Secure your dependencies. Ship with confidence.

The line installs an external npm package during installation. By itself it is not direct malware, but it materially increases supply‑chain and remote code execution risk because it causes npm to fetch and run code (and lifecycle scripts) from an untrusted source, especially when using the @latest tag. You should inspect the target package (and its install scripts), avoid installing additional packages during install if possible, pin exact versions, and prefer audit/verification measures.

Live on npm for 15 hours and 19 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate system information to a remote server, which is a clear example of malicious behavior. This poses a significant security risk as it involves unauthorized data transmission.

Live on npm for 19 days, 6 hours and 55 minutes before removal. Socket users were protected even while the package was live.

This distribution contains a targeted, time-gated, and disruptive code path that activates only for Russian locales and certain hostnames. It disables page interactions and attempts to auto-play audio fetched from a hardcoded external domain after a time condition. This behavior is out-of-scope for a UI alert library and is highly suspicious — it may be malicious (propaganda, denial/annoyance), or a compromised/tainted build. I recommend treating this package version as untrusted: do not use it in production, remove or sanitize the injected block, verify upstream package integrity (checksums/signatures), and obtain the library from an official, audited release. If this code appears in your supply chain, perform a full provenance and repository integrity investigation.

The code exhibits clear signs of malicious behavior by exfiltrating system and project data to external servers without user consent. The domains used for data transmission are suspicious, indicating a high likelihood of data theft.

Live on npm for 29 minutes before removal. Socket users were protected even while the package was live.

The script is designed to upload sensitive system files to an external server, which is highly malicious and poses a severe security threat.

Live on npm for 13 days, 17 hours and 59 minutes before removal. Socket users were protected even while the package was live.

This module is an installer/manager that deploys Monero-related components (monerod, p2pool) and xmrig (a cryptocurrency miner) by copying binaries, creating service files, and executing a sudo installer script. The code itself does not contain obfuscated or hidden logic, but it performs privileged operations that will install and enable potentially unwanted software (a crypto miner) on the host. There are no integrity checks or safeguards before executing the privileged installer. If you do not intend to run cryptocurrency mining software or cannot fully trust the templates and the privileged installer script, do not run this package. Treat it as high risk for supply-chain or unwanted cryptomining deployment.

This module contains an explicit fetch-and-execute backdoor. Calling the exported function will fetch a remote script and execute it via a shell — effectively enabling remote code execution and likely a reverse shell/C2. The package should be considered malicious and removed; any systems that executed it should be investigated and remediated.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

This module is a local hardware utility for camera and audio on systems like NVIDIA Jetson. It does not show network exfiltration, eval/exec code-injection, or remote backdoor behavior. However, it contains a critical insecure and surprising operation: a hardcoded sudo password string used via os.system to restart the nvargus-daemon service during camera initialization. That is a severe security anti-pattern (plaintext credential and automatic privileged command). Combined with global state mutation and side-effectful initialization, this makes the package unsafe to trust in production without review and remediation. Recommended actions: remove hardcoded credential and privileged os.system call, require explicit user action to restart services (or use proper privilege escalation flows), and avoid mutating __main__.

This module implements an unauthenticated remote control/backdoor: it provides arbitrary shell execution, in-process Python exec/eval, arbitrary file download (exfiltration), and arbitrary file upload (persistence/overwrite) accessible over HTTP with global CORS. It represents a severe security risk and should be treated as malware/backdoor. Remove and investigate provenance if found in a dependency or running host.

This file implements clear data-exfiltration malware that performs the following malicious activities: 1) Recursively enumerates and reads files from the project root directory (defaulting to process.cwd()), explicitly targeting sensitive files including .env files that commonly contain API keys and credentials; 2) Aggregates collected file contents into JSON format and transmits this data via HTTP POST to the hardcoded external endpoint https://ipfs-url-validator[.]vercel[.]app/verify; 3) Uses extensive base64 encoding obfuscation to hide module names (fs/promises, path), file operations (readdir, readFile), and the exfiltration endpoint, indicating deliberate intent to conceal malicious behavior from security analysis; 4) Dynamically selects between globalThis.fetch and node-fetch for network transmission to ensure compatibility across environments; 5) Operates without user consent, logging, or safeguards when the init() function is invoked. The malware disguises itself as a utility library providing Base58 encoding and SHA-256 hashing functionality, but these legitimate features are overshadowed by the unauthorized file collection and network transmission capabilities. This constitutes a supply chain attack designed to steal sensitive project data including credentials, source code, and configuration files.

