
Feross

@feross.bsky.social

πŸ§™β€β™‚οΈ Mad scientist β€’ ✨ Founder + CEO @Socket.dev (http://socket.dev) β€’πŸŒ² Stanford lecturer (http://cs253.stanford.edu) β€’ ❀️ Open source at WebTorrent + StandardJS

6,980 Followers  |  24 Following  |  133 Posts  |  Joined: 16.01.2023  |  1.7014

Latest posts by feross.bsky.social on Bluesky

"Most people are completely unprepared for this," O'Reilly said. "They treat it like installing Spotify when it's actually more like giving someone sudo access to your entire machine." - security researcher Jamieson O'Reilly

10.02.2026 14:20 — 👍 5    🔁 3    💬 0    📌 0
Preview
High-Severity RCE Vulnerability Disclosed in next-mdx-remote... HashiCorp disclosed a high-severity RCE in next-mdx-remote affecting versions 4.3.0 to 5.x when compiling untrusted MDX on the server.

🔺 High-severity RCE disclosed in next-mdx-remote when compiling untrusted MDX on the server. Affects versions 4.3.0 before 6.0.0.

socket.dev/blog/high-se... #NextJS #JavaScript

12.02.2026 15:21 — 👍 3    🔁 2    💬 0    📌 1
Preview
AI Agent Submits PR to Matplotlib, Publishes Angry Blog Post... After Matplotlib rejected an AI-written PR, the agent fired back with a blog post, igniting debate over AI contributions and maintainer burden.

An AI agent opened a PR to @matplotlib.org. Maintainers closed it under policy. The agent responded with an angry, abusive blog post. This is an insane story. Here’s what this clash says about maintaining open source in 2026:

socket.dev/blog/ai-agen...

12.02.2026 20:05 — 👍 6    🔁 2    💬 0    📌 3

Update: We’ve published free Socket Certified Patches for the next-mdx-remote RCE vulnerability (CVE-2026-0969).
No dependency upgrade required, and you don’t have to be a Socket customer to use them.

Details: socket.dev/blog/high-se...
#NextJS

12.02.2026 21:09 — 👍 5    🔁 2    💬 0    📌 0
Preview
Malicious Chrome Extension Steals Meta Business Manager Expo... Chrome extension CL Suite by @CLMasters neutralizes 2FA for Facebook and Meta Business accounts while exfiltrating Business Manager contact and analyt...

New Research: Malicious Chrome extension targets Meta Business Suite/Facebook Business Manager, steals TOTP 2FA seeds + codes, and exfiltrates Business Manager exports (People + analytics).

Full analysis: socket.dev/blog/malicio...

13.02.2026 02:55 — 👍 2    🔁 2    💬 0    📌 0

So we’ve reached the point where AI agents are writing angry blog posts about open source maintainers closing their PRs. 🙄
This is how you push projects toward “patches no longer welcome” from AI agents running loose on GitHub.

12.02.2026 21:40 — 👍 8    🔁 3    💬 1    📌 0

This is at least the third time dYdX-related packages and infrastructure have been compromised in the past four years. Anyone using the #dYdX protocol or exchange should review their exposure.

cc: @campuscodi.risky.biz @bleepingcomputer.com @coindesk.com @web3isgoinggreat.com

07.02.2026 16:18 — 👍 1    🔁 2    💬 0    📌 0

“Every large OSS project is navigating the same tension between enthusiasm for AI and real concern about its impact... Protect your maintainers. They're a rare asset, hard to replace and easy to lose. Any path forward that burns them out isn't a path forward at all.” - @dries.bsky.social

07.02.2026 00:19 — 👍 8    🔁 6    💬 0    📌 0

Four legit Open VSX extensions shipped credential-stealing malware after the publisher was compromised. The Eclipse Foundation/Open VSX security team confirmed it was consistent with leaked tokens or other unauthorized publishing access.

31.01.2026 17:21 — 👍 5    🔁 8    💬 1    📌 0

"Security work is emotionally expensive and invisible, and sharing it makes it sustainable." - @ulisesgascon.com

Many thanks to @jddalton.bsky.social, @jordan.har.band, and @ulisesgascon.com for their insights on maintaining Lodash and all the hard work put into reviving the project. 💚

31.01.2026 03:51 — 👍 13    🔁 7    💬 0    📌 1

This is exactly the kind of thing people worry about with browser extensions. It looks like an Amazon ad blocker, but quietly hijacks affiliate links in the background. Most people aren’t reading extension source code (and if you are, congrats 🙃), which is why this works.

27.01.2026 17:41 — 👍 12    🔁 10    💬 2    📌 1

Seeing @pfrazee.com, @arathorn.net and @feross.bsky.social all within arms reach, almost like some sort of centralization!

23.01.2026 23:29 — 👍 3    🔁 1    💬 0    📌 0

“We are just a small single open source project with a small number of active maintainers. It is not in our power to change how all these people and their slop machines work. We need to make moves to ensure our survival and intact mental health.” - @bagder.mastodon.social.ap.brid.gy

24.01.2026 03:04 — 👍 3    🔁 3    💬 1    📌 0

only took a decade longer than anticipated (give or take half a decade)

22.01.2026 18:43 — 👍 16    🔁 1    💬 2    📌 0

My colleague @staltz.com and his team are at it again, working magic with UIs to reduce cognitive load and make security information easier to explore. Excited to see this launched! 💜

22.01.2026 18:37 — 👍 6    🔁 2    💬 0    📌 0

😅

21.01.2026 20:45 — 👍 2    🔁 0    💬 0    📌 0
Preview
Node.js 25.4.0 Ships with Stable require(esm) - Socket Node.js 25.4.0 makes require(esm) stable, formalizing CommonJS and ESM compatibility across supported Node versions.

