@burckhap.bsky.social
β‘Securing Software Supply Chains @SocketSecurity (http://socket.dev) π Scientific computing for the web via @stdlibjs (http://stdlib.io)
π¨ New research: A spearphishing campaign published 27 malicious npm packages that host browser-run lures mimicking document portals and Microsoft sign-in to steal credentials. This operation targets manufacturing and healthcare orgs in the U.S. and allied countries.
socket.dev/blog/spearph...
Read more on our blog: socket.dev/blog/malicio... and socket.dev/blog/two-mal...
26.09.2025 22:44 β π 0 π 0 π¬ 0 π 0Given an ongoing PyPI phishing campaign that continues to target users with new domains through legitimate-looking emails requesting "email verification" that actually steal credentials, we are on the lookout for any compromised packages in the PyPI ecosystem specifically.
26.09.2025 22:44 β π 0 π 0 π¬ 1 π 0Two malicious Rust crates (faster_log and async_println) impersonated the popular fast_log library to steal Solana and Ethereum wallet keys from source code. Downloaded 8,424 times before removal, these packages scanned developer files for private keys and exfiltrated them to a C2 server.
26.09.2025 22:44 β π 1 π 0 π¬ 1 π 0QR Code Steganography in npm: We discovered fezbox, a malicious npm package using an innovative steganographic technique for obfuscation - hiding malware inside a QR code! The package fetches a QR code from a remote URL and executes code hidden within it to steal browser credentials.
26.09.2025 22:44 β π 1 π 0 π¬ 1 π 0While we haven't seen major supply chain attacks hitting any of the major open-source ecosystems, the Socket Threat Research Team uncovered some fascinating and creative attack techniques worth sharing:
26.09.2025 22:44 β π 2 π 1 π¬ 1 π 0
Read the full blog post here: blog.stdlib.io/reflection-o...
17.07.2025 20:00 β π 6 π 2 π¬ 0 π 0Published my take on METR's surprising study that I participated in: AI tools made experienced developers 19% slower (expectation was that they would become 40% faster with AI!)π€―
I dive into the why, where AI coding tools actually help, and how I've shifted from handholding AI to async delegation.
We found hidden functionality in 28+ npm packages that disables UI for Russian-language users visiting .ru or .by domains. No CVEs. No advisories. No documentation. Just behavior-based disruption quietly copied into packages and shipped to production.
Read more: socket.dev/blog/protest...
The latest North Korean "Contagious Interview" wave includes 67 new malicious packages with a previously unknown malware loader, accumulating over 17,000 downloads.
Read more on out blog: socket.dev/blog/contagi...
Two major npm supply chain discoveries this week from the Socket Research Team highlight a critical gap in traditional security approaches. Both threats would slip past security tools that rely on vulnerability databases or metadata alone.
16.07.2025 20:13 β π 0 π 0 π¬ 1 π 0
These packages, disguised as "the cheapest Cursor API," install backdoors that steal credentials and modify crucial files. sw-cur, sw-cur1, and aiide-cur have been downloaded 3,200+ times before discovery.
Read about them on the Socket blog:
socket.dev/blog/malicio...
π¨ With vibe coding being on everyone's minds and AI code generations seemingly becoming ubiquitous, it is not surprising that this attracts also malicious actors. Kirill Boychenko uncovered three malicious npm packages targeting Cursor users on macOS.
08.05.2025 17:31 β π 1 π 0 π¬ 1 π 0Over the last few months, I have been picking up Cursor again after finding it not substantially improving my productivity when I tried it last year. It, and the LLMs powering AI code completions, have gotten so much better that I now really enjoy its agent workflow.
08.05.2025 17:31 β π 2 π 0 π¬ 1 π 0
The attack was comprised of three malicious modules with hidden destructive code, using array-based string obfuscation and dynamic payload execution, targeting Linux servers and dev environments.
Check our full technical analysis and protection tips:
socket.dev/blog/wget-to...
#CyberSecurity
Our team at Socket has uncovered a Go module supply chain attack that deploys destructive disk-erasing payloads.
A single code line triggers a shell script that overwrites disks, making data irretrievable. The attack leverages Go's open ecosystem, exploiting namespace confusion.
The threat actor started publishing these packages in 2021, consistently employing comparable strategies while remaining undetected.
Full technical analysis here:
socket.dev/blog/using-t...
These packages use embedded credentials to connect to Gmail's SMTP server, relay signals to emails under the control of attackers, and initiate WebSocket connections that can bypass firewalls since the connection starts from within the network.
30.04.2025 20:33 β π 0 π 0 π¬ 1 π 0
The Socket research team discovered seven "Coffin-Codes" packages that leveraged Gmail's SMTP protocol to create covert channels for extracting data and executing commands.
30.04.2025 20:33 β π 1 π 0 π¬ 1 π 0
Remember: If any code asks for your seed phrase, there's no salvation - it's not a feature, it's a scam.
Here's the complete write-up: socket.dev/blog/malicio...
With over 8,000 combined downloads, these digital highwaymen use Google Analytics and Telegram for exfiltration - truly where the wild roses grow.
While Socket is celebrating our launch week and Coana acquisition, the bad actors never take a break.
π¨SECURITY ALERT: Uncovering "The Bad Seeds" in Package Registries π¨
Socket researchers have identified three malicious npm and PyPI packages that, like their namesake, are doing the devil's work - harvesting crypto wallet credentials while posing as innocent developer tools.
What makes these attacks concerning is that they
target business-critical workflows
use sophisticated disguises that implement legitimate functionality
execute at specific runtime events, not installation
The malicious packages have been reported and are meanwhile removed from the npm registry.
The second attack involves an npm package disguised as an Advcash payment integration that triggers a reverse shell during payment success callbacks, allowing attackers to gain control of servers processing transactions.
Read more about it here: socket.dev/blog/npm-pac...
Read the full analysis on the Socket blog: socket.dev/blog/npm-mal...
20.04.2025 22:52 β π 0 π 0 π¬ 1 π 0The first attack targets Telegram bot developers with typosquatted packages (node-telegram-utils, node-telegram-bots-api, node-telegram-util) that install persistent SSH backdoors on Linux machines, masquerading as the legitimate node-telegram-bot-api library (4.17M+ downloads).
20.04.2025 22:52 β π 0 π 0 π¬ 1 π 0
Last week, Socket researchers have discovered malicious npm packages deploying backdoors through fake Telegram bot libraries and payment integrations - details in thread below.
20.04.2025 22:52 β π 0 π 1 π¬ 2 π 0This is tremendous for TypeScript and JavaScript developers everywhere. We're building a new TypeScript that runs lighter, goes faster, and scales well on enormous codebases.
This was a big decision and a lot of work, but we are seeing promising results for this new foundation!
If you go to the GitHub repository for any of these packages, you will see a `tea.yml` file, a file associated with the decentralized tea.xyz protocol to reward open-source contributions with crypto tokens.
We previously reported on similar spam campaigns:
socket.dev/blog/massive...
If youβre interested in open source, numerical computing, or just love hearing about non-traditional paths into software, this episode is a must-listen.
π§ Check it out here: https://buff.ly/4bk7ojd
Huge thanks to our incredible contributor community!
Would love to hear your thoughts! ππ‘
