High Salaries No Longer Enough to Attract Top Cybersecurity Talent

Socket, the leader in open source security, is now available on Google Cloud Marketplace for simplified procurement and enhanced protection against supply chain attacks.

Corepack will be phased out from future Node.js releases following a TSC vote.

Research uncovers Black Basta's plans to exploit package registries for ransomware delivery alongside evidence of similar attacks already targeting open source ecosystems.

Oxlint's beta release introduces 500+ built-in linting rules while delivering twice the speed of previous versions, with future support planned for custom plugins and improved IDE integration.

A compromised GitHub Action exposed secrets in CI/CD logs, putting thousands of projects at risk and forcing developers to urgently secure their workflows.

A malicious Maven package typosquatting a popular library is secretly stealing OAuth credentials on the 15th of each month, putting Java developers at risk.

Socket and Seal Security collaborate to fix a critical npm overrides bug, resolving a three-year security issue in the JavaScript ecosystem's most popular package manager.

TypeScript is porting its compiler to Go, delivering 10x faster builds, lower memory usage, and improved editor performance for a smoother developer experience.

The Socket Research Team has discovered six new malicious npm packages linked to North Korea’s Lazarus Group, designed to steal credentials and deploy backdoors.

Socket CEO Feross Aboukhadijeh discusses the open web, open source security, and how Socket tackles software supply chain attacks on The Pair Program podcast.

Opengrep continues building momentum with the alpha release of its Playground tool, demonstrating the project's rapid evolution just two months after its initial launch.

FSF files an amicus brief against Neo4j, defending the AGPL and warning against adding restrictive terms that undermine free software rights.

Malicious PyPI package ‘set-utils’ steals Ethereum private keys by exfiltrating them through blockchain transactions via the Polygon RPC.

Malicious Go packages are impersonating popular libraries to install hidden loader malware on Linux and macOS, targeting developers with obfuscated payloads.

Bybit's $1.46B hack by North Korea's Lazarus Group pushes 2025 crypto losses to $1.6B in just two months, already surpassing all of 2024's $1.49B total.

OpenSSF has published OSPS Baseline, an initiative designed to establish a minimum set of security-related best practices for open source software projects.

Michigan TypeScript founder Dimitri Mitropoulos implements WebAssembly runtime in TypeScript types, enabling Doom to run after processing 177 terabytes of type definitions.

vlt's new "reproduce" tool verifies npm packages against their source code, outperforming traditional provenance adoption in the JavaScript ecosystem.

Socket researchers uncovered a malicious PyPI package exploiting Deezer’s API to enable coordinated music piracy through API abuse and C2 server control.

The Socket Research Team discovered a malicious npm package, '@ton-wallet/create', stealing cryptocurrency wallet keys from developers and users in the TON ecosystem.

Newly introduced telemetry in devenv 1.4 sparked a backlash over privacy concerns, leading to the removal of its AI-powered feature after strong community pushback.

TC39 met in Seattle and advanced 9 JavaScript proposals, including three to Stage 4, introducing new features and enhancements for a future ECMAScript release.

Deno 2.2 enhances Node.js compatibility, improves dependency management, adds OpenTelemetry support, and expands linting and task automation for developers.

React's CRA deprecation announcement sparked community criticism over framework recommendations, leading to quick updates acknowledging build tools like Vite as valid alternatives.

Ransomware payment rates hit an all-time low in 2024 as law enforcement crackdowns, stronger defenses, and shifting policies make attacks riskier and less profitable.

require(esm) backported to Node.js 20, easing the transition to ESM-only packages and reducing complexity for developers as Node 18 nears end-of-life.

PyPI now supports iOS and Android wheels, making it easier for Python developers to distribute mobile packages.

Create React App is officially deprecated due to React 19 issues and lack of maintenance—developers should switch to Vite or other modern alternatives.

Oracle seeks to dismiss fraud claims in the JavaScript trademark dispute, delaying the case and avoiding questions about its right to the name.

The Linux Foundation is warning open source developers that compliance with global sanctions is mandatory, highlighting legal risks and restrictions on contributions.

Maven Central now validates Sigstore signatures, making it easier for developers to verify the provenance of Java packages.

CISOs are racing to adopt AI for cybersecurity, but hurdles in budgets and governance may leave some falling behind in the fight against cyber threats.

