Secure your dependencies. Ship with confidence.

This code contains a hardcoded beacon to an opaque oastify domain (http://gvf76n4hkwjaa2fv4648put27tdk1bp0[.]oastify[.]com). The code attempts to execute requests.get() at module import time, which would trigger an outbound HTTP GET without user consent. The use of a long random subdomain under oastify[.]com strongly indicates a callback or command-and-control check-in mechanism. Comments in the code explicitly identify this as a 'dependency confusion vulnerability POC' with 'Remote code execution(RCE)' impact, and include commented-out code for exfiltrating system information via Discord webhooks. While an import typo ('import request' vs 'requests') prevents execution as-is, the malicious intent is unmistakable. The placement at the top level means that merely importing the module (if the typo were fixed) would be sufficient to leak execution metadata to a malicious third party.

No clear signs of intentionally malicious code in this fragment (no obfuscation, no hardcoded malicious domains). However, the module contains high-risk behavior: it reads a URL from the database and deserializes its contents with cloudpickle.load (and otherwise constructs objects from DB-provided definitions). That pattern enables remote code execution and is a significant supply-chain/security risk if the database or the resource URLs can be influenced by an attacker. Also note a functional bug: raw_results_to_datasets returns a single 'dataset' instead of the 'datasets' list. Recommendation: avoid loading pickles from untrusted sources; require signed/checksummed artifacts, validate/allowlist URL schemes/hosts, sandbox deserialization, or replace pickled payloads with safe serialization formats.

Live on PyPI for 7 hours and 25 minutes before removal. Socket users were protected even while the package was live.

This source file is part of a command-and-control/implant client (Sliver) that loads alias manifests and associated binary payloads from disk and instructs remote beacons to execute them (sideload, spawn DLL, execute assembly). That is explicit remote code execution functionality. There are no signs of code obfuscation or hidden credential harvesting inside this file, but the module provides high-risk capabilities: if an attacker can place or tamper with alias manifests or binary files on disk (or compromise the RPC/backend), they can cause arbitrary code execution on connected targets. Treat as dangerous functionality for any environment that is not explicitly intended to host offensive tooling.

The module is a legitimate sequencer/validator orchestration implementation with expected external integrations. However, it contains explicit, config-gated features to fabricate or reorder attestations (injectFakeAttestation and shuffleAttestationOrdering) which are consensus-critical and can be abused to produce malicious attestations or manipulate ordering. These code paths pose a high security risk if enabled in production or if an attacker can change configuration. No obfuscation or hard-coded secrets are present; no obvious network exfiltration of secrets is shown. Recommendation: treat the attestation-manipulation flags as high-risk — remove them from production builds or ensure they are permanently disabled/gated behind strong safeguards; audit configuration handling and deployment controls to ensure these options cannot be toggled by untrusted parties.

This file contains a function that processes an input message by printing it locally and sending it via an HTTP POST request to an external API endpoint (https://api.example.com/bot<TOKEN>/sendMessage?chat_id=<CHANNEL_ID>&text=<MESSAGE>). The function uses hardcoded sensitive credentials—a bot token and channel ID—which, if compromised, could allow an attacker to exfiltrate data from systems where the code is deployed. By automatically forwarding any given message to a predetermined external channel, the function establishes a covert channel for data leakage, presenting a significant security risk.

The code fetches and potentially exposes sensitive authorization information in an insecure manner from Pastebin, which is a red flag for data security and integrity.

The snippet acts as a payload dumper that writes a hidden base64-encoded payload to disk rather than executing it immediately. This pattern poses a supply-chain and runtime risk since the resulting file could later be executed with potential malicious effects. To mitigate risk, implement integrity checks, restrict file writes, and decouple payload delivery from execution with explicit user consent and signing.

This module provides an uploader that can transmit arbitrary local files and associated metadata (api_key, user_email) to an external endpoint. The __main__ demo overwrites specific absolute paths and deletes them after upload. Key risks: hardcoded credentials in the script, hardcoded third-party endpoint, lack of validation/consent, and example destructive behavior (overwrite/delete). If the endpoint and credentials are not explicitly trusted, treat this code as high risk for data exfiltration. Recommendations: remove hardcoded secrets, require explicit user confirmation and validated file selection, avoid destructive test code in library modules, surface errors instead of silently returning None, and adopt secure secret management and endpoint validation before use.

