Secure your dependencies. Ship with confidence.

This module is a high-confidence security sabotage pattern: it fabricates authenticated users, neutralizes CSRF using a fixed token/value, weakens key browser security headers, and degrades session cookie protections. Additionally, when configured, it can exfiltrate client request metadata (IP/user-agent/path/query) to a configurable LLM endpoint and use the LLM output to block requests. Treat the package as a security alert rather than a benign middleware; verify whether it is enabled in production and review LLM/base_url/api_key configuration for data exfiltration exposure.

High-risk supply-chain signal: this module provides an HTML rendering component that extracts embedded script contents and executes them via window.eval when runScripts is enabled, and it also injects HTML into the DOM via dangerouslySetInnerHTML. If any caller can influence the provided HTML (or misconfigures runScripts/safeMode), this enables arbitrary JavaScript execution (XSS/RCE-in-browser). No backend malware behavior is evident in the provided fragment, but the client-side execution/injection primitives are severe and should be treated as unacceptable unless the inputs are strictly controlled and runScripts is never enabled for untrusted content.

This fragment is highly suspicious and consistent with a supply-chain dropper/loader: it uses a runtime decoder that ends in eval(...) and executes the decoded payload at import time. It also conditionally spawns a subprocess using sys.executable with decoded arguments and inherits the full environment, while additionally offering an in-process pytest/plugin execution mode with output suppression. The real payload behavior is not observable from this snippet alone, so treat it as malicious until decoded payload execution is fully inspected in a sandbox.

This module is overtly designed to execute BLE exploitation/denial-of-service workflows (malformed SMP Pairing Request and repeated/double ATT MTU exchange) against a specified remote target. No stealth, credential theft, persistence, or data exfiltration is evident in the snippet; however, its explicit destructive offensive purpose makes it materially risky in a supply-chain context where it could be misused or invoked unintentionally. Review and restrict deployment to authorized security testing contexts, and consider dependency governance to prevent accidental inclusion in production tooling.

This fragment is high-risk for supply-chain security due to a critical eval-based arbitrary code execution sink on dynamically constructed content, extensive obfuscation that obscures critical constants/endpoints, remote network reporting of session/host metadata, and runtime mutation of os.environ based on parsed server responses. While much of the surrounding logic appears consistent with legitimate accessibility testing orchestration, the presence of eval and environment/remote-response-driven behavior materially increase the likelihood of hidden functionality or sabotage. Treat as unsafe until the evaluated string source is proven immutable and the imported accessibility_scripts and helper network wrappers are independently verified for intent and destination integrity.

This module is a high-risk arbitrary code execution wrapper: it executes opts.source via new Function with immediate invocation and then runs attacker-defined scenario logic to produce and return evidence and final state. Without sandboxing/allowlisting/validation, if opts.source can be influenced by an attacker (or is malicious), it can perform arbitrary side effects in the host runtime and exfiltrate data through returned results. Evidence normalization is minimal and does not mitigate downstream misuse by callers.

This manifest embeds a cross-publisher extensionPack entry inside a normal, full-featured extension without clear disclosure. The pulled in extension is confirmed to be malicious.

This manifest embeds a cross-publisher extensionPack entry inside a normal, full-featured extension without clear disclosure. The pulled in extension is confirmed to be malicious.

This module is high-risk from a supply-chain/scripting perspective because it embeds a runtime `node -e` payload that directly spawns `npx -y @vpxa/aikit serve`, enabling network fetch and execution of third-party code. It also manipulates local npm/npx cache directories via `fs.renameSync` on failure and retries, which can help ensure the remote code execution path proceeds. Even if the intent is legitimate (bootstrapping a tool), the auto-approved npx execution and cache evasion/retry behavior warrant strong review, provenance validation, and containment (e.g., disallow execution on import, pin versions, and avoid shell:true).

This module contains multiple severe supply-chain red flags: it uses eval on a transformed string (dynamic arbitrary code execution), performs shell-based subprocess execution (shell=True), modifies an installed dependency’s source on disk (self-tampering behavior), downloads and extracts remote ZIP archives via extractall without visible path validation, and creates world-writable directories/files (0o777). While some functionality aligns with legitimate SDK telemetry/automation, the combination of these patterns is highly inconsistent with safe library utilities and should be treated as high risk pending deeper inspection of the eval input, the modified-file logic, and the precise download/execution paths in the full package.

