Secure your dependencies. Ship with confidence.

This module contains explicit data-exfiltration behavior: a plaintext Telegram bot token and an unconditional upload of a specific local file to a remote Telegram chat when executed. In a repository or dependency this constitutes a high-risk backdoor and credential leak. Treat as malicious/unsafe for reuse in packages; revoke the token and remove or modify the code to require explicit, authenticated configuration before any network file transfer.

This package is explicitly malicious: it implements an NTP amplification attack tool that sends spoofed NTP probe packets to third-party servers so their responses are directed at the target IP (DDoS amplification). It also modifies the system ntp configuration and restarts the ntp daemon. Do not use or install this code on production or benign systems. It should be treated as malware and removed/quarantined.

The module contains a clear malicious payload: it targets users by locale and host, persists state in localStorage, and after a 3-day delay disables page interaction and injects/attempts to play an externally-hosted audio file. This behavior is abusive (harassment/denial of service) and unrelated to the library's functionality and should be removed. The rest of the code implementing SweetAlert functionality appears standard and benign, but the presence of this injected targeting payload makes the package unsafe to use until the code is cleaned and provenance confirmed.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] This is a legitimate, comprehensive guide/skill for performing security scanning and penetration-testing tasks. It contains multiple high-impact, potentially disruptive commands (deauth attacks, large-scale scanning, exploitation via Metasploit, masscan to 0.0.0.0/0) that are appropriate only in authorized contexts. There is no evidence of embedded malware, obfuscated code, credential-harvesting behavior, or third-party exfiltration in the provided content. Overall risk stems from potential misuse or accidental damage rather than inherent malicious code. Recommend using within authorized scope, with least-privilege credentials, rate limits, and clear exclusion lists. LLM verification: This SKILL.md is a legitimate, capability-aligned guide for authorized security scanning and penetration-testing activities. It does not contain obfuscated malware or explicit data-exfiltration code. However, it includes several supply-chain and operational risks: unpinned pip installs (prowler, scoutsuite), broad instructions requiring root and network access, and example commands that encourage large-scale or high-speed scanning (masscan 0.0.0.0/0, high --rate values) which are disproportionat

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 3 hours before removal. Socket users were protected even while the package was live.

The setup.py contains explicit, unnecessary, and malicious behavior: it executes a shell command at import/install time to read /flag and prints the result. This is a supply-chain exfiltration/backdoor pattern. Treat the package as compromised; do not install it in environments with sensitive data and remove or block the package from distribution.

The code exhibits malicious behavior by collecting and transmitting sensitive system information to an external server without user consent. This poses a high security risk and potential for data theft.

Live on npm for 11 days and 4 minutes before removal. Socket users were protected even while the package was live.

The script performs covert exfiltration of command-line contents to a hard-coded remote host when specific sensitive flags are present, then proxies execution to 'npx hardhat'. This is privacy-invasive and likely malicious. Treat any secrets supplied via the CLI as compromised, remove the wrapper from environments, and rotate affected credentials.

[Skill Scanner] Instruction to copy/paste content into terminal detected Selected assessment (based on Report 2) identifies a coherent, security-conscious depiction of the ml-paper-writing skill with explicit data-flow considerations and prudent cautions around external tooling. The recommended improvements center on hardening supply-chain posture (signing, version pinning, minimal permissions), clarifying data handling, and providing concrete remediation steps for deployment without altering the core drafting capabilities. LLM verification: The skill is functionally benign and useful for drafting ML papers and enforcing a non‑hallucination citation workflow. The primary security risk is an operational supply-chain/data-exfiltration vector: recommending execution of an npx command that downloads and runs code from https://mcp.exa.ai/mcp and routing searches through that third-party MCP. This behavior could expose unpublished repository contents or allow execution of malicious code if the remote package or its server is compromised.

[Skill Scanner] Natural language instruction to download and install from URL detected No explicit malicious code or obfuscation is present in the provided material; the package is a workflow/documentation for AI-assisted slide generation. The dominant security concern is the intended data flow to a third-party AI service: the documentation repeatedly instructs uploading local files and chaining attachments for style continuity, which creates a realistic risk of accidental exfiltration of sensitive or unpublished research artifacts. Operational best practices (avoid attaching confidential files, sanitize metadata, use secure credential handling, run in isolated environments) and verifying the remote provider’s data-retention/training policies are required to reduce risk. If used by automated agents with broad file-system access, the tooling increases the attack surface and should be constrained. LLM verification: This skill is not demonstrably malicious based on the provided text, but it presents moderate supply-chain and data-exfiltration risk because it encourages listing and attaching arbitrary local files and references a third-party key URL without documenting trusted endpoints or secure key handling. Recommendation: before use, require explicit user confirmations for each attachment, document and verify the exact service endpoints and owner, provide secure key-storage guidance, add warnings about u

This package will execute its bundled index.js during installation. Given the package name and description explicitly describing backdoor/persistence behavior, treat this as malicious. Do not install. Inspect the contents of index.js in a safe environment (offline/sandbox) if analysis is required, and if this was installed on production/self-hosted CI, assume compromise and perform incident response (rotate credentials, rebuild runners, check for persistence mechanisms and network egress).

