![Node.js Adds Experimental Support for TypeScript](https://cdn.sanity.io/images/cgdhsj6q/production/5fa307ef6135347f38e009b4da8cebcb3b9a386a-1948x1336.png?w=400&fit=max&auto=format)
Security News
Node.js Adds Experimental Support for TypeScript
Node.js has added experimental support for TypeScript, a move that highlights the growing importance of TypeScript in modern development.
Product
Check out what's new at Socket with our Product Changelog. It tracks all public-facing updates, improvements, and fixes so you can take full advantage of our features.
Security News
In the latest Risky Biz Podcast episode, Socket CEO Feross Aboukhadijeh discussed the limitations of the National Vulnerability Database (NVD) in addressing the modern risks associated with using open source package registries.
Security News
Come meet the Socket team at BlackHat and DEF CON! We're sponsoring some fun networking events and we would love to see you there.
Security News
Learn how Socket's 'Non-Existent Author' alert helps safeguard your dependencies by identifying npm packages published by deleted accounts. This is one of the fastest ways to determine if a package may be abandoned.
Security News
In July, the Python Software Foundation mounted a quick response to address a leaked GitHub token, elected new board members, and added more members to the team supporting PSF and PyPI infrastructure.
Security News
Emerging ransomware groups drive a surge in activity in early 2024, with increasing software supply chain attacks predicted to impact critical industries reliant on third-party software.
Security News
In June 2023, Google sold all Google Domains accounts to Squarespace but more than a dozen customers have had their domains hijacked in the last week due to weak security defaults and migration issues.
Security News
In a reprisal of their previous Tea[.]xyz spam campaign, a new wave of thousands of garbage packages are hitting npm, to artificially inflate the number of dependents for spammers' projects.
Security News
The maintainer of the node-ip project restored the GitHub repo after disputing an exaggerated CVE rating, highlighting the impact of bogus CVEs on open source projects.
Security News
pnpm 9.5 introduces a Catalogs feature, enabling shareable dependency version specifiers, reducing merge conflicts and improving support for monorepos.
Security News
A threat actor on BreachForums is selling an unverified npm vulnerability for account takeover, but npm has not officially confirmed the existence of this security concern.
Security News
Cyber insurance rates are dropping as the market matures, according to a new report projecting global premiums to reach $43 billion by 2030, driven by international market uptake and growth in the SME sector.
Research
Security News
Socket researchers unpack a typosquatting package with malicious code that logs keystrokes and exfiltrates sensitive data to a remote server.
Security News
The JavaScript community has launched the e18e initiative to improve ecosystem performance by cleaning up dependency trees, speeding up critical parts of the ecosystem, and documenting lighter alternatives to established tools.
Product
Socket now supports four distinct alert actions instead of the previous two, and alert triaging allows users to override the actions taken for all individual alerts.
Security News
Polyfill.io has been serving malware for months via its CDN, after the project's open source maintainer sold the service to a company based in China.
Security News
OpenSSF is warning open source maintainers to stay vigilant against reputation farming on GitHub, where users artificially inflate their status by manipulating interactions on closed issues and PRs.
Security News
A JavaScript library maintainer is under fire after merging a controversial PR to support legacy versions of Node.js.
Security News
Results from the 2023 State of JavaScript Survey highlight key trends, including Vite's dominance, rising TypeScript adoption, and the enduring popularity of React. Discover more insights on developer preferences and technology usage.
Security News
The US Justice Department has penalized two consulting firms $11.3 million for failing to meet cybersecurity requirements on federally funded projects, emphasizing strict enforcement to protect sensitive government data.
Security News
ua-parser-js is set to drop the MIT license and adopt a controversial dual AGPLv3 + PRO licensing model in its upcoming v2.0 release, raising significant concerns among developers and enterprise users.
Security News
Researchers recently demonstrated that the npm Registry is vulnerable to cache poisoning combined with DoS, posing significant risks for package availability.
Security News
The June TC39 meeting wrapped up this week with eight proposals moving on to the next stage. Here's a quick roundup of the features that the committee approved to advance.
