socket.dev
Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS. https://socket.dev

🪇🎉 ECMAScript 2025 is official! Iterator Helpers, Set methods, JSON Modules, Promise.try, and more have landed in the spec. See what's new → socket.dev/blog/ecmascr... #JavaScript

Over the weekend, Node.js quietly added a homepage button linking to paid third-party support for EOL versions. This controversial move sparked pushback and now the TSC is weighing next steps. Full story → socket.dev/blog/node-js... #NodeJS

The Socket Threat Research Team has uncovered an extended and ongoing North Korean supply chain attack that hides behind typosquatted npm packages. socket.dev/blog/north-k... @socket.dev

🚨 Contagious Interview returns:
North Korean threat actors just dropped 35 new malicious npm packages that use a HexEval loader to deploy BeaverTail malware.
These attacks target devs via fake job offers and coding tests laced with malware. Full analysis: socket.dev/blog/north-k... #NodeJS

🚨 The Socket Research Team has spotted a malicious #Python package typosquatting the popular 'passlib' library on PyPI: It shuts down Windows systems when users enter incorrect passwords. Details & IOCs: socket.dev/blog/malicio...

🚀 The Socket dashboard just got a major refresh! We've streamlined navigation, reduced visual clutter, and put your most critical security insights front and center. ✨ Check out what we've been building, now live for all users! socket.dev/blog/fresh-l...

So much good security leadership advice packed into this super dense interview @feross.bsky.social did w/ Amplitude’s Terry O’Daniel on his journey from infra engineer to CISO. If you want to learn more about building high-impact security teams, this is a great read: socket.dev/blog/terry-o...

From Yahoo to Netflix to Amplitude: Terry O’Daniel’s path from infra engineer to #CISO is full of lessons for security leaders on earning engineers’ trust, measuring what matters, and why AI is a hopeful shift for defenders. Check out @feross.bsky.social’s interview: socket.dev/blog/terry-o...

Seriously, I was sure that libxml2 was maintained by someone at Red Hat or something. Apparently it's used and deployed everywhere (from Apple to Microsoft, Google even) and they're not contributing and of course not even donating money. socket.dev/blog/libxml2...

✨ New MCP spec update adds structured tool output, stronger OAuth 2.1 security, resource binding, and protocol cleanups. Here’s a breakdown of what’s new and why it matters for teams building on MCP. socket.dev/blog/mcp-spe...

New survey finds more than 50% of CISOs now oversee 10+ security areas, often with few legal protections and short tenures. Here’s how they are justifying their budgets → socket.dev/blog/survey-... #CISO #cybersecurity #infosec

🚨 New Research: We uncovered hidden protestware in multiple #JavaScript UI toolkits on npm that disables all mouse-based interaction on websites for Russian-language users and plays the Ukrainian anthem. Read the full investigation: socket.dev/blog/protest...

What is common knowledge in your field, but shocks outsiders? Modern software development is mostly taking code from strangers for free and running it in production without reading it first. With a bit of your own code sprinkled on top.

The solo maintainer for libxml2 is no longer accepting embargoed vulnerability reports, citing the unsustainable burden as an unpaid volunteer. Security issues will be treated like any other bug report moving forward. socket.dev/blog/libxml2... #opensource #cybersecurity

"The basic idea is to treat security issues like any other bug. They will be made public immediately and fixed whenever maintainers have the time. There will be no deadlines. This policy will probably make some downstream users nervous but maybe it encourages them to contribute a little more."

🚨 New Socket research on malicious browser extensions: 🔹 Fake Apple popups (tech support scams) 🔹 Wikipedia redirects with XSS risks 🔹 Extensions faking likes & views Our investigation into threats undermining browser security → socket.dev/blog/the-gro...

Last call to register! Join us tomorrow to learn how Socket's reachability analysis can help you: ✔️ Slash false positives by 80% ✔️ Remediate issues 10× faster ✔️ Save $300,000+ annually for the average 100-engineer team 🗓️ Jun 13, 2025 1:30 PM EDT Sign up (it's free) - lnkd.in/eysjCDdd

📌 We've just released our 2025 #Blockchain & #Cryptocurrency Threat Report: Learn more about how credential stealers, drainers, cryptojackers & clippers are abusing open source package registries to target #Web3 devs. Full report → socket.dev/blog/2025-bl... #infosec

📦 Big news in the package management space this week: pnpm 10.12.1 is out with a new experimental global virtual store for near-instant installs and smarter version catalog controls. socket.dev/blog/pnpm-in... @pnpm.io #NodeJS

Node.js just released Amaro 1.0, its official #TypeScript loader. This sets the stage for TypeScript support in Node to move from “experimental” to “stable” later this year. socket.dev/blog/node-js... #nodejs h/t @robpalmer.bsky.social

🚨 Think twice before chasing Instagram growth hacks. Socket researchers uncovered a PyPI package disguised as an #Instagram followers booster that harvests user credentials and sends them to bot services. Full investigation → socket.dev/blog/pypi-pa... #Python

🎉 Socket now supports pylock.toml, enabling secure, reproducible #Python builds with advanced scanning and full alignment with PEP 751. Built for the new standard. Ready when you are. socket.dev/blog/socket-...

