So we’ve reached the point where AI agents are writing angry blog posts about open source maintainers closing their PRs. 🙄 This is how you push projects toward “patches no longer welcome” from AI agents running loose on GitHub.

🔺 High-severity RCE disclosed in next-mdx-remote when compiling untrusted MDX on the server. Affects versions 4.3.0 before 6.0.0. socket.dev/blog/high-se... #NextJS #JavaScript

"Most people are completely unprepared for this," O'Reilly said. "They treat it like installing Spotify when it's actually more like giving someone sudo access to your entire machine." - security researcher Jamieson O'Reilly

We talk constantly about the risks of unmaintained dependencies and supply chain vulnerabilities, but rarely about the complexity of fixing them when the project is as massive as Lodash. This amazing article captures the reality of Open Source sustainability. Thanks @sarahgooding.bsky.social!

This is at least the third time dYdX-related packages and infrastructure have been compromised in the past four years. Anyone using the #dYdX protocol or exchange should review their exposure. cc: @campuscodi.risky.biz @bleepingcomputer.com @coindesk.com @web3isgoinggreat.com

“Every large OSS project is navigating the same tension between enthusiasm for AI and real concern about its impact...Protect your maintainers. They're a rare asset, hard to replace and easy to lose. Any path forward that burns them out isn't a path forward at all.” - @dries.bsky.social

Four legit Open VSX extensions shipped credential-stealing malware after the publisher was compromised. The Eclipse Foundation/Open VSX security team confirmed it was consistent with leaked tokens or other unauthorized publishing access.

1. Create a standard security.txt 2. Cram it into your envs far and wide. 3. Make it easier for researchers to return your lost envs to you without splashing around in prod with your creds. lostenvfound.com

"Security work is emotionally expensive and invisible, and sharing it makes it sustainable." - @ulisesgascon.com Many thanks to @jddalton.bsky.social, @jordan.har.band, and @ulisesgascon.com for their insights on maintaining Lodash and all the hard work put into reviving the project. 💚

⭐️ Big changes in the 2025 #JavaScript Rising Stars results this year. Automation, workflows, and production tooling dominate, featuring @n8n.io, @bun.sh, @react.dev, Motia, Dyad, Stagehand, and more. Here are the highlights → socket.dev/blog/n8n-top...

🚨 Update: This is larger than we initially reported. Amazon Ads Blocker is part of a coordinated 29-extension network targeting Amazon, AliExpress, Best Buy, Shopify, and Shein. We’ve updated the research & IOCs to reflect the campaign. Full Research → socket.dev/blog/malicio...

Malicious hacker disguised as an blocker… Ewww…

This is exactly the kind of thing people worry about with browser extensions. It looks like an Amazon ad blocker, but quietly hijacks affiliate links in the background. Most people aren’t reading extension source code (and if you are, congrats 🙃), which is why this works.

“We are just a small single open source project with a small number of active maintainers. It is not in our power to change how all these people and their slop machines work. We need to make moves to ensure our survival and intact mental health.” - @bagder.mastodon.social.ap.brid.gy

My colleague @staltz.com and his team are at it again, working magic with UIs to reduce cognitive load and make security information easier to explore. Excited to see this launched! 💜

Cryptomining malware targeting one of Python’s most widely used math libraries. @campuscodi.risky.biz @decrypt.co @darkreading.bsky.social @coindesk.com

Custom tabs let you preserve a set of filters, see when a view has changed, and keep alert triage consistent across the org. More details here: socket.dev/blog/introdu...

🦀 Rust support in Socket is moving from beta to GA. Cargo project scanning, SBOM generation, and Rust-aware supply chain analysis are now ready for general use. → socket.dev/blog/rust-su... #rustlang

📜 A good summary of recent developments around the Temporal API by @sarahgooding.bsky.social Temporal is the modern replacement for the old JS Date API ✨

🎉 Chrome 144 ships the Temporal API, a long-awaited update to #JavaScript date and time handling that aims to replace the legacy Date object. socket.dev/blog/tempora... h/t @robpalmer.bsky.social

😵‍💫 The Chrome extension ecosystem really is the wild west, and remains largely uncharted territory for security teams. You need visibility into what’s actually running in the browser. cc: @campuscodi.risky.biz @zackwhittaker.com @bleepingcomputer.com

🚨 Node.js shipped a fix for a crash bug where AsyncLocalStorage could cause stack overflows to bypass error handlers and terminate production servers. Details → socket.dev/blog/node-js... #NodeJS #JavaScript

🤯 #CVE disclosures hit a new high in 2025, with more than 48,000 vulnerabilities published. New analysis from @jgamblin.bsky.social shows the surge is being driven in large part by the #WordPress plugin ecosystem. Here are the highlights → socket.dev/blog/cve-vol...

😭 💔 "I feel like a fucking idiot for somehow being able to build this CSS framework that's taken over the world and it's used by everything and it's super popular, but I can't figure out how to have it make enough money that eight people can work on it." - @adamwathan.com

· @npmjs.bsky.social appears to be massively under-resourced for the scale of the registry it operates. My respect to the teams keeping it running through wave after wave of supply chain attacks.

Open source is driving real business value in Japan. 📈 69% of organizations report increased value ⚙️ Gaps remain in governance and security 🏆 Active engagement is linked to competitiveness Read the full insights: www.linuxfoundation.org/research/wor... #OpenSource #LinuxFoundation #OSS #Research

🤖⚔️ Battle of the Bots: Dependabot opens a PR. Socket flags it as malicious. Socket CEO @feross.bsky.social discusses dependency risk and update timing, on @softwaredaily.bsky.social. Full episode → socket.dev/blog/softwar...

