- Big update!Introducing GitHub Bot Commands. Learn more →
Secure your JavaScript supply chain
Depend on Socket to protect your app from malicious dependencies lurking in your open source supply chain.
Safeguarding leading organizations
Find and compare millions of open source packages
Quickly evaluate the security and health of any npm package.
Detect and block software supply chain attacks
Unlike a traditional vulnerability scanner, Socket can actually detect an active supply chain attack and help you to block it. Socket detects over 60 issues in open source code, for comprehensive protection.
Install scripts
Native code
Bin script confusion
Bin script shell injection
Filesystem access
Network access
Shell access
Debug access
High entropy strings
URL strings
26 more issues →
Missing dependency
Peer dependency
Uncaught optional dependency
Unresolved require
Extraneous dependency
Minified code
Bad text encoding
Unicode homoglyphs
Invalid package.json
File dependency
7 more issues →
Long strings
No bug tracker
No contributors or author data
Deprecated
Unmaintained
Critical CVE
CVE
Mild CVE
Unsafe copyright
License change
Non OSI license
Deprecated license
Missing license
Non SPDX license
Unclear license
Mixed license
Legal notice
Modified license
3 more issues →
Detect suspicious package updates in real-time
Prevent compromised or hijacked packages from infiltrating your supply chain by monitoring changes to
package.json in real-time.
Why developers love Socket
Pro-active security
Depend on Socket to prevent malicious open source dependencies from infiltrating your app.
Easy to install
Install the Socket GitHub App in less than 5 minutes and get protected today.
Comprehensive open source protection
Block 60+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.
Develop faster
Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.
Living in a hacker’s paradise
2021 was the year attackers took notice of the opportunity hiding in the open source supply chain. Supply chain attacks rose a whopping 650% in 2021 with over 12,000 recorded attacks.
Jan 06, 2022
Maintainer intentionally adds malware
Rogue maintainer sabotages his own open source package with 100M downloads/month, notably breaking Amazon's AWS SDK.
Nov 15, 2021
npm discovers a platform vulnerability allowing unauthorized publishing of any package
Attackers could publish new versions of any npm package without authorization for multiple years.
Oct 22, 2021
Hijacked package adds cryptominers and password-stealing malware
Multiple packages with 30M downloads/month are hijacked and publish malicious versions directly into the software supply chain.
Nov 26, 2018
Package hijacked adding organization specific backdoors
Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build.
Ready to dive in?
Get protected by Socket in just 5 minutes
The latest from the Socket team
Get our latest security research, open source insights, and product updates.
product
Github App Improvements
Finer-grained check runs, new config options, and improved reliability.
By Bret Comnes
product
Announcing Socket for GitHub 1.0
Today we're shipping a big update to Socket for GitHub to help developers protect their apps from software supply chain attacks.
By Feross Aboukhadijeh