🧨 Socket’s Threat Research team uncovered two npm packages disguised as utilities, which came with a hidden kill switch. Add them to your app, and a secret POST request can delete everything. Read the investigation: socket.dev/blog/destruc... #JavaScript #NodeJS

We're excited to host a webinar on how Socket’s new reachability analysis is changing vulnerability management. See why teams are ditching noisy SCA tools for smarter, risk-focused prioritization. 📅 Jun 13, 2025 1:30 PM EDT 🎟️ Free to attend 🔗 Register: lnkd.in/eysjCDdd

Two malicious RubyGems packages posing as popular Fastlane CI/CD plugins redirect Telegram API requests to attacker-controlled servers to intercept and steal data.

🚨 New from the Socket Threat Research Team: Malicious #Ruby gems are impersonating Fastlane plugins to steal #Telegram tokens, messages, and files, just days after Vietnam's Telegram ban. socket.dev/blog/malicio...

🚨 New from the Socket Threat Research Team: We uncovered 4 malicious npm packages targeting #Ethereum and #BSC wallets, stealing up to 85% of a user's balance using obfuscated code. Yes, the maintainer was literally named "crypto-exploit" 🤦‍♀️ socket.dev/blog/malicio... #crypto

TC39 update: #JavaScript is getting some powerful new features! ✅ Array.fromAsync ✅ Error.isError ✅ `using` for explicit resource management All three are headed to the ECMAScript spec, plus 6 more proposals advanced. → socket.dev/blog/tc39-ad...

The #rustlang revolution in #JavaScript tooling continues! 🦀 @vite.dev has released Rolldown-Vite, a technical preview of its new Rust-based bundler. Early adopters are seeing 10x+ faster builds and huge memory savings. Available as drop-in replacement: socket.dev/blog/rolldow...

🚨 A single mistyped npm install can give an attacker remote access to wipe your entire codebase. This malicious package typosquats a popular Excel-to-JSON library—and silently deletes your project when triggered by a French command: remise à zéro. socket.dev/blog/npm-pac... #JavaScript #NodeJS

🚨 PyPI malware alert: A single malicious #Python package is silently hijacking #Solana wallets by monkey-patching key generation. 5 decoy packages, 25K+ downloads, and the stolen keys are exfiltrated on-chain. Full research → socket.dev/blog/monkey-... #crypto #CyberSecurity

The OpenJS Foundation is now a CNA for 40 hosted #JavaScript projects, including ESLint, Express, webpack, Fastify, Electron & more. It can assign CVEs, but each project still owns its own disclosure process. ☂️ Learn more: socket.dev/blog/openjs-... #CVE #CyberSecurity

🚀 Introducing Socket MCP: real-time dependency scoring for AI-generated code.
Stop risky packages at the prompt—before they hit your codebase. 🔹 Fits naturally into AI-assisted workflows 🔹 Uses Socket’s depscore API 🔹 Checks for supply chain risk, vulns, maintenance socket.dev/blog/socket-...

NIST is now under federal audit for its management of the NVD, as delays and data gaps mount. Meanwhile, CISA faces major leadership losses & budget cuts. The #CVE Foundation has proposed a roadmap to fill the gap. Vulnerability infrastructure is shifting: socket.dev/blog/us-gove... #cybersecurity

Look Mom, I'm famous! @socket.dev quoted me in their blog post. socket.dev/blog/node-js...

🚨 Socket’s Threat Research Team has uncovered 60 npm packages using post-install scripts to silently exfiltrate hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint. The payload is identical across all 60 packages: socket.dev/blog/60-mali... #JavaScript #NodeJS

Microsoft just announced "TypeScript Native Previews." 🎉 The new Go-based compiler is now on npm for public testing, with 10x faster builds and a VS Code extension for early editor support. Here’s what’s new → socket.dev/blog/typescr... #JavaScript #Typescript

Big thanks to @dangoodin.bsky.social for covering our latest threat research. This npm malware campaign includes 8 destructive packages targeting developers using #React, #Vue, #Vite, and the Quill editor.

🚨 We uncovered a malware campaign on npm targeting devs using #React, #Vue, #Vite, #Nodejs & the Quill rich text editor. These destructive packages delete files, crash systems, and break apps in subtle, chaotic ways. Full report → socket.dev/blog/malicio... #JavaScript #infosec

By me @forbes.com: Instagram and TikTok accounts targeted by trio of automated credential checking tools. #kudos @socket.dev for the excellent research, as always. #Infosec www.forbes.com/sites/daveyw...

⛔ Open source maintainers are urging GitHub to let them block Copilot from submitting AI-generated issues and PRs to their repos. They’re tired of AI slop wasting their time and draining limited resources. socket.dev/blog/oss-mai...

🚨 Socket found a malicious npm plugin that backdoors Koishi chatbots, exfiltrating any message containing an 8-character hex string to a QQ account. A concrete example of supply chain threats in open source #chatbot frameworks. socket.dev/blog/malicio... #JavaScript

📦 Not all packages are what they seem. In our 2025 mid-year threat report, we break down the top trends in how attackers are weaponizing open source dependencies to infiltrate supply chains. → socket.dev/blog/malicio...

🚨 New threat research: Malicious #Python packages are abusing TikTok & Instagram APIs to verify stolen emails, enabling targeted account attacks and dark web credential sales. socket.dev/blog/malicio...

🚨 Too many security alerts? We're fixing that. Excited to see @theregister.com cover our acquisition of Coana, an elite team building next-gen reachability analysis to cut through vulnerability noise.

I was among the voices strongly against this type of program, and yes, the key issues are largely around how an officially endorsed bounty program would put the wrong incentives in place at the detriment of other key areas.

The Node.js TSC has declined to endorse a feature bounty program, citing concerns over incentives, governance, and project neutrality. Full breakdown of the decision on the Socket blog → socket.dev/blog/node-js... #nodejs #javascript