Socket researchers uncovered a backdoored typosquat of BoltDB in the Go ecosystem, exploiting Go Module Proxy caching to persist undetected for years.

Socket is joining TC54 to help develop standards for software supply chain security, contributing to the evolution of SBOMs, CycloneDX, and Package URL specifications.

PyPI now allows maintainers to archive projects, improving security and helping users make informed decisions about their dependencies.

Malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems; similarities to past campaigns suggest a North Korean connection.

CISA's KEV data is now on GitHub, offering easier access, API integration, commit history tracking, and automated updates for security teams and researchers.

Opengrep forks Semgrep to preserve open source SAST in response to controversial licensing changes.

Critics call the Node.js EOL CVE a misuse of the system, sparking debate over CVE standards and the growing noise in vulnerability databases.

cURL and Go security teams are publicly rejecting CVSS as flawed for assessing vulnerabilities and are calling for more accurate, context-aware approaches.

Bun 1.2 enhances its JavaScript runtime with 90% Node.js compatibility, built-in S3 and Postgres support, HTML Imports, and faster, cloud-first performance.

Biden's executive order pushes for AI-driven cybersecurity, software supply chain transparency, and stronger protections for federal and open source systems.

Fluent Assertions is facing backlash after dropping the Apache license for a commercial model, leaving users blindsided and questioning contributor rights.

Socket researchers uncover the risks of a malicious Python package targeting Discord developers.

The UK is proposing a bold ban on ransomware payments by public entities to disrupt cybercrime, protect critical services, and lead global cybersecurity efforts.

Snyk's use of malicious npm packages for research raises ethical concerns, highlighting risks in public deployment, data exfiltration, and unauthorized testing.

Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data theft.

pnpm 10 blocks lifecycle scripts by default to improve security, addressing supply chain attack risks but sparking debate over compatibility and workflow changes.

Socket now supports uv.lock files to ensure consistent, secure dependency resolution for Python projects and enhance supply chain security.

Socket researchers have discovered multiple malicious npm packages targeting Solana private keys, abusing Gmail to exfiltrate the data and drain Solana wallets.

PEP 770 proposes adding SBOM support to Python packages to improve transparency and catch hidden non-Python dependencies that security tools often miss.

Socket CEO Feross Aboukhadijeh discusses open source security challenges, including zero-day attacks and supply chain risks, on the Cyber Security Council podcast.

Socket researchers uncover how threat actors weaponize Out-of-Band Application Security Testing (OAST) techniques across the npm, PyPI, and RubyGems ecosystems to exfiltrate sensitive data.

A malicious npm campaign is targeting Ethereum developers by impersonating Hardhat plugins and the Nomic Foundation, stealing sensitive data like private keys.

Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.

A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.

Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.

Sonar’s acquisition of Tidelift highlights a growing industry shift toward sustainable open source funding, addressing maintainer burnout and critical software dependencies.

Ransomware negotiators share how modern cybercriminals operate like corporations, using specialized teams, negotiation tactics, and reputation management.

PyPI confirms no security flaws were exploited in the Ultralytics supply chain attack and highlights improvements for safer package publishing.

The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.

Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.

The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.

Socket researchers found a malicious Maven package impersonating the legitimate ‘XZ for Java’ library, introducing a backdoor for remote code execution.

Node.js v22.12.0 (LTS) debuts with require(esm) enabled by default, alongside security milestones and automated workflows for faster, more stable releases.

npm has a revamped search experience with new, more transparent sorting options—Relevance, Downloads, Dependents, and Publish Date.

A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library.

A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.

Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.

Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.

A Stanford study reveals 9.5% of engineers contribute almost nothing, costing tech $90B annually, with remote work fueling the rise of "ghost engineers."

Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.

MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.

In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.

A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.

NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.

A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.

PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.

GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.

RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.

Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.

Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.

vlt introduced its new package manager and a serverless registry this week, innovating in a space where npm has stagnated.

The Socket Research Team uncovered a malicious Python package typosquatting the popular 'fabric' SSH library, silently exfiltrating AWS credentials from unsuspecting developers.

At its inaugural meeting, the JSR Working Group outlined plans for an open governance model and a roadmap to enhance JavaScript package management.

An advanced npm supply chain attack is leveraging Ethereum smart contracts for decentralized, persistent malware control, evading traditional defenses.

Attackers are impersonating Sindre Sorhus on npm with a fake 'chalk-node' package containing a malicious backdoor to compromise developers' projects.

