Feross
feross.bsky.social
🧙‍♂️ Mad scientist • ✨ Founder + CEO @Socket.dev (http://socket.dev) •🌲 Stanford lecturer (http://cs253.stanford.edu) • ❤️ Open source at WebTorrent + StandardJS
Pinned
🚀 Big news for JavaScript teams: Socket now supports Bun and vlt in beta.

You no longer have to choose between innovation and security. Commit a bun.lock or vlt-lock.json and Socket gives you full supply chain protection.
Reposted by Feross
📜 A good summary of recent developments around the Temporal API by @sarahgooding.bsky.social

Temporal is the modern replacement for the old JS Date API ✨
January 16, 2026 at 6:13 PM
Reposted by Feross
🎙️ Socket CEO @feross.bsky.social joined host Allie Howe on the Insecure Agents podcast to talk about Certified Patches, supply chain security, and the future of securing AI agents.

Check out the full episode →
socket.dev/blog/insecur...
Insecure Agents Podcast: Certified Patches, Supply Chain Sec...
Socket CEO Feross Aboukhadijeh joins Insecure Agents to discuss CVE remediation and why supply chain attacks require a different security approach.
socket.dev
January 8, 2026 at 10:42 PM
Reposted by Feross
😭 💔 "I feel like a fucking idiot for somehow being able to build this CSS framework that's taken over the world and it's used by everything and it's super popular, but I can't figure out how to have it make enough money that eight people can work on it." - @adamwathan.com
💔 @tailwindcss.com laid off 75% of its engineering team after revenue dropped 80%, despite being more popular than ever. LLMs are killing documentation traffic, breaking the business model that funds development on many open source projects.

Full story → socket.dev/blog/tailwin... #OSS #CSS
Tailwind CSS Announces 75% Layoffs as LLMs Reshape OSS Busin...
Tailwind Labs laid off 75% of its engineering team after revenue dropped 80%, as LLMs redirect traffic away from documentation where developers discov...
socket.dev
January 8, 2026 at 7:51 PM
Strongly recommend this post on npm’s staged publishing change after supply-chain turmoil. npm will roll out staged publishing to add a review step before releases go live after the Shai-Hulud attacks, giving maintainers a chance to catch bad releases.

Read it here: socket.dev/blog/npm-to-...
npm to Implement Staged Publishing After Turbulent Shift Off...
The planned feature introduces a review step before releases go live, following the Shai-Hulud attacks and a rocky migration off classic tokens that d...
socket.dev
January 7, 2026 at 7:58 PM
Must-read from Nicholas C. Zakas (ESLint maintainer) on how GitHub could better secure npm and prevent supply-chain attacks. humanwhocodes.com/blog/2026/01...
How GitHub could secure npm - Human Who Codes
Why doesn't npm detect compromised packages the way credit card companies detect fraud?
humanwhocodes.com
January 7, 2026 at 7:55 PM
Reposted by Feross
@npmjs.bsky.social appears to be massively under-resourced for the scale of the registry it operates. My respect to the teams keeping it running through wave after wave of supply chain attacks.
npm is planning to implement staged publishing, adding a review step before packages go live.

It follows a year of supply chain attacks & a rocky shift away from classic tokens over the past month that left many maintainers struggling.

socket.dev/blog/npm-to-... #NodeJS cc: @campuscodi.risky.biz
npm to Implement Staged Publishing After Turbulent Shift Off...
The planned feature introduces a review step before releases go live, following the Shai-Hulud attacks and a rocky migration off classic tokens that d...
socket.dev
January 7, 2026 at 6:25 PM
Reposted by Feross
🤖⚔️ Battle of the Bots:

Dependabot opens a PR. Socket flags it as malicious.

Socket CEO @feross.bsky.social discusses dependency risk and update timing, on @softwaredaily.bsky.social.

Full episode → socket.dev/blog/softwar...
January 6, 2026 at 10:23 PM
Reposted by Feross
🎙️ In this episode of @softwaredaily.bsky.social, Socket CEO @feross.bsky.social discusses #OSS maintainer burnout.

“I put this code online as a gift to the world. I didn’t promise it would never have a defect.”