Security News
Cyber extortion in the US and Canada hit record levels in 2023, with ransomware attacks surging and median ransom demands skyrocketing, though fewer companies are choosing to pay ransoms.
Security News
Ecma TC39 is meeting this week and has moved key ECMAScript proposals forward, advancing Deferred Import Evaluation, Error.isError(), RegExp Escaping, and Promise.try to the next stages.
Security News
Researchers have demonstrated that teams of LLM agents can exploit zero-day vulnerabilities with a 53% success rate, and the costs of using AI to do so are rapidly becoming more affordable than hiring a human penetration tester.
Security News
In an unprecedented surge, May 2024 saw the publication of over 5,000 CVEs, marking a historic milestone in cybersecurity with an average of 164 CVEs per day, nearly double the 2023 daily average.
Security News
The White House is addressing fragmented cybersecurity regulations as CISOs report spending up to 50% of their time on compliance, aiming to harmonize requirements and improve cybersecurity outcomes.
Security News
Research
The Socket Research Team has identified a malicious Python package that is typosquatting the popular crytic-compile utility, frequently used in popular toolkits and development environments for smart contracts and crypto applications.
Security News
NIST updates on the NVD backlog after media reports that over 50% of KEVs were unenriched since mid-February. They've contracted additional support and partnered with CISA to clear the backlog by fiscal year-end.
Security News
A hospital in Mobile, Alabama, agreed to a settlement in a landmark ransomware death lawsuit, but is now reportedly reconsidering the agreement and refusing to pay.
Security News
A new report explores how advancements in LLMs are enhancing cyber threats, including polymorphic malware, personalized spearphishing, and the risk of hijacking customer service bots.
Security News
ESLint has approved an RFC that adds support for TypeScript configuration files, which is aimed at improving the developer experience and recognizing changes in the evolving JavaScript ecosystem.
Security News
The NVD is facing a significant backlog with over 12,500 CVEs awaiting analysis, and more than 50% of known exploited vulnerabilities (KEVs) left unenriched since mid-February.
Security News
Ransomware costs victims an estimated $30 billion per year and has gotten so out of control that global support for banning payments is gaining momentum.
Application Security
New SEC disclosure rules aim to enforce timely cyber incident reporting, but fear of job loss and inadequate resources lead to significant underreporting.
Security News
The Python Software Foundation has secured a 5-year sponsorship from Fastly that supports PSF's activities and events, most notably the security and reliability of the Python Package Index (PyPI).
Security News
LDAPjs, an LDAP Client and Server API for Node.js, was decommissioned after its maintainer received an abusive email from a user, raising concerns about this form of abuse as a potential attack vector.
Security News
CISA launched a new project called Vulnrichment to enrich CVEs with details that help prioritize patching and mitigation efforts, as the NVD backlog of unenriched CVEs awaiting analysis surpasses 10,000.
Security News
Socket is joining forces with CISA and other industry leaders at the RSA Conference to sign the Secure by Design pledge, committing to uphold the highest security standards in our products.
Research
The Socket research team breaks down a sampling of malicious packages that download and execute files, among other suspicious behaviors, targeting the popular Discord platform.
Security News
Socket CEO Feross Aboukhadijeh joins a16z partners to discuss how modern, sophisticated supply chain attacks require AI-driven defenses and explore the challenges and solutions in leveraging AI for threat detection early in the development life cycle.
Security News
NIST's new AI Risk Management Framework aims to enhance the security and reliability of generative AI systems and address the unique challenges of malicious AI exploits.
Security News
This episode of the Risky Biz podcast discusses how the rise of small open source packages and the shift towards individual maintainers makes the ecosystem more vulnerable to supply chain attacks.
Product
Streamline your login process and enhance security by enabling Single Sign-On (SSO) on the Socket platform, now available for all customers on the Enterprise plan, supporting 20+ identity providers.
Security News
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.
Security News
GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.
Security News
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
Research
Security News
The Socket Research team found this npm package includes code for collecting sensitive developer information, including your operating system username, Git username, and Git email.
Security News
OpenJS is warning of social engineering takeovers targeting open source projects after receiving a credible attempt on the foundation.
