Did you mean: bindepend

From: requirements.txt → pypi/bindepend@0.1

ℹ Read more on: This package | This alert | What is a typosquat?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/bindepend@0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Did you mean: openapi-~~client-~~generator**-cli**

From: requirements.txt → pypi/openapi-client-generator@1.0.13

ℹ Read more on: This package | This alert | What is a typosquat?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/openapi-client-generator@1.0.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Did you mean: pyfirebase4

From: requirements.txt → pypi/pyrebase4@4.8.0

ℹ Read more on: This package | This alert | What is a typosquat?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/pyrebase4@4.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Note: Malicious code in runwifi (PyPI)

From: requirements.txt → pypi/runwifi@3.8.5.1

ℹ Read more on: This package | This alert | What is known malware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: It is strongly recommended that malware is removed from your codebase.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/runwifi@3.8.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Note: The source code is designed to perform unauthorized data exfiltration. It recursively scans the local filesystem for files (excluding files ending with .zip) and sends each file to an external service by making HTTP POST requests to https://api[.]telegram[.]org. Additionally, it retrieves system information such as the hostname and IP address using socket.gethostname() and socket.gethostbyname(), and sends this data to the same external endpoint. The use of hardcoded credentials (a Telegram bot token and chat ID) significantly increases the risk of unauthorized data access and control.

From: requirements.txt → pypi/runwifi@3.8.5.1

ℹ Read more on: This package | This alert | What is known malware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: It is strongly recommended that malware is removed from your codebase.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/runwifi@3.8.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Note: Malicious code in tronlinkperm (PyPI)

From: requirements.txt → pypi/tronlinkperm@0.0.1

ℹ Read more on: This package | This alert | What is known malware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: It is strongly recommended that malware is removed from your codebase.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/tronlinkperm@0.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Did you mean: valid**ate-**docbr

From: requirements.txt → pypi/validdocbr@1.2.2

ℹ Read more on: This package | This alert | What is a typosquat?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/validdocbr@1.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Note: Malicious code in xcepthttp (PyPI)

From: requirements.txt → pypi/xcepthttp@0.0.2

ℹ Read more on: This package | This alert | What is known malware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: It is strongly recommended that malware is removed from your codebase.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/xcepthttp@0.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Note: This is clearly malicious code designed to download and execute arbitrary code from a remote server. The use of encryption to hide the URL and the exec() function to run unknown code are strong indicators of malicious intent. This represents a severe security risk as it allows for remote code execution.

From: requirements.txt → pypi/xcepthttp@0.0.2

ℹ Read more on: This package | This alert | What is known malware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: It is strongly recommended that malware is removed from your codebase.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/xcepthttp@0.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

License: GPL-3.0 (bindepend-0.1.dist-info/METADATA)

From: requirements.txt → pypi/bindepend@0.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/bindepend@0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

License: GPL-3.0 (bindepend-0.1/PKG-INFO)

License: GPL-3.0 (bindepend-0.1/setup.py)

License: GPL-3.0 (bindepend-0.1/bindepend.egg-info/PKG-INFO)

From: requirements.txt → pypi/bindepend@0.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/bindepend@0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

License: License :: Repoze Public License (colander-2.0.dist-info/METADATA)

License: BSD-derived (http://www.repoze.org/LICENSE.txt) (colander-2.0.dist-info/METADATA)

From: ? → pypi/openapi-client-generator@1.0.13 → pypi/colander@2.0

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/colander@2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

License: License :: Repoze Public License (colander-2.0/PKG-INFO)

License: BSD-derived (http://www.repoze.org/LICENSE.txt) (colander-2.0/PKG-INFO)

License: License :: Repoze Public License (colander-2.0/src/colander.egg-info/PKG-INFO)

License: BSD-derived (http://www.repoze.org/LICENSE.txt) (colander-2.0/src/colander.egg-info/PKG-INFO)

From: ? → pypi/openapi-client-generator@1.0.13 → pypi/colander@2.0

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/colander@2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

License: GPL-3.0-only (goes_api/abi_area.py)

License: GPL-3.0-only (goes_api/explore.py)

From: requirements.txt → pypi/goes-api@0.1.7

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/goes-api@0.1.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

License: GPL-3.0-only (goes_api-0.1.7/goes_api/abi_area.py)

License: GPL-3.0-only (goes_api-0.1.7/goes_api/explore.py)

From: requirements.txt → pypi/goes-api@0.1.7

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/goes-api@0.1.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

License: FSFAP (numpy-2.2.5/vendored-meson/meson/test cases/frameworks/6 gettext/data3/metainfo.its)

License: GPL-3.0 (numpy-2.2.5/tools/wheels/LICENSE_osx.txt)

License: GPL-3.0 (numpy-2.2.5/tools/wheels/LICENSE_linux.txt)

License: GPL-3.0-with-GCC-exception (numpy-2.2.5/tools/wheels/LICENSE_win32.txt)

