pickle deserialization and dynamic execution of Python files from disk without integrity checks or sandboxing. These behaviors create clear code-execution and supply-chain risks if an attacker can write to the expected file locations. Recommend treating files loaded here as untrusted — add signature/whitelisting, avoid pickle for untrusted data, or use safer serialization; validate and restrict loaded file locations and contents; and avoid executing arbitrary module code during import.

@guanghechen/kit-pm

0.2.3

by lemonclown

Live on npm

Blocked by Socket

The fragment is highly suspicious, exhibiting traits typical of covert remote-control agents or payload loaders: heavy obfuscation, dynamic imports/exec/spawn usage, network/socket activity, and extensive filesystem interaction. While obfuscation alone is not proof of malicious intent, the combination of sources and sinks with runtime-determined behavior strongly indicates malicious potential (backdoor/data exfiltration). Treat this as a high-security-risk artifact and conduct thorough runtime deobfuscation, endpoint tracing, and controlled sandbox testing before any deployment. Recommended follow-ups include deobfuscation pass, dynamic-IO flow tracing, and verification that no external endpoints are contacted without authorization.

odds-analyzer

2.2.1

by rukabruno

Live on npm

Blocked by Socket

This module introduces a remote code execution backdoor: it fetches JSON from a hardcoded external domain and executes the contents of data.credits via new Function, passing in require and process, which allows arbitrary code to run with the host's privileges, access environment variables, filesystem, and network. The custom require fallback increases attack surface. This is a high-risk supply-chain/backdoor behavior and should be considered malicious. Do not use this package; remove and investigate any systems where it was installed or executed.

n8n-nodes-zalo-crm-test

0.8.5

by chuloi

Live on npm

Blocked by Socket

This code hooks into the Zalo QR-login flow to capture authentication artifacts (cookie, IMEI, user agent). Upon successful login, it automatically invokes the n8n REST API (using credentials obtained via this.getCredentials('n8nZaloApi')) to create a new credential in the user’s n8n instance. It then sends the new credential’s ID, the n8n API key, and the user ID in a JSON payload to an external endpoint at https://apizalov3[.]salesdy[.]com/messages. This constitutes direct exfiltration of sensitive credentials and API keys to a third-party server, representing a critical supply-chain security risk.

@dotevn/config

1.22.6

by alex2022a

Live on npm

Blocked by Socket

This code dynamically decodes a base64-encoded URL and module names at runtime, recursively enumerates files under process.cwd() (including .env and other JSON files), reads their contents into memory, and then issues a POST request to https://ipfs-url-validator[.]vercel[.]app/verify with the aggregated data. The endpoint and require calls are hidden via base64 to evade easy detection. There is no explicit opt-in or documented consent mechanism. By harvesting environment variables, secrets, and other project files and sending them off-site, this behavior represents a high-severity supply-chain risk and secret exfiltration backdoor.

sbcli-main-ha

0.0.4

Live on pypi

Blocked by Socket

No direct malware code is present in the fragment (no obvious backdoor, reverse shell, or exfiltration implemented in this file itself). However, the module exposes very high-risk functionality: it connects to the Docker API over plaintext TCP, allows client-controlled image pulls, runs containers as privileged with host mounts and host networking, and injects potentially sensitive credentials into container environments. These behaviors make this code a significant supply-chain and host-compromise risk if the endpoints are reachable by untrusted users or if DOCKER_IP or the Docker daemon is exposed. Recommend restricting access, enforcing authentication/authorization, validating image names (or disallowing arbitrary images), using TLS and authentication for the Docker daemon, removing privileged/host-mode mounts where possible, and avoiding passing untrusted secrets into container environments.

@synsci/cli-linux-x64-baseline-musl

1.1.77

Live on npm

Blocked by Socket

[Skill Scanner] Installation of third-party script detected (AITech 9.1.4) [SC006]

dnszlsk/muad-dib

6a6a617a4844e98ba432c272bf0d6703ddc9b5f9

Live on actions

Blocked by Socket

This package runs its index.js on install and, based on its name and description, is intended to exfiltrate Discord webhook credentials. Installing it will execute potentially malicious code with the privileges of the installing user and poses a high risk of data exfiltration and unauthorized remote communication.

Detect and block software supply chain attacks

Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.

Possible typosquat attack

Known malware

Git dependency

GitHub dependency

AI-detected potential malware

HTTP dependency

Obfuscated code

Suspicious Stars on GitHub

Telemetry

Protestware or potentially unwanted behavior


Detect suspicious package updates in real-time

Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.


Developers love Socket

Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.


Security teams trust Socket

The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.


Protect every package in your stack

Secure your team's dependencies across your stack with Socket. Stop supply chain attacks before they reach production.


RUST: crates.io (Rust Package Manager)

PHP: Packagist (PHP Package Manager)

GOLANG: Go Modules (Go Dependency Management)

JAVA: Maven Central

JAVASCRIPT: npm (Node Package Manager)

.NET: NuGet (.NET Package Manager)

PYTHON: PyPI (Python Package Index)

RUBY: RubyGems.org (Ruby Package Manager)

AI: Hugging Face Hub (AI Model Hub)

CI: GitHub Actions (CI/CD Workflows)

EXTENSIONS: Chrome Web Store (Chrome Browser Extensions)

EXTENSIONS: Open VSX (VS Code Extensions)

Supply chain attacks are on the rise

Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.

Nov 23, 2025

Shai Hulud v2

Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.

Nov 05, 2025

Elves on npm

A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, some mentioning a capture the flag challenge or test.

Jul 04, 2025

RubyGems Automation-Tool Infostealer

Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.

Mar 13, 2025

North Korea's Contagious Interview Campaign

Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.

Jul 23, 2024

Network Reconnaissance Campaign

A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.

Ready to dive in?

Get protected by Socket with just 2 clicks.


The latest from the Socket team

Get our latest security research, open source insights, and product updates.
