
Feross

@feross.bsky.social

πŸ§™β€β™‚οΈ Mad scientist β€’ ✨ Founder + CEO @Socket.dev (http://socket.dev) β€’πŸŒ² Stanford lecturer (http://cs253.stanford.edu) β€’ ❀️ Open source at WebTorrent + StandardJS

5,760 Followers  |  20 Following  |  116 Posts  |  Joined: 16.01.2023  |  2.2832

Latest posts by feross.bsky.social on Bluesky

Inside the GitHub Infrastructure Powering North Korea’s Cont... Socket Threat Research maps a rare inside look at OtterCookie’s npm-Vercel-GitHub chain, adding 197 malicious packages and evidence of North Korean op...

The Socket Threat Research Team continues to track North Korea’s Contagious Interview operation as it systematically infiltrates the npm ecosystem. socket.dev/blog/north-k... @socket.dev

01.12.2025 12:53 — 👍 3    🔁 2    💬 1    📌 0

More malicious Chrome extensions.

Stay vigilant!

25.11.2025 19:57 — 👍 9    🔁 3    💬 0    📌 0

Glad to hear it!

25.11.2025 19:56 — 👍 3    🔁 0    💬 0    📌 0

Update: at time of writing Eleventy core (0.x, 1.x, 2.x, 3.x, 4.x prereleases) and our official plugins are still unaffected.

(Compromised package count was updated to 834 from 533 in the latest @socket.dev update)

25.11.2025 19:11 — 👍 10    🔁 4    💬 1    📌 0

There is an ongoing npm security event.

At time of writing, Eleventy core and our official suite of plugins are unaffected.

24.11.2025 14:39 — 👍 16    🔁 3    💬 3    📌 0

Ha, thanks. One of those situations where I'm only partially happy to be right. Mostly just glad that we're building something helpful.

25.11.2025 04:22 — 👍 8    🔁 0    💬 0    📌 0

*this is fine meme*

24.11.2025 17:38 — 👍 4    🔁 1    💬 0    📌 0

🤯 The number of affected packages in the Shai-Hulud npm attack has now reached 770. We’re continuing to investigate and will keep the blog post updated:

socket.dev/blog/shai-hu...

24.11.2025 23:19 — 👍 18    🔁 10    💬 0    📌 0

that’s a scary read tbh

24.11.2025 23:37 — 👍 5    🔁 2    💬 1    📌 0

We have updated this list to include more than 500 packages and 700+ affected versions, as well as a technical analysis of the attack. socket.dev/blog/shai-hu....

cc: @campuscodi.risky.biz @typescript.fm @bleepingcomputer.com @theregister.com

24.11.2025 17:19 — 👍 21    🔁 15    💬 0    📌 3

Here we go again

24.11.2025 15:01 — 👍 8    🔁 1    💬 0    📌 1
Introducing Webhook Events for Alert Changes - Socket Add real-time Socket webhook events to your workflows to automatically receive software supply chain alert changes in real time.

Read the full announcement here: socket.dev/blog/introdu...

22.11.2025 00:36 — 👍 1    🔁 1    💬 0    📌 0

Webhooks for Alert Changes just dropped 🎉

No more refreshing dashboards. Socket now pushes every new, updated, or cleared alert straight into your workflow in real time.

Perfect way to wrap Launch Week: Ruby reachability, Certified Patches, Bun/vlt, OpenVSX… and now this ⚡️

22.11.2025 00:33 — 👍 5    🔁 2    💬 1    📌 0
Preview
Introducing Socket Scanning for OpenVSX Extensions - Socket Socket now scans OpenVSX extensions, giving teams early detection of risky behaviors, hidden capabilities, and supply chain threats in developer tools...

Read the full announcement here: socket.dev/blog/introdu...

20.11.2025 17:47 — 👍 1    🔁 1    💬 0    📌 0

IDE extensions are a silent nightmare.

VS Code extensions get full access to your code and creds, and attackers have already slipped malware into VS Code Marketplace and OpenVSX.