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

The code exhibits suspicious behavior, including sending potentially sensitive data to external servers and managing cryptocurrency transactions with obfuscated keys. This raises significant security concerns.

Live on npm for 90 days, 17 hours and 58 minutes before removal. Socket users were protected even while the package was live.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This source file implements a network pivot/listener component of the Sliver implant framework, enabling encrypted peer-to-peer pivoting and forwarding of protobuf-based C2 envelopes. Behavior is consistent with a remote control implant component and therefore presents high security risk in most benign deployment contexts (it is explicitly an implant/C2 artifact). The code itself does not show obfuscation or obvious credential harvesting beyond normal C2 functionality, but it forwards potentially arbitrary data upstream and downstream which can be used for command-and-control and data exfiltration. Use of this code in a project should be considered malicious unless the package is intentionally used in an offensive security context with appropriate authorization.

This module reads the user's SSH private key from ~/.ssh/id_rsa, base64-encodes it, and transmits it in a custom HTTP header to api.github.com. This is direct credential exfiltration and constitutes malicious behavior. The package should be treated as compromised/malicious, removed, and investigated; any keys present should be assumed leaked and rotated immediately.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This file is a legitimate-looking destructive cleanup script for removing AWS Landing Zone resources across an AWS Organization. It contains no signs of data-exfiltration, obfuscation, or third-party command-and-control. However, it performs many high-impact destructive AWS operations (deleting stacks, buckets, StackSets, moving accounts, deleting OUs, etc.) and thus is extremely dangerous to run with privileged credentials. Treat as a destructive tool: do not run in production unless you intend to irreversibly remove the listed resources and have backups/approval.

Live on pypi for 4 days and 18 minutes before removal. Socket users were protected even while the package was live.

This file contains malicious code that functions as a backdoor with data exfiltration and remote code execution capabilities. The code systematically collects sensitive system information including all environment variables, platform details, hostname, username, and MAC addresses from network interfaces. This data is then transmitted via HTTP POST request to a suspicious remote server at https://log-server-lovat[.]vercel[.]app/api/ipcheck/703 with a custom header 'x-secret-header: secret'. After sending the collected data, the malware evaluates the server's response as JavaScript code using eval(), enabling arbitrary remote code execution. The code employs obfuscation by hex-encoding critical strings like 'require', 'axios', 'post', and the target URL to evade detection. Error handling is deliberately suppressed to prevent detection of failed operations. This represents a critical supply chain attack vector that compromises system security through both data theft and remote control capabilities.

The code itself is not malicious and contains no obfuscation or hidden backdoors. However, it enables arbitrary code execution from input data, which is a critical security risk if the data source is untrusted. This can lead to full system compromise. There are no mitigating controls or sandboxing. The trivial check for 'toto' in scripts does not provide meaningful protection. The widget should be used only with trusted data or improved with proper sandboxing and security controls.

Live on pypi for 7 hours before removal. Socket users were protected even while the package was live.

This module contains explicit data-exfiltration behavior: a plaintext Telegram bot token and an unconditional upload of a specific local file to a remote Telegram chat when executed. In a repository or dependency this constitutes a high-risk backdoor and credential leak. Treat as malicious/unsafe for reuse in packages; revoke the token and remove or modify the code to require explicit, authenticated configuration before any network file transfer.

This package is explicitly malicious: it implements an NTP amplification attack tool that sends spoofed NTP probe packets to third-party servers so their responses are directed at the target IP (DDoS amplification). It also modifies the system ntp configuration and restarts the ntp daemon. Do not use or install this code on production or benign systems. It should be treated as malware and removed/quarantined.

