Secure your dependencies. Ship with confidence.

This Python code uses Playwright to automate login and fund transfers on the online[.]mtsdengi[.]ru site. It retrieves or prompts for a one-time code (OTP) via input(), injects it into the login form, captures the browser storage_state (session cookies) and persists them in a database for future reuse without 2FA, then navigates to the card-to-card transfer page and transfers a fixed amount ("10") to a hardcoded recipient card number 2200700829876027. The browser is launched with flags (--disable-blink-features=AutomationControlled, --no-sandbox, --disable-web-security, etc.) to evade automation detection and security controls. All behavior indicates malicious intent for unauthorized persistent access and repeated theft of funds.

The fragment is an opaque, binary/packed payload or heavily obfuscated content that cannot be reliably analyzed statically. While this alone does not prove malicious intent, it signals high risk and warrants isolation, request for a readable source or deobfuscated form, and controlled dynamic analysis to determine any harmful behavior or data leakage potential.

Overall assessment: No explicit malware or exfiltration detected in this fragment, but there is a high-risk pattern: executing dynamically supplied code via eval on confirmData from DOM attributes. This creates a potential remote code execution vector if attacker can influence the confirmData source. The rest of the code (fetching icons, CSRF handling, redirects) is standard for UI libraries but can contribute to risk if inputs are not strictly controlled. The primary remediation is to remove eval and replace with a safe, whitelisted parser/handler mechanism for confirm actions.

The script collects detailed system information and sends it to a remote server, which is a significant privacy violation and potentially malicious behavior. This data collection and transmission could be used for unauthorized access or further exploitation.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

[Skill Scanner] Instruction directing agent to run/execute external content SELECTED AND IMPROVED: The OpenProse VM skill fragment is coherent and purpose-aligned for orchestrating Prose VM workflows with multi-state backends and remote program loading. The security notes regarding PostgreSQL credentials are appropriate and should be enforced in implementation (restrict log exposure, use least-privilege credentials, and enable provenance checks for remote programs). No malicious patterns detected in the fragment. Recommend codifying explicit provenance verification, secure logging guidelines, and a minimal permission model in the implementation to further reduce risk. LLM verification: The SKILL.md manifest is not itself malicious: it contains no obfuscated payloads or hardcoded secrets. However, it explicitly permits fetching and executing arbitrary remote .prose programs and provides broad access to project and user-scoped files and network capabilities. That design makes it a high-risk component in a software supply chain: untrusted or compromised remote prose files can perform credential exfiltration, arbitrary network calls, spawn other agents, or manipulate local state.

High-risk obfuscation/supply-chain pattern: this module decrypts an embedded base64 payload at runtime using a secret (likely from environment) and executes it with eval. This prevents static auditing of module behavior, and the module also leaks portions of the decryption password on error. Absent strong provenance (signed ciphertext, verifiable key management) and transparent source, treat this package as untrusted. Do not run in production or on sensitive systems until the decrypted payload and key derivation are inspected in a controlled environment and integrity/authenticity are established.

The code is highly suspicious and likely malicious due to its forced redirection to an external IP-hosted JavaScript file, enabling arbitrary code execution. The existing reports are invalid and provide no useful information. This snippet poses a high security risk and should be treated as malware.

This module provides full remote-control capabilities (file system access, upload/download, arbitrary command execution, process management, directory zipping/exfiltration) over Telegram. Those behaviors match a remote-access/backdoor pattern and pose a high security risk if misused or if access controls are not strictly configured. Only deploy with strong, validated access controls and full understanding of tools.* implementations; otherwise treat as malicious/untrusted.

The code contains several security risks, including uninitialized variables, hardcoded credentials, and the potential for unauthorized access through SSH. Proper validation and error handling are lacking, which could lead to exploitation. The overall risk and malware scores reflect these concerns.