The npm package for the LottieFiles Player web component was hit with a supply chain attack after a software engineer's npmjs credentials were compromised.

Socket has been recognized for the second consecutive year on the Fortune Cyber 60 list, which identifies the most significant venture-backed cybersecurity startups.

Python becomes GitHub's top language in 2024, driven by AI and data science projects, while AI-powered security tools are gaining adoption.

Dutch National Police and FBI dismantle Redline and Meta infostealer malware-as-a-service operations in Operation Magnus, seizing servers and source code.

Socket is tracking a new trend where malicious actors are now exploiting the popularity of LLM research to spread malware through seemingly useful open source packages.

Noxia, a new dark web bulletproof host, offers dirt cheap servers for Python, Node.js, Go, and Rust, enabling cybercriminals to distribute malware and execute supply chain attacks.

Socket safeguards companies from software supply chain attacks by detecting and preventing threats in open source code and empowering developers to secure their applications and critical services against malware and other security risks.

Socket is launching Ruby support for all users. Enhance your Rails projects with AI-powered security scans for vulnerabilities and supply chain threats. Now in Beta!

Ensure open-source compliance with Socket’s License Enforcement Beta. Set up your License Policy and secure your software!

We're launching a new set of license analysis and compliance features for analyzing, managing, and complying with licenses across a range of supported languages and ecosystems.

We're excited to introduce Socket Optimize, a powerful CLI command to secure open source dependencies with tested, optimized package overrides.

We're excited to announce that Socket now supports the Java programming language.

Socket detected a malicious Python package impersonating a popular browser cookie library to steal passwords, screenshots, webcam images, and Discord tokens.

Deno 2.0 is now available with enhanced package management, full Node.js and npm compatibility, improved performance, and support for major JavaScript frameworks.

The Internet Archive's "Wayback Machine" has been hacked and defaced, with 31 millions records compromised.

TC39 is meeting in Tokyo this week and they have approved nearly a dozen proposals to advance to the next stages.

Our threat research team breaks down two malicious npm packages designed to exploit developer trust, steal your data, and destroy data on your machine.

A senior white house official is urging insurers to stop covering ransomware payments, indicating possible stricter regulations to deter cybercrime.

ESLint has added JSON and Markdown linting support with new officially-supported plugins, expanding its versatility beyond JavaScript.

Members Hub is conducting large-scale campaigns to artificially boost Discord server metrics, undermining community trust and platform integrity.

NIST has failed to meet its self-imposed deadline of clearing the NVD's backlog by the end of the fiscal year. Meanwhile, CVE's awaiting analysis have increased by 33% since June.

Cloudflare has launched a setup wizard allowing users to easily create and manage a security.txt file for vulnerability disclosure on their websites.

The Socket Research team breaks down a malicious npm package targeting the legitimate DOMPurify library. It uses obfuscated code to hide that it is exfiltrating browser and crypto wallet data.

ENISA’s 2024 report highlights the EU’s top cybersecurity threats, including rising DDoS attacks, ransomware, supply chain vulnerabilities, and weaponized AI.

NIST's new password guidelines remove periodic changes and special character requirements, focusing on longer, more secure passwords for better authentication practices.

A record 2,709 developers participated in the 2024 Ruby on Rails Community Survey, revealing key tools, practices, and trends shaping the Rails ecosystem.

In 2023, data breaches surged 78% from zero-day and supply chain attacks, but developers are still buried under alerts that are unable to prevent these threats.

Solo open source maintainers face burnout and security challenges, with 60% unpaid and 60% considering quitting.

License exceptions modify the terms of open source licenses, impacting how software can be used, modified, and distributed. Developers should be aware of the legal implications of these exceptions.

A developer is accusing Tencent of violating the GPL by modifying a Python utility and changing its license to BSD, highlighting the importance of copyleft compliance.

In an open letter, JavaScript community leaders urge Oracle to give up the JavaScript trademark, arguing that it has been effectively abandoned through nonuse.

The initial version of the Socket Python SDK is now on PyPI, enabling developers to more easily interact with the Socket REST API in Python projects.

Floating dependency ranges in npm can introduce instability and security risks into your project by allowing unverified or incompatible versions to be installed automatically, leading to unpredictable behavior and potential conflicts.