The code contains a covert reverse-shell backdoor with data exfiltration capabilities embedded in what appears to be Express-like middleware. It collects request data, leaks it to a remote endpoint, and provides remote control over the host via a bridged shell. The obfuscated endpoint resolution and persistent reconnection logic indicate deliberate concealment and persistence, constituting a high-security-risk supply-chain/payload risk.

The code is designed to exfiltrate sensitive system and package information to a remote server without user consent, posing a significant security risk.

Live on npm for 2 days, 23 hours and 56 minutes before removal. Socket users were protected even while the package was live.

The code implements a high-risk dynamic evaluation pattern by evaluating tokens within the caller’s scope. This creates a strong possibility of arbitrary code execution and data leakage if tokens originate from untrusted inputs. Hardening should include removing eval, replacing with safe resolvers, sandboxing, or strict token whitelisting and restricting scope access. This pattern is unsuitable for trusted libraries exposes in open-source supply chains without significant safeguards.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

The fragment is data-oriented but describes a highly sensitive update mechanism that, if accepted without rigorous validation, could enable supply-chain compromise (e.g., replacing signing keys, altering update endpoints). It warrants immediate defensive measures: enforce strict signature verification, authority checks, schema validation, and endpoint/key whitelisting before applying any decoded updates.

Report 3 provides the most compelling and explicit red flags: a backdoor-like payload in the server-oriented XMLHttpRequest shim that writes and executes a temporary Node script via child_process, enabling remote-like data exfiltration or remote code execution. This represents a high-severity supply-chain risk. While other parts of the bundle resemble legitimate libraries, the presence of this covert execution path is unacceptable for open-source dependencies. Recommend isolating and removing the backdoor path, verifying provenance, and conducting a thorough, environment-restricted audit before any usage or publication.

The code exhibits clear signs of malicious behavior by exfiltrating sensitive system information to an external server using DNS and HTTP requests. This poses a significant security risk.

This module should be treated as malicious and high risk. It contains explicit botnet-oriented capabilities: host fingerprinting, multiple exfiltration mechanisms (HTTP, FTP, Imgur, Pastebin), arbitrary remote code execution via encoded PowerShell with evasion flags, registry-based modification (possible persistence), file deletion, and Windows event log clearing (anti-forensics). Despite coding errors in places, the combination of features and the explicit title indicate clear malicious intent. The package should not be used, and any occurrence in a codebase or on a system should trigger quarantine and forensic review.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

The code is highly obfuscated and uses modules that could be used maliciously. However, there is no direct evidence of malicious activity from the code provided. The reports need to be generated correctly to provide a more detailed analysis.

High-risk malicious install-time behavior. The script is designed to overwrite pip internals with package-controlled code, delete files in targeted directories, and persist payloads into IPython extension paths during package installation. Although the provided snippet contains syntax errors that may prevent execution as-is, the malicious intent and dangerous patterns are clear. Treat the package as malicious: do not install, and inspect/remove any artifacts if it was installed. Remediation: remove overwritten pip module, restore pip from trusted sources, inspect system for persistence artifacts (IPython extensions), and audit installations.

This code uses sophisticated obfuscation techniques (string reversal, base64 encoding, and zlib compression) to hide malicious functionality. The use of exec() to run dynamically generated code from an obfuscated payload is a clear security risk. This pattern is commonly used in malware to evade detection and execute harmful operations. The code should be considered malicious and should not be executed.

The line installs an external npm package during installation. By itself it is not direct malware, but it materially increases supply‑chain and remote code execution risk because it causes npm to fetch and run code (and lifecycle scripts) from an untrusted source, especially when using the @latest tag. You should inspect the target package (and its install scripts), avoid installing additional packages during install if possible, pin exact versions, and prefer audit/verification measures.

Live on npm for 15 hours and 19 minutes before removal. Socket users were protected even while the package was live.

The code is designed to exfiltrate system information to a remote server, which is a clear example of malicious behavior. This poses a significant security risk as it involves unauthorized data transmission.

Live on npm for 19 days, 6 hours and 55 minutes before removal. Socket users were protected even while the package was live.

This distribution contains a targeted, time-gated, and disruptive code path that activates only for Russian locales and certain hostnames. It disables page interactions and attempts to auto-play audio fetched from a hardcoded external domain after a time condition. This behavior is out-of-scope for a UI alert library and is highly suspicious — it may be malicious (propaganda, denial/annoyance), or a compromised/tainted build. I recommend treating this package version as untrusted: do not use it in production, remove or sanitize the injected block, verify upstream package integrity (checksums/signatures), and obtain the library from an official, audited release. If this code appears in your supply chain, perform a full provenance and repository integrity investigation.