This code is an administrative automation component that deliberately executes arbitrary ServiceNow server-side scripts and manipulates system tables. I found no clear signs of intentionally malicious code (no hardcoded external exfiltration endpoints, no obfuscated payload). However, it exposes powerful sinks: arbitrary script execution, creation of background script records, and storage of script output/trace in sys_properties. The primary security risk is abuse/misconfiguration (e.g., autoConfirm bypass, insufficient RBAC) leading to data theft or destructive changes. Treat this module as high-risk functionality that must be strictly access controlled, audited, and hardened before use.

This file contains an exploit script used to achieve remote code execution by writing arbitrary files and executing commands in the Landray OA sysSearchMain.do component. It leverages reflective code execution and file manipulation to gain control over the target system. Attackers can use this script to compromise servers by sending crafted POST requests to a JSP endpoint, allowing them to upload malicious files or run unauthorized code.

This is a repository mass-update script that clones target repositories, replaces their top-level contents with specified local files, then commits and force-pushes branches and tags. It is not obviously malware by itself (no hidden exfiltration or backdoor code), but it is potentially dangerous: it deletes files, rewrites history with --force pushes, and re-tags/pushes tags. The use of subprocess.run with shell=True and direct interpolation of CLI-provided repo URLs increases the risk of command injection if arguments are attacker-controlled. Treat this script as high-impact and potentially destructive — review intended targets carefully and avoid running with untrusted inputs or on critical repositories.

Live on PyPI for 2 hours and 5 minutes before removal. Socket users were protected even while the package was live.

This fragment implements a persistent alias that shadows a common tool name ('pnpm') and executes a local Python script when invoked. That behavior is high-risk and consistent with trojan/supply-chain persistence. Although the snippet does not show direct exfiltration or a payload, the persistence mechanism is sufficient to enable malicious actions later. Recommend treating this as suspicious: require review of helpers.abs_path() and the referenced 'generate' script before allowing installation, and avoid automatically modifying user shell startup files without explicit, informed consent.

[Skill Scanner] Installation of third-party script detected (AITech 9.1.4) [SC006]

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

This module programmatically harvests the active Colab notebook and copies arbitrary filesystem paths referenced by notebook code into a local collection directory, then attempts to send those files and the provided user email to a hardcoded third-party orchestration server. The behavior constitutes likely intentional data exfiltration and a serious privacy/supply-chain risk. There are no signs of obfuscation or self-evasion, but the hardcoded remote endpoint and unchecked copying of local files make this code dangerous to run in environments containing secrets. Recommend not running this code on sensitive notebooks or machines; treat the package as malicious/untrusted unless the remote operator is explicitly trusted and the implementation corrected/verified.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] Functionally coherent with its stated purpose (managing Azure VMs and AKS with Flux), but contains several high-risk operational behaviors: automatic SSH session recording and central exposure via an API, forwarding of local credentials during bootstrap, and persistence of sensitive tokens in ~/.fops.json. Those features are plausible for convenience and auditing but significantly increase credential and data exposure risk if the fops control plane or storage is not properly secured. No direct evidence of malicious intent or obfuscated malware was found, but the concentration of sensitive data and exposure endpoints warrants cautious use, strict access controls, and review of retention/ACL policies for stored sessions and state. LLM verification: This SKILL.md documents a powerful Azure management skill whose capabilities align with its stated purpose, but it includes several high-risk behaviors for credential and session handling: forwarding local credentials during bootstrap, persisting swarm/manager join tokens in ~/.fops.json, automatic recording of all SSH sessions on every VM, and the ability to push arbitrary local files (e.g., .env) across the fleet. These behaviors are not intrinsically malicious but are disproportionate unless

This module hides and immediately executes an embedded compressed payload via exec() at import time. That behavior is an explicit supply-chain risk: importing the module runs opaque code with full process privileges. While the exact actions of the payload are unknown without decompressing and inspecting it, the construct (opaque blob + import-time exec) is strongly indicative of malicious or at minimum high-risk behavior. Do not use this package in production and decode/audit the payload in an isolated environment before any further use.

Live on PyPI for 3 hours and 20 minutes before removal. Socket users were protected even while the package was live.