Company News
Come meet the Socket team at BSidesSF and RSA! We're sponsoring several fun networking events and we would love to see you there.
Security News
OSI is starting a conversation aimed at removing the excuse of the SaaS loophole for companies navigating licensing and the complexities of doing business with open source.
Product
We're introducing dependency visualization for reports - get a quick impression of the state of your dependencies without getting lost in the details.
Security News
RansomHub claims to have over 4TB of sensitive data from the Change Healthcare ransomware attack. They are threatening to sell it, if the company doesn't pay a second ransom.
Security News
On the most recent episode of the Chinchilla Squeaks podcast, Socket CEO Feross Aboukhadijeh discusses some of the overlooked risks of using open source code and how modern tools can leverage AI to secure dependencies.
Security News
Major open source foundations are uniting to create CRA-compliant security standards in preparation for EU Cyber Resilience Act regulations that go into effect in 2027.
Security News
NIST has acknowledged the growing backlog of vulnerabilities at the NVD and plans to publish the process for forming an outside consortium, but is getting pushback from security professionals.
Security News
ENISA has identified software supply chain attacks as the top cybersecurity threat for the next five years, just prior to the accidental discovery of a backdoored package used in nearly every Linux distribution.
Security News
XZ utils, a package for data compression software used in nearly every Linux distribution, was found to be backdoored and may allow unauthorized access to affected systems.
Security News
Valkey, a high-performance key-value store and open source Redis fork, gains momentum with Linux Foundation backing and support from industry giants like Amazon, Google Cloud, and Oracle.
Security News
CISA has proposed a set of new rules that would require critical infrastructure to report cyber incidents and ransom payments.
Security News
Redis is no longer OSS, breaking its explicit commitment to remain under the BSD 3-Clause License forever. This has angered contributors who are now working to fork the software.
Product
Socket AI now enables 'AI detected potential malware' alerts by default, ensuring users benefit from AI-powered state-of-the-art malware detection without needing to opt-in.
Security News
The Node.js Technical Steering Committee has confirmed that removing npm from the Node.js distribution is not a project goal, amidst continued discussions regarding enabling Corepack by default.
Security News
LockBit, defying law enforcement takedowns, launches a new attack on Crinetics Pharmaceuticals, with the group's leader declaring a commitment to continue their disruptive operations indefinitely.
Security News
The NVD has stopped enriching CVEs with little explanation, leaving the security community without metadata on 90% of records for the past month.
Security News
The White House published its proposed budget for 2025, with $13 billion earmarked for cybersecurity and safeguarding public services.
Security News
Product
In an effort to give back to the software creators whose contributions benefit the global developer community, open source projects can now get a free upgrade to our Team plan.
Security News
Socket CEO Feross Aboukhadijeh was recently interviewed on Basarat Ali Syed’s YouTube channel ahead of this year's Node Congress event. They discussed NodeJS and the challenges of securing open source dependencies.
Security News
CISA's new initiative collaborates with the open source ecosystem to enhance the security of package registries, promoting a set of best practices in the interest of securing critical infrastructure.
Security News
The Blackcat/ALPHV ransomware gang has executed an elaborate exit scam, falsely claiming law enforcement seizure, while swindling affiliates and severely impacting U.S. healthcare infrastructure.
Security News
Tea.xyz, a new crypto initiative aimed at rewarding open source developers, has sparked frustration within the community due to a flood of spam PRs on GitHub.
Security News
GitHub has enabled push protection by default for all user accounts. This feature prevents accidental leaks of API keys, tokens, and other secrets, a growing problem in open source development.
Security News
JSR, the new JavaScript registry, is now in public beta, designed for TypeScript and ESM.
Research
The "hardhat-gas-optimizer" npm package was found to exfiltrate sensitive data to Pastebin, targeting Ethereum developers using Hardhat tools in their development environment.
Security News
Socket CEO Feross Aboukhadijeh was interviewed on the Daytona DotFiles Insider blog on the challenges developers face when selecting open source packages and how Socket is working to create a more secure ecosystem.
Security News
The OpenJS Foundation has launched a new effort to iterate on the informal standardization of package.json and improve the interoperability of JavaScript package metadata for application developers.