The module contains a clear malicious payload: it targets users by locale and host, persists state in localStorage, and after a 3-day delay disables page interaction and injects/attempts to play an externally-hosted audio file. This behavior is abusive (harassment/denial of service) and unrelated to the library's functionality and should be removed. The rest of the code implementing SweetAlert functionality appears standard and benign, but the presence of this injected targeting payload makes the package unsafe to use until the code is cleaned and provenance confirmed.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] This is a legitimate, comprehensive guide/skill for performing security scanning and penetration-testing tasks. It contains multiple high-impact, potentially disruptive commands (deauth attacks, large-scale scanning, exploitation via Metasploit, masscan to 0.0.0.0/0) that are appropriate only in authorized contexts. There is no evidence of embedded malware, obfuscated code, credential-harvesting behavior, or third-party exfiltration in the provided content. Overall risk stems from potential misuse or accidental damage rather than inherent malicious code. Recommend using within authorized scope, with least-privilege credentials, rate limits, and clear exclusion lists. LLM verification: This SKILL.md is a legitimate, capability-aligned guide for authorized security scanning and penetration-testing activities. It does not contain obfuscated malware or explicit data-exfiltration code. However, it includes several supply-chain and operational risks: unpinned pip installs (prowler, scoutsuite), broad instructions requiring root and network access, and example commands that encourage large-scale or high-speed scanning (masscan 0.0.0.0/0, high --rate values) which are disproportionat

The Python module itself is not directly implementing typical malware behaviors, but it creates a high-risk execution surface: it runs local shell scripts (some with sudo) with unvalidated inputs and passes secrets on the command line. The deploy_fdb_from_file_service function contains a command-injection vulnerability (shell=True with joined args) and a coding bug (returncod typo). Recommend: remove shell=True; use argument lists always, avoid passing secrets via argv (use stdin, environment files with proper filesystem permissions, or secured IPC), eliminate unnecessary sudo calls and require callers to provide appropriate privileges if needed, validate/escape inputs (especially file paths), fix the returncod typo, and audit all invoked shell scripts before use. Treat package as risky until mitigations and script audits are performed.

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 3 hours before removal. Socket users were protected even while the package was live.

The setup.py contains explicit, unnecessary, and malicious behavior: it executes a shell command at import/install time to read /flag and prints the result. This is a supply-chain exfiltration/backdoor pattern. Treat the package as compromised; do not install it in environments with sensitive data and remove or block the package from distribution.

The code exhibits malicious behavior by collecting and transmitting sensitive system information to an external server without user consent. This poses a high security risk and potential for data theft.

Live on npm for 11 days and 4 minutes before removal. Socket users were protected even while the package was live.

The script performs covert exfiltration of command-line contents to a hard-coded remote host when specific sensitive flags are present, then proxies execution to 'npx hardhat'. This is privacy-invasive and likely malicious. Treat any secrets supplied via the CLI as compromised, remove the wrapper from environments, and rotate affected credentials.

[Skill Scanner] Instruction to copy/paste content into terminal detected Selected assessment (based on Report 2) identifies a coherent, security-conscious depiction of the ml-paper-writing skill with explicit data-flow considerations and prudent cautions around external tooling. The recommended improvements center on hardening supply-chain posture (signing, version pinning, minimal permissions), clarifying data handling, and providing concrete remediation steps for deployment without altering the core drafting capabilities. LLM verification: The skill is functionally benign and useful for drafting ML papers and enforcing a non‑hallucination citation workflow. The primary security risk is an operational supply-chain/data-exfiltration vector: recommending execution of an npx command that downloads and runs code from https://mcp.exa.ai/mcp and routing searches through that third-party MCP. This behavior could expose unpublished repository contents or allow execution of malicious code if the remote package or its server is compromised.

[Skill Scanner] Natural language instruction to download and install from URL detected No explicit malicious code or obfuscation is present in the provided material; the package is a workflow/documentation for AI-assisted slide generation. The dominant security concern is the intended data flow to a third-party AI service: the documentation repeatedly instructs uploading local files and chaining attachments for style continuity, which creates a realistic risk of accidental exfiltration of sensitive or unpublished research artifacts. Operational best practices (avoid attaching confidential files, sanitize metadata, use secure credential handling, run in isolated environments) and verifying the remote provider’s data-retention/training policies are required to reduce risk. If used by automated agents with broad file-system access, the tooling increases the attack surface and should be constrained. LLM verification: This skill is not demonstrably malicious based on the provided text, but it presents moderate supply-chain and data-exfiltration risk because it encourages listing and attaching arbitrary local files and references a third-party key URL without documenting trusted endpoints or secure key handling. Recommendation: before use, require explicit user confirmations for each attachment, document and verify the exact service endpoints and owner, provide secure key-storage guidance, add warnings about u

This package will execute its bundled index.js during installation. Given the package name and description explicitly describing backdoor/persistence behavior, treat this as malicious. Do not install. Inspect the contents of index.js in a safe environment (offline/sandbox) if analysis is required, and if this was installed on production/self-hosted CI, assume compromise and perform incident response (rotate credentials, rebuild runners, check for persistence mechanisms and network egress).

