Feross
feross.bsky.social
🧙‍♂️ Mad scientist • ✨ Founder + CEO @Socket.dev (http://socket.dev) •🌲 Stanford lecturer (http://cs253.stanford.edu) • ❤️ Open source at WebTorrent + StandardJS
Pinned
🚀 Big news for JavaScript teams: Socket now supports Bun and vlt in beta.

You no longer have to choose between innovation and security. Commit a bun.lock or vlt-lock.json and Socket gives you full supply chain protection.
More malicious Chrome extensions.

Stay vigilant!
November 25, 2025 at 7:57 PM
Reposted by Feross
Update: at time of writing Eleventy core (0.x, 1.x, 2.x, 3.x, 4.x prereleases) and our official plugins are still unaffected.

(Compromised package count was updated to 834 from 533 in the latest @socket.dev update)
⚠️ Major Update on the Shai Hulud v2 campaign:

We’ve confirmed 834 malicious packages and now see spillover into Maven Central. The package org.mvnpm:posthog-node:4.18.1 contains the same Bun-based payload used in the npm compromise.

Updated analysis →
socket.dev/blog/shai-hu... #Java
Shai Hulud Strikes Again (v2) - Socket
Another wave of the Shai-Hulud campaign has hit npm, with more than 500 packages and 700+ versions affected.
socket.dev
November 25, 2025 at 7:11 PM
Reposted by Feross
There is an ongoing npm security event.

At time of writing, Eleventy core and our official suite of plugins are unaffected.
🚨 A new wave of the Shai-Hulud supply chain attack has hit npm, impacting packages across widely used projects from AsyncAPI, ENS, Postman, PostHog, and Zapier. Attackers added a malicious preinstall script following account compromise. The investigation is ongoing:

socket.dev/blog/shai-hu...
Shai Hulud Strikes Again (v2) - Socket
Another wave of the Shai-Hulud campaign hits npm.
socket.dev
November 24, 2025 at 2:39 PM
Reposted by Feross
*this is fine meme*
🚨 A new wave of the Shai-Hulud supply chain attack has hit npm, impacting packages across widely used projects from AsyncAPI, ENS, Postman, PostHog, and Zapier. Attackers added a malicious preinstall script following account compromise. The investigation is ongoing:

socket.dev/blog/shai-hu...
Shai Hulud Strikes Again (v2) - Socket
Another wave of the Shai-Hulud campaign hits npm.
socket.dev
November 24, 2025 at 5:38 PM
Reposted by Feross
🤯 The number of affected packages in the Shai-Hulud npm attack has now reached 770. We’re continuing to investigate and will keep the blog post updated:

socket.dev/blog/shai-hu...
🚨 A new wave of the Shai-Hulud supply chain attack has hit npm, impacting packages across widely used projects from AsyncAPI, ENS, Postman, PostHog, and Zapier. Attackers added a malicious preinstall script following account compromise. The investigation is ongoing:

socket.dev/blog/shai-hu...
Shai Hulud Strikes Again (v2) - Socket
Another wave of the Shai-Hulud campaign hits npm.
socket.dev
November 24, 2025 at 11:19 PM
Reposted by Feross
that’s a scary read tbh
We have updated this list to include more than 500 packages and 700+ affected versions, as well as a technical analysis of the attack. socket.dev/blog/shai-hu....

cc: @campuscodi.risky.biz @typescript.fm @bleepingcomputer.com @theregister.com
November 24, 2025 at 11:37 PM
Reposted by Feross
We have updated this list to include more than 500 packages and 700+ affected versions, as well as a technical analysis of the attack. socket.dev/blog/shai-hu....

cc: @campuscodi.risky.biz @typescript.fm @bleepingcomputer.com @theregister.com
November 24, 2025 at 5:19 PM
Here we go again
🚨 A new wave of the Shai-Hulud supply chain attack has hit npm, impacting packages across widely used projects from AsyncAPI, ENS, Postman, PostHog, and Zapier. Attackers added a malicious preinstall script following account compromise. The investigation is ongoing:

socket.dev/blog/shai-hu...
Shai Hulud Strikes Again (v2) - Socket
Another wave of the Shai-Hulud campaign hits npm.
socket.dev
November 24, 2025 at 3:01 PM
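The quoted post says the attackers added a malicious preinstall script. The Node.js script below is an added example, not code from Socket, Eleventy or any of the affected projects: it audits which dependencies in an inventory of package manifests would execute code during `npm install`, and separates packages whose install scripts you have reviewed (an allowlist) from everything else. The manifests, package names and commands are constructed for the example; in practice you would collect them from node_modules/**/package.json.

```javascript
// Added example, not code from Socket, Eleventy or any affected project.
// npm runs the preinstall, install and postinstall scripts of every
// dependency automatically during `npm install` (and prepare for git
// dependencies), which is the hook the campaign above abused. This audit
// lists every such hook in an inventory of manifests and separates
// reviewed packages from the rest.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// manifests: map of "name@version" -> parsed package.json
// allowlist: package names whose install scripts you have reviewed (native
//            addons that need node-gyp, for example)
function auditInstallScripts(manifests, allowlist = []) {
  const allowed = new Set(allowlist);
  const report = { allowed: [], blocked: [] };
  for (const [id, manifest] of Object.entries(manifests)) {
    // lastIndexOf keeps the leading '@' of scoped names intact
    const name = id.slice(0, id.lastIndexOf('@'));
    const scripts = manifest.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      const command = scripts[hook];
      if (typeof command !== 'string' || command.trim() === '') continue;
      const finding = { package: id, hook, command };
      (allowed.has(name) ? report.allowed : report.blocked).push(finding);
    }
  }
  return report;
}

// Constructed inventory for the example; none of these packages is real.
const SAMPLE_MANIFESTS = {
  'plain-lib@1.0.0': {
    name: 'plain-lib',
    version: '1.0.0',
    scripts: { test: 'node test.js' }, // test scripts never run on install
  },
  'native-addon-like@2.1.0': {
    name: 'native-addon-like',
    version: '2.1.0',
    scripts: { install: 'node-gyp rebuild' }, // legitimate native build step
  },
  '@acme/widget@3.4.5': {
    name: '@acme/widget',
    version: '3.4.5',
    scripts: { preinstall: 'node scripts/setup.js', test: 'mocha' }, // unreviewed
  },
};

const report = auditInstallScripts(SAMPLE_MANIFESTS, ['native-addon-like']);
for (const f of report.blocked) console.log(`BLOCK ${f.package} ${f.hook}: ${f.command}`);
for (const f of report.allowed) console.log(`allow ${f.package} ${f.hook}: ${f.command}`);
```

Pair this with `ignore-scripts=true` in .npmrc so npm skips these hooks by default, then run `npm rebuild <package>` only for the allowlisted packages that genuinely need a build step.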
Webhooks for Alert Changes just dropped 🎉

No more refreshing dashboards. Socket now pushes every new, updated, or cleared alert straight into your workflow in real time.

Perfect way to wrap Launch Week: Ruby reachability, Certified Patches, Bun/vlt, OpenVSX… and now this ⚡️
November 22, 2025 at 12:33 AM
IDE extensions are a silent nightmare.

VS Code extensions get full access to your code and creds, and attackers have already slipped malware into VS Code Marketplace and OpenVSX.

So Socket now scans OpenVSX extensions before they ever hit your machine. 🔍⚡️
November 20, 2025 at 5:39 PM
🚀 Big news for JavaScript teams: Socket now supports Bun and vlt in beta.

You no longer have to choose between innovation and security. Commit a bun.lock or vlt-lock.json and Socket gives you full supply chain protection.
November 19, 2025 at 5:21 PM
👀
✅ Here I am
✅ Here am I
✅ I am here
✅ Am I here?
❌ I here am
❌ Am here I
November 19, 2025 at 7:46 AM
Reposted by Feross
Certified Patches are available today in closed beta for enterprise teams (JavaScript/TypeScript).
Want early access? Contact [email protected] or your customer success manager.
November 18, 2025 at 7:39 PM
Reposted by Feross
Patches live locally in your repo, apply during builds, and require zero workflow changes. No registry proxies. No new infra. Patches belong to you - there's no lock-in.
Pair Certified Patches with Socket Reachability and you get a clear path to zero exploitable CVEs instantly.
November 18, 2025 at 7:39 PM
Reposted by Feross
Recent supply chain attacks have shown us a hard truth: updating dependencies can sometimes be risky. With Certified Patches, you can now eliminate CVEs instantly without upgrading or pulling in new, unvetted code.
November 18, 2025 at 7:39 PM
Reposted by Feross
🚀 Day 2 of Socket Launch Week:

Today we’re introducing a major shift in how developers fix vulnerabilities: Socket Certified Patches.
One-click, safe-by-design remediation for vulnerable dependencies.
November 18, 2025 at 7:39 PM
Reposted by Feross
🚨 New npm malware campaign uncovered: 7 malicious packages use Adspect cloaking and fake CAPTCHAs to hide redirects to #crypto scam sites.

Read the full analysis → socket.dev/blog/npm-mal...
npm Malware Campaign Uses Adspect Cloaking to Deliver Malici...
Malicious npm packages use Adspect cloaking and fake CAPTCHAs to fingerprint visitors and redirect victims to crypto-themed scam sites.
socket.dev
November 17, 2025 at 3:00 PM
Reposted by Feross
This is a novel technique attackers are using to distribute browser-executed malware through npm.

cc: @campuscodi.risky.biz
November 19, 2025 at 3:20 AM
🚀 Day Two of Socket Launch Week!

We’re launching @socket.dev Certified Patches—a new way to eliminate vulnerabilities instantly without upgrading your package versions or pulling in risky new code.

Tiny, human-reviewed fixes that give teams a clean path to zero exploitable CVEs.
November 18, 2025 at 8:03 PM
Reposted by Feross
Woo!!!

🫶🏼 #socket
1/ Ruby teams, this one’s for you 🔥

Today we’re launching Reachability for Ruby in beta. It identifies which Ruby vulnerabilities are actually exploitable in your app… and which ones are just noise.
November 17, 2025 at 7:57 PM
1/ Ruby teams, this one’s for you 🔥

Today we’re launching Reachability for Ruby in beta. It identifies which Ruby vulnerabilities are actually exploitable in your app… and which ones are just noise.
November 17, 2025 at 6:24 PM
Recently went on @changelog.com to talk about the wild surge of npm supply chain attacks… and what developers can actually do to stay safe 🔥

We broke down the real, practical steps every team should take:

• Lockfiles matter more than people think
• Delay new package versions to dodge fresh malware
Feross on the most serious supply chain attacks in npm history (and what we can do about it)
YouTube video by Changelog
www.youtube.com
November 12, 2025 at 7:04 PM
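Two of the steps listed above, lockfiles and delaying new package versions, as an added Node.js example that is not Socket's code and not from the Changelog episode. `time` is the real field the npm registry returns in a packument, and `packages`, `resolved` and `integrity` are the real package-lock.json (lockfileVersion 2/3) fields; the package, dates, lockfile contents, the 7-day minimum age and the integrity placeholder are constructed assumptions.

```javascript
// Added example, not Socket's code. Two of the mitigations above as checks
// you can run before trusting a dependency:
//  1. pickMatureVersion: choose the newest release that has been public for
//     at least N days, using the `time` map the npm registry returns in every
//     packument (GET https://registry.npmjs.org/<name>), so a version that
//     appeared today after an account takeover is not picked up immediately.
//  2. lockfileIssues: find package-lock.json entries that lack an integrity
//     hash or resolve to a host other than the registry you expect. `npm ci`
//     enforces the lockfile, but only checks what the lockfile says.

const DAY_MS = 24 * 60 * 60 * 1000;
const PLAIN_VERSION = /^\d+\.\d+\.\d+$/; // prereleases are skipped here

function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// `now` is injectable so the result is deterministic offline.
function pickMatureVersion(packument, minAgeDays, now = Date.now()) {
  const cutoff = now - minAgeDays * DAY_MS;
  const mature = Object.entries(packument.time || {})
    .filter(([version, iso]) => PLAIN_VERSION.test(version) && Date.parse(iso) <= cutoff)
    .map(([version]) => version)
    .sort(compareVersions);
  return mature.length ? mature[mature.length - 1] : null;
}

// lockfileVersion 2/3 keeps every dependency under `packages`, keyed by its
// node_modules path; '' is the root project and `link: true` marks a
// workspace symlink, neither of which has a tarball to verify.
function lockfileIssues(lock, allowedHost = 'registry.npmjs.org') {
  const issues = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue;
    if (!entry.integrity) issues.push({ path, issue: 'missing integrity hash' });
    if (!entry.resolved) {
      issues.push({ path, issue: 'missing resolved URL' });
      continue;
    }
    let host = null;
    try { host = new URL(entry.resolved).host; } catch { /* not a URL */ }
    if (host !== allowedHost) {
      issues.push({ path, issue: `resolved from ${host || entry.resolved}, not ${allowedHost}` });
    }
  }
  return issues;
}

// Constructed packument and lockfile; the package, dates and hash are not
// real. Scenario: it is 2025-11-24 and 4.2.0 was published that morning.
const SAMPLE_PACKUMENT = {
  name: 'example-lib',
  'dist-tags': { latest: '4.2.0' },
  time: {
    created: '2024-01-10T00:00:00.000Z',
    modified: '2025-11-24T09:00:00.000Z',
    '4.0.0': '2025-06-01T12:00:00.000Z',
    '4.1.0': '2025-10-02T12:00:00.000Z',
    '4.2.0': '2025-11-24T09:00:00.000Z',
  },
};
const NOW = Date.parse('2025-11-24T15:00:00.000Z');

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/example-lib': {
      version: '4.1.0',
      resolved: 'https://registry.npmjs.org/example-lib/-/example-lib-4.1.0.tgz',
      integrity: 'sha512-' + 'A'.repeat(86) + '==', // placeholder, not a real hash
    },
    'node_modules/odd-dep': {
      version: '0.3.1',
      resolved: 'https://mirror.example.invalid/odd-dep-0.3.1.tgz', // no integrity, wrong host
    },
  },
};

console.log('install:', pickMatureVersion(SAMPLE_PACKUMENT, 7, NOW)); // 4.1.0, not today's 4.2.0
for (const i of lockfileIssues(SAMPLE_LOCK)) console.log(`${i.path}: ${i.issue}`);
```

The age gate is a policy knob, not a guarantee: a compromised version that has sat unnoticed for longer than the window passes it, which is why the lockfile check and a registry scanner still matter alongside it.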
Today, we’re launching Socket Firewall Enterprise — built to stop malicious packages before they ever reach your apps or developer systems.
October 24, 2025 at 3:56 PM
You’d never clone a random repo and give it your production keys… But that’s literally what your GitHub Actions do every time they run.

Think about it — your GitHub Actions pipeline pulls in random code straight from the internet, runs it with full access to secrets, tokens, everything.
October 23, 2025 at 8:24 PM
Security shouldn’t require duct-taping scanners together. Today we’re launching Socket Basics — one platform for:

🧠 Static analysis
🔑 Secrets detection
🐳 Container scanning
🧩 CVE checks

All built on proven open source tools. One setup. One dashboard. Zero noise.

www.youtube.com/watch?v=WZEV...
Unify Your Security Stack with Socket Basics
YouTube video by Socket Security
www.youtube.com
October 21, 2025 at 7:00 PM