Security News
The LockBit ransomware gang's takedown by international law enforcement reveals over $1 billion in stolen funds, along with a next generation version of ransomware they had in development.
Security News
JSR, a new package registry from the Deno team, aims to address npm’s limitations but the JavaScript community is concerned about ecosystem fragmentation.
Security News
International law enforcement organizations have disrupted LockBit, the world’s largest ransomware gang, seized their operations and infrastructure, and indicted some of the perpetrators.
Research
Security News
Socket discovered two malicious Python packages, enchantv and vibrant, imitating popular packages and targeting victims via a base64 encoded payload in their setup files.
Product
Socket is adding a new dashboard Threat Feed that gives users more visibility into malware detected and blocked across npm and PyPI ecosystems.
Security News
This segment of the Risky Business podcast offers an overview of the volume of malicious packages that are being published to public code repositories and explains why older SCA tools aren’t equipped to detect these threats in a timely way.
Product
Socket is deprecating Project Report v0 in favor of the new, faster Project Report v1.
Security News
A mountain of spam PRs landed in the Express.js project repo after a popular YouTube tutorial used it as an example for contributing to open source. This put a spotlight on the mandate for job seekers to find a way to contribute to OSS.
Security News
Socket CEO Feross Aboukhadijeh joined the Security Podcast in Silicon Valley where they discussed the essence of the security mindset and how this approach has shaped Socket's architecture to swiftly identify and mitigate supply chain threats.
Security News
The Node community is wrestling with the decision to enable Corepack by default, which has sparked a debate about the potential of removing npm from the Node.js binary.
Security News
Application Security
On the CyberBytes podcast, Socket CEO Feross Aboukhadijeh discusses the challenges in OSS security, the hacker mindset, and the shift towards using proactive tools that go beyond traditional vulnerability scanning to prevent supply chain attacks.
Research
Security News
A malicious npm package is targeting Roblox's massive user base to steal sensitive data, with potential impacts for both players and developers on the popular gaming platform.
Application Security
The Tines team created an integration that generates and emails real-time vulnerability reports for repositories protected by Socket.
Application Security
Deprecated npm packages are common in modern software projects. Learn about the risks of using unmaintained code, how to identify these packages, and evaluate alternatives.
Product
Company News
The latest update of Socket for GitHub features a new web-based diff report viewer, enhanced support for PyPI and Golang, faster scan times, and a new syntax for specifying package ignores.
Security News
A German court's controversial ruling fined a security researcher for exposing a company's data vulnerabilities, sparking intense debate over the future of ethical hacking and cybersecurity.
Security News
Underwriters expect a rise in cyber insurance premiums in 2024 due to increased ransomware activity. They predict higher risks, emphasizing the need for a focus on resiliency and better strategies for cyber incident prevention and response.
Security News
Socket CEO Feross Aboukhadijeh joins the hosts of the DevTools podcast to discuss open source maintainership, sustainability, and the challenge of proactively securing dependencies from emerging threats.
Application Security
Security News
This short history of protestware - from punch cards to package managers - explores the intriguing and controversial phenomenon of digital activism and the risks to open source supply chains.
Security News
Orbit Chain is offering an $8M bounty for intel that will lead to the recovery of crypto assets or identification of the attacker who stole $81M on New Year's Eve.
Research
From unprecedented expansion to security challenges: A comprehensive look at npm's dynamic year.
Research
Security News
Socket's research team detected and analyzed a new Python package that distributes Blank Grabber malware for stealing data from applications like Discord and Telegram.
Security News
There's a growing trend of hackers using sophisticated multi-phase attacks leveraging package managers to deploy coinminers, as seen in the recent discovery of three malicious PyPI packages.
Application Security
An NPM user named PatrickJS launched a troll campaign with a package called "everything," which depends on all public npm packages.
Security News
Crypto draining attacks are ramping up, as hackers exploit weaknesses in tools used to transfer funds across cryptocurrencies. Orbit Bridge was the most recent target in an attack that stole an estimated $81 million in virtual assets on New Year's Eve.
