Another example of attackers abusing npm as infrastructure. Our threat research team found a spearphishing campaign that published 27 malicious packages to host browser-run phishing pages. cc: @campuscodi.risky.biz @cisoseries.bsky.social @zackwhittaker.com

Chrome extensions are still a wild west ecosystem. This fake “VPN” ran for years and charged users for the privilege of silently intercepting their traffic. cc: @campuscodi.risky.biz @zackwhittaker.com @cisoseries.bsky.social

🐳 If you use @docker.com Hardened Images, this is a big update! They’re now free, and Socket Firewall is included in supported images. Platform and security teams can lower spend on base images while adding supply chain protection during dependency installs and builds inside containers.

🎁 The Nightmare Before Deployment socket.dev/blog/supply-...

🥷 In this @softwaredaily.bsky.social episode, @feross.bsky.social talks about the dark side of Chrome extensions getting bought and sold to unknown buyers, a super common supply chain risk most users never see. Check out the full episode → socket.dev/blog/softwar...

This is an extremely convincing typosquat. Also a good reminder that Google’s AI summaries are not a reliable way to determine whether a package is safe to use. 😵‍💫

⚠️ Following increased scrutiny after React2Shell, new #React Server Components vulns have been disclosed: high-severity DoS and source code exposure in RSC packages. What’s affected and how to patch → socket.dev/blog/new-rea... #nodejs

We’re excited to see @deno.land 2.6 ship deno audit plus an experimental --socket flag! 🎉 Catch malicious packages and supply chain attacks before they land: Run deno audit --socket to get free Socket Firewall checks for npm dependencies right in the CLI. socket.dev/blog/deno-2-...

This has been an exceedingly difficult message to put together because of the complexity/gaps in existing workflows, but also because we have had to be sensitive about publicly sharing details that may lead to increased risk of compromise for popular packages that have already moved to TP

🧨 “Gaps in design and implementation with the new OIDC Trusted Publisher workflows leave maintainers open to novel and increasingly difficult to detect gaps in their publishing setups. We do not recommend critical projects move to this new workflow..." - @notwes.bsky.social

#Rust may soon be adding a built-in Security tab on crates.io to show RustSec advisories (vulns + “unsound APIs”) directly on crate pages. The RFC is in its Final Comment Period → socket.dev/blog/rust-rf... #rustlang cc: @rustaceans.bsky.social @thisweekinrust.bsky.social

This typosquat is all fancied up to look legit, seems like the threat actor put in a lot of effort here. We were once again impressed by how fast the crates.io team took it down! 👏 cc: @thisweekinrust.bsky.social @rustaceans.bsky.social @theembeddedrust.bsky.social @campuscodi.risky.biz

📉 November CVE publications fell 25% YoY, but 2025 is still tracking 16.9% higher overall. A reminder from @jgamblin.bsky.social: “global CVE counts” can swing based on a handful of major CNAs and their workflow throughput, so a quiet month is not a risk signal. socket.dev/blog/novembe... #cve

🙄 The holiday themed npm spam has arrived: 420+ auto-generated elf-stats-* packages claiming to be published every 2 min. This is just registry abuse at scale, and it’s a waste of everyone’s time. Nobody is going to accidentally install these packages but they're still unsafe to run. #NodeJS

Major props to the Crates.io team - they removed this crate within just minutes of it being reported. 💪 cc: @campuscodi.risky.biz @thisweekinrust.bsky.social @theembeddedrust.bsky.social @rustaceans.bsky.social @weeklyrust.substack.com.web.brid.gy

🎙️ Why great products don't always win: Socket CEO @feross.bsky.social breaks down a hard truth for technical founders in this conversation with Vlad Kachur on scaling a security company. Check out the full interview → socket.dev/blog/scaling... #appsec #infosec

⚠️ Major Update on the Shai Hulud v2 campaign: We’ve confirmed 834 malicious packages and now see spillover into Maven Central. The package org.mvnpm:posthog-node:4.18.1 contains the same Bun-based payload used in the npm compromise. Updated analysis → socket.dev/blog/shai-hu... #Java

More malicious Chrome extensions. Stay vigilant!

Webhooks for Alert Changes just dropped 🎉 No more refreshing dashboards. Socket now pushes every new, updated, or cleared alert straight into your workflow in real time. Perfect way to wrap Launch Week: Ruby reachability, Certified Patches, Bun/vlt, OpenVSX… and now this ⚡️

IDE extensions are a silent nightmare. VS Code extensions get full access to your code and creds, and attackers have already slipped malware into VS Code Marketplace and OpenVSX. So Socket now scans OpenVSX extensions before they ever hit your machine. 🔍⚡️

🚀 Big news for JavaScript teams: Socket now supports Bun and vlt in beta. You no longer have to choose between innovation and security. Commit a bun.lock or vlt-lock.json and Socket gives you full supply chain protection.