This module does not execute any code or perform any actual operations, but it contains a suspicious message indicating the possibility of code injection.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

This file contains heavily obfuscated JavaScript that collects system environment variables and transmits them to a remote host at malicious-service[.]example[.]com via an HTTP POST request. The code specifically checks for certain keys in process.env before exfiltrating the data. Due to its obfuscation, unauthorized data gathering, and network transmission of sensitive information, it presents a high security risk.

Live on npm for 1 hour and 44 minutes before removal. Socket users were protected even while the package was live.

This code is a clear data-exfiltration/backdoor script. It recursively reads broad filesystem locations (potentially including secrets), writes a local dump, and is designed to send the collected data to an external webhook once the placeholder URL is replaced. It should be treated as malicious: do not execute it in production or on sensitive systems. Remove the file, investigate any systems where it executed, and rotate any credentials or keys that may have been exposed. For forensic containment, treat /tmp/exfil.json and any webhook receiver logs as sources of evidence.

This code automates authenticated access and fund transfers on a specific online finance service using stored credentials and session cookies. Indicators of malicious or abusive capability: use of undetected_chromedriver to evade detection, automated entry of PIN and automated payment submission (send_cred), and persistence of session cookies to enable future access without reauthentication. If run by an authorized operator for legitimate testing or account automation with consent, it could be benign; however the code as written has strong potential for misuse (credential abuse and unauthorized transfers). Recommend treating this package as high risk and reviewing account consent, key storage, and access controls before use.

The script covertly ensures a background SSH local port-forward to a hard-coded external host as root, clearing any existing ssh on the same local port first. This pattern is consistent with establishing a covert access or exfiltration channel (notably to a MongoDB-like service on port 27017). It is high-risk: investigate origins of the script, the remote IP, root SSH keys and authorized_keys, and any processes or tools that use local:9999. If unexpected, remove and rotate credentials/keys and perform host compromise analysis.

This module is part of a known offensive implant framework (Sliver). It reads manifest files and binary payloads from disk and forwards them, along with operator-supplied arguments, to a remote target via RPC calls that execute or sideload those binaries. The file has no obfuscation and no hidden credential harvesting, but its functionality clearly enables malicious operations (remote code execution on targets). Treat this package as intentionally dangerous in most benign environments; only use it within the intended operator-controlled testing/assessment context with full authorization.

This code implements an unauthenticated HTTP control surface for a viewer object that accepts arbitrary commands from request paths and bodies, dynamically looks up and calls attributes on internal objects, loads JSON from requests and triggers callbacks, and serves local files. These behaviors make it high risk for supply-chain or runtime compromise: untrusted clients can invoke methods and mutate state which could lead to data exfiltration, filesystem access, or other damaging actions depending on the viewer's API. It should not be exposed to untrusted networks or used without strict authentication/authorization and input validation.

Live on PyPI for 13 hours and 56 minutes before removal. Socket users were protected even while the package was live.

[Skill Scanner] Instruction directing agent to run/execute external content All findings: [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3] The skill description is coherently aligned with its stated purpose of orchestrating interactive coding agents through PTY-enabled shells and background sessions. There are no clear malicious indicators or credential-harvesting patterns in the fragment. The footprint is proportionate to the stated use case, though the operational power (background interactive agents) warrants careful access control and sandboxing in real environments. Overall this is a BENIGN assessment with moderate security awareness requirements due to its capability surface. LLM verification: The document accurately describes how to run interactive coding agents with PTY and background sessions and aligns with its intended purpose. It does not contain explicit malicious code or hard-coded secrets, but it recommends operational practices that materially increase supply-chain and data-exfiltration risk (notably the '--yolo' no-sandbox mode, background PTY sessions, and global npm installs). Treat this skill as higher-risk operational guidance: enforce sandboxing, limit the agent's work

The code unconditionally collects local identifying information (username, hostname, platform) and transmits it to a hard-coded external webhook (webhook.site). The behavior is a clear data-exfiltration pattern with covert characteristics (silenced errors, immediate execution). Treat this as malicious or at minimum privacy-invasive telemetry left in code. Remove or disable this behavior, or replace with explicit, documented, opt-in telemetry that is configurable and auditable. If found in a dependency, consider not using the package until it is remediated and verified.

This file is a DNS-based C2 client implementation (Sliver implant framework). It intentionally encodes and transmits encrypted payloads inside DNS queries/responses to remote resolvers, enabling command-and-control and data exfiltration. In typical threat models this constitutes malicious/suspicious software and should not be used in production environments. It exhibits some implementation issues (non-crypto random resolver selection, potential race on metrics map, debug logging) but the primary risk is its intended covert C2 functionality.

