IDE extensions are a silent nightmare.
VS Code extensions get full access to your code and creds, and attackers have already slipped malware into VS Code Marketplace and OpenVSX.
So Socket now scans OpenVSX extensions before they ever hit your machine.
20.11.2025 17:39
Big news for JavaScript teams: Socket now supports Bun and vlt in beta.
You no longer have to choose between innovation and security. Commit a bun.lock or vlt-lock.json and Socket gives you full supply chain protection.
19.11.2025 17:21
This is a novel technique attackers are using to distribute browser-executed malware through npm.
cc: @campuscodi.risky.biz
19.11.2025 03:20
I had the pleasure of being on-call for a lot of what Elizabeth talked about on this (love is blind & the Tyson fight). It's fun to hear such a polished, clear, and positive message about the absolute *madness* (aka fun) it was to be involved as an engineer on the ground.
12.11.2025 22:39
New research from @socket.dev: a malicious Chrome extension posing as an Ethereum wallet steals seed phrases by encoding them into Sui transactions. Wild on-chain exfiltration technique. Still live on the Chrome Web Store.
cc: @campuscodi.risky.biz
13.11.2025 02:55
Thrilled to have Jordan joining us at @socket.dev!
06.11.2025 21:42
This is wild. 99% of the code is legit, with just 20 malicious lines buried in thousands of lines of working code.
cc: @campuscodi.risky.biz
06.11.2025 21:41
Update: the MIT-linked "AI-powered ransomware" report appears to have been taken offline. We updated our article to include an Internet Archive link to the original paper.
01.11.2025 04:00
The Changelog Podcast: Practical Steps to Stay Safe on npm -...
Learn the essential steps every developer should take to stay secure on npm and reduce exposure to supply chain attacks.
Still installing npm packages like it's 2020? Not all npm installs are treats.
On the @changelog.com podcast, @feross.bsky.social shares practical steps every developer should take to reduce exposure to supply chain attacks on npm.
socket.dev/blog/the-cha... #NodeJS #JavaScript
31.10.2025 18:46
Thanks Cynthia! I tried but didn't see your DMs open.
31.10.2025 17:19
That MIT report is absolutely bonkers btw - it classifies 80% of ransomware groups as using GenAI (made up btw), then says things like Emotet uses AI (what? It's a banking trojan from years ago), Ryuk uses AI (?!?!) etc etc.
And it's published via MIT with their chief security person's name on it.
31.10.2025 11:36
This is really well written, if you want to scare your CISO, send them this for Halloween.
31.10.2025 11:32
There's a real conversation to be had about how AI has found real-world use cases across cybercrime, but there's no way in heck that "80 percent of ransomware attacks are AI-driven," as this report claims.
h/t @doublepulsar.com
cc: @campuscodi.risky.biz
31.10.2025 02:03
Some fairly convincing typosquats in this campaign - a reminder that typosquatting is still an effective attack vector on npm.
cc: @campuscodi.risky.biz
29.10.2025 02:49
This is a wild typosquat hiding #NuGet malware:
cc: @campuscodi.risky.biz
22.10.2025 04:20
Can you believe it - we're kicking off another Socket Launch Week! We'll be announcing a new feature every day.
And we're starting big: Today we're introducing malware scanning for the Hugging Face ecosystem! #HuggingFace
20.10.2025 17:42
Wow! I'm honored to receive this award from the @openjsf.org. It's a privilege to share stories that highlight the people and projects driving open source security forward. I'm thankful my work at @socket.dev lets me support the OSS maintainers and users at the heart of this community.
16.10.2025 16:08
More malicious packages linked to North Korea, leveraging typosquatting.
Targets include Web3, cryptocurrency, and blockchain developers, as well as technical job seekers approached with recruiting lures, leading to multi-stage compromise and financial loss.
cc: @campuscodi.risky.biz
15.10.2025 01:17
Ruby Central's incident report on the RubyGems.org access dispute sparks community backlash and renewed debate over project governance.
An overview on the latest news from the Ruby gems packaging ecosystem with comments from @indirect.io and @duckinator.bsky.social:
15.10.2025 00:25
Big change in Google's OSV that hasn't gotten much attention: 500+ advisories just reappeared after a policy fix that had been hiding disputed CVEs.
cc: @campuscodi.risky.biz
10.10.2025 04:01
Thrilled to have @ahmadnassri.com joining us at Socket!
