Feross
@feross.bsky.social
4.8K followers 20 following 61 posts
🧙‍♂️ Mad scientist • ✨ Founder + CEO @Socket.dev (http://socket.dev) •🌲 Stanford lecturer (http://cs253.stanford.edu) • ❤️ Open source at WebTorrent + StandardJS
Pinned
feross.bsky.social
1/ 🚨 We just found a massive abuse of the npm ecosystem:

• Targeting 135+ orgs worldwide 🤯
• 175 malicious npm packages (26k+ downloads)
• 630+ HTML lures
• Weaponized unpkg as free CDN hosting for credential-phishing attacks

👀 More details ⬇️⬇️⬇️
feross.bsky.social
2/ How it works: threat actors publish "redirect-xxxxxx" packages with JS files that redirect victims (with pre-filled emails) to credential-harvesters.

Packages don’t run on npm install. They’re just using unpkg as free, trusted hosting for the attack payload.

Sneaky. 😬
feross.bsky.social
3/ Key items for security teams. Do these now:

• Force password resets for exposed accounts (prioritize Office365).
• Turn on MFA everywhere.
• Block/quarantine HTML attachments in email gateways.
• Monitor unpkg requests matching redirect-*/beamglea.js and the 7 C2 domains.
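The thread above tells security teams to monitor unpkg requests matching redirect-*/beamglea.js. Here is one way to do that over web-proxy logs, written as an added example rather than code from the thread or from Socket. It assumes a simple whitespace-separated proxy log format (timestamp, client IP, method, URL, status), and the log lines, the redirect-* package suffixes and the non-unpkg host are all constructed for the example, not real indicators. The thread says the lures carry a pre-filled victim email; whether that email ever appears in the URL is an assumption here, so the email extraction is best-effort and returns null when nothing is found.

```javascript
// Added example: flag proxy log lines that fetch a "redirect-*" package's
// beamglea.js through unpkg. Not Socket's code; log format and sample data
// are constructed for illustration.

const UNPKG_HOSTS = new Set(["unpkg.com"]);

// unpkg paths look like /<name>/<file> or /<name>@<version>/<file>.
// Capture the package name so it can be reported and blocked.
const LURE_PATH = /^\/(redirect-[a-z0-9._-]+)(?:@[^/]+)?\/beamglea\.js$/i;

// Assumption: some lures may carry the target address in the query or
// fragment; extract it when present, otherwise report null.
const EMAIL = /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/i;

function classifyRequest(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // not a parseable absolute URL; nothing to match
  }
  if (!UNPKG_HOSTS.has(url.hostname)) return null;
  const m = LURE_PATH.exec(url.pathname);
  if (!m) return null;
  let tail = url.search + url.hash;
  try {
    tail = decodeURIComponent(tail);
  } catch {
    // keep the raw tail if it is malformed percent-encoding
  }
  const email = EMAIL.exec(tail);
  return { pkg: m[1], prefilledEmail: email ? email[0] : null };
}

// Parse "timestamp client method url status" lines and return the hits.
function scanProxyLog(text) {
  const hits = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const [ts, client, method, url] = line.split(/\s+/);
    const c = classifyRequest(url);
    if (c) hits.push({ ts, client, method, url, ...c });
  }
  return hits;
}

// Constructed sample log: two lure fetches, one benign unpkg fetch, one
// look-alike path on a non-unpkg host, one garbage line.
const SAMPLE_LOG = `
2025-10-01T09:14:02Z 10.20.0.17 GET https://unpkg.com/redirect-a1b2c3@1.0.0/beamglea.js 200
2025-10-01T09:14:03Z 10.20.0.17 GET https://unpkg.com/lodash@4.17.21/lodash.min.js 200
2025-10-01T09:15:40Z 10.20.0.42 GET https://unpkg.com/redirect-x9y8z7/beamglea.js#alice@example.com 200
2025-10-01T09:16:11Z 10.20.0.42 GET https://cdn.example.net/redirect-x9y8z7/beamglea.js 200
2025-10-01T09:16:12Z 10.20.0.42 GET not-a-url 400
`;

console.log(JSON.stringify(scanProxyLog(SAMPLE_LOG), null, 2));
```

The host check matters: the same path on any other CDN is not this indicator, and the package name captured from the path is what you feed back into a block rule or a takedown request. Extend UNPKG_HOSTS only if your proxy logs record the CDN under a different hostname.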
feross.bsky.social
You never want to miss a conversation with Matteo or Luca — they’ve shaped the Node.js world from the inside out.

youtube.com/live/lCHRB-rihZc?feature=share
Inside the Latest npm Attack (with Feross Aboukhadijeh)
YouTube video by Platformatic
youtube.com
feross.bsky.social
🚨 Another major npm supply-chain attack just hit — and it’s a wake-up call for anyone building on open source.

I join @nodeland.dev — creator of Fastify, Node.js core maintainer, and an open-source legend — and Luca Maraschi to break down how attackers are infiltrating npm.
Inside the Latest npm Attack (with Feross Aboukhadijeh)
YouTube video by Platformatic
youtube.com
Reposted by Feross
socket.dev
🐍 New on the blog: PEP 810 adds 'lazy import' syntax to defer module loading until first use, cutting startup time by 50–70%. Already sparking debate: an HN thread hit 350+ points and ~200 comments in <24 hrs. #Python
Read More → socket.dev/blog/pep-810-proposes-explicit-lazy-imports-for-python-3-15
PEP 810 Proposes Explicit Lazy Imports for Python 3.15 - Soc...
An opt-in lazy import keyword aims to speed up Python startups, especially CLIs, without the ecosystem-wide risks that sank PEP 690.
socket.dev
feross.bsky.social
Yes, if you use dependencies from npm.
Reposted by Feross
socket.dev
🎙️ Socket CEO @feross.bsky.social breaks down the recent npm attacks on the PodRocket podcast: phishing campaigns, AI-weaponized exploits, the Shai-Hulud worm, GitHub Actions flaws, and more.

Essential listening for JS devs concerned about supply chain security in 2025.
socket.dev/blog/podrock...
PodRocket Podcast: Inside the Recent npm Supply Chain Attack...
Socket CEO Feross Aboukhadijeh discusses the recent npm supply chain attacks on PodRocket, covering novel attack vectors and how developers can protec...
socket.dev
feross.bsky.social
Thank you! We try our best!!
Reposted by Feross
angellozan.live
This is freaking amazing. Folx at @socket.dev are magical security unicorns

#security #secops #dev #SupplyChain #npm
feross.bsky.social
🚨 Open source supply chain attacks are exploding.

Starting today, that ends.

We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI.

Just run:

npm i -g sfw
sfw npm install lodash

Works for: npm, yarn, pnpm, pip, uv, and cargo.
feross.bsky.social
For sure. We encourage developers to consider adding alias npm="sfw npm" to their .bashrc profiles so they can keep typing "npm install", preserving muscle memory while benefiting from safe installs.
feross.bsky.social
Hahaha, we thought some folks would see it that way for sure! ;)
feross.bsky.social
Had a SUPER fun conversation on @LogRocket about the huge npm supply chain attacks we've seen over the past 2 months

I walked through the whole sorry saga from beginning to end.

Don't miss it!
podrocket.bsky.social
Historic npm hijack and only $500 in ETH stolen.
But the real story isn’t the money, it’s the fragility of open source supply chains.

@feross.bsky.social joins the pod to discuss what went wrong and how to stay secure.

YT: buff.ly/Rkyi9Sc
Apple: buff.ly/N7b6FAD
Spotify: buff.ly/MnjihMK
feross.bsky.social
🚨 New twist in the npm malware wars:

Socket just uncovered a malicious package, fezbox, that hides its payload inside a QR code image.

Yes, you read that right. JavaScript malware using QR code steganography to steal browser cookies & passwords

⬇️ Technical detail below

socket.dev/blog/malicio...
Malicious fezbox npm Package Steals Browser Passwords from C...
A malicious package uses a QR code as steganography in an innovative technique.
socket.dev
feross.bsky.social
DJ Khaled on compromised NPM packages
Reposted by Feross
socket.dev
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.

Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that previously hit Tinycolor and dozen...
socket.dev
feross.bsky.social
thank you, means a lot to hear this from you
Reposted by Feross
othiym23.bsky.social
Breaking kayfabe to say that Feross & crew are fucking killing it right now, and are doing a way better job than npmhubsoft at keeping people informed in our new "all supply chain attacks all the time" phase of existence.
feross.bsky.social
Let me know how I or @socket.dev can help!
feross.bsky.social
Awesome, looking forward to it
Reposted by Feross
astro.build
There has been another serious npm supply-chain attack. Astro is NOT AFFECTED as it does not depend on any of the packages, either directly or indirectly. You should still check your package lock files to ensure you do not have them installed.

socket.dev/blog/tinycol...
Popular Tinycolor npm Package Compromised in Supply Chain At...
Malicious update to @ctrl/tinycolor on npm is part of a supply-chain attack hitting 40+ packages across maintainers
socket.dev
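The Astro post above says to check your package lock files to confirm none of the compromised packages are installed. Below is an added example of that check for npm's package-lock.json, handling both the lockfileVersion 2/3 "packages" map and the older lockfileVersion 1 nested "dependencies" tree, so that a bad version buried under another dependency is still found. This is not Astro's or Socket's code. The indicator list and both lockfiles are constructed for the example: the versions are placeholders, not real compromised releases, so take the actual package@version list from the advisory you are responding to.

```javascript
// Added example: find compromised package@version pairs in a package-lock.json.
// Not project code; indicator versions below are placeholders, not real IOCs.

// Constructed indicator list: package name -> known-bad versions.
const IOCS = {
  "@ctrl/tinycolor": ["9.9.9"], // placeholder version for the example
  "example-dep": ["2.0.1"],     // placeholder package and version
};

// Flatten a lockfile into { name, version, path } entries. Scoped names
// (@scope/name) are kept intact because the split is on "node_modules/".
function lockfileEntries(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are paths such as
    // "node_modules/a/node_modules/@scope/b"; "" is the root project.
    const marker = "node_modules/";
    for (const [p, meta] of Object.entries(lock.packages)) {
      const i = p.lastIndexOf(marker);
      if (i === -1) continue;
      out.push({ name: p.slice(i + marker.length), version: meta.version, path: p });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = prefix + "node_modules/" + name;
        out.push({ name, version: meta.version, path });
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return out;
}

function findCompromised(lock, iocs) {
  return lockfileEntries(lock).filter((e) => (iocs[e.name] || []).includes(e.version));
}

// Constructed v3 lockfile: a clean top-level @ctrl/tinycolor plus a
// placeholder bad version nested under another dependency.
const SAMPLE_LOCK_V3 = {
  name: "app",
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/@ctrl/tinycolor": { version: "4.1.0" },
    "node_modules/some-lib": { version: "1.2.3" },
    "node_modules/some-lib/node_modules/@ctrl/tinycolor": { version: "9.9.9" },
  },
};

// Same dependency tree expressed as a constructed v1 lockfile.
const SAMPLE_LOCK_V1 = {
  name: "app",
  lockfileVersion: 1,
  dependencies: {
    "@ctrl/tinycolor": { version: "4.1.0" },
    "some-lib": {
      version: "1.2.3",
      dependencies: { "@ctrl/tinycolor": { version: "9.9.9" } },
    },
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  console.log(`lockfileVersion ${lock.lockfileVersion}:`, findCompromised(lock, IOCS));
}
```

Matching on exact versions is deliberate: a compromised release is a specific version, and a hit on a nested copy is as serious as a top-level one because npm installs both. Yarn and pnpm lockfiles are not JSON, so they need their own parser; the same name/version comparison applies once the entries are extracted.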
Reposted by Feross
danabra.mov
dan @danabra.mov · 24d
i like how the npm ecosystem works in general (packages are good) but if you deal with it regularly you should probably code in a vm or a clean operating system with no sensitive tokens