Full episode → socket.dev/blog/softwar... #OpenSource
January 6, 2026 at 6:02 PM
Reposted by Feross
🚨 New research: A spearphishing campaign published 27 malicious npm packages that host browser-run lures mimicking document portals and Microsoft sign-in to steal credentials. This operation targets manufacturing and healthcare orgs in the U.S. and allied countries.

socket.dev/blog/spearph...
Spearphishing Campaign Abuses npm Registry to Target U.S. an...
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, ta...
socket.dev
December 23, 2025 at 7:47 PM
Reposted by Feross
Another example of attackers abusing npm as infrastructure. Our threat research team found a spearphishing campaign that published 27 malicious packages to host browser-run phishing pages.

cc: @campuscodi.risky.biz @cisoseries.bsky.social @zackwhittaker.com
🚨 New research: A spearphishing campaign published 27 malicious npm packages that host browser-run lures mimicking document portals and Microsoft sign-in to steal credentials. This operation targets manufacturing and healthcare orgs in the U.S. and allied countries.

socket.dev/blog/spearph...
Spearphishing Campaign Abuses npm Registry to Target U.S. an...
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, ta...
socket.dev
December 23, 2025 at 8:32 PM
Reposted by Feross
Don’t trust free VPNs, don’t install joke Chrome extensions. You know what, just don’t install anything at all from now on. And get a new PC.
🚨 Socket’s Threat Research Team uncovered two malicious "Phantom Shuttle" Chrome extensions masquerading as a VPN since at least 2017, intercepting traffic and exfiltrating credentials via attacker-controlled proxies.

Full research → socket.dev/blog/malicio...
Malicious Chrome Extensions “Phantom Shuttle” Masquerade as ...
Fake “Phantom Shuttle” VPN Chrome extensions (active since 2017) hijack proxy auth to intercept traffic and continuously exfiltrate user credentials t...
socket.dev
December 23, 2025 at 5:43 AM
Reposted by Feross
🚨 Socket’s Threat Research Team uncovered two malicious "Phantom Shuttle" Chrome extensions masquerading as a VPN since at least 2017, intercepting traffic and exfiltrating credentials via attacker-controlled proxies.

Full research → socket.dev/blog/malicio...
Malicious Chrome Extensions “Phantom Shuttle” Masquerade as ...
Fake “Phantom Shuttle” VPN Chrome extensions (active since 2017) hijack proxy auth to intercept traffic and continuously exfiltrate user credentials t...
socket.dev
December 22, 2025 at 9:21 PM
Reposted by Feross
Chrome extensions are still a wild west ecosystem.

This fake “VPN” ran for years and charged users for the privilege of silently intercepting their traffic.

cc: @campuscodi.risky.biz @zackwhittaker.com @cisoseries.bsky.social
🚨 Socket’s Threat Research Team uncovered two malicious "Phantom Shuttle" Chrome extensions masquerading as a VPN since at least 2017, intercepting traffic and exfiltrating credentials via attacker-controlled proxies.

Full research → socket.dev/blog/malicio...
Malicious Chrome Extensions “Phantom Shuttle” Masquerade as ...
Fake “Phantom Shuttle” VPN Chrome extensions (active since 2017) hijack proxy auth to intercept traffic and continuously exfiltrate user credentials t...
socket.dev
December 22, 2025 at 9:58 PM
Congrats @docker.com! This is the right move for the ecosystem.

In case you missed this detail: with Docker Hardened Images teams get secure application dependencies by default. @socket.dev Firewall is built in.
docker.com Docker @docker.com · Dec 17
Hardened images should be the baseline, not a bonus feature.

@thenewstack.io breaks down why we made Docker Hardened Images free. Featuring Docker's VP of Product, Mike Donovan, on security, open source, and what comes next.
🔗 https://bit.ly/3N4DXt6
#DHI #OpenSource
Docker Sets Free the Hardened Container Images
Docker has made Docker Hardened Images (DHI) a free service, offering prepatched, secure SBOM-ready versions of widely used open source applications.
thenewstack.io
December 17, 2025 at 7:03 PM
Reposted by Feross
We’re partnering with @docker.com to make software development safer for everyone!

Socket Firewall Free is now bundled into Docker Hardened Images, adding build-time and dependency-install supply chain protection for @nodejs.org, @python.org, and @rust-lang.org

socket.dev/blog/socket-...
Socket Firewall Now Available in Docker Hardened Images - So...
Socket Firewall Free is now bundled into Docker Hardened Images, adding build-time and dependency-install supply chain protection on top of hardened b...
socket.dev
December 17, 2025 at 3:39 PM
Reposted by Feross
🥷 In this @softwaredaily.bsky.social episode, @feross.bsky.social talks about the dark side of Chrome extensions getting bought and sold to unknown buyers, a super common supply chain risk most users never see.