07.10.2025 01:28
Gem Cooperative Emerges as a Community-Run Alternative to Ru...
Former RubyGems maintainers have launched The Gem Cooperative, a new community-run project aimed at rebuilding open governance in the Ruby ecosystem.
🔥 Breaking: Former #RubyGems maintainers have launched the Gem Cooperative, a community-run RubyGems server with open governance.
We spoke with the team behind it. Read the full story on the Socket blog: socket.dev/blog/gem-coo... #RubyLang #Ruby #Rails
06.10.2025 04:28
This week we released Socket Firewall, a free CLI tool that protects developers from malicious packages at install time. We're excited to extend protection beyond npm to other ecosystems like #Python and #Rust, with more rolling out soon!
@thisweekinrust.bsky.social @campuscodi.risky.biz
#rustlang
03.10.2025 02:59
Excited to see The Register cover the launch of Socket Firewall!
This new free tool gives developers real-time protection at install time across multiple ecosystems, including JavaScript, Python, and Rust, with more coming soon. It works out of the box: No API key. No configuration.
01.10.2025 13:52
Other than the trusted publishing stuff (which is absolutely not ready for use yet, I will be outlining why in my JS Conf talk) this is a great write up of the recent goings on.
01.10.2025 02:36
Follow Socket on Instagram! www.instagram.com/socketsecuri...
19.09.2025 10:49
…what a time to be in the JavaScript web security space…
16.09.2025 21:44
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that previously hit Tinycolor and dozen...
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.
Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
16.09.2025 18:15
DC resident and cybersecurity writer, analyst, book author, publisher. https://metacurity.com/ https://cyberriskbook.com/
https://www.csoonline.com/profile/cynthia-brumfield/ https://infosec.exchange/@metacurity
Send tips to Cynthia.507 via Signal.
A safe and modern home for the web
OpenJS promotes the widespread adoption and continued development of key JavaScript technologies worldwide.
a pile of small dogs in a meaty land vessel • KC1QGV • they/them
prone to creating technological cognitohazards
playing with synths again
#rustlang, #rubylang, #pythonlang, #cprogramming
thought misleader at cuberule.com
tired of saying actually.men
community gem server at gem.coop
ruby tools and consulting at spinel.coop
Bun is a fast, all-in-one toolkit for installing, bundling, running and testing JavaScript & TypeScript.
To install Bun:
```
curl https://bun.sh/install | bash -s
```
https://bun.sh
Executive Director at OpenJS Foundation
amateur drummer
she/her
The two TypeScript Fools, @kamranicus.com and @erikonarheim.com, get together once a week to bring you news, updates, and interviews about TypeScript and the broader web development ecosystem.
tafka @kuvos
eng @socket.dev
- 15yr js/ts
- rust
- ex vercel
- ex fb
- js1k-guy
OpenTelemetry Maintainer
I'd just like a bagel please
I write curl. I don't know anything. I am @bagder@mastodon.social
Weekly email at https://lists.haxx.se/listinfo/daniel
The latest news, updates, and advisories served with good vibes by your @woocommerce.com developer experience team. Need help? Visit http://wcm.rs/support
Lodash creator • sometimes TC39 delegate • protecting supply chains at https://Socket.dev • Ex (Bun, Salesforce, Node core, Electron WG, Microsoft)
Fast, disk space efficient package manager
pnpm.io
Artificer of Code.
OpenSource, TC39 Signals, StarbeamJS & @emberjs.com enthusiast and advocate
Former @react.dev
Where i'm at
nullvoxpopuli.com/page/links
Projects
tutorial.glimdown.com
limber.glimdown.com
#SwarmLyfe
Queen of Blades, she/her, obv
Public health warnings & health policy. Epidemiologist & health economist. Chair and Faculty at NECSI. Former 16 years at Harvard. DC & Virginia.
Bio & contact: necsi.edu/eric-feigl-ding
A story: bit.ly/raisealarm
drericding.substack.com/subscribe
Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS.
https://socket.dev
Securing Software Supply Chains @SocketSecurity (http://socket.dev)
Scientific computing for the web via @stdlibjs (http://stdlib.io)
JavaScript and open source guy. Working at @socket.dev Previously: Manyverse, SSB, Cycle.js, RxJS