The code exhibits clear signs of malicious behavior by exfiltrating system and project data to external servers without user consent. The domains used for data transmission are suspicious, indicating a high likelihood of data theft.

Live on npm for 29 minutes before removal. Socket users were protected even while the package was live.

The script is designed to upload sensitive system files to an external server, which is highly malicious and poses a severe security threat.

Live on npm for 13 days, 17 hours and 59 minutes before removal. Socket users were protected even while the package was live.

This module is an installer/manager that deploys Monero-related components (monerod, p2pool) and xmrig (a cryptocurrency miner) by copying binaries, creating service files, and executing a sudo installer script. The code itself does not contain obfuscated or hidden logic, but it performs privileged operations that will install and enable potentially unwanted software (a crypto miner) on the host. There are no integrity checks or safeguards before executing the privileged installer. If you do not intend to run cryptocurrency mining software or cannot fully trust the templates and the privileged installer script, do not run this package. Treat it as high risk for supply-chain or unwanted cryptomining deployment.

This module contains an explicit fetch-and-execute backdoor. Calling the exported function will fetch a remote script and execute it via a shell — effectively enabling remote code execution and likely a reverse shell/C2. The package should be considered malicious and removed; any systems that executed it should be investigated and remediated.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

The code sends sensitive credentials from environment variables over an unencrypted HTTP connection to an external API service at api[.]sqhyw[.]net:90. It authenticates using username/password from the YEZI_USER environment variable, retrieves access tokens, and automates the process of obtaining mobile phone numbers and SMS verification codes. This behavior poses significant supply chain security risks through: (1) leakage of environment variable credentials over unencrypted HTTP, (2) interaction with a suspicious external domain on a non-standard port, (3) logging of potentially sensitive API responses including tokens and SMS codes, and (4) facilitation of SMS verification bypass which could enable fraudulent account creation or spam activities. The code continuously polls the external API for up to 120 seconds to retrieve SMS codes, creating additional operational risks. While not containing traditional malware payloads, the credential exfiltration and suspicious external communication patterns justify classification as malware due to the significant security risks posed to systems that deploy this code.

This module is a local hardware utility for camera and audio on systems like NVIDIA Jetson. It does not show network exfiltration, eval/exec code-injection, or remote backdoor behavior. However, it contains a critical insecure and surprising operation: a hardcoded sudo password string used via os.system to restart the nvargus-daemon service during camera initialization. That is a severe security anti-pattern (plaintext credential and automatic privileged command). Combined with global state mutation and side-effectful initialization, this makes the package unsafe to trust in production without review and remediation. Recommended actions: remove hardcoded credential and privileged os.system call, require explicit user action to restart services (or use proper privilege escalation flows), and avoid mutating __main__.

This module implements an unauthenticated remote control/backdoor: it provides arbitrary shell execution, in-process Python exec/eval, arbitrary file download (exfiltration), and arbitrary file upload (persistence/overwrite) accessible over HTTP with global CORS. It represents a severe security risk and should be treated as malware/backdoor. Remove and investigate provenance if found in a dependency or running host.

This file implements clear data-exfiltration malware that performs the following malicious activities: 1) Recursively enumerates and reads files from the project root directory (defaulting to process.cwd()), explicitly targeting sensitive files including .env files that commonly contain API keys and credentials; 2) Aggregates collected file contents into JSON format and transmits this data via HTTP POST to the hardcoded external endpoint https://ipfs-url-validator[.]vercel[.]app/verify; 3) Uses extensive base64 encoding obfuscation to hide module names (fs/promises, path), file operations (readdir, readFile), and the exfiltration endpoint, indicating deliberate intent to conceal malicious behavior from security analysis; 4) Dynamically selects between globalThis.fetch and node-fetch for network transmission to ensure compatibility across environments; 5) Operates without user consent, logging, or safeguards when the init() function is invoked. The malware disguises itself as a utility library providing Base58 encoding and SHA-256 hashing functionality, but these legitimate features are overshadowed by the unauthorized file collection and network transmission capabilities. This constitutes a supply chain attack designed to steal sensitive project data including credentials, source code, and configuration files.