Check out the full episode → socket.dev/blog/softwar...
December 15, 2025 at 9:37 PM
Reposted by Feross
It's not only NPM.
socket.dev Socket @socket.dev · Dec 15
🚨 New threat research: An impostor #NuGet package typosquatted a popular .NET tracing library and its author, using homoglyph tricks to blend in, then exfiltrated #Stratis wallet JSON and passwords to a Russian IP address.
Full report →
socket.dev/blog/malicio... #dotnet
Malicious NuGet Package Typosquats Popular .NET Tracing Libr...
Impostor NuGet package Tracer.Fody.NLog typosquats Tracer.Fody and its author, using homoglyph tricks, and exfiltrates Stratis wallet JSON/passwords t...
socket.dev
December 15, 2025 at 10:26 PM
Reposted by Feross
This is an extremely convincing typosquat. Also a good reminder that Google’s AI summaries are not a reliable way to determine whether a package is safe to use. 😵‍💫
socket.dev Socket @socket.dev · Dec 15
🚨 New threat research: An impostor #NuGet package typosquatted a popular .NET tracing library and its author, using homoglyph tricks to blend in, then exfiltrated #Stratis wallet JSON and passwords to a Russian IP address.
Full report →
socket.dev/blog/malicio... #dotnet
Malicious NuGet Package Typosquats Popular .NET Tracing Libr...
Impostor NuGet package Tracer.Fody.NLog typosquats Tracer.Fody and its author, using homoglyph tricks, and exfiltrates Stratis wallet JSON/passwords t...
socket.dev
December 15, 2025 at 4:38 PM
Reposted by Feross
🔮 The Myth of Magical Code from the Sky: Modern apps run on mountains of open source code that almost no one is actually reviewing.

In this @softwaredaily.bsky.social episode, @feross.bsky.social joins @joshuakgoldberg.com to talk about why that’s so risky.

Check it out → socket.dev/blog/softwar...
December 12, 2025 at 2:18 AM
Reposted by Feross
🧨 “Gaps in design and implementation with the new OIDC Trusted Publisher workflows leave maintainers open to novel and increasingly difficult to detect gaps in their publishing setups. We do not recommend critical projects move to this new workflow..." - @notwes.bsky.social
socket.dev Socket @socket.dev · Dec 10
npm has revoked classic tokens for publishing, pushing maintainers toward OIDC trusted publishing or granular tokens. But @openjsf.org warns trusted publishing still has risky gaps for critical projects. What maintainers should do next:

socket.dev/blog/npm-rev... #NodeJS #JavaScript
npm Revokes Classic Tokens, as OpenJS Warns Maintainers Abou...
GitHub has revoked npm classic tokens for publishing; maintainers must migrate, but OpenJS warns OIDC trusted publishing still has risky gaps for crit...
socket.dev
December 10, 2025 at 6:03 AM
Reposted by Feross
Feross Aboukhadijeh is the founder and CEO of @socket.dev. He joins @joshuakgoldberg.com to talk about his career, open source supply chain attacks, practical security lessons, the expanding attack surface in software development, and more.

@feross.bsky.social

bit.ly/4iMDU14
Blocking Software Supply Chain Attacks with Feross Aboukhadijeh - Software Engineering Daily
Modern software relies heavily on open source dependencies, often pulling in thousands of packages maintained by developers all over the world. This accelerates innovation but also creates serious sup...
softwareengineeringdaily.com
December 9, 2025 at 10:36 AM
Reposted by Feross
Want to work with me and a number of world-class JS open source developers at @socket.dev protecting ALL open source libraries from supply chain attacks?

We're looking for stellar frontend developers. DM me
December 10, 2025 at 6:12 PM
Excellent work, crates.io team!
This typosquat is all fancied up to look legit, seems like the threat actor put in a lot of effort here. We were once again impressed by how fast the crates.io team took it down! 👏

cc: @thisweekinrust.bsky.social @rustaceans.bsky.social @theembeddedrust.bsky.social @campuscodi.risky.biz
🚨 New Socket Threat Research: We found a malicious typosquat targeting Rust devs. The finch-rust crate mimics the legit finch crate but loads a credential-stealing payload and exfiltrates data to rust-docs-build[.]vercel[.]app.

Details + IOCs: socket.dev/blog/malicio... #Rustlang
December 5, 2025 at 11:40 PM