Programmer Introspective
Signing is Just the Start
Socket provides an introspective on code signing in relation to the supply chain incident from SolarWinds.
Big news!Introducing Socket AI - ChatGPT-Powered Threat Analysis.Learn more →
Secure your supply chain. Ship with confidence.
Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for JavaScript and Python dependencies.
Protecting the best engineering teams
Find and compare millions of open source packages
Quickly evaluate the security and health of any open source package.
We protect you from vulnerable and malicious packages
Detect and block software supply chain attacks
Socket is not a traditional vulnerability scanner. Socket proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.
AI detected security risk
Git dependency
HTTP dependency
Known Malware
Potential typo squat
Unpublished package
Bidirectional unicode control characters
Bin script confusion
Bin script shell injection
GitHub dependency
30 more issues →
Invalid package.json
Missing package tarball
Unresolved require
Uncaught optional dependency
Bad semver
Bad text encoding
Extraneous dependency
Missing dependency
No README
Unicode homoglyphs
8 more issues →
Deprecated
No bug tracker
No contributors or author data
Unmaintained
Critical CVE
CVE
Mild CVE
Deprecated license
Deprecated SPDX exception
Legal notice
License change
License exception
Missing license
Mixed license
Modified license
Modified license exception
Non OSI license
3 more issues →
Detect suspicious package updates in real-time
Prevent compromised or hijacked packages from infiltrating your supply chain by monitoring changes to
package.json and more in real-time.
Developers love Socket
Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.
Nat Friedman
CEO at GitHub
Congrats to @feross and the hard-working team behind @SocketSecurity on today's launch!
Matteo Collina
Node.js maintainer, Fastify lead maintainer
So awesome to see @SocketSecurity launch with a fresh approach! Excited to have supported the team from the early days.
DC Posch
Director of Technology at AppFolio, CTO at Dynasty
This is going to be super important, especially for crypto projects where a compromised dependency results in stolen user assets.
Luis Naranjo
Software Engineer at Microsoft
If software supply chain attacks through npm don't scare the shit out of you, you're not paying close enough attention.
@SocketSecurity sounds like an awesome product. I'll be using socket.dev instead of npmjs.org to browse npm packages going forward
Elena Nadolinski
Founder and CEO at Iron Fish
Huge congrats to @SocketSecurity! 🙌
Literally the only product that proactively detects signs of JS compromised packages.
Joe Previte
Engineering Team Lead at Coder
Congrats to @feross and the @SocketSecurity team on their seed funding! 🚀 It's been a big help for us at @CoderHQ and we appreciate what y'all are doing!
Josh Goldberg
Staff Developer at Codecademy
This is such a great idea & looks fantastic, congrats & good luck @feross + team!
Security teams trust Socket
The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.
Yan Zhu
Head of Security at Brave, DEFCON, EFF, W3C
glad to hear some of the smartest people i know are working on (npm, etc.) supply chain security finally :). @SocketSecurity
Andrew Peterson
CEO and Co-Founder at Signal Sciences (acq. Fastly)
How do you track the validity of open source software libraries as they get updated? You're prob not. Check out @SocketSecurity and the updated tooling they launched.
Supply chain is a cluster in security as we all know and the tools from Socket are "duh" type tools to be implementing.
Zbyszek Tenerowicz
Senior Security Engineer at ConsenSys
socket.dev is getting more appealing by the hour
Devdatta Akhawe
Head of Security at Figma
The @SocketSecurity team is on fire! Amazing progress and I am exciting to see where they go next.
Ryan Noon
Founder & CEO at Material Security
The NPM ecosystem is a horrible horrible place and I'm glad you're doing something about it.
Sebastian Bensusan
Engineer Manager at Stripe
I find it surprising that we don't have _more_ supply chain attacks in software:
Imagine your airplane (the code running) was assembled (deployed) daily, with parts (dependencies) from internet strangers. How long until you get a bad part?
Excited for Socket to prevent this
Adam Baldwin
VP of Security at npm, Red Team at Auth0/Okta
Congrats to everyone at @SocketSecurity ❤️🤘🏻
Nico Waisman
CISO at Lyft
This is an area that I have personally been very focused on. As Nat Friedman said in the 2019 GitHub Universe keynote, Open Source won, and every time you add a new open source project you rely on someone else's code and you rely on the people that build it.
This is both exciting and problematic. You are bringing real risk into your organization, and I'm excited to see progress in the industry from OpenSSF scorecards and package analyzers to the company that Feross Aboukhadijeh is building!
Why teams choose Socket
Pro-active security
Depend on Socket to prevent malicious open source dependencies from infiltrating your app.
Easy to install
Install the Socket GitHub App in less than 5 minutes and get protected today.
Comprehensive open source protection
Block 70+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.
Develop faster
Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.
Supply chain attacks are on the rise
Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.
Jan 06, 2022
Maintainer intentionally adds malware
Rogue maintainer sabotages his own open source package with 100M downloads/month, notably breaking Amazon's AWS SDK.
Nov 15, 2021
npm discovers a platform vulnerability allowing unauthorized publishing of any package
Attackers could publish new versions of any npm package without authorization for multiple years.
Oct 22, 2021
Hijacked package adds cryptominers and password-stealing malware
Multiple packages with 30M downloads/month are hijacked and publish malicious versions directly into the software supply chain.
Nov 26, 2018
Package hijacked adding organization specific backdoors
Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build.
Ready to dive in?
Get protected by Socket in just 5 minutes
The latest from the Socket team
Get our latest security research, open source insights, and product updates.
Changelog
Subscribe to the Socket Blog
The Socket blog now offers both full content Atom and JSON feeds which let you subscribe to all future Socket blog posts.
By Bret Comnes
Changelog
Project Health Reports now run on the default branch
The Socket GitHub app now runs Project Health Reports on the default branch instead of in pull requests.
By Bret Comnes