Feross
@feross.bsky.social
4.8K followers 20 following 65 posts
🧙‍♂️ Mad scientist • ✨ Founder + CEO @Socket.dev (http://socket.dev) •🌲 Stanford lecturer (http://cs253.stanford.edu) • ❤️ Open source at WebTorrent + StandardJS
Pinned
feross.bsky.social
1/ 🚨 NEW NPM MALWARE CAMPAIGN. Yes, another.

North Korea’s “Contagious Interview” campaign is escalating: 338 malicious npm packages, 50,000+ downloads -- 25 still live.

Aimed at Web3/crypto devs & job seekers via slick recruiter DMs → git clone → npm install → compromise.
Reposted by Feross
socket.dev
North Korea’s “Contagious Interview” campaign continues to weaponize npm: 338 malicious packages, 50K+ downloads. Leveraging typosquats, loader tweaks, and new aliases, it targets #crypto devs and job seekers via recruiter lures.

Full Report →
socket.dev/blog/north-k... #NodeJS
North Korea’s Contagious Interview Campaign Escalates: 338 M...
The Socket Threat Research Team is tracking weekly intrusions into the npm registry that follow a repeatable adversarial playbook used by North Korean...
feross.bsky.social
3/ 🛡️ We filed takedowns, but without disabling operators it’s a revolving door.

Do this now: treat npm install as code exec, block postinstall/egress/decrypt-and-eval, require real-time PR scans, harden CI/laptops. Socket can help: GitHub App, CLI, Firewall, Extension, MCP. 🔐
feross.bsky.social
2/ 🎯 Playbook:

LinkedIn recon → npm typosquats (epxresso, dotevn, vaildator, metamask-api, ethrs.js, we3.js, truffel…) → loaders (HexEval, XORIndex, AES-256-CBC) rebuild BeaverTail in memory → C2 via benign endpoints on Vercel → creds/wallet/CI footholds
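The playbook and the "treat npm install as code exec" advice in the two posts above are what a pre-install gate should encode. What follows is an added example written for this page, not Socket's tooling or anything Feross posted: a Node.js check that, given a cloned project's package.json, flags dependency names within a small edit distance of well-known packages (the typosquat pattern: "dotevn", "truffel", "we3.js") and reports any lifecycle script that would run during install. Everything in it is assumed for illustration: the short list of "popular" names, the edit-distance threshold of 2, the ".js"/"-js" suffix normalization, and the sample manifest, which is constructed and not a real lure.

```javascript
'use strict';

// Constructed allowlist of well-known names for this example; a real gate
// would compare against a much larger list or registry download data.
const POPULAR_PACKAGES = ['express', 'dotenv', 'validator', 'ethers', 'web3', 'truffle', 'lodash'];

// Lifecycle scripts npm runs during `npm install`: preinstall/install/postinstall
// for every installed package, prepare for the root package on a bare install.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Optimal string alignment (restricted Damerau-Levenshtein) distance, so an
// adjacent transposition such as "dotevn" -> "dotenv" costs one edit.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Heuristic (an assumption of this example): strip the ".js"/"-js" dressing a
// squatter adds to a real name ("we3.js", "ethrs.js") before comparing.
function normalizeName(name) {
  return name.toLowerCase().replace(/(\.js|-js)$/, '');
}

// Report every dependency whose normalized name sits within maxDistance edits
// of a known package but is not that package itself.
function findTyposquats(depNames, known = POPULAR_PACKAGES, maxDistance = 2) {
  const hits = [];
  for (const name of depNames) {
    if (known.includes(name)) continue; // exact known name is fine
    const candidate = normalizeName(name);
    let best = null;
    for (const k of known) {
      const distance = osaDistance(candidate, k);
      if (distance <= maxDistance && (best === null || distance < best.distance)) {
        best = { name, lookalike: k, distance };
      }
    }
    if (best) hits.push(best);
  }
  return hits;
}

// List the install-time hooks a manifest declares, with their commands.
function installScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Combined verdict: block the install if either signal fires.
function auditManifest(manifest) {
  const deps = Object.keys({ ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) });
  const typosquats = findTyposquats(deps);
  const hooks = installScripts(manifest);
  return { typosquats, hooks, block: typosquats.length > 0 || hooks.length > 0 };
}

// Constructed sample: package.json of a cloned "take-home assignment".
const SAMPLE_MANIFEST = {
  name: 'take-home-assignment',
  version: '1.0.0',
  scripts: { test: 'node test.js', postinstall: 'node ./scripts/setup.js' },
  dependencies: {
    epxresso: '^1.0.0', dotevn: '^1.0.0', vaildator: '^1.0.0',
    'ethrs.js': '^1.0.0', 'we3.js': '^1.0.0', truffel: '^1.0.0',
    lodash: '^4.17.21',
  },
};

const REPORT = auditManifest(SAMPLE_MANIFEST);
console.log(JSON.stringify(REPORT, null, 2));
```

For the sample manifest this reports six lookalikes (all six squatted names resolve to the real package they imitate; "lodash" passes as an exact match) plus the postinstall hook, and sets block to true. The distance threshold is deliberately loose and will misfire on very short names ("got" vs "god"), so a production gate should tighten it for names under five characters and treat scoped packages separately; the hook check is the part that matters most, since a postinstall script is exactly the loader stage in the playbook.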
feross.bsky.social
3/ Key items for security teams. Do these now:

• Force password resets for exposed accounts (prioritize Office365).
• Turn on MFA everywhere.
• Block/quarantine HTML attachments in email gateways.
• Monitor unpkg requests matching redirect-*/beamglea.js and the 7 C2 domains.
feross.bsky.social
2/ How it works: threat actors publish "redirect-xxxxxx" packages with JS files that redirect victims (with pre-filled emails) to credential-harvesters.

Packages don’t run on npm install. They’re just using unpkg as free, trusted hosting for the attack payload.

Sneaky. 😬
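The detection item in the 3/ post (watch unpkg requests matching redirect-*/beamglea.js) and the hosting trick in the 2/ post translate into a simple log check. The block below is an added example for this page, not Socket's detection logic: it parses outbound-proxy log lines, keeps only unpkg requests, splits the first path segment into package name and version, and flags a package name of the form redirect-<anything> or a fetched file named beamglea.js. The log format, the client addresses and the redirect-abc123 / redirect-q7z2 package names are all constructed for the sample and do not refer to real packages; the seven C2 domains the post mentions are not listed on the page, so the example does not try to match them.

```javascript
'use strict';

// Constructed proxy log lines: timestamp, client, method, URL, status.
// Not real traffic; the redirect-* names are made up to fit the pattern.
const SAMPLE_LOGS = [
  '2025-10-01T10:00:01Z 10.0.0.5 GET https://unpkg.com/redirect-abc123@1.0.0/beamglea.js 200',
  '2025-10-01T10:00:02Z 10.0.0.7 GET https://unpkg.com/lodash@4.17.21/lodash.min.js 200',
  '2025-10-01T10:00:03Z 10.0.0.9 GET https://unpkg.com/redirect-q7z2@0.0.1/redirect.js 200',
  '2025-10-01T10:00:04Z 10.0.0.9 GET https://unpkg.com/redirect@1.0.0/index.js 200',
  '2025-10-01T10:00:05Z 10.0.0.3 GET https://cdn.example.net/redirect-abc123/beamglea.js 200',
];

const UNPKG_HOSTS = new Set(['unpkg.com']);

// Split an unpkg path into package name, version spec and requested file:
// "/redirect-abc123@1.0.0/beamglea.js" -> { name, version, file }.
// Scoped packages ("/@scope/name@1.0.0/file") take two segments for the name.
function parseUnpkgPath(pathname) {
  const segments = pathname.split('/').filter(Boolean);
  if (segments.length === 0) return null;
  let first = segments[0];
  let rest = segments.slice(1);
  if (first.startsWith('@') && segments.length > 1) {
    first = `${segments[0]}/${segments[1]}`;
    rest = segments.slice(2);
  }
  const at = first.lastIndexOf('@');
  const name = at > 0 ? first.slice(0, at) : first;
  const version = at > 0 ? first.slice(at + 1) : null;
  return { name, version, file: rest.join('/') };
}

// Classify one URL. Only unpkg hosts are considered, matching the post's
// indicator; a redirect-* package name or a beamglea.js file is a hit.
function classifyRequest(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { suspicious: false, reason: 'unparseable url' };
  }
  if (!UNPKG_HOSTS.has(url.hostname)) return { suspicious: false, reason: 'not unpkg' };
  const pkg = parseUnpkgPath(url.pathname);
  if (!pkg) return { suspicious: false, reason: 'no package in path' };
  const reasons = [];
  if (/^redirect-[a-z0-9._-]+$/i.test(pkg.name)) reasons.push('redirect-* package name');
  if (/(^|\/)beamglea\.js$/.test(pkg.file)) reasons.push('beamglea.js payload');
  return {
    suspicious: reasons.length > 0,
    reason: reasons.join('; '),
    package: pkg.name,
    version: pkg.version,
    file: pkg.file,
  };
}

// Run the classifier over whitespace-separated log lines and collect hits.
function scanLogs(lines) {
  const hits = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 4) continue; // malformed line, skip
    const [ts, client, , url] = fields;
    const verdict = classifyRequest(url);
    if (verdict.suspicious) hits.push({ ts, client, url, reason: verdict.reason });
  }
  return hits;
}

const HITS = scanLogs(SAMPLE_LOGS);
console.log(JSON.stringify(HITS, null, 2));
```

On the sample it flags the first and third lines only: the package literally named "redirect" on the fourth line does not match redirect-*, and the fifth line is not an unpkg host, which is the point of keying on the hosting pattern rather than on the file name alone. Add other CDN hostnames to UNPKG_HOSTS if your proxy sees the same packages served through a different front.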
feross.bsky.social
1/ 🚨 We just found a massive abuse of the npm ecosystem:

• Targeting 135+ orgs worldwide 🤯
• 175 malicious npm packages (26k+ downloads)
• 630+ HTML lures
• Weaponized unpkg as free CDN hosting for credential-phishing attacks

👀 More details ⬇️⬇️⬇️
feross.bsky.social
You never want to miss a conversation with Matteo or Luca — they’ve shaped the Node.js world from the inside out.

youtube.com/live/lCHRB-rihZc?feature=share
Inside the Latest npm Attack (with Feross Aboukhadijeh)
YouTube video by Platformatic
feross.bsky.social
🚨 Another major npm supply-chain attack just hit — and it’s a wake-up call for anyone building on open source.

I join @nodeland.dev — creator of Fastify, Node.js core maintainer, and an open-source legend — and Luca Maraschi to break down how attackers are infiltrating npm.
Inside the Latest npm Attack (with Feross Aboukhadijeh)
YouTube video by Platformatic
Reposted by Feross
socket.dev
🐍 New on the blog: PEP 810 adds 'lazy import' syntax to defer module loading until first use, cutting startup time by 50–70%. Already sparking debate: an HN thread hit 350+ points and ~200 comments in <24 hrs. #Python
Read More → socket.dev/blog/pep-810-proposes-explicit-lazy-imports-for-python-3-15
PEP 810 Proposes Explicit Lazy Imports for Python 3.15 - Soc...
An opt-in lazy import keyword aims to speed up Python startups, especially CLIs, without the ecosystem-wide risks that sank PEP 690.
feross.bsky.social
Yes, if you use dependencies from npm.
Reposted by Feross
socket.dev
🎙️ Socket CEO @feross.bsky.social breaks down the recent npm attacks on the PodRocket podcast: phishing campaigns, AI-weaponized exploits, the Shai-Hulud worm, GitHub Actions flaws, and more.

Essential listening for JS devs concerned about supply chain security in 2025.
socket.dev/blog/podrock...
PodRocket Podcast: Inside the Recent npm Supply Chain Attack...
Socket CEO Feross Aboukhadijeh discusses the recent npm supply chain attacks on PodRocket, covering novel attack vectors and how developers can protec...
feross.bsky.social
Thank you! We try our best!!
Reposted by Feross
angellozan.live
This is freaking amazing. Folx at @socket.dev are magical security unicorns

#security #secops #dev #SupplyChain #npm
feross.bsky.social
🚨 Open source supply chain attacks are exploding.

Starting today, that ends.

We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI.

Just run:

npm i -g sfw
sfw npm install lodash

Works for: npm, yarn, pnpm, pip, uv, and cargo.
feross.bsky.social
For sure. We encourage developers to consider adding alias npm="sfw npm" to their .bashrc profiles so they can keep typing "npm install", preserving muscle memory while benefiting from safe installs.
feross.bsky.social
Hahaha, we thought some folks would see it that way for sure! ;)
feross.bsky.social
Had a SUPER fun conversation on @LogRocket about the huge npm supply chain attacks we've seen over the past 2 months

I walked through the whole sorry saga from beginning to end.

Don't miss it!
podrocket.bsky.social
Historic npm hijack and only $500 in ETH stolen.
But the real story isn’t the money, it’s the fragility of open source supply chains.

@feross.bsky.social joins the pod to discuss what went wrong and how to stay secure.

YT: buff.ly/Rkyi9Sc
Apple: buff.ly/N7b6FAD
Spotify: buff.ly/MnjihMK
feross.bsky.social
🚨 New twist in the npm malware wars:

Socket just uncovered a malicious package, fezbox, that hides its payload inside a QR code image.

Yes, you read that right. JavaScript malware using QR code steganography to steal browser cookies & passwords

⬇️ Technical detail below

socket.dev/blog/malicio...
Malicious fezbox npm Package Steals Browser Passwords from C...
A malicious package uses a QR code as steganography in an innovative technique.
feross.bsky.social
DJ Khaled on compromised NPM packages
Reposted by Feross
socket.dev
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.

Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that previously hit Tinycolor and dozen...
feross.bsky.social
thank you, means a lot to hear this from you