License: GPL-3.0-with-GCC-exception (numpy-2.2.5/tools/wheels/LICENSE_win32.txt)

License: GPL-3.0 (numpy-2.2.5/tools/wheels/LICENSE_win32.txt)

License: GPL-3.0-or-later (numpy-2.2.5/tools/wheels/LICENSE_win32.txt)

From: ? → pypi/goes-api@0.1.7 → pypi/numpy@2.2.5

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/numpy@2.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

License: GPL-3.0-with-GCC-exception (numpy-2.2.5.dist-info/METADATA)

License: GPL-3.0 (numpy-2.2.5.dist-info/METADATA)

License: GPL-3.0-with-GCC-exception (numpy-2.2.5.dist-info/LICENSE.txt)

License: GPL-3.0-with-GCC-exception (numpy-2.2.5.dist-info/LICENSE.txt)

License: GPL-3.0 (numpy-2.2.5.dist-info/LICENSE.txt)

From: ? → pypi/goes-api@0.1.7 → pypi/numpy@2.2.5

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/numpy@2.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

License: GPL-3.0-with-GCC-exception (numpy-2.2.5.dist-info/METADATA)

License: GPL-3.0 (numpy-2.2.5.dist-info/METADATA)

License: GPL-3.0-with-GCC-exception (numpy-2.2.5.dist-info/LICENSE.txt)

License: GPL-3.0-with-GCC-exception (numpy-2.2.5.dist-info/LICENSE.txt)

License: GPL-3.0 (numpy-2.2.5.dist-info/LICENSE.txt)

From: ? → pypi/goes-api@0.1.7 → pypi/numpy@2.2.5

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/numpy@2.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

License: GPL-3.0-with-GCC-exception (numpy-2.2.5.dist-info/METADATA)

License: GPL-3.0 (numpy-2.2.5.dist-info/METADATA)

License: GPL-3.0-with-GCC-exception (numpy-2.2.5.dist-info/LICENSE.txt)

License: GPL-3.0-with-GCC-exception (numpy-2.2.5.dist-info/LICENSE.txt)

License: GPL-3.0 (numpy-2.2.5.dist-info/LICENSE.txt)

From: ? → pypi/goes-api@0.1.7 → pypi/numpy@2.2.5

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/numpy@2.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Note: Package name is similar to other popular packages and may not be the package you want.

Source: Manifest File

ℹ️ Read more on: This package | This alert | What is known malware?

Suggestion: Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages.

Mark as acceptable risk: To ignore this alert only in this pull request, reply with:
@SocketSecurity ignore bindepend@0.1
Or ignore all future alerts with:
@SocketSecurity ignore-all

Note: Package name is similar to other popular packages and may not be the package you want.

Source: Manifest File

ℹ️ Read more on: This package | This alert | What is known malware?

Suggestion: Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages.

Mark as acceptable risk: To ignore this alert only in this pull request, reply with:
@SocketSecurity ignore pyrebase4@4.8.0
Or ignore all future alerts with:
@SocketSecurity ignore-all

Note: This package is malware. We have asked the package registry to remove it.

Source: Manifest File

ℹ️ Read more on: This package | This alert | What is known malware?

Suggestion: It is strongly recommended that malware is removed from your codebase.

Mark as acceptable risk: To ignore this alert only in this pull request, reply with:
@SocketSecurity ignore xcepthttp@0.0.2
Or ignore all future alerts with:
@SocketSecurity ignore-all

Note: This package is malware. We have asked the package registry to remove it.

Source: Manifest File

ℹ️ Read more on: This package | This alert | What is known malware?

Suggestion: It is strongly recommended that malware is removed from your codebase.

Mark as acceptable risk: To ignore this alert only in this pull request, reply with:
@SocketSecurity ignore tronlinkperm@0.0.1
Or ignore all future alerts with:
@SocketSecurity ignore-all

Note: Package name is similar to other popular packages and may not be the package you want.

Source: Manifest File

ℹ️ Read more on: This package | This alert | What is known malware?

Suggestion: Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages.

Mark as acceptable risk: To ignore this alert only in this pull request, reply with:
@SocketSecurity ignore openapi-client-generator@1.0.13
Or ignore all future alerts with:
@SocketSecurity ignore-all

Note: This package is malware. We have asked the package registry to remove it.

Source: Manifest File

ℹ️ Read more on: This package | This alert | What is known malware?

Suggestion: It is strongly recommended that malware is removed from your codebase.

Mark as acceptable risk: To ignore this alert only in this pull request, reply with:
@SocketSecurity ignore runwifi@3.8.5.1
Or ignore all future alerts with:
@SocketSecurity ignore-all

Note: Package name is similar to other popular packages and may not be the package you want.

Source: Manifest File

ℹ️ Read more on: This package | This alert | What is known malware?

Suggestion: Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages.

Mark as acceptable risk: To ignore this alert only in this pull request, reply with:
@SocketSecurity ignore validdocbr@1.2.2
Or ignore all future alerts with:
@SocketSecurity ignore-all