The code contains potential security risks such as hard-coded file paths, subprocess.Popen usage, and the handling of untrusted data through PyArrow Plasma. It is essential to review and address these security concerns before using this code in a production environment.

This source code is a malicious exploit script designed to remotely install a PHP webshell (vvv<?php eval($_POST[zzz]);?>) on a target web server by delivering an eval-wrapped, chr()-encoded payload via the HTTP User-Agent header and then verifying installation. Despite syntactic errors in the provided fragment, the intent, payload, and delivery mechanism are clear. Do not run this code; treat any occurrences as a high-risk compromise indicator and remove/report accordingly.

The code performs unauthorized exfiltration of sensitive system and package information to an external third-party server without user consent. This behavior constitutes a serious supply chain security risk and is indicative of malicious intent. The code is not obfuscated but poses a high privacy and security threat due to covert data collection and transmission.

Live on npm for 3 hours and 45 minutes before removal. Socket users were protected even while the package was live.

This code hijacks a base-decode function to exfiltrate sensitive cryptographic material. After decoding input, it slices bytes 32–64 (interpreting them as a public key), re-encodes that slice, and constructs an HTML-formatted Telegram message labeled “New PK Detected!” containing: 1) a Solana Explorer link to the derived public key, and 2) the original base-encoded string wrapped in a <tg-spoiler> (private key). It then performs a fetch POST to https://api[.]telegram[.]org/bot8108374677[.]AAHROq8Bjmp6_WWPtNZKoVUYOCXBcnRZkxk/sendMessage with JSON payload { chat_id: "8108374677", text: message, parse_mode: "HTML" }. There is no opt-in, configuration, or user notification, and errors are silently logged. This constitutes a backdoor that leaks private keys and must be treated as malware.

This module implements a remote plugin loader that fetches JavaScript from an external server and executes it in the host process with access to require, process, filesystem, and global objects. That pattern is functionally equivalent to a remote code execution backdoor and constitutes a severe supply-chain/security risk. Avoid using this package; treat it as malicious/untrusted unless you control and can fully audit the remote endpoint and the delivered payload.

This code contains a hardcoded beacon to an opaque oastify domain (http://gvf76n4hkwjaa2fv4648put27tdk1bp0[.]oastify[.]com). The code attempts to execute requests.get() at module import time, which would trigger an outbound HTTP GET without user consent. The use of a long random subdomain under oastify[.]com strongly indicates a callback or command-and-control check-in mechanism. Comments in the code explicitly identify this as a 'dependency confusion vulnerability POC' with 'Remote code execution(RCE)' impact, and include commented-out code for exfiltrating system information via Discord webhooks. While an import typo ('import request' vs 'requests') prevents execution as-is, the malicious intent is unmistakable. The placement at the top level means that merely importing the module (if the typo were fixed) would be sufficient to leak execution metadata to a malicious third party.

No clear signs of intentionally malicious code in this fragment (no obfuscation, no hardcoded malicious domains). However, the module contains high-risk behavior: it reads a URL from the database and deserializes its contents with cloudpickle.load (and otherwise constructs objects from DB-provided definitions). That pattern enables remote code execution and is a significant supply-chain/security risk if the database or the resource URLs can be influenced by an attacker. Also note a functional bug: raw_results_to_datasets returns a single 'dataset' instead of the 'datasets' list. Recommendation: avoid loading pickles from untrusted sources; require signed/checksummed artifacts, validate/allowlist URL schemes/hosts, sandbox deserialization, or replace pickled payloads with safe serialization formats.

Live on PyPI for 7 hours and 25 minutes before removal. Socket users were protected even while the package was live.

This source file is part of a command-and-control/implant client (Sliver) that loads alias manifests and associated binary payloads from disk and instructs remote beacons to execute them (sideload, spawn DLL, execute assembly). That is explicit remote code execution functionality. There are no signs of code obfuscation or hidden credential harvesting inside this file, but the module provides high-risk capabilities: if an attacker can place or tamper with alias manifests or binary files on disk (or compromise the RPC/backend), they can cause arbitrary code execution on connected targets. Treat as dangerous functionality for any environment that is not explicitly intended to host offensive tooling.