A new Rust RFC proposes "Trusted Publishing" for Crates.io, introducing short-lived access tokens via OIDC to improve security and reduce risks associated with long-lived API tokens.

Cloudflare is expanding Node.js compatibility for Workers and Pages, enabling developers to use more npm packages through a hybrid approach that combines native code and polyfills for Node.js APIs.

The Python Software Foundation has expanded its CNA scope to include the Pallets Projects, enabling faster, more reliable CVE tracking for critical frameworks used in Python applications.

Elastic’s return to open source with the AGPL license has been met with skepticism, as many developers see it as a strategic move rather than a genuine effort to restore user trust and freedoms.

A new "revival hijack" supply chain attack targets deleted Python packages, with an estimated 22K packages at risk. Socket can detect and block hijacked packages that have added malicious code.

We're introducing a new Analytics feature in the Socket dashboard so you can view changes in your organization's and repositories' alerts over time.

A new OpenSSF report uncovers critical gaps in secure software training, with 75% of new developers unfamiliar with secure practices, highlighting urgent educational needs.

The 2023 Python Developers Survey reveals key trends in packaging, web frameworks, and developer demographics, highlighting a shift toward innovative tools as the Python community diversifies and grows among less experienced developers.

GitHub is combatting a new spam campaign that exploits issues with links to malicious downloads, highlighting the need for better moderation tools to protect open-source maintainers' time and security.

uv, Python's new package manager, offers a faster and more efficient alternative to pip with features that simplify tooling, manage Python versions, and streamline development workflows.

Socket researchers have uncovered 3.7 million fake GitHub stars, highlighting a growing threat linked to scams, fraud, and malware, with these campaigns rapidly increasing over the last six months.

Deno's Standard Library has stabilized after four years of development, offering developers a collection of well-maintained tools compatible with Deno, Node.js, Cloudflare Workers, and browsers with bundlers.

Trivial packages, while convenient, can introduce significant risks such as dependency bloat, security vulnerabilities, and performance issues in modern software projects.

PyPI has drastically improved its malware response times, resolving 90% of issues in under 24 hours and removing 900 projects since March 2024.

The Socket Research team breaks down an obfuscated script designed to facilitate unauthorized file uploads to multiple external services.

Node.js has automated its security release process, doubling the number of releases, and is re-evaluating unsupported experimental features with the Next 10 group to enhance security.

Can you spot malicious malicious packages on the web at a glance? Socket can. Check out our updated Web Extension!

Socket introduces three new customizable default security policies for users to choose from: Low Noise (traditional SCA), Default, and Higher Noise.

MITRE has just minted its 400th CNA, as the NVD struggles to tame its backlog of CVEs awaiting analysis, which has increased by 30% since June.

New report from the White House aims to address gaps in open source security, calling for more funding, tighter supply chain controls, and stronger collaboration.

Explore the security risks of using npm shrinkwrap, the potential for outdated dependencies, and best practices for mitigating these concerns in your projects.

Node.js is taking steps towards removing Corepack from its distribution, aiming for changes in the next major release.

OpenSSF has released a guide to help package repositories adopt Trusted Publishers, which enhances security by using short-lived identity tokens for authentication, reducing the risks associated with long-lived secrets.

Philipp Burckhardt recounts his journey from childhood computer fascinations, to building an e-learning platform at Carnegie Mellon University, and on to his current role at Socket.

Git dependencies in open source packages can introduce significant risks, including lack of version control, stability issues, dependency drift, and difficulty in auditing, making them potential targets for supply chain attacks.

Node.js has added experimental support for TypeScript, a move that highlights the growing importance of TypeScript in modern development.

Check out what's new at Socket with our Product Changelog. It tracks all public-facing updates, improvements, and fixes so you can take full advantage of our features.

In the latest Risky Biz Podcast episode, Socket CEO Feross Aboukhadijeh discussed the limitations of the National Vulnerability Database (NVD) in addressing the modern risks associated with using open source package registries.

Come meet the Socket team at BlackHat and DEF CON! We're sponsoring some fun networking events and we would love to see you there.

Learn how Socket's 'Non-Existent Author' alert helps safeguard your dependencies by identifying npm packages published by deleted accounts. This is one of the fastest ways to determine if a package may be abandoned.

In July, the Python Software Foundation mounted a quick response to address a leaked GitHub token, elected new board members, and added more members to the team supporting PSF and PyPI infrastructure.