The code is heavily obfuscated, uses 'eval', has conditional behavior that could be used to detect runtime environment, and performs operations that are common in legitimate cryptography but could also be used for malicious purposes such as hiding a payload or executing a payload conditionally. Given the evidence, it is likely that the code is intended to be evasive and may be malicious.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

High risk. The package runs an extract-tokens script automatically on install (postinstall) and provides tooling that can harvest tokens and send invites. Combined with screen-capture capability and the suspicious self-dependency, this package is likely to perform credential theft and unsolicited account actions. Do not install on any machine with credentials or sensitive data; inspect the referenced scripts (bin/extract-tokens.js, bin/preinstall.js, bin/start-bot.js, etc.) in a safe, offline environment before considering use.

This script is highly suspicious and potentially malicious. It attempts to exfiltrate sensitive system information and send it to an external endpoint.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.

This code contains multiple high-risk and potentially malicious behaviors: (1) runtime replacement of installed library modules by downloading code from an external GitHub repository (supply-chain tampering), (2) exfiltration of private message contents and user identifiers to the bot owner via the bot token, and (3) destructive shell/file operations and silent runtime package installation. These behaviors enable arbitrary remote code execution and privacy violations and should be treated as a severe security risk. Do not run this module on production or sensitive machines. If executed, inspect and restore overwritten site-packages, rotate any compromised bot tokens/API credentials, and audit the system for additional persistence or changes.

The code is highly likely to be malicious due to its suspicious behavior of gathering sensitive system information and sending it to an external server. Its purpose appears to be system reconnaissance which is a common characteristic of malware. It's strongly advised not to use this code.

Live on npm for 21 days, 5 hours and 37 minutes before removal. Socket users were protected even while the package was live.

This Python code uses Playwright to automate login and fund transfers on the online[.]mtsdengi[.]ru site. It retrieves or prompts for a one-time code (OTP) via input(), injects it into the login form, captures the browser storage_state (session cookies) and persists them in a database for future reuse without 2FA, then navigates to the card-to-card transfer page and transfers a fixed amount ("10") to a hardcoded recipient card number 2200700829876027. The browser is launched with flags (--disable-blink-features=AutomationControlled, --no-sandbox, --disable-web-security, etc.) to evade automation detection and security controls. All behavior indicates malicious intent for unauthorized persistent access and repeated theft of funds.

The fragment is an opaque, binary/packed payload or heavily obfuscated content that cannot be reliably analyzed statically. While this alone does not prove malicious intent, it signals high risk and warrants isolation, request for a readable source or deobfuscated form, and controlled dynamic analysis to determine any harmful behavior or data leakage potential.

Overall assessment: No explicit malware or exfiltration detected in this fragment, but there is a high-risk pattern: executing dynamically supplied code via eval on confirmData from DOM attributes. This creates a potential remote code execution vector if attacker can influence the confirmData source. The rest of the code (fetching icons, CSRF handling, redirects) is standard for UI libraries but can contribute to risk if inputs are not strictly controlled. The primary remediation is to remove eval and replace with a safe, whitelisted parser/handler mechanism for confirm actions.

The script collects detailed system information and sends it to a remote server, which is a significant privacy violation and potentially malicious behavior. This data collection and transmission could be used for unauthorized access or further exploitation.

Live on npm for 3 minutes before removal. Socket users were protected even while the package was live.

[Skill Scanner] Instruction directing agent to run/execute external content SELECTED AND IMPROVED: The OpenProse VM skill fragment is coherent and purpose-aligned for orchestrating Prose VM workflows with multi-state backends and remote program loading. The security notes regarding PostgreSQL credentials are appropriate and should be enforced in implementation (restrict log exposure, use least-privilege credentials, and enable provenance checks for remote programs). No malicious patterns detected in the fragment. Recommend codifying explicit provenance verification, secure logging guidelines, and a minimal permission model in the implementation to further reduce risk. LLM verification: The SKILL.md manifest is not itself malicious: it contains no obfuscated payloads or hardcoded secrets. However, it explicitly permits fetching and executing arbitrary remote .prose programs and provides broad access to project and user-scoped files and network capabilities. That design makes it a high-risk component in a software supply chain: untrusted or compromised remote prose files can perform credential exfiltration, arbitrary network calls, spawn other agents, or manipulate local state.