High confidence malicious assessment. This code is designed to harvest Kubernetes and Vault credentials/secrets from local environment and files, authenticate to Kubernetes/Vault APIs, enumerate secret paths (including Vault mounts/KV traversal and Kubernetes namespaces/secrets), package/encrypt the results, and exfiltrate the data to an external GitHub repository via repository/commit operations. It additionally includes daemonization/persistence behavior and obfuscation, all consistent with credential/secret theft malware rather than a legitimate dependency component.

This module is a high-risk guest agent that, after token authentication, executes arbitrary shell commands via /bin/sh -c and returns stdout/stderr (including streamed output) back to the host/client over HTTP (JSON/SSE) and/or virtio-serial. The main security concerns are the remote command execution capability itself, direct output exfiltration to the caller, and partial token leakage in logs. Timeout handling does not explicitly kill spawned processes, and exclusive-lock release is tied to streaming/task completion (availability risk). No obfuscated/memory-unsafe malware patterns are present in this fragment; however, the functional impact is equivalent to a powerful backdoor if misused or if the token/transport is compromised.

This module introduces extremely high-risk capabilities driven by user input: it can execute arbitrary shell commands via execSync when messages begin with '!', and it can read local files based on user-supplied @mention paths (with potential path traversal) and embed the contents into the prompt forwarded to downstream hooks/models. These behaviors create clear pathways for system compromise and sensitive data exfiltration. If this feature is intended, it must be tightly permission-gated and constrained (e.g., remove execSync, add strict command allowlisting, enforce a safe read root/deny traversal, and perform authorization checks before any side-effecting operations).

This module is high-risk: it performs obfuscated runtime decoding that feeds into eval(), executed immediately at import time, and then acts as a wrapper/launcher that reads credentials from environment/config and spawns an external binary with directly forwarded stdio. While the exact payload behavior depends on helper functions and the executed binary, the combination of eval-based obfuscation, import-time execution, and credentialed subprocess invocation is strongly consistent with supply-chain malware/loader activity and warrants immediate isolation and deeper investigation of the invoked binary and helper modules.

This module establishes a WebSocket-controlled agent that executes host-level commands based on untrusted remote messages. It includes high-risk behavior: remote start/stop of a gateway, reading local config/logs and sending them back over the network, and (most critically) command injection via execSync with template-string interpolation of untrusted params (channel/target/message). Without strong authentication/authorization and strict input validation/escaping, this presents a strong backdoor/remote execution and data exfiltration risk.

This preinstall script is malicious: it actively searches for secrets and files on the host/container, encodes them, and exfiltrates them to a remote ngrok endpoint. Installing this package would likely leak sensitive information (environment variables, secrets, files) from the machine or container. Treat as high-risk malware and avoid installing; investigate any systems where it ran and rotate exposed secrets/keys.

This code is highly likely malicious. It performs prototype pollution (Array/Object/Math) to break application logic, directly corrupts game state, attempts sandbox escape using Function/eval/constructor, and—when Node APIs are accessible—writes to disk, runs destructive commands (rm -rf /), and terminates the process. It also performs clear data exfiltration/C2 attempts to attacker-controlled domains (evil.com) via fetch/XHR/WebSocket/EventSource/sendBeacon, and injects attacker scripts via importScripts/Worker/SharedWorker. Clipboard and BroadcastChannel usage further supports unauthorized data handling. Overall, it should be treated as dangerous and not used.

This bundle fragment contains a clear high-risk OS command execution primitive using `child_process.spawn`, including a Windows path that runs PowerShell with `-ExecutionPolicy Unrestricted` for `.ps1` targets and a detached execution helper using an embedded `Jobber.exe`. If any extension logic can pass controllable inputs into these helpers, it can lead to arbitrary code execution, persistence, and follow-on malicious actions. The networking utilities increase potential for remote interaction, but the spawn-to-network/payload linkage is not proven within this excerpt. Treat as a serious security alert requiring audit of how spawn parameters are derived and whether execution is strictly restricted to trusted, hardcoded commands.

This module provides direct Windows remote-process DLL injection and unloading primitives: it allocates/writes a caller-controlled DLL path into another process and creates a remote thread to call kernel32!LoadLibraryW; unloading is done similarly via FreeLibrary. While it includes some validation (PID != 0, DLL existence, basic x86/x64/WOW64 gating, and already-loaded checks), it still enables high-impact offensive behavior (remote code execution in a chosen process). No obvious obfuscation is present, but the capability itself is highly dangerous for a general dependency.