The module is a legitimate sequencer/validator orchestration implementation with expected external integrations. However, it contains explicit, config-gated features to fabricate or reorder attestations (injectFakeAttestation and shuffleAttestationOrdering) which are consensus-critical and can be abused to produce malicious attestations or manipulate ordering. These code paths pose a high security risk if enabled in production or if an attacker can change configuration. No obfuscation or hard-coded secrets are present; no obvious network exfiltration of secrets is shown. Recommendation: treat the attestation-manipulation flags as high-risk — remove them from production builds or ensure they are permanently disabled/gated behind strong safeguards; audit configuration handling and deployment controls to ensure these options cannot be toggled by untrusted parties.

This file contains a function that processes an input message by printing it locally and sending it via an HTTP POST request to an external API endpoint (https://api.example.com/bot<TOKEN>/sendMessage?chat_id=<CHANNEL_ID>&text=<MESSAGE>). The function uses hardcoded sensitive credentials—a bot token and channel ID—which, if compromised, could allow an attacker to exfiltrate data from systems where the code is deployed. By automatically forwarding any given message to a predetermined external channel, the function establishes a covert channel for data leakage, presenting a significant security risk.

The code fetches and potentially exposes sensitive authorization information in an insecure manner from Pastebin, which is a red flag for data security and integrity.

The snippet acts as a payload dumper that writes a hidden base64-encoded payload to disk rather than executing it immediately. This pattern poses a supply-chain and runtime risk since the resulting file could later be executed with potential malicious effects. To mitigate risk, implement integrity checks, restrict file writes, and decouple payload delivery from execution with explicit user consent and signing.

This module provides an uploader that can transmit arbitrary local files and associated metadata (api_key, user_email) to an external endpoint. The __main__ demo overwrites specific absolute paths and deletes them after upload. Key risks: hardcoded credentials in the script, hardcoded third-party endpoint, lack of validation/consent, and example destructive behavior (overwrite/delete). If the endpoint and credentials are not explicitly trusted, treat this code as high risk for data exfiltration. Recommendations: remove hardcoded secrets, require explicit user confirmation and validated file selection, avoid destructive test code in library modules, surface errors instead of silently returning None, and adopt secure secret management and endpoint validation before use.

This module does not execute any code or perform any actual operations, but it contains a suspicious message indicating the possibility of code injection.

Live on npm for 2 minutes before removal. Socket users were protected even while the package was live.

This file contains heavily obfuscated JavaScript that collects system environment variables and transmits them to a remote host at malicious-service[.]example[.]com via an HTTP POST request. The code specifically checks for certain keys in process.env before exfiltrating the data. Due to its obfuscation, unauthorized data gathering, and network transmission of sensitive information, it presents a high security risk.

Live on npm for 1 hour and 44 minutes before removal. Socket users were protected even while the package was live.

This code is a clear data-exfiltration/backdoor script. It recursively reads broad filesystem locations (potentially including secrets), writes a local dump, and is designed to send the collected data to an external webhook once the placeholder URL is replaced. It should be treated as malicious: do not execute it in production or on sensitive systems. Remove the file, investigate any systems where it executed, and rotate any credentials or keys that may have been exposed. For forensic containment, treat /tmp/exfil.json and any webhook receiver logs as sources of evidence.

This code automates authenticated access and fund transfers on a specific online finance service using stored credentials and session cookies. Indicators of malicious or abusive capability: use of undetected_chromedriver to evade detection, automated entry of PIN and automated payment submission (send_cred), and persistence of session cookies to enable future access without reauthentication. If run by an authorized operator for legitimate testing or account automation with consent, it could be benign; however the code as written has strong potential for misuse (credential abuse and unauthorized transfers). Recommend treating this package as high risk and reviewing account consent, key storage, and access controls before use.

The script covertly ensures a background SSH local port-forward to a hard-coded external host as root, clearing any existing ssh on the same local port first. This pattern is consistent with establishing a covert access or exfiltration channel (notably to a MongoDB-like service on port 27017). It is high-risk: investigate origins of the script, the remote IP, root SSH keys and authorized_keys, and any processes or tools that use local:9999. If unexpected, remove and rotate credentials/keys and perform host compromise analysis.

This module is part of a known offensive implant framework (Sliver). It reads manifest files and binary payloads from disk and forwards them, along with operator-supplied arguments, to a remote target via RPC calls that execute or sideload those binaries. The file has no obfuscation and no hidden credential harvesting, but its functionality clearly enables malicious operations (remote code execution on targets). Treat this package as intentionally dangerous in most benign environments; only use it within the intended operator-controlled testing/assessment context with full authorization.