High-risk obfuscation/supply-chain pattern: this module decrypts an embedded base64 payload at runtime using a secret (likely from environment) and executes it with eval. This prevents static auditing of module behavior, and the module also leaks portions of the decryption password on error. Absent strong provenance (signed ciphertext, verifiable key management) and transparent source, treat this package as untrusted. Do not run in production or on sensitive systems until the decrypted payload and key derivation are inspected in a controlled environment and integrity/authenticity are established.

The code is highly suspicious and likely malicious due to its forced redirection to an external IP-hosted JavaScript file, enabling arbitrary code execution. The existing reports are invalid and provide no useful information. This snippet poses a high security risk and should be treated as malware.

This module provides full remote-control capabilities (file system access, upload/download, arbitrary command execution, process management, directory zipping/exfiltration) over Telegram. Those behaviors match a remote-access/backdoor pattern and pose a high security risk if misused or if access controls are not strictly configured. Only deploy with strong, validated access controls and full understanding of tools.* implementations; otherwise treat as malicious/untrusted.

The code contains several security risks, including uninitialized variables, hardcoded credentials, and the potential for unauthorized access through SSH. Proper validation and error handling are lacking, which could lead to exploitation. The overall risk and malware scores reflect these concerns.

This code is an administrative automation component that deliberately executes arbitrary ServiceNow server-side scripts and manipulates system tables. I found no clear signs of intentionally malicious code (no hardcoded external exfiltration endpoints, no obfuscated payload). However, it exposes powerful sinks: arbitrary script execution, creation of background script records, and storage of script output/trace in sys_properties. The primary security risk is abuse/misconfiguration (e.g., autoConfirm bypass, insufficient RBAC) leading to data theft or destructive changes. Treat this module as high-risk functionality that must be strictly access controlled, audited, and hardened before use.

This file contains an exploit script used to achieve remote code execution by writing arbitrary files and executing commands in the Landray OA sysSearchMain.do component. It leverages reflective code execution and file manipulation to gain control over the target system. Attackers can use this script to compromise servers by sending crafted POST requests to a JSP endpoint, allowing them to upload malicious files or run unauthorized code.

This is a repository mass-update script that clones target repositories, replaces their top-level contents with specified local files, then commits and force-pushes branches and tags. It is not obviously malware by itself (no hidden exfiltration or backdoor code), but it is potentially dangerous: it deletes files, rewrites history with --force pushes, and re-tags/pushes tags. The use of subprocess.run with shell=True and direct interpolation of CLI-provided repo URLs increases the risk of command injection if arguments are attacker-controlled. Treat this script as high-impact and potentially destructive — review intended targets carefully and avoid running with untrusted inputs or on critical repositories.

Live on PyPI for 2 hours and 5 minutes before removal. Socket users were protected even while the package was live.

This fragment implements a persistent alias that shadows a common tool name ('pnpm') and executes a local Python script when invoked. That behavior is high-risk and consistent with trojan/supply-chain persistence. Although the snippet does not show direct exfiltration or a payload, the persistence mechanism is sufficient to enable malicious actions later. Recommend treating this as suspicious: require review of helpers.abs_path() and the referenced 'generate' script before allowing installation, and avoid automatically modifying user shell startup files without explicit, informed consent.

[Skill Scanner] Installation of third-party script detected (AITech 9.1.4) [SC006]

Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package

Live on npm for 36 minutes before removal. Socket users were protected even while the package was live.

This code poses a serious security risk and should not be used.

Live on npm for 9 minutes before removal. Socket users were protected even while the package was live.