This module is overtly designed to execute BLE exploitation/denial-of-service workflows (malformed SMP Pairing Request and repeated/double ATT MTU exchange) against a specified remote target. No stealth, credential theft, persistence, or data exfiltration is evident in the snippet; however, its explicit destructive offensive purpose makes it materially risky in a supply-chain context where it could be misused or invoked unintentionally. Review and restrict deployment to authorized security testing contexts, and consider dependency governance to prevent accidental inclusion in production tooling.

This manifest embeds a cross-publisher extensionPack entry inside a normal, full-featured extension without clear disclosure. The pulled in extension is confirmed to be malicious.

This module is high-risk due to dynamic code execution (compile/exec) on content derived from caller-provided param/kwargs, executed with globals(), which can enable arbitrary code execution if inputs are not strictly controlled. In addition, it can send requests to arbitrary caller-supplied URLs and logs request content/headers, increasing the potential for data exfiltration and secret leakage. Treat as potentially malicious until usage is proven safe (e.g., param is constant/trusted and URL/headers are constrained/redacted).

This module is explicitly designed to establish and remove Windows user-logon persistence (scheduled task ONLOGON and HKCU Run key) by wiring a generated launcher into schtasks/reg. That is a high-risk supply-chain pattern because the module can cause code to execute automatically at every user logon. Malware intent cannot be proven from this fragment alone due to the missing writeLauncherScript implementation; however, the persistence behavior and lack of validation around the launcher target make the security risk elevated and warrant close review of the helper that generates the launcher and any consent/guardrails around invoking install().

High-risk offensive capability: this module is an interactive web-shell/command-injection client that crafts attacker-controlled OS commands into a URL query parameter, sends them over HTTP, parses echoed output using randomized delimiters, and provides recon (e.g., searching for flag-like files) plus optional local saving of retrieved results. It contains no safety controls (allowlisting, output filtering, or execution constraints) and is therefore dangerous to include in a supply chain unless the dependency is strictly intended for authorized testing in a controlled environment.

This code is highly consistent with a malicious/offensive Bluetooth “hijack” tool: it clones/spoofs a phone identity, attempts a known authentication bypass (BIAS), connects to a targeted IVI device, and extracts sensitive user data (PBAP phonebook, MAP messages) and sets up HFP audio capabilities. It also executes system bluetoothctl commands and performs hardware state modification/rollback. No obfuscation is present, but the functional behavior is clearly adversarial and privacy-invasive. If published as a dependency, it should be treated as an extremely dangerous package component for supply-chain security.

This module is a high-confidence security sabotage pattern: it fabricates authenticated users, neutralizes CSRF using a fixed token/value, weakens key browser security headers, and degrades session cookie protections. Additionally, when configured, it can exfiltrate client request metadata (IP/user-agent/path/query) to a configurable LLM endpoint and use the LLM output to block requests. Treat the package as a security alert rather than a benign middleware; verify whether it is enabled in production and review LLM/base_url/api_key configuration for data exfiltration exposure.

High-risk supply-chain signal: this module provides an HTML rendering component that extracts embedded script contents and executes them via window.eval when runScripts is enabled, and it also injects HTML into the DOM via dangerouslySetInnerHTML. If any caller can influence the provided HTML (or misconfigures runScripts/safeMode), this enables arbitrary JavaScript execution (XSS/RCE-in-browser). No backend malware behavior is evident in the provided fragment, but the client-side execution/injection primitives are severe and should be treated as unacceptable unless the inputs are strictly controlled and runScripts is never enabled for untrusted content.

This fragment is highly suspicious and consistent with a supply-chain dropper/loader: it uses a runtime decoder that ends in eval(...) and executes the decoded payload at import time. It also conditionally spawns a subprocess using sys.executable with decoded arguments and inherits the full environment, while additionally offering an in-process pytest/plugin execution mode with output suppression. The real payload behavior is not observable from this snippet alone, so treat it as malicious until decoded payload execution is fully inspected in a sandbox.

This module is overtly designed to execute BLE exploitation/denial-of-service workflows (malformed SMP Pairing Request and repeated/double ATT MTU exchange) against a specified remote target. No stealth, credential theft, persistence, or data exfiltration is evident in the snippet; however, its explicit destructive offensive purpose makes it materially risky in a supply-chain context where it could be misused or invoked unintentionally. Review and restrict deployment to authorized security testing contexts, and consider dependency governance to prevent accidental inclusion in production tooling.

This fragment is high-risk for supply-chain security due to a critical eval-based arbitrary code execution sink on dynamically constructed content, extensive obfuscation that obscures critical constants/endpoints, remote network reporting of session/host metadata, and runtime mutation of os.environ based on parsed server responses. While much of the surrounding logic appears consistent with legitimate accessibility testing orchestration, the presence of eval and environment/remote-response-driven behavior materially increase the likelihood of hidden functionality or sabotage. Treat as unsafe until the evaluated string source is proven immutable and the imported accessibility_scripts and helper network wrappers are independently verified for intent and destination integrity.

