Socket's Avatar

Socket

@socket.dev.bsky.social

Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS. https://socket.dev

489 Followers  |  231 Following  |  229 Posts  |  Joined: 06.11.2024  |  1.7396

Latest posts by socket.dev on Bluesky

Critical Vulnerability in NestJS Devtools: Localhost RCE via... A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE).

🚨 Critical RCE in @nestjs/devtools-integration:
A broken sandbox + CSRF lets any website trigger code execution on your dev machine if the dev server is running.

Full disclosure: socket.dev/blog/nestjs-...

01.08.2025 18:38 — 👍 1    🔁 0    💬 0    📌 0
Introducing License Overlays: Smarter License Management for... Customize license detection with Socket’s new license overlays: gain control, reduce noise, and handle edge cases with precision.

🚀 Day 5 of Launch Week!

We're introducing License Overlays: fine-tune Socket’s license detection to match your team’s policy.

Handle edge cases, preserve attribution, and reduce false positives with precision.

socket.dev/blog/introdu...

01.08.2025 14:15 — 👍 0    🔁 0    💬 0    📌 0

🚀 Day 4 of Launch Week: Introducing Rust support in Socket!

Search any crate on socket.dev — no login required.
Enterprise users get early access to experimental SBOM generation & full supply chain protection.

🦀 More Details → socket.dev/blog/introdu... #RustLang cc: @thisweekinrust.bsky.social

31.07.2025 17:57 — 👍 3    🔁 1    💬 0    📌 0
Announcing Precomputed Reachability Analysis in Socket - Soc... Socket’s precomputed reachability slashes false positives by flagging up to 80% of vulnerabilities as irrelevant, with no setup and instant results.

⚡️ Instant Analysis: Results are precomputed and cached for popular dependencies, so they're available immediately.

🧘‍♀️ Zero-Overhead: No additional scans, no agents, no performance impact.

🔒 Privacy-Preserving: We never need access to your source code.

Available now →
socket.dev/blog/announc...

30.07.2025 20:24 — 👍 0    🔁 0    💬 0    📌 0

🚀 Day 3 of Socket Launch Week: We're launching Precomputed Reachability Analysis!

Socket takes a radically different approach, using just your manifest files (package-lock.json, requirements.txt, pom.xml, etc.) to slash false positives by flagging up to 80% of CVEs as irrelevant.

30.07.2025 20:24 — 👍 0    🔁 1    💬 1    📌 0
Socket Now Protects the Chrome Extension Ecosystem - Socket Socket is launching experimental protection for Chrome extensions, scanning for malware and risky permissions to prevent silent supply chain attacks.

Day 2 of Socket Launch Week: DOUBLE LAUNCH 🚀
Browser extensions are a growing attack surface for nearly every organization.

Today, we’re launching an experimental release of Chrome extension scanning to detect malware and risky updates.

🧩 Learn more → socket.dev/blog/socket-...

30.07.2025 03:02 — 👍 3    🔁 1    💬 0    📌 0

🚀 Day 2 of Socket Launch Week: Introducing Socket MCP for Claude Desktop!

Add one-click dependency security scanning to your Claude conversations. No CLI, no configuration files: just install and ask #Claude to check your dependencies.

Try it now → socket.dev/blog/introdu...

29.07.2025 20:41 — 👍 2    🔁 1    💬 0    📌 0
Introducing Scala and Kotlin Support in Socket - Socket Socket now supports Scala and Kotlin, bringing AI-powered threat detection to JVM projects with easy manifest generation and fast, accurate scans.

🚀 We’re kicking off a big launch week at Socket ahead of Black Hat, dropping a new feature every day this week!

Day 1: Scala & Kotlin Support is now in beta!
AI-powered supply chain threat detection for JVM projects with fast, accurate scans.

socket.dev/blog/introdu... #Java

28.07.2025 21:13 — 👍 2    🔁 1    💬 0    📌 0
npm ‘is’ Package Hijacked in Expanding Supply Chain Attack -... The ongoing npm phishing campaign escalates as attackers hijack the popular 'is' package, embedding malware in multiple versions.

npm package `is` hijacked in expanding supply chain attack
@sarahgooding.bsky.social @socket.dev
socket.dev/blog/npm-is-...

#ECMAScript #JavaScript

28.07.2025 10:44 — 👍 1    🔁 1    💬 0    📌 0
JupiterOne Secures Immutable Infrastructure with Socket’s St... JupiterOne uses Socket to cut false positives, enforce CI/CD policy, and streamline security in a lean, automated, immutable infrastructure.

Check out our case study to learn how JupiterOne partnered with Socket to:

⚡️ Integrate policy-driven security into CI/CD
⚡️ Cut false positives with reachability analysis
⚡️ Achieve audit-ready compliance automatically
⚡️ Scale security without additional overhead

socket.dev/case-study/j...

23.07.2025 18:15 — 👍 1    🔁 2    💬 0    📌 0

Vibe coding with LLMs is making developers faster, but also creating new attack surfaces. Socket CEO @feross.bsky.social talks with Joel de la Garza of a16z about the future of AI-assisted software and supply chain security.
πŸŽ™οΈ Check out the full episode: socket.dev/blog/ai-a16z...

25.07.2025 19:50 — 👍 0    🔁 1    💬 0    📌 0
Open source repositories are seeing a rash of supply-chain attacks Attacks affected packages, including one with ~2.8 million weekly downloads.
25.07.2025 15:50 — 👍 27    🔁 9    💬 0    📌 1
Not pretty, not Windows-only: npm phishing attack laces popular packages with malware The "is" package was infected with cross-platform malware after a scam targeting maintainers The popular npm package "is" was infected with cross-platform malware, around the same time that linting utility packages used with the prettier code formatter were infected with Windows-only malware.…

Not pretty, not Windows-only: npm phishing attack laces popular packages with malware

24.07.2025 10:06 — 👍 7    🔁 5    💬 0    📌 0
Toptal’s GitHub Organization Hijacked: 10 Malicious Packages... Threat actors hijacked Toptal’s GitHub org, publishing npm packages with malicious payloads that steal tokens and attempt to wipe victim systems.

🚨 Supply chain attack alert: A threat actor gained access to Toptal's GitHub org, making 73 repos public and injecting malicious payloads into 10+ npm packages.

Full research: socket.dev/blog/toptal-... #NodeJS #JavaScript

23.07.2025 20:58 — 👍 0    🔁 1    💬 0    📌 0

"We tried a variety of different solutions, but Socket turned out to be the most cost-effective and efficient, replacing all the others."

- Kenneth Kaye, Lead Security Engineer at JupiterOne

23.07.2025 18:15 — 👍 0    🔁 0    💬 1    📌 0
Surveillance Malware Hidden in npm and PyPI Packages Targets... Socket researchers investigate 4 malicious npm and PyPI packages with 56,000+ downloads that install surveillance malware.

🚨 New Threat Research: We uncovered 4 malicious packages (3 on npm, 1 on PyPI) with 56,000+ downloads, all delivering surveillance malware capable of keylogging, screen capture, and webcam access.

Here’s what we found: socket.dev/blog/surveil... #NodeJS #JavaScript #Python

23.07.2025 15:47 — 👍 1    🔁 0    💬 0    📌 0
npm ‘is’ Package Hijacked in Expanding Supply Chain Attack -... The ongoing npm phishing campaign escalates as attackers hijack the popular 'is' package, embedding malware in multiple versions.

🚨 Attackers have hijacked the npm 'is' package (~2.8M weekly downloads), adding a malicious JS loader. This compromise is linked to the recent npm phishing campaign. Read our update on this ongoing supply chain attack: socket.dev/blog/npm-is-... #NodeJS #JavaScript

22.07.2025 20:09 — 👍 11    🔁 7    💬 1    📌 0
Critical Vulnerability in Popular npm form-data Package Used... A critical flaw in the popular npm form-data package could allow HTTP parameter pollution, affecting millions of projects until patched versions are a...

🚨 A critical vulnerability in the widely used npm form-data package could allow HTTP Parameter Pollution, potentially impacting millions of projects. The package sees 100M+ downloads weekly.

Details → socket.dev/blog/critica... #NodeJS #JavaScript

22.07.2025 18:37 — 👍 3    🔁 0    💬 0    📌 0
Active Supply Chain Attack: npm Phishing Campaign Leads to P... Popular npm packages like eslint-config-prettier were compromised after a phishing attack stole a maintainer’s token, spreading malicious updates.

"Hours after we reported on the npm phishing campaign using the typosquatted npnjs com site, we’re now seeing the first major fallout: popular npm packages, including eslint-config-prettier and eslint-plugin-prettier, were compromised" #eslint #npm #nodejs

socket.dev/blog/npm-phi...

21.07.2025 22:16 — 👍 1    🔁 1    💬 2    📌 0
Bun 1.2.19 Adds Isolated Installs for Better Monorepo Suppor... Bun 1.2.19 introduces isolated installs for smoother monorepo workflows, along with performance boosts, new tooling, and key compatibility fixes.

Bun 1.2.19 introduces isolated installs for monorepos, smarter package management, and 5x faster Bun.sql. 🎉 Congrats to @jarredsumner.com and all the @bun.sh contributors: socket.dev/blog/bun-1-2... #NodeJS

22.07.2025 02:43 — 👍 1    🔁 1    💬 0    📌 0

Be aware and don't fall for this ☝️

19.07.2025 08:21 — 👍 0    🔁 1    💬 0    📌 0

Thanks for that feedback! I'll share it with the team. The AI package summary tab there could use some improvements, especially for packages where there is no README. We're looking into it, and thank you for reporting the issue. 🙏

19.07.2025 02:29 — 👍 1    🔁 0    💬 0    📌 0
Active Supply Chain Attack: npm Phishing Campaign Leads to P... Popular npm packages like eslint-config-prettier were compromised after a phishing attack stole a maintainer’s token, spreading malicious updates.

🚨 Active supply chain attack on npm:
Multiple Prettier tooling packages were compromised through the phishing campaign we published about just hours ago. Watch out for more compromised accounts and malicious packages.

Follow-up: socket.dev/blog/npm-phi... #nodejs #npm

19.07.2025 01:02 — 👍 8    🔁 6    💬 0    📌 0

🚨 npm phishing alert!
Attackers are sending emails from spoofed support@npmjs.org addresses linking to a typosquatted clone site (npnjs.com) to steal credentials. This attack is designed to hijack npm accounts. Careful with those email links: socket.dev/blog/npm-phi... #nodejs #JavaScript

18.07.2025 20:20 — 👍 20    🔁 14    💬 1    📌 1
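The alert above hinges on a lookalike host (npnjs.com standing in for npmjs.com) reached from a link in a spoofed email. The following is an added example, not code from Socket or from the page, showing one concrete check a team can run over inbound mail or chat text: extract every URL, allow links whose registrable domain is a real npm domain, and flag hosts that either borrow the "npmjs" label as a subdomain or sit within a couple of edits of the real domain. The allowlist, the edit-distance threshold and the sample email are assumptions chosen for this example.

```python
import re
from urllib.parse import urlparse

# Registrable domains that npm itself links from. Assumed allowlist for this example;
# extend it for other registries (pypi.org, rubygems.org, crates.io) as needed.
LEGIT_REGISTRY_DOMAINS = {"npmjs.com", "npmjs.org"}

# Brand labels an attacker is likely to reuse as a subdomain (e.g. npmjs.com.evil.example).
BRAND_LABELS = {"npmjs"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small inputs, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host. Crude (no public-suffix list), but enough for .com/.org here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def suspicious_links(text: str, max_distance: int = 2) -> list[tuple[str, str]]:
    """Return (url, reason) pairs for links that imitate a registry domain without being one."""
    findings = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not host:
            continue
        base = registrable(host)
        if base in LEGIT_REGISTRY_DOMAINS:
            continue  # docs.npmjs.com, www.npmjs.com, etc. are genuine
        labels = set(host.split("."))
        if labels & BRAND_LABELS:
            findings.append((url, f"{host} uses a registry brand label as a subdomain"))
            continue
        for legit in sorted(LEGIT_REGISTRY_DOMAINS):
            d = levenshtein(base, legit)
            if 0 < d <= max_distance:
                findings.append((url, f"{host} is {d} edit(s) from {legit}"))
                break
    return findings


# Constructed sample, modelled on the campaign described above (the real lure text is not on the page).
SAMPLE_EMAIL = """From: support@npmjs.org
Subject: Verify your npm account

Your account will be suspended unless you confirm it here:
https://npnjs.com/login/verify?token=abc123
You can also review your packages at https://www.npmjs.com/package/is
"""

if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {url}  ({reason})")
```

The From header in the sample is deliberately the spoofed address from the alert: a displayed sender proves nothing, so this check looks only at where the links go. Edit distance catches npnjs.com; the label check catches the other common trick of nesting the real name under an attacker-controlled domain. It is a cheap filter, not a replacement for SPF/DKIM enforcement or hardware-backed 2FA on the registry account.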
Knip Hits 500 Releases with v5.62.0, Improving TypeScript Co... Knip hits 500 releases with v5.62.0, refining TypeScript config detection and updating plugins as monthly npm downloads approach 12M.

βœ‚οΈ Knip, the popular open source tool for finding unused code and dependencies, just hit 500 releases with v5.62.0. This release features #TypeScript config refinements and plugin updates. Congrats to @larskappert.nl & all the Knip contributors! πŸŽ‰ socket.dev/blog/knip-hi... #JavaScript

18.07.2025 17:59 — 👍 8    🔁 0    💬 1    📌 0
Open Source Maintainers Feeling the Weight of the EU’s Cyber... The EU Cyber Resilience Act is prompting compliance requests that open source maintainers may not be obligated or equipped to handle.

EU’s Cyber Resilience Act isn’t fully in effect yet but #OSS maintainers are already bracing for compliance requests. cURL is among the first to receive one (from a Fortune 500 company using a 2 year old version.)
What happens when companies treat volunteers like vendors? socket.dev/blog/oss-mai...

17.07.2025 22:14 — 👍 3    🔁 2    💬 1    📌 0
Crates.io Implements Trusted Publishing Support - Socket Crates.io adds Trusted Publishing support, enabling secure GitHub Actions-based crate releases without long-lived API tokens.

🦀 Rust is the latest open source ecosystem to adopt Trusted Publishing, joining PyPI and RubyGems in moving away from long-lived API tokens.

📦 Crates can now be published using short-lived credentials from trusted CI workflows.

socket.dev/blog/crates-... #RustLang #OpenSource

16.07.2025 22:12 — 👍 4    🔁 2    💬 0    📌 0

@socket.dev is following 20 prominent accounts