This module programmatically harvests the active Colab notebook and copies arbitrary filesystem paths referenced by notebook code into a local collection directory, then attempts to send those files and the provided user email to a hardcoded third-party orchestration server. The behavior constitutes likely intentional data exfiltration and a serious privacy/supply-chain risk. There are no signs of obfuscation or self-evasion, but the hardcoded remote endpoint and unchecked copying of local files make this code dangerous to run in environments containing secrets. Recommend not running this code on sensitive notebooks or machines; treat the package as malicious/untrusted unless the remote operator is explicitly trusted and the implementation corrected/verified.

[Skill Scanner] Installation of third-party script detected All findings: [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] [HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3] Functionally coherent with its stated purpose (managing Azure VMs and AKS with Flux), but contains several high-risk operational behaviors: automatic SSH session recording and central exposure via an API, forwarding of local credentials during bootstrap, and persistence of sensitive tokens in ~/.fops.json. Those features are plausible for convenience and auditing but significantly increase credential and data exposure risk if the fops control plane or storage is not properly secured. No direct evidence of malicious intent or obfuscated malware was found, but the concentration of sensitive data and exposure endpoints warrants cautious use, strict access controls, and review of retention/ACL policies for stored sessions and state. LLM verification: This SKILL.md documents a powerful Azure management skill whose capabilities align with its stated purpose, but it includes several high-risk behaviors for credential and session handling: forwarding local credentials during bootstrap, persisting swarm/manager join tokens in ~/.fops.json, automatic recording of all SSH sessions on every VM, and the ability to push arbitrary local files (e.g., .env) across the fleet. These behaviors are not intrinsically malicious but are disproportionate unless

This module hides and immediately executes an embedded compressed payload via exec() at import time. That behavior is an explicit supply-chain risk: importing the module runs opaque code with full process privileges. While the exact actions of the payload are unknown without decompressing and inspecting it, the construct (opaque blob + import-time exec) is strongly indicative of malicious or at minimum high-risk behavior. Do not use this package in production and decode/audit the payload in an isolated environment before any further use.

Live on PyPI for 3 hours and 20 minutes before removal. Socket users were protected even while the package was live.

The code is heavily obfuscated, uses 'eval', has conditional behavior that could be used to detect runtime environment, and performs operations that are common in legitimate cryptography but could also be used for malicious purposes such as hiding a payload or executing a payload conditionally. Given the evidence, it is likely that the code is intended to be evasive and may be malicious.

Live on npm for 4 minutes before removal. Socket users were protected even while the package was live.

The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.

High risk. The package runs an extract-tokens script automatically on install (postinstall) and provides tooling that can harvest tokens and send invites. Combined with screen-capture capability and the suspicious self-dependency, this package is likely to perform credential theft and unsolicited account actions. Do not install on any machine with credentials or sensitive data; inspect the referenced scripts (bin/extract-tokens.js, bin/preinstall.js, bin/start-bot.js, etc.) in a safe, offline environment before considering use.

This script is highly suspicious and potentially malicious. It attempts to exfiltrate sensitive system information and send it to an external endpoint.

Live on npm for 43 minutes before removal. Socket users were protected even while the package was live.

This code contains multiple high-risk and potentially malicious behaviors: (1) runtime replacement of installed library modules by downloading code from an external GitHub repository (supply-chain tampering), (2) exfiltration of private message contents and user identifiers to the bot owner via the bot token, and (3) destructive shell/file operations and silent runtime package installation. These behaviors enable arbitrary remote code execution and privacy violations and should be treated as a severe security risk. Do not run this module on production or sensitive machines. If executed, inspect and restore overwritten site-packages, rotate any compromised bot tokens/API credentials, and audit the system for additional persistence or changes.

The code is highly likely to be malicious due to its suspicious behavior of gathering sensitive system information and sending it to an external server. Its purpose appears to be system reconnaissance which is a common characteristic of malware. It's strongly advised not to use this code.

Live on npm for 21 days, 5 hours and 37 minutes before removal. Socket users were protected even while the package was live.