This module is a high-risk arbitrary code execution wrapper: it executes opts.source via new Function with immediate invocation and then runs attacker-defined scenario logic to produce and return evidence and final state. Without sandboxing/allowlisting/validation, if opts.source can be influenced by an attacker (or is malicious), it can perform arbitrary side effects in the host runtime and exfiltrate data through returned results. Evidence normalization is minimal and does not mitigate downstream misuse by callers.

This manifest embeds a cross-publisher extensionPack entry inside a normal, full-featured extension without clear disclosure. The pulled in extension is confirmed to be malicious.

This manifest embeds a cross-publisher extensionPack entry inside a normal, full-featured extension without clear disclosure. The pulled in extension is confirmed to be malicious.

This module is high-risk from a supply-chain/scripting perspective because it embeds a runtime `node -e` payload that directly spawns `npx -y @vpxa/aikit serve`, enabling network fetch and execution of third-party code. It also manipulates local npm/npx cache directories via `fs.renameSync` on failure and retries, which can help ensure the remote code execution path proceeds. Even if the intent is legitimate (bootstrapping a tool), the auto-approved npx execution and cache evasion/retry behavior warrant strong review, provenance validation, and containment (e.g., disallow execution on import, pin versions, and avoid shell:true).

This module contains multiple severe supply-chain red flags: it uses eval on a transformed string (dynamic arbitrary code execution), performs shell-based subprocess execution (shell=True), modifies an installed dependency’s source on disk (self-tampering behavior), downloads and extracts remote ZIP archives via extractall without visible path validation, and creates world-writable directories/files (0o777). While some functionality aligns with legitimate SDK telemetry/automation, the combination of these patterns is highly inconsistent with safe library utilities and should be treated as high risk pending deeper inspection of the eval input, the modified-file logic, and the precise download/execution paths in the full package.

High confidence malicious assessment. This code is designed to harvest Kubernetes and Vault credentials/secrets from local environment and files, authenticate to Kubernetes/Vault APIs, enumerate secret paths (including Vault mounts/KV traversal and Kubernetes namespaces/secrets), package/encrypt the results, and exfiltrate the data to an external GitHub repository via repository/commit operations. It additionally includes daemonization/persistence behavior and obfuscation, all consistent with credential/secret theft malware rather than a legitimate dependency component.

This module is a high-risk guest agent that, after token authentication, executes arbitrary shell commands via /bin/sh -c and returns stdout/stderr (including streamed output) back to the host/client over HTTP (JSON/SSE) and/or virtio-serial. The main security concerns are the remote command execution capability itself, direct output exfiltration to the caller, and partial token leakage in logs. Timeout handling does not explicitly kill spawned processes, and exclusive-lock release is tied to streaming/task completion (availability risk). No obfuscated/memory-unsafe malware patterns are present in this fragment; however, the functional impact is equivalent to a powerful backdoor if misused or if the token/transport is compromised.

This module introduces extremely high-risk capabilities driven by user input: it can execute arbitrary shell commands via execSync when messages begin with '!', and it can read local files based on user-supplied @mention paths (with potential path traversal) and embed the contents into the prompt forwarded to downstream hooks/models. These behaviors create clear pathways for system compromise and sensitive data exfiltration. If this feature is intended, it must be tightly permission-gated and constrained (e.g., remove execSync, add strict command allowlisting, enforce a safe read root/deny traversal, and perform authorization checks before any side-effecting operations).

This module is high-risk: it performs obfuscated runtime decoding that feeds into eval(), executed immediately at import time, and then acts as a wrapper/launcher that reads credentials from environment/config and spawns an external binary with directly forwarded stdio. While the exact payload behavior depends on helper functions and the executed binary, the combination of eval-based obfuscation, import-time execution, and credentialed subprocess invocation is strongly consistent with supply-chain malware/loader activity and warrants immediate isolation and deeper investigation of the invoked binary and helper modules.

This module establishes a WebSocket-controlled agent that executes host-level commands based on untrusted remote messages. It includes high-risk behavior: remote start/stop of a gateway, reading local config/logs and sending them back over the network, and (most critically) command injection via execSync with template-string interpolation of untrusted params (channel/target/message). Without strong authentication/authorization and strict input validation/escaping, this presents a strong backdoor/remote execution and data exfiltration risk.