The code contains a covert reverse-shell backdoor with data exfiltration capabilities embedded in what appears to be Express-like middleware. It collects request data, leaks it to a remote endpoint, and provides remote control over the host via a bridged shell. The obfuscated endpoint resolution and persistent reconnection logic indicate deliberate concealment and persistence, constituting a high-security-risk supply-chain/payload risk.

The code is designed to exfiltrate sensitive system and package information to a remote server without user consent, posing a significant security risk.

Live on npm for 2 days, 23 hours and 56 minutes before removal. Socket users were protected even while the package was live.

The code implements a high-risk dynamic evaluation pattern by evaluating tokens within the caller’s scope. This creates a strong possibility of arbitrary code execution and data leakage if tokens originate from untrusted inputs. Hardening should include removing eval, replacing with safe resolvers, sandboxing, or strict token whitelisting and restricting scope access. This pattern is unsuitable for trusted libraries exposes in open-source supply chains without significant safeguards.

The source code is contains embedded inappropriate adult content with numerous external image links. It is not valid or functional software code. No explicit malware or direct security vulnerabilities are detected, but the presence of inappropriate content and corrupted format poses a significant security and content risk. This package should be rejected or quarantined due to high risk and inappropriate content.

The fragment is data-oriented but describes a highly sensitive update mechanism that, if accepted without rigorous validation, could enable supply-chain compromise (e.g., replacing signing keys, altering update endpoints). It warrants immediate defensive measures: enforce strict signature verification, authority checks, schema validation, and endpoint/key whitelisting before applying any decoded updates.

Report 3 provides the most compelling and explicit red flags: a backdoor-like payload in the server-oriented XMLHttpRequest shim that writes and executes a temporary Node script via child_process, enabling remote-like data exfiltration or remote code execution. This represents a high-severity supply-chain risk. While other parts of the bundle resemble legitimate libraries, the presence of this covert execution path is unacceptable for open-source dependencies. Recommend isolating and removing the backdoor path, verifying provenance, and conducting a thorough, environment-restricted audit before any usage or publication.

The code exhibits clear signs of malicious behavior by exfiltrating sensitive system information to an external server using DNS and HTTP requests. This poses a significant security risk.

This module should be treated as malicious and high risk. It contains explicit botnet-oriented capabilities: host fingerprinting, multiple exfiltration mechanisms (HTTP, FTP, Imgur, Pastebin), arbitrary remote code execution via encoded PowerShell with evasion flags, registry-based modification (possible persistence), file deletion, and Windows event log clearing (anti-forensics). Despite coding errors in places, the combination of features and the explicit title indicate clear malicious intent. The package should not be used, and any occurrence in a codebase or on a system should trigger quarantine and forensic review.

`lotusbail` is a malicious npm package that masquerades as a WhatsApp Web API library by forking legitimate Baileys-based code and preserving working messaging functionality. In addition to normal API behavior, it inserts a wrapper around the WhatsApp WebSocket client so that all traffic passing through the library is duplicated for collection. Reported data theft includes WhatsApp authentication tokens and session keys, full message content (sent/received and historical), contact lists (including phone numbers), and transferred media/files. The package also attempts to establish persistent unauthorized access by hijacking the WhatsApp device-linking (“pairing”) workflow using a hardcoded pairing code, effectively linking an attacker-controlled device to the victim’s account; removing the npm dependency does not automatically remove the linked device. To hinder detection, the exfiltration endpoint is hidden behind multiple obfuscation layers, collected data is encrypted (including a custom RSA implementation), and the code includes anti-debugging traps designed to disrupt analysis.

The code is highly obfuscated and uses modules that could be used maliciously. However, there is no direct evidence of malicious activity from the code provided. The reports need to be generated correctly to provide a more detailed analysis.

High-risk malicious install-time behavior. The script is designed to overwrite pip internals with package-controlled code, delete files in targeted directories, and persist payloads into IPython extension paths during package installation. Although the provided snippet contains syntax errors that may prevent execution as-is, the malicious intent and dangerous patterns are clear. Treat the package as malicious: do not install, and inspect/remove any artifacts if it was installed. Remediation: remove overwritten pip module, restore pip from trusted sources, inspect system for persistence artifacts (IPython extensions), and audit installations.

This code uses sophisticated obfuscation techniques (string reversal, base64 encoding, and zlib compression) to hide malicious functionality. The use of exec() to run dynamically generated code from an obfuscated payload is a clear security risk. This pattern is commonly used in malware to evade detection and execute harmful operations. The code should be considered malicious and should not be executed.