This is a novel technique attackers are using to distribute browser-executed malware through npm. cc: @campuscodi.risky.biz

I had the pleasure of being on-call for a lot of what Elizabeth talked about on this (love is blind & the Tyson fight). It's fun to hear such a polished, clear, and positive message about the absolute *madness* (aka fun) it was to be involved as an engineer on the ground.

New research from @socket.dev: a malicious Chrome extension posing as an Ethereum wallet steals seed phrases by encoding them into Sui transactions. Wild on-chain exfiltration technique. Still live on the Chrome Web Store. cc: @campuscodi.risky.biz

Thrilled to have Jordan joining us at @socket.dev! 💜

This is wild. 99% of the code is legit, with just 20 malicious lines buried in thousands of lines of working code. cc: @campuscodi.risky.biz

Five practical steps to stay safe on npm @sarahgooding.bsky.social @socket.dev socket.dev/blog/the-cha... #ECMAScript #JavaScript

‼️ Update: the MIT-linked “AI-powered ransomware” report appears to have been taken offline. We updated our article to include an Internet Archive link to the original paper.

Still installing npm packages like it’s 2020? Not all npm installs are treats. 🎃 On the @changelog.com podcast, @feross.bsky.social shares practical steps every developer should take to reduce exposure to supply chain attacks on npm. → socket.dev/blog/the-cha... #NodeJS #JavaScript

That MIT report is absolutely bonkers btw - it classifies 80% of ransomware groups as using GenAI (made up btw), then says things like Emotet uses AI (what? It’s a banking trojan from years ago), Ryuk uses AI (?!?!) etc etc. And it’s published via MIT with their chief security persons name on it.

This is really well written, if you want to scare your CISO, send them this for Halloween. 🎃

There’s a real conversation to be had about how AI has found real-world use cases across cybercrime, but there’s no way in heck that “80 percent of ransomware attacks are AI-driven,” as this report claims. 🤑 h/t @doublepulsar.com cc: @campuscodi.risky.biz

Some fairly convincing typosquats in this campaign - a reminder that typosquatting is still an effective attack vector on npm. cc: @campuscodi.risky.biz

This is a wild typosquat hiding #NuGet malware: cc: @campuscodi.risky.biz

Can you believe it – we’re kicking off another Socket Launch Week! 🎉 We'll be announcing a new feature every day. And we’re starting big: Today we're introducing malware scanning for the Hugging Face ecosystem! #HuggingFace

Wow! I'm honored to receive this award from the @openjsf.org. It's a privilege to share stories that highlight the people and projects driving open source security forward. I'm thankful my work at @socket.dev lets me support the OSS maintainers and users at the heart of this community. 💜

More malicious packages linked to North Korea, leveraging typosquatting. Targets include Web3, cryptocurrency, and blockchain developers, as well as technical job seekers approached with recruiting lures, leading to multi-stage compromise and financial loss. cc: @campuscodi.risky.biz

Ruby Central’s incident report on the RubyGems.org access dispute sparks community backlash and renewed debate over project governance. An overview on the latest news from the Ruby gems packaging ecosystem with comments from @indirect.io and @duckinator.bsky.social:

Big change in Google’s OSV that hasn’t gotten much attention: 500+ advisories just reappeared after a policy fix that had been hiding disputed CVEs. cc: @campuscodi.risky.biz

Introducing Socket Firewall: free, proactive protection for your software supply chain @dale.link @socket.dev socket.dev/blog/introdu... #ECMAScript #JavaScript

Thrilled to have @ahmadnassri.com joining us at Socket! 🎉🎉🎉

🔥 Breaking: Former #RubyGems maintainers have launched the Gem Cooperative, a community-run RubyGems server with open governance. We spoke with the team behind it. Read the full story on the Socket blog
→ socket.dev/blog/gem-coo... #RubyLang #Ruby #Rails

This week we released Socket Firewall, a free CLI tool that protects developers from malicious packages at install time. We're excited to extend protection beyond npm to other ecosystems like #Python and #Rust, with more rolling out soon! @thisweekinrust.bsky.social @campuscodi.risky.biz #rustlang

Excited to see The Register cover the launch of Socket Firewall! This new free tool gives developers real-time protection at install time across multiple ecosystems, including JavaScript, Python, and Rust, with more coming soon. It works out of the box: No API key. No configuration.

Other than the trusted publishing stuff (which is absolutely not ready for use yet, I will be outlining why in my JS Conf talk) this is a great write up of the recent goings on.

⚡️ Follow Socket on Instagram! www.instagram.com/socketsecuri...

…what a time to be in the JavaScript web security space…

🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor. Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript

the ecosystem can’t keep absorbing hits like this, we need stronger defenses

Y'all this is non-stop. 😰 Woke up to another npm supply chain attack this morning. This malware is identical to the one that hit 40+ packages yesterday: cc: @campuscodi.risky.biz