So Socket now scans OpenVSX extensions before they ever hit your machine. 🔍⚡️

20.11.2025 17:39 — 👍 7    🔁 2    💬 1    📌 0

🚀 Big news for JavaScript teams: Socket now supports Bun and vlt in beta.

You no longer have to choose between innovation and security. Commit a bun.lock or vlt-lock.json and Socket gives you full supply chain protection.

19.11.2025 17:21 — 👍 9    🔁 5    💬 1    📌 0

Thanks for sharing!

19.11.2025 07:46 — 👍 1    🔁 0    💬 0    📌 0

👀

19.11.2025 07:46 — 👍 1    🔁 0    💬 0    📌 0

Certified Patches are available today in closed beta for enterprise teams (JavaScript/TypeScript).
Want early access? Contact sales@socket.dev or your customer success manager.

18.11.2025 19:39 — 👍 2    🔁 1    💬 0    📌 0

Patches live locally in your repo, apply during builds, and require zero workflow changes. No registry proxies. No new infra. Patches belong to you - there's no lock-in.
Pair Certified Patches with Socket Reachability and you get a clear path to zero exploitable CVEs instantly.

18.11.2025 19:39 — 👍 1    🔁 1    💬 1    📌 0

Recent supply chain attacks have shown us a hard truth: updating dependencies can sometimes be risky. With Certified Patches, you can now eliminate CVEs instantly without upgrading or pulling in new, unvetted code.

18.11.2025 19:39 — 👍 1    🔁 1    💬 1    📌 0

🚀 Day 2 of Socket Launch Week:

Today we’re introducing a major shift in how developers fix vulnerabilities: Socket Certified Patches.
One-click, safe-by-design remediation for vulnerable dependencies.

18.11.2025 19:39 — 👍 4    🔁 3    💬 1    📌 0
npm Malware Campaign Uses Adspect Cloaking to Deliver Malici... Malicious npm packages use Adspect cloaking and fake CAPTCHAs to fingerprint visitors and redirect victims to crypto-themed scam sites.

🚨 New npm malware campaign uncovered: 7 malicious packages use Adspect cloaking and fake CAPTCHAs to hide redirects to #crypto scam sites.

Read the full analysis → socket.dev/blog/npm-mal...

17.11.2025 15:00 — 👍 2    🔁 1    💬 0    📌 1

This is a novel technique attackers are using to distribute browser-executed malware through npm.

cc: @campuscodi.risky.biz

19.11.2025 03:20 — 👍 8    🔁 4    💬 0    📌 0

🚀 Day Two of Socket Launch Week!

We’re launching @socket.dev Certified Patches — a new way to eliminate vulnerabilities instantly without upgrading your package versions or pulling in risky new code.

Tiny, human-reviewed fixes that give teams a clean path to zero exploitable CVEs.

18.11.2025 20:03 — 👍 9    🔁 3    💬 1    📌 0

Yes, we support Go in the enterprise version of the firewall. You can reach out to us at sales@socket.dev to get access.

17.11.2025 20:41 — 👍 0    🔁 0    💬 0    📌 0

Woo!!!

🫢🏼 #socket

17.11.2025 19:57 — 👍 2    🔁 1    💬 1    📌 0
Reachability for Ruby Now in Beta - Socket Reachability analysis for Ruby is now in beta, helping teams identify which vulnerabilities are truly exploitable in their applications.

7/ Dive in here: socket.dev/blog/reachab...

17.11.2025 18:24 — 👍 2    🔁 1    💬 0    📌 0

6/ You can try it today:
• Precomputed reachability in the Socket Dashboard
• Full application reachability via CLI with socket scan create --reach

This is another step toward bringing precise, function-level reachability to every major ecosystem 🚀

17.11.2025 18:24 — 👍 1    🔁 1    💬 1    📌 0

5/ It’s conservative by design: when Ruby gets wild, we don’t guess. We err on the side of safety so real issues never slip through.

17.11.2025 18:24 — 👍 1    🔁 1    💬 1    📌 0
