News
Announcing: Socket CLI Preview
We're excited to preview a brand new way to use Socket, a CLI tool! This will be especially useful to those of you not using GitHub or those who want more control over how you interact with Socket..
- Big update!Introducing GitHub Bot Commands. Learn more →
Secure your JavaScript supply chain
Depend on Socket to protect your app from malicious dependencies lurking in your open source supply chain.
Safeguarding leading organizations
Find and compare millions of open source packages
Quickly evaluate the security and health of any npm package.
Detect and block software supply chain attacks
Unlike a traditional vulnerability scanner, Socket can actually detect an active supply chain attack and help you to block it. Socket detects over 60 issues in open source code, for comprehensive protection.
Bidirectional unicode control characters
Bin script confusion
Bin script shell injection
Chronological version anomaly
Debug access
Dynamic require
Empty package
Environment variable access
Filesystem access
Git dependency
27 more issues →
Bad dependency semver
Bad semver
Bad text encoding
CommonJS depending on ESModule
Extraneous dependency
File dependency
Invalid package.json
Minified code
Missing dependency
No README
7 more issues →
Deprecated
No bug tracker
No contributors or author data
Unmaintained
Critical CVE
CVE
Mild CVE
Deprecated license
Deprecated SPDX exception
Legal notice
License change
License exception
Missing license
Mixed license
Modified license
Modified license exception
Non OSI license
3 more issues →
Detect suspicious package updates in real-time
Prevent compromised or hijacked packages from infiltrating your supply chain by monitoring changes to
package.json in real-time.
Why developers love Socket
Pro-active security
Depend on Socket to prevent malicious open source dependencies from infiltrating your app.
Easy to install
Install the Socket GitHub App in less than 5 minutes and get protected today.
Comprehensive open source protection
Block 60+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.
Develop faster
Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.
Living in a hacker’s paradise
'2021 was the year attackers took notice of the opportunity hiding in the open source supply chain. Supply chain attacks rose a whopping 650% in 2021 with over 12,000 recorded attacks.
Jan 06, 2022
Maintainer intentionally adds malware
Rogue maintainer sabotages his own open source package with 100M downloads/month, notably breaking Amazon's AWS SDK.
Nov 15, 2021
npm discovers a platform vulnerability allowing unauthorized publishing of any package
Attackers could publish new versions of any npm package without authorization for multiple years.
Oct 22, 2021
Hijacked package adds cryptominers and password-stealing malware
Multiple packages with 30M downloads/month are hijacked and publish malicious versions directly into the software supply chain.
Nov 26, 2018
Package hijacked adding organization specific backdoors
Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build.
Ready to dive in?
Get protected by Socket in just 5 minutes
The latest from the Socket team
Get our latest security research, open source insights, and product updates.
Product
Customize your GitHub Issue Alerts
Socket for GitHub has added the option to customize which issue alerts your pull request receives.
By Bret Comnes
Research
These Chinese devs are storing 1000s of eBooks on GitHub and npm
Circumventing Chinese censorship: Plethora of eBooks pervade these GitHub and npm repositories containing contents of banned websites like 'The Economist'
By Ax Sharma