Security News
Socket CEO Feross Aboukhadijeh joined the Syntax podcast, discussing the balance between open source innovation and safety in the npm ecosystem.
Engineering
JSON is a simple technology but has a lot of underlying topics to think about. This guide can help uncover those topics.
Product
Get a comprehensive, organization-wide view of security risks across all repositories in your organization – even if you have hundreds of thousands of dependencies across thousands of repositories.
Security News
The ALPHV/Blackcat ransomware group has responded to the FBI's disruption of their operations with increased hostility, following the release of a decryption tool to more than 500 victims.
Security News
Socket CEO Feross Aboukhadijeh joins the Decipher podcast to discuss the necessity of using AI-powered early threat detection tools to protect the immense trust placed in the hands of open source maintainers.
Product
Socket's new Audit Log feature allows administrators to monitor important account changes and the history of all events in Socket.
Security News
Supply chain attacks targeting the crypto industry are becoming increasingly complex, requiring more proactive measures to prevent costly exploits. It's time for crypto to get serious about security.
Security News
Follow the @npm_malware account to get live alerts from the Socket threat feed.
Security News
The Ledger Connect Kit was compromised in a supply chain attack, leading to crypto fund theft and highlighting Socket's AI scanner's effectiveness in detecting such threats.
Company News
Socket has been recognized in Fortune’s new Cyber 60 list, among other companies innovating in the cybersecurity industry.
Research
A recently uncovered Python script highlights a spam campaign tactic where malicious actors automate the publishing of spam packages to the npm package registry.
Application Security
Product
Learn how to integrate Socket into your Bitbucket pipeline for added security, reducing your dependency supply chain risk!
Security News
Ransomware payment demands are rising in 2023, driving a higher demand for cyber insurance and an increase in premiums.
Product
We just released v0.9.0 of the Socket CLI with some improvements to the socket info command so you can get useful information about an npm package, right in the terminal.
Security News
The financial services sector has been hit by a recent surge of ransomware attacks, disrupting operations at major institutions such as Fidelity National Financial and the Industrial and Commercial Bank of China. These attacks underscore the importance of swift security measures in addressing vulnerabilities on enterprise systems.
Application Security
Supply chain attacks that leverage typosquatting are steeply rising over previous years. Learn how Socket for GitHub and Socket CLI can protect your app.
Application Security
Product
A short walkthrough of how to integrate Socket into the GitLab CI/CD process.
Product
Get more information about the most popular JavaScript packages with Socket's new AI-generated package summaries.
Product
Our new and improved Project Health Reports are now generally available.
Engineering
Socket discusses the results of using different package managers to install your packages and introduces a GitHub action to expose those differences.
Application Security
How Socket uses LLMs to enhance both the analysis and explanation of open-source software packages.
Product
Socket is happy to enable developers to customize their own feature plan choices with the announcement of self-service payment plans.
Research
Socket AI detected a malicious package on PyPI with an abnormally high potential impact, and Socket security researchers investigated it, confirming malicious behavior.
Engineering
package.json contains a local aliasing mechanism for import paths called "imports"; it satisfies many use cases without tooling-specific solutions like tsconfig.json.
Research
Digging into the Skeleton Squad's recent expansion from PyPI to the npm ecosystem.
Research
Socket AI detected threats in package ecosystems, including counterfeit Roblox and Discord packages. Malware hidden in DNS records and selective data attacks were also spotted, showcasing Socket Security's robust defense capabilities.
Application Security
What supply chain attacks are, and how Socket can help protect you from them.
Product
Get visibility and control over your open source dependencies across your whole organization.
Product
We're excited to announce that Socket now supports the Go programming language.
Company News
Empowering Developers: Our Journey to a Safer Open Source Ecosystem
Product
Socket is now offering a free browser extension to verify the security and quality of packages on NPM.
Research
The Lazarus Group launched a sophisticated social engineering campaign targeting developers in the cryptocurrency and cybersecurity sectors, using compromised accounts and malware-laden NPM packages.
Company News
Socket is back at Black Hat and DEF CON. Stop by our suite to hang out!
Application Security
Vulnerability scanners provide a false sense of security to appsec teams and do little to prevent supply chain attacks.