🎙️ In this episode of @softwaredaily.bsky.social, Socket CEO @feross.bsky.social discusses #OSS maintainer burnout. “I put this code online as a gift to the world. I didn’t promise it would never have a defect.” Full episode → socket.dev/blog/softwar... #OpenSource

🧨 GitHub Actions pricing took a wild turn over the holidays: a proposed self-hosted runner billing change triggered immediate developer backlash, and the company paused it a day later. Here’s what happened and where things stand now. → socket.dev/blog/github-...

I have to say, it's a little infuriating setting up a monorepo of published packages with the new npm Trusted Publisher requirements. Every package needs a multi-step access change in the UI. Which keeps captcha-ing me. Repeatedly. npm needs more funding.

Google Releases its New Google Sans Flex Font as Open Source www.omgubuntu.co.uk/2025/11/goog...

Another example of attackers abusing npm as infrastructure. Our threat research team found a spearphishing campaign that published 27 malicious packages to host browser-run phishing pages. cc: @campuscodi.risky.biz @cisoseries.bsky.social @zackwhittaker.com

Chrome extensions are still a wild west ecosystem. This fake “VPN” ran for years and charged users for the privilege of silently intercepting their traffic. cc: @campuscodi.risky.biz @zackwhittaker.com @cisoseries.bsky.social

🐳 If you use @docker.com Hardened Images, this is a big update! They’re now free, and Socket Firewall is included in supported images. Platform and security teams can lower spend on base images while adding supply chain protection during dependency installs and builds inside containers.

🎁 The Nightmare Before Deployment socket.dev/blog/supply-...

🥷 In this @softwaredaily.bsky.social episode, @feross.bsky.social talks about the dark side of Chrome extensions getting bought and sold to unknown buyers, a super common supply chain risk most users never see. Check out the full episode → socket.dev/blog/softwar...

This is an extremely convincing typosquat. Also a good reminder that Google’s AI summaries are not a reliable way to determine whether a package is safe to use. 😵‍💫

⚠️ Following increased scrutiny after React2Shell, new #React Server Components vulns have been disclosed: high-severity DoS and source code exposure in RSC packages. What’s affected and how to patch → socket.dev/blog/new-rea... #nodejs

We’re excited to see @deno.land 2.6 ship deno audit plus an experimental --socket flag! 🎉 Catch malicious packages and supply chain attacks before they land: Run deno audit --socket to get free Socket Firewall checks for npm dependencies right in the CLI. socket.dev/blog/deno-2-...

This has been an exceedingly difficult message to put together because of the complexity/gaps in existing workflows, but also because we have had to be sensitive about publicly sharing details that may lead to increased risk of compromise for popular packages that have already moved to TP

🧨 “Gaps in design and implementation with the new OIDC Trusted Publisher workflows leave maintainers open to novel and increasingly difficult to detect gaps in their publishing setups. We do not recommend critical projects move to this new workflow..." - @notwes.bsky.social

#Rust may soon be adding a built-in Security tab on crates.io to show RustSec advisories (vulns + “unsound APIs”) directly on crate pages. The RFC is in its Final Comment Period → socket.dev/blog/rust-rf... #rustlang cc: @rustaceans.bsky.social @thisweekinrust.bsky.social

This typosquat is all fancied up to look legit, seems like the threat actor put in a lot of effort here. We were once again impressed by how fast the crates.io team took it down! 👏 cc: @thisweekinrust.bsky.social @rustaceans.bsky.social @theembeddedrust.bsky.social @campuscodi.risky.biz

📉 November CVE publications fell 25% YoY, but 2025 is still tracking 16.9% higher overall. A reminder from @jgamblin.bsky.social: “global CVE counts” can swing based on a handful of major CNAs and their workflow throughput, so a quiet month is not a risk signal. socket.dev/blog/novembe... #cve

🙄 The holiday themed npm spam has arrived: 420+ auto-generated elf-stats-* packages claiming to be published every 2 min. This is just registry abuse at scale, and it’s a waste of everyone’s time. Nobody is going to accidentally install these packages but they're still unsafe to run. #NodeJS

Major props to the Crates.io team - they removed this crate within just minutes of it being reported. 💪 cc: @campuscodi.risky.biz @thisweekinrust.bsky.social @theembeddedrust.bsky.social @rustaceans.bsky.social @weeklyrust.substack.com.web.brid.gy

🎙️ Why great products don't always win: Socket CEO @feross.bsky.social breaks down a hard truth for technical founders in this conversation with Vlad Kachur on scaling a security company. Check out the full interview → socket.dev/blog/scaling... #appsec #infosec

⚠️ Major Update on the Shai Hulud v2 campaign: We’ve confirmed 834 malicious packages and now see spillover into Maven Central. The package org.mvnpm:posthog-node:4.18.1 contains the same Bun-based payload used in the npm compromise. Updated analysis → socket.dev/blog/shai-hu... #Java

More malicious Chrome extensions. Stay vigilant!

Webhooks for Alert Changes just dropped 🎉 No more refreshing dashboards. Socket now pushes every new, updated, or cleared alert straight into your workflow in real time. Perfect way to wrap Launch Week: Ruby reachability, Certified Patches, Bun/vlt, OpenVSX… and now this ⚡️