Emerging ransomware groups drive a surge in activity in early 2024, with increasing software supply chain attacks predicted to impact critical industries reliant on third-party software.

In June 2023, Google sold all Google Domains accounts to Squarespace but more than a dozen customers have had their domains hijacked in the last week due to weak security defaults and migration issues.

In a reprisal of their previous Tea[.]xyz spam campaign, a new wave of thousands of garbage packages are hitting npm, to artificially inflate the number of dependents for spammers' projects.

The maintainer of the node-ip project restored the GitHub repo after disputing an exaggerated CVE rating, highlighting the impact of bogus CVEs on open source projects.

pnpm 9.5 introduces a Catalogs feature, enabling shareable dependency version specifiers, reducing merge conflicts and improving support for monorepos.

A threat actor on BreachForums is selling an unverified npm vulnerability for account takeover, but npm has not officially confirmed the existence of this security concern.

Cyber insurance rates are dropping as the market matures, according to a new report projecting global premiums to reach $43 billion by 2030, driven by international market uptake and growth in the SME sector.

Socket researchers unpack a typosquatting package with malicious code that logs keystrokes and exfiltrates sensitive data to a remote server.

The JavaScript community has launched the e18e initiative to improve ecosystem performance by cleaning up dependency trees, speeding up critical parts of the ecosystem, and documenting lighter alternatives to established tools.

Socket now supports four distinct alert actions instead of the previous two, and alert triaging allows users to override the actions taken for all individual alerts.

Polyfill.io has been serving malware for months via its CDN, after the project's open source maintainer sold the service to a company based in China.

OpenSSF is warning open source maintainers to stay vigilant against reputation farming on GitHub, where users artificially inflate their status by manipulating interactions on closed issues and PRs.

A JavaScript library maintainer is under fire after merging a controversial PR to support legacy versions of Node.js.

Results from the 2023 State of JavaScript Survey highlight key trends, including Vite's dominance, rising TypeScript adoption, and the enduring popularity of React. Discover more insights on developer preferences and technology usage.

The US Justice Department has penalized two consulting firms $11.3 million for failing to meet cybersecurity requirements on federally funded projects, emphasizing strict enforcement to protect sensitive government data.

ua-parser-js is set to drop the MIT license and adopt a controversial dual AGPLv3 + PRO licensing model in its upcoming v2.0 release, raising significant concerns among developers and enterprise users.

Researchers recently demonstrated that the npm Registry is vulnerable to cache poisoning combined with DoS, posing significant risks for package availability.

The June TC39 meeting wrapped up this week with eight proposals moving on to the next stage. Here's a quick roundup of the features that the committee approved to advance.

Cyber extortion in the US and Canada hit record levels in 2023, with ransomware attacks surging and median ransom demands skyrocketing, though fewer companies are choosing to pay ransoms.

Ecma TC39 is meeting this week and has moved key ECMAScript proposals forward, advancing Deferred Import Evaluation, Error.isError(), RegExp Escaping, and Promise.try to the next stages.

Researchers have demonstrated that teams of LLM agents can exploit zero-day vulnerabilities with a 53% success rate, and the costs of using AI to do so are rapidly becoming more affordable than hiring a human penetration tester.

In an unprecedented surge, May 2024 saw the publication of over 5,000 CVEs, marking a historic milestone in cybersecurity with an average of 164 CVEs per day, nearly double the 2023 daily average.

The White House is addressing fragmented cybersecurity regulations as CISOs report spending up to 50% of their time on compliance, aiming to harmonize requirements and improve cybersecurity outcomes.

The Socket Research Team has identified a malicious Python package that is typosquatting the popular crytic-compile utility, frequently used in popular toolkits and development environments for smart contracts and crypto applications.

NIST updates on the NVD backlog after media reports that over 50% of KEVs were unenriched since mid-February. They've contracted additional support and partnered with CISA to clear the backlog by fiscal year-end.

A hospital in Mobile, Alabama, agreed to a settlement in a landmark ransomware death lawsuit, but is now reportedly reconsidering the agreement and refusing to pay.

A new report explores how advancements in LLMs are enhancing cyber threats, including polymorphic malware, personalized spearphishing, and the risk of hijacking customer service bots.

ESLint has approved an RFC that adds support for TypeScript configuration files, which is aimed at improving the developer experience and recognizing changes in the evolving JavaScript ecosystem.