🎉 Big #NodeJS news this week: v25.4.0 marks require(esm) as stable. After a gradual rollout and ecosystem testing, it’s now safe to depend on across supported releases.

Huge thanks to @joyeecheung.bsky.social and the many contributors who made this possible! 🙏

socket.dev/blog/node-js...

21.01.2026 20:12 — 👍 24    🔁 3    💬 2    📌 2

Cryptomining malware targeting one of Python’s most widely used math libraries.

@campuscodi.risky.biz @decrypt.co @darkreading.bsky.social @coindesk.com

21.01.2026 16:34 — 👍 4    🔁 5    💬 0    📌 0
Preview
Fake browser crash alerts turn Chrome extension into enterprise backdoor - Help Net Security The NexShield Chrome extension downloaded a Windows RAT onto domain-joined machines after tricking users with fake browser crash alerts.

Fake browser crash alerts turn Chrome extension into enterprise backdoor

📖 Read more: www.helpnetsecurity.com/2026/01/19/f...

#cybersecurity #cybersecuritynews #remoteaccesstrojan #socialengineering @huntress.com @socket.dev

19.01.2026 14:57 — 👍 1    🔁 1    💬 0    📌 0

📜 A good summary of recent developments around the Temporal API by @sarahgooding.bsky.social

Temporal is the modern replacement for the old JS Date API ✨

16.01.2026 18:13 — 👍 19    🔁 5    💬 0    📌 0
Preview
Insecure Agents Podcast: Certified Patches, Supply Chain Sec... Socket CEO Feross Aboukhadijeh joins Insecure Agents to discuss CVE remediation and why supply chain attacks require a different security approach.

πŸŽ™οΈ Socket CEO @feross.bsky.social joined host Allie Howe on the Insecure Agents podcast to talk about Certified Patches, supply chain security, and the future of securing AI agents.

Check out the full episode β†’
socket.dev/blog/insecur...

08.01.2026 22:42 β€” πŸ‘ 2    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0

😭 πŸ’” "I feel like a fucking idiot for somehow being able to build this CSS framework that's taken over the world and it's used by everything and it's super popular, but I can't figure out how to have it make enough money that eight people can work on it." - @adamwathan.com

08.01.2026 19:51 β€” πŸ‘ 19    πŸ” 6    πŸ’¬ 2    πŸ“Œ 1

✨

07.01.2026 23:33 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Preview
npm to Implement Staged Publishing After Turbulent Shift Off... The planned feature introduces a review step before releases go live, following the Shai-Hulud attacks and a rocky migration off classic tokens that d...

Strongly recommend this post on npm’s staged publishing change after supply-chain turmoil. npm will roll out staged publishing to add a review step before releases go live after the Shai-Hulud attacks, giving maintainers a chance to catch bad releases.

Read it here: socket.dev/blog/npm-to-...

07.01.2026 19:58 — 👍 4    🔁 1    💬 1    📌 0
Preview
How GitHub could secure npm - Human Who Codes Why doesn't npm detect compromised packages the way credit card companies detect fraud?

Must-read from Nicholas C. Zakas (ESLint maintainer) on how GitHub could better secure npm and prevent supply-chain attacks. humanwhocodes.com/blog/2026/01...

07.01.2026 19:55 — 👍 6    🔁 1    💬 0    📌 0

Agree

07.01.2026 18:57 — 👍 1    🔁 0    💬 0    📌 0

@npmjs.bsky.social appears to be massively under-resourced for the scale of the registry it operates. My respect to the teams keeping it running through wave after wave of supply chain attacks.

07.01.2026 18:25 — 👍 10    🔁 3    💬 1    📌 0

πŸ€–βš”οΈ Battle of the Bots:

Dependabot opens a PR. Socket flags it as malicious.

Socket CEO @feross.bsky.social discusses dependency risk and update timing, on @softwaredaily.bsky.social.

Full episode → socket.dev/blog/softwar...

06.01.2026 22:23 — 👍 8    🔁 5    💬 0    📌 0

πŸŽ™οΈ In this episode of @softwaredaily.bsky.social, Socket CEO @feross.bsky.social discusses #OSS maintainer burnout.

β€œI put this code online as a gift to the world. I didn’t promise it would never have a defect.”

Full episode β†’ socket.dev/blog/softwar... #OpenSource

06.01.2026 18:02 β€” πŸ‘ 4    πŸ” 2    πŸ’¬ 0    πŸ“Œ 0
Preview
Spearphishing Campaign Abuses npm Registry to Target U.S. an... A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, ta...

🚨 New research: A spearphishing campaign published 27 malicious npm packages that host browser-run lures mimicking document portals and Microsoft sign-in to steal credentials. This operation targets manufacturing and healthcare orgs in the U.S. and allied countries.

socket.dev/blog/spearph...

23.12.2025 19:47 — 👍 5    🔁 3    💬 0    📌 1