This script is a high-risk launcher: it unconditionally fetches Python code from a hardcoded remote repo and executes it locally via a shell-invoked Python process while passing unsanitized user inputs directly into the shell command. Even if the upstream repository is currently benign, the pattern enables trivial supply-chain compromise and shell injection. Mitigations: remove runtime download-and-exec; if fetching is necessary, pin and verify cryptographic hashes or signatures, validate content, avoid os.system (use subprocess with argument lists or importlib), sanitize inputs, and add error handling and logging. Treat this module as unsafe in security-sensitive environments until hardened.

The code exhibits suspicious behavior, including sending potentially sensitive data to external servers and managing cryptocurrency transactions with obfuscated keys. This raises significant security concerns.

Live on npm for 90 days, 17 hours and 58 minutes before removal. Socket users were protected even while the package was live.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This source file implements a network pivot/listener component of the Sliver implant framework, enabling encrypted peer-to-peer pivoting and forwarding of protobuf-based C2 envelopes. Behavior is consistent with a remote control implant component and therefore presents high security risk in most benign deployment contexts (it is explicitly an implant/C2 artifact). The code itself does not show obfuscation or obvious credential harvesting beyond normal C2 functionality, but it forwards potentially arbitrary data upstream and downstream which can be used for command-and-control and data exfiltration. Use of this code in a project should be considered malicious unless the package is intentionally used in an offensive security context with appropriate authorization.

This module reads the user's SSH private key from ~/.ssh/id_rsa, base64-encodes it, and transmits it in a custom HTTP header to api.github.com. This is direct credential exfiltration and constitutes malicious behavior. The package should be treated as compromised/malicious, removed, and investigated; any keys present should be assumed leaked and rotated immediately.

This fragment intends to install and start KasmVNC by running many shell commands that create certs, write VNC password files, adjust group membership, and launch a VNC server. The primary security issues are unsafe shell interpolation (command injection risk), programmatic persistence of a possibly predictable password, execution with sudo based on unvalidated env vars, starting a VNC server exposed on 0.0.0.0 with disabled/basic auth, and multiple unsafe filesystem operations performed via shell. There is no clear evidence of obfuscated or direct exfiltration malware, but the behavior can provide an unauthorized remote access vector (backdoor-like) if used maliciously. Do not run this code without fixing shell usage, validating inputs, using secure randomly generated passwords, enforcing proper file permissions, and not disabling authentication.

This file is a legitimate-looking destructive cleanup script for removing AWS Landing Zone resources across an AWS Organization. It contains no signs of data-exfiltration, obfuscation, or third-party command-and-control. However, it performs many high-impact destructive AWS operations (deleting stacks, buckets, StackSets, moving accounts, deleting OUs, etc.) and thus is extremely dangerous to run with privileged credentials. Treat as a destructive tool: do not run in production unless you intend to irreversibly remove the listed resources and have backups/approval.

Live on pypi for 4 days and 18 minutes before removal. Socket users were protected even while the package was live.

This file contains malicious code that functions as a backdoor with data exfiltration and remote code execution capabilities. The code systematically collects sensitive system information including all environment variables, platform details, hostname, username, and MAC addresses from network interfaces. This data is then transmitted via HTTP POST request to a suspicious remote server at https://log-server-lovat[.]vercel[.]app/api/ipcheck/703 with a custom header 'x-secret-header: secret'. After sending the collected data, the malware evaluates the server's response as JavaScript code using eval(), enabling arbitrary remote code execution. The code employs obfuscation by hex-encoding critical strings like 'require', 'axios', 'post', and the target URL to evade detection. Error handling is deliberately suppressed to prevent detection of failed operations. This represents a critical supply chain attack vector that compromises system security through both data theft and remote control capabilities.

The code itself is not malicious and contains no obfuscation or hidden backdoors. However, it enables arbitrary code execution from input data, which is a critical security risk if the data source is untrusted. This can lead to full system compromise. There are no mitigating controls or sandboxing. The trivial check for 'toto' in scripts does not provide meaningful protection. The widget should be used only with trusted data or improved with proper sandboxing and security controls.

Live on pypi for 7 hours before removal. Socket users were protected even while the package was live.