This preinstall script is malicious: it actively searches for secrets and files on the host/container, encodes them, and exfiltrates them to a remote ngrok endpoint. Installing this package would likely leak sensitive information (environment variables, secrets, files) from the machine or container. Treat as high-risk malware and avoid installing; investigate any systems where it ran and rotate exposed secrets/keys.

This code is highly likely malicious. It performs prototype pollution (Array/Object/Math) to break application logic, directly corrupts game state, attempts sandbox escape using Function/eval/constructor, and—when Node APIs are accessible—writes to disk, runs destructive commands (rm -rf /), and terminates the process. It also performs clear data exfiltration/C2 attempts to attacker-controlled domains (evil.com) via fetch/XHR/WebSocket/EventSource/sendBeacon, and injects attacker scripts via importScripts/Worker/SharedWorker. Clipboard and BroadcastChannel usage further supports unauthorized data handling. Overall, it should be treated as dangerous and not used.

This bundle fragment contains a clear high-risk OS command execution primitive using `child_process.spawn`, including a Windows path that runs PowerShell with `-ExecutionPolicy Unrestricted` for `.ps1` targets and a detached execution helper using an embedded `Jobber.exe`. If any extension logic can pass controllable inputs into these helpers, it can lead to arbitrary code execution, persistence, and follow-on malicious actions. The networking utilities increase potential for remote interaction, but the spawn-to-network/payload linkage is not proven within this excerpt. Treat as a serious security alert requiring audit of how spawn parameters are derived and whether execution is strictly restricted to trusted, hardcoded commands.

This module provides direct Windows remote-process DLL injection and unloading primitives: it allocates/writes a caller-controlled DLL path into another process and creates a remote thread to call kernel32!LoadLibraryW; unloading is done similarly via FreeLibrary. While it includes some validation (PID != 0, DLL existence, basic x86/x64/WOW64 gating, and already-loaded checks), it still enables high-impact offensive behavior (remote code execution in a chosen process). No obvious obfuscation is present, but the capability itself is highly dangerous for a general dependency.

This module is overtly designed to execute BLE exploitation/denial-of-service workflows (malformed SMP Pairing Request and repeated/double ATT MTU exchange) against a specified remote target. No stealth, credential theft, persistence, or data exfiltration is evident in the snippet; however, its explicit destructive offensive purpose makes it materially risky in a supply-chain context where it could be misused or invoked unintentionally. Review and restrict deployment to authorized security testing contexts, and consider dependency governance to prevent accidental inclusion in production tooling.

This manifest embeds a cross-publisher extensionPack entry inside a normal, full-featured extension without clear disclosure. The pulled in extension is confirmed to be malicious.

This module is high-risk due to dynamic code execution (compile/exec) on content derived from caller-provided param/kwargs, executed with globals(), which can enable arbitrary code execution if inputs are not strictly controlled. In addition, it can send requests to arbitrary caller-supplied URLs and logs request content/headers, increasing the potential for data exfiltration and secret leakage. Treat as potentially malicious until usage is proven safe (e.g., param is constant/trusted and URL/headers are constrained/redacted).

This module is explicitly designed to establish and remove Windows user-logon persistence (scheduled task ONLOGON and HKCU Run key) by wiring a generated launcher into schtasks/reg. That is a high-risk supply-chain pattern because the module can cause code to execute automatically at every user logon. Malware intent cannot be proven from this fragment alone due to the missing writeLauncherScript implementation; however, the persistence behavior and lack of validation around the launcher target make the security risk elevated and warrant close review of the helper that generates the launcher and any consent/guardrails around invoking install().

High-risk offensive capability: this module is an interactive web-shell/command-injection client that crafts attacker-controlled OS commands into a URL query parameter, sends them over HTTP, parses echoed output using randomized delimiters, and provides recon (e.g., searching for flag-like files) plus optional local saving of retrieved results. It contains no safety controls (allowlisting, output filtering, or execution constraints) and is therefore dangerous to include in a supply chain unless the dependency is strictly intended for authorized testing in a controlled environment.

This code is highly consistent with a malicious/offensive Bluetooth “hijack” tool: it clones/spoofs a phone identity, attempts a known authentication bypass (BIAS), connects to a targeted IVI device, and extracts sensitive user data (PBAP phonebook, MAP messages) and sets up HFP audio capabilities. It also executes system bluetoothctl commands and performs hardware state modification/rollback. No obfuscation is present, but the functional behavior is clearly adversarial and privacy-invasive. If published as a dependency, it should be treated as an extremely dangerous package component for supply-chain security.