
Ahmad Nassri

@ahmadnassri.com.bsky.social

Syrian-Canadian 🇸🇾🇨🇦, Fractional CTO, Developer Accelerator. past: npm, Telus, Kong, CBC, BlackBerry

750 Followers  |  44 Following  |  15 Posts  |  Joined: 24.07.2023  |  1.6242

Latest posts by ahmadnassri.com on Bluesky


🚀 Socket Launch Week Day 5!

Malicious packages are infiltrating development environments before they ever reach production.

Today we're answering these threats with the release of Socket Firewall Enterprise: configurable, enterprise-grade protection for modern package ecosystems.

24.10.2025 18:27 — 👍 2    🔁 1    💬 1    📌 0
Announcing Experimental Malware Scanning for the Hugging Face Ecosystem
YouTube video by Socket Security Announcing Experimental Malware Scanning for the Hugging Face Ecosystem

1️⃣
AI models aren't just math -- they're code.
And just like npm or PyPI, they can get hacked.

Today we're launching malware scanning for the Hugging Face ecosystem.

Socket can now detect backdoors and malicious payloads inside AI models themselves.

👇

www.youtube.com/watch?v=9FQy...

20.10.2025 16:21 — 👍 10    🔁 6    💬 2    📌 0

for better security: I use 1password cli with direnv to dynamically load env values (ssh keys, tokens, secrets, etc ...)

AWS outage -> 1password thinks it's offline -> can't run anything locally which requires secrets 🥲

20.10.2025 16:45 — 👍 1    🔁 0    💬 1    📌 0

Recognition for Sarah! So deserved! @sarahgooding.bsky.social

16.10.2025 14:50 — 👍 9    🔁 4    💬 2    📌 0

Join me next week at the @workos.bsky.social Enterprise Ready Conf. will be speaking on a panel on all things security & how developers can take back control of their software supply chain.

If you're attending, chat with me & the @socket.dev team IRL!

enterprise-ready.com

15.10.2025 15:16 — 👍 1    🔁 1    💬 0    📌 0
Socket Integrates With Bun 1.3's Security Scanner API - Sock... Socket now integrates with Bun 1.3's Security Scanner API to block risky packages at install time and enforce your organization's policies in local de...

@bun.sh users can now install any package with confidence, knowing that @socket.dev got their back!

Free from malicious packages, typosquatting, and other supply chain attacks.

socket.dev/blog/socket-...

10.10.2025 22:36 — 👍 1    🔁 0    💬 0    📌 0
175 Malicious npm Packages Host Phishing Infrastructure Targ... 175 malicious npm packages (26k+ downloads) used unpkg CDN to host redirect scripts for a credential-phishing campaign targeting 135+ organizations wo...

→ 175 malicious packages
→ 135+ targeted organizations
→ 26,800+ downloads
→ Fully automated victim generation
→ Pre-filled credential forms
→ Complete PyInstaller toolkit included

Technical deep-dive with full IOCs: 👉 socket.dev/blog/175-mal...

10.10.2025 12:34 — 👍 1    🔁 0    💬 0    📌 0

AppSec is not just protecting your product/business, it's about protecting everyone!

These packages do nothing malicious to developers/products they infect. Instead, they are targeting web visitors of the infected apps, with the ultimate goal of mass credential harvesting.

10.10.2025 12:34 — 👍 2    🔁 1    💬 1    📌 0

Supply chain attacks are evolving and so should your security practices.

case-in-point: Beamglea - a campaign that turns npm 💔 into a phishing-as-a-service platform

This isn't your typical supply chain attack. It's infrastructure weaponization.

socket.dev/blog/175-mal...

10.10.2025 12:34 — 👍 4    🔁 1    💬 1    📌 0

Happy to share I'm getting back to my roots in open source, this time around on the side of protecting software development!

If you haven't yet, you should install @socket.dev for your team!

06.10.2025 21:39 — 👍 16    🔁 2    💬 0    📌 1

🚨 npm phishing alert!
Attackers are sending emails from spoofed support@npmjs.org addresses linking to a typosquatted clone site (npnjs.com) to steal credentials. This attack is designed to hijack npm accounts. Careful with those email links: socket.dev/blog/npm-phi... #nodejs #JavaScript

18.07.2025 20:20 — 👍 21    🔁 14    💬 1    📌 1

get some perspective.

2 million people, surrounded by walls and the sea, under a 17+ year blockade.

what if it was in your city?

#GazaAttack #Gaza #GazaEverywhere

ahmadnassri.github.io/gaza-everywh...

16.10.2023 15:51 — 👍 2    🔁 0    💬 0    📌 0

what's with the recent explosion of PMP certification spam on LinkedIn ????

18.08.2023 14:13 — 👍 1    🔁 0    💬 0    📌 0
Ask a CTO - Building your technology investment strategy August 10, 2023

I'm starting to document some of my fundamental learnings in this industry in writing ... took a first stab at some of it in a guest post at Unified's blog (disclaimer: I'm an advisor)

next post will be about TCO & MVP architecture needs for startups

10.08.2023 20:34 — 👍 0    🔁 0    💬 0    📌 0

note: those existed in non-fractional roles as well, but I saw those as my ownership to fix / address, and for the most part, I managed to resolve ~80% of the time

26.07.2023 12:08 — 👍 0    🔁 0    💬 0    📌 0

the staggering amount of over-engineering, horrible leadership, and clueless product owners I've seen after ~3 years of being a Fractional CTO really makes me question this entire career / industry...

if I had to do it all over again, I'd probably go into banking or law ...

26.07.2023 12:06 — 👍 0    🔁 0    💬 1    📌 0

dev++ 🧠: write a custom TF module to group & manage domains with a yaml data source that shares reusable configs

25.07.2023 17:21 — 👍 0    🔁 0    💬 0    📌 0

normal 🧠: need to update a single DNS record for my domain

dev 🧠: now is the right time to migrate 50+ domains from Google Domains to CloudFlare AND do a full Terraform automation pipeline on GH Actions to manage them all!

25.07.2023 17:20 — 👍 0    🔁 0    💬 1    📌 0

I AM HERE!

24.07.2023 20:52 — 👍 3    🔁 0    💬 0    📌 0