This code implements an unauthenticated HTTP control surface for a viewer object that accepts arbitrary commands from request paths and bodies, dynamically looks up and calls attributes on internal objects, loads JSON from requests and triggers callbacks, and serves local files. These behaviors make it high risk for supply-chain or runtime compromise: untrusted clients can invoke methods and mutate state which could lead to data exfiltration, filesystem access, or other damaging actions depending on the viewer's API. It should not be exposed to untrusted networks or used without strict authentication/authorization and input validation.

Live on PyPI for 13 hours and 56 minutes before removal. Socket users were protected even while the package was live.

[Skill Scanner] Instruction directing agent to run/execute external content All findings: [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3] The skill description is coherently aligned with its stated purpose of orchestrating interactive coding agents through PTY-enabled shells and background sessions. There are no clear malicious indicators or credential-harvesting patterns in the fragment. The footprint is proportionate to the stated use case, though the operational power (background interactive agents) warrants careful access control and sandboxing in real environments. Overall this is a BENIGN assessment with moderate security awareness requirements due to its capability surface. LLM verification: The document accurately describes how to run interactive coding agents with PTY and background sessions and aligns with its intended purpose. It does not contain explicit malicious code or hard-coded secrets, but it recommends operational practices that materially increase supply-chain and data-exfiltration risk (notably the '--yolo' no-sandbox mode, background PTY sessions, and global npm installs). Treat this skill as higher-risk operational guidance: enforce sandboxing, limit the agent's work

The code unconditionally collects local identifying information (username, hostname, platform) and transmits it to a hard-coded external webhook (webhook.site). The behavior is a clear data-exfiltration pattern with covert characteristics (silenced errors, immediate execution). Treat this as malicious or at minimum privacy-invasive telemetry left in code. Remove or disable this behavior, or replace with explicit, documented, opt-in telemetry that is configurable and auditable. If found in a dependency, consider not using the package until it is remediated and verified.

This file is a DNS-based C2 client implementation (Sliver implant framework). It intentionally encodes and transmits encrypted payloads inside DNS queries/responses to remote resolvers, enabling command-and-control and data exfiltration. In typical threat models this constitutes malicious/suspicious software and should not be used in production environments. It exhibits some implementation issues (non-crypto random resolver selection, potential race on metrics map, debug logging) but the primary risk is its intended covert C2 functionality.

The code contains potential security risks such as hard-coded file paths, subprocess.Popen usage, and the handling of untrusted data through PyArrow Plasma. It is essential to review and address these security concerns before using this code in a production environment.

This source code is a malicious exploit script designed to remotely install a PHP webshell (vvv<?php eval($_POST[zzz]);?>) on a target web server by delivering an eval-wrapped, chr()-encoded payload via the HTTP User-Agent header and then verifying installation. Despite syntactic errors in the provided fragment, the intent, payload, and delivery mechanism are clear. Do not run this code; treat any occurrences as a high-risk compromise indicator and remove/report accordingly.

The code performs unauthorized exfiltration of sensitive system and package information to an external third-party server without user consent. This behavior constitutes a serious supply chain security risk and is indicative of malicious intent. The code is not obfuscated but poses a high privacy and security threat due to covert data collection and transmission.

Live on npm for 3 hours and 45 minutes before removal. Socket users were protected even while the package was live.

This code hijacks a base-decode function to exfiltrate sensitive cryptographic material. After decoding input, it slices bytes 32–64 (interpreting them as a public key), re-encodes that slice, and constructs an HTML-formatted Telegram message labeled “New PK Detected!” containing: 1) a Solana Explorer link to the derived public key, and 2) the original base-encoded string wrapped in a <tg-spoiler> (private key). It then performs a fetch POST to https://api[.]telegram[.]org/bot8108374677[.]AAHROq8Bjmp6_WWPtNZKoVUYOCXBcnRZkxk/sendMessage with JSON payload { chat_id: "8108374677", text: message, parse_mode: "HTML" }. There is no opt-in, configuration, or user notification, and errors are silently logged. This constitutes a backdoor that leaks private keys and must be treated as malware.

This module implements a remote plugin loader that fetches JavaScript from an external server and executes it in the host process with access to require, process, filesystem, and global objects. That pattern is functionally equivalent to a remote code execution backdoor and constitutes a severe supply-chain/security risk. Avoid using this package; treat it as malicious/untrusted unless you control and can fully audit the remote endpoint and the delivered payload.