Research
Socket has been protecting organizations from "manifest confusion" attacks for 9 months before it was publicly disclosed.
Application Security
Exposing the flaws of traditional SCA tools, and introducing a solution.
Product
The Socket Security extension for VSCode now supports Python.
Product
You can now send Socket Pull Request Notifications to Slack!
Engineering
Socket provides a retrospective on code signing in relation to the SolarWinds supply chain incident.
Company News
The Socket blog now offers both full content Atom and JSON feeds which let you subscribe to all future Socket blog posts.
Product
The Socket GitHub app now runs Project Health Reports on the default branch instead of in pull requests.
Application Security
Socket explains the newly released npm provenance provided by GitHub.
Company News
Socket is back at BSidesSF and RSA! Stop by to meet the team and hang out.
Product
We share some feedback and directions on Socket's npm wrapper.
Product
Socket introduces an overall project health report for viewing data relevant to entire projects at a glance.
Product
Socket is using ChatGPT to examine every npm and PyPI package for security issues.
Research
The npm public registry is drowning in a tsunami of spam and phishing, and it's all thanks to everyone's favorite gun-toting antihero, John Wick.
Product
Socket Dependency Overview helps developers understand the risk of dependency changes by leaving an in-depth comment on any pull request that adds, updates, or removes dependencies.
Product
Socket is proud to introduce an exciting new tool—“safe npm”—that protects developers whenever they use npm install.
Company News
Socket partners with Ecosystems to build and maintain secure, resilient, and sustainable open source ecosystems.
Product
Socket now supports the pnpm package manager!
Product
We're excited to announce that Socket now supports the Python programming language.
Company News
Socket is thrilled to announce that we have achieved a sparkling clean SOC 2 Type 2 attestation report.
Research
Engineering
Proposing a more usable RegExp for JS in light of async I/O and streaming.
Company News
Socket is nominating Bradley Meck Farias as a representative to the OpenSSF Governing Board.
Product
We have a new configuration file format and library for working with it!
Product
Socket is proud to announce improved support for npm and Yarn, including full support for npm versions 6, 7, 8, and 9 and full support for Yarn versions 1, 2, and 3.
Product
Engineering
Introducing a VS Code editor integration for Socket Security.
Product
Socket has introduced a new dashboard functionality to aid in self service and auditing in one centralized location.
Research
Engineering
We have been using GPT at Socket to help triage the npm package firehose for a couple months now. Here is what it is like after actual experience.
Engineering
File explorers are great tools for programmers when they help code be understood, but what does it take to ship a file explorer, and what does it mean to help programmers by providing one?
Research
A package published an anomalous 11460 versions in 4 months; Socket Security had to figure out whether it was something to be concerned about.
Product
Socket for GitHub requires a new GitHub permission. Here are the details.
Company News
Socket has successfully completed the SOC 2 Type I audit by meeting rigorous security and confidentiality standards.
Company News
Socket is joining the Open Source Security Foundation (OpenSSF), the cross-industry organization working on the most important open source security initiatives.
Product
We're excited to preview a brand new way to use Socket, a CLI tool! This will be especially useful to those of you not using GitHub or those who want more control over how they interact with Socket.
Product
Socket for GitHub has added the option to customize which issue alerts your pull request receives.
Research
Circumventing Chinese censorship: Plethora of eBooks pervade these GitHub and npm repositories containing contents of banned websites like 'The Economist'
Product
We added 5 new issues to our GitHub pull request alerts.
Research
npm package ‘state-counter’ mimics StatCounter but instead pops open a very NSFW website.
Research
Yet another attack vector that allows malicious packages to pwn you.
Product
Dismiss Socket pull request alerts using bot commands.
Product
Finer-grained check runs, new config options, and improved reliability.
Company News
Today we're shipping a big update to Socket for GitHub to help developers protect their apps from software supply chain attacks.
Company News
Redefining open source security through proactive supply chain risk management
Company News
Socket's mission is to make open source safer.
Application Security
Examples of recent supply chain attacks and concrete steps you can take to protect your team from this emerging threat.
Application Security
Confidence is good but overconfidence always sinks the ship.