Socket
@socket.dev
620 followers 280 following 290 posts
Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS. https://socket.dev
Reposted by Socket
feross.bsky.social
1/ 🚨 We just found a massive abuse of the npm ecosystem:

• Targeting 135+ orgs worldwide 🤯
• 175 malicious npm packages (26k+ downloads)
• 630+ HTML lures
• Weaponized unpkg as free CDN hosting for credential-phishing attacks

👀 More details ⬇️⬇️⬇️
socket.dev
🚨 175 malicious npm packages (26k+ downloads) abused npm and unpkg to host credential-phishing infrastructure targeting 135+ organizations in industrial, tech, and energy sectors.

Full analysis: socket.dev/blog/175-mal... #NodeJS #JavaScript
175 Malicious npm Packages Host Phishing Infrastructure Targ...
175 malicious npm packages (26k+ downloads) used unpkg CDN to host redirect scripts for a credential-phishing campaign targeting 135+ organizations wo...
socket.dev
socket.dev
#Python 3.14 just dropped: the “π release.” 🥧 It adds template string literals, deferred annotations, and subinterpreters, plus ongoing work on the free-threaded build and an experimental JIT.

Congrats to all the contributors on this release! 🎉
socket.dev/blog/python-...
Python 3.14 Released With Template String Literals, Deferred...
Python 3.14 adds template strings, deferred annotations, and subinterpreters, plus free-threaded mode, an experimental JIT, and Sigstore verification.
socket.dev
Reposted by Socket
nodeland.dev
🚨 The npm ecosystem just got hit with another major supply chain attack.

If your app uses npm packages (spoiler: it does), you must hear this.

We're sitting down with @feross from @SocketSecurity to dissect what happened and how to protect yourself.

Thread 👇
Reposted by Socket
nodeland.dev
Your npm dependencies are only as secure as your weakest link.

Don't wait for the next attack to hit your production systems.
🗓️ Join us October 8th for this critical conversation with @feross

Register now: streamyard.com/watch/Wwawp4...

RT to help secure the ecosystem 🔄
Reposted by Socket
ahmadnassri.com
Happy to share I'm getting back to my roots in open source, this time around on the side of protecting software development!

If you haven't yet, you should install @socket.dev for your team!
Reposted by Socket
socket.dev
🔥 Breaking: Former #RubyGems maintainers have launched the Gem Cooperative, a community-run RubyGems server with open governance.

We spoke with the team behind it. Read the full story on the Socket blog
→ socket.dev/blog/gem-coo... #RubyLang #Ruby #Rails
Gem Cooperative Emerges as a Community-Run Alternative to Ru...
Former RubyGems maintainers have launched The Gem Cooperative, a new community-run project aimed at rebuilding open governance in the Ruby ecosystem.
socket.dev
socket.dev
🐍 New on the blog: PEP 810 adds 'lazy import' syntax to defer module loading until first use, cutting startup time by 50–70%. Already sparking debate: an HN thread hit 350+ points and ~200 comments in <24 hrs. #Python
Read More → socket.dev/blog/pep-810-proposes-explicit-lazy-imports-for-python-3-15
PEP 810 Proposes Explicit Lazy Imports for Python 3.15 - Soc...
An opt-in lazy import keyword aims to speed up Python startups, especially CLIs, without the ecosystem-wide risks that sank PEP 690.
socket.dev
socket.dev
🎙️ Socket CEO @feross.bsky.social breaks down the recent npm attacks on the PodRocket podcast: phishing campaigns, AI-weaponized exploits, the Shai-Hulud worm, GitHub Actions flaws, and more.

Essential listening for JS devs concerned about supply chain security in 2025.
socket.dev/blog/podrock...
PodRocket Podcast: Inside the Recent npm Supply Chain Attack...
Socket CEO Feross Aboukhadijeh discusses the recent npm supply chain attacks on PodRocket, covering novel attack vectors and how developers can protec...
socket.dev
socket.dev
Excited to see The Register cover the launch of Socket Firewall!

This new free tool gives developers real-time protection at install time across multiple ecosystems, including JavaScript, Python, and Rust, with more coming soon. It works out of the box: No API key. No configuration.
Reposted by Socket
notwes.bsky.social
Other than the trusted publishing stuff (which is absolutely not ready for use yet; I will be outlining why in my JS Conf talk), this is a great write-up of the recent goings-on.
socket.dev
GitHub is overhauling npm security after the Shai-Hulud worm. Maintainers welcome the shift to stronger defaults, but are pressing for fixes to CI workflows, enterprise support & token usability.

Details on how community feedback is shaping the rollout:
socket.dev/blog/package...
Package Maintainers Call for Improvements to GitHub’s New np...
Maintainers back GitHub’s npm security overhaul but raise concerns about CI/CD workflows, enterprise support, and token management.
socket.dev
Reposted by Socket
feross.bsky.social
🚨 Open source supply chain attacks are exploding.

Starting today, that ends.

We’re releasing Socket Firewall — a FREE, zero-config CLI that blocks malware before it lands on your laptop or CI.

Just run:

npm i -g sfw
sfw npm install lodash

Works for: npm, yarn, pnpm, pip, uv, and cargo.
Reposted by Socket
angellozan.live
This is freaking amazing. Folx at @socket.dev are magical security unicorns

#security #secops #dev #SupplyChain #npm
socket.dev
Supply chain attacks aren’t slowing down. Developers need protection at install time and we're moving with urgency to keep open source safe to use, starting with this new free tool.

⚡ Read the announcement and try Socket Firewall today: socket.dev/blog/introdu...
Introducing Socket Firewall: Free, Proactive Protection for ...
Socket Firewall is a free tool that blocks malicious packages at install time, giving developers proactive protection against rising supply chain atta...
socket.dev
socket.dev
If you’ve used our “safe npm” tool before, Socket Firewall will feel familiar. It now covers #Python and #Rustlang as well as #JavaScript, with more ecosystems rolling out quickly. This new approach comes with greater flexibility, which allows for more integrations with package managers.
socket.dev
Socket Firewall is super lightweight and works out of the box, with no API key and no configuration required. It protects developer machines in real time, blocking malicious dependencies before they can reach your laptop or build system. socket.dev/blog/introdu...
socket.dev
Maintainer compromises used to be rare. Now they’re happening at an alarming rate, as seen in recent attacks. Today we’re giving developers a new layer of defense with Socket Firewall, a free tool that blocks malicious dependencies at install time.
Reposted by Socket
feross.bsky.social
Had a SUPER fun conversation on @LogRocket about the huge npm supply chain attacks we've seen over the past 2 months

I walked through the whole sorry saga from beginning to end.

Don't miss it!
podrocket.bsky.social
Historic npm hijack and only $500 in ETH stolen.
But the real story isn’t the money, it’s the fragility of open source supply chains.

@feross.bsky.social joins the pod to discuss what went wrong and how to stay secure.

YT: buff.ly/Rkyi9Sc
Apple: buff.ly/N7b6FAD
Spotify: buff.ly/MnjihMK
Reposted by Socket
feross.bsky.social
🚨 New twist in the npm malware wars:

Socket just uncovered a malicious package, fezbox, that hides its payload inside a QR code image.

Yes, you read that right. JavaScript malware using QR code steganography to steal browser cookies & passwords

⬇️ Technical detail below

socket.dev/blog/malicio...
Malicious fezbox npm Package Steals Browser Passwords from C...
A malicious package uses a QR code as steganography in an innovative technique.
socket.dev