The NVD is facing a significant backlog with over 12,500 CVEs awaiting analysis, and more than 50% of known exploited vulnerabilities (KEVs) left unenriched since mid-February.

Ransomware costs victims an estimated $30 billion per year and has gotten so out of control that global support for banning payments is gaining momentum.

New SEC disclosure rules aim to enforce timely cyber incident reporting, but fear of job loss and inadequate resources lead to significant underreporting.

The Python Software Foundation has secured a 5-year sponsorship from Fastly that supports PSF's activities and events, most notably the security and reliability of the Python Package Index (PyPI).

LDAPjs, an LDAP Client and Server API for Node.js, was decommissioned after its maintainer received an abusive email from a user, raising concerns about this form of abuse as a potential attack vector.

CISA launched a new project called Vulnrichment to enrich CVEs with details that help prioritize patching and mitigation efforts, as the NVD backlog of unenriched CVEs awaiting analysis surpasses 10,000.

Socket is joining forces with CISA and other industry leaders at the RSA Conference to sign the Secure by Design pledge, committing to uphold the highest security standards in our products.

The Socket research team breaks down a sampling of malicious packages that download and execute files, among other suspicious behaviors, targeting the popular Discord platform.

Socket CEO Feross Aboukhadijeh joins a16z partners to discuss how modern, sophisticated supply chain attacks require AI-driven defenses and explore the challenges and solutions in leveraging AI for threat detection early in the development life cycle.

NIST's new AI Risk Management Framework aims to enhance the security and reliability of generative AI systems and address the unique challenges of malicious AI exploits.

This episode of the Risky Biz podcast discusses how the rise of small open source packages and the shift towards individual maintainers makes the ecosystem more vulnerable to supply chain attacks.

Streamline your login process and enhance security by enabling Single Sign-On (SSO) on the Socket platform, now available for all customers on the Enterprise plan, supporting 20+ identity providers.

Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.

As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.

UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.

GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.

At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.

The Socket Research team found this npm package includes code for collecting sensitive developer information, including your operating system username, Git username, and Git email.

OpenJS is warning of social engineering takeovers targeting open source projects after receiving a credible attempt on the foundation.

Come meet the Socket team at BSidesSF and RSA! We're sponsoring several fun networking events and we would love to see you there.

OSI is starting a conversation aimed at removing the excuse of the SaaS loophole for companies navigating licensing and the complexities of doing business with open source.

We're introducing dependency visualization for reports - get a quick impression of the state of your dependencies without getting lost in the details.

RansomHub claims to have over 4TB of sensitive data from the Change Healthcare ransomware attack. They are threatening to sell it, if the company doesn't pay a second ransom.

On the most recent episode of the Chinchilla Squeaks podcast, Socket CEO Feross Aboukhadijeh discusses some of the overlooked risks of using open source code and how modern tools can leverage AI to secure dependencies.

Major open source foundations are uniting to create CRA-compliant security standards in preparation for EU Cyber Resilience Act regulations that go into effect in 2027.

NIST has acknowledged the growing backlog of vulnerabilities at the NVD and plans to publish the process for forming an outside consortium, but is getting pushback from security professionals.

ENISA has identified software supply chain attacks as the top cybersecurity threat for the next five years, just prior to the accidental discovery of a backdoored package used in nearly every Linux distribution.

XZ utils, a package for data compression software used in nearly every Linux distribution, was found to be backdoored and may allow unauthorized access to affected systems.

Valkey, a high-performance key-value store and open source Redis fork, gains momentum with Linux Foundation backing and support from industry giants like Amazon, Google Cloud, and Oracle.

CISA has proposed a set of new rules that would require critical infrastructure to report cyber incidents and ransom payments.

Redis is no longer OSS, breaking its explicit commitment to remain under the BSD 3-Clause License forever. This has angered contributors who are now working to fork the software.

Socket AI now enables 'AI detected potential malware' alerts by default, ensuring users benefit from AI-powered state-of-the-art malware detection without needing to opt-in.

The Node.js Technical Steering Committee has confirmed that removing npm from the Node.js distribution is not a project goal, amidst continued discussions regarding enabling Corepack by default.

LockBit, defying law enforcement takedowns, launches a new attack on Crinetics Pharmaceuticals, with the group's leader declaring a commitment to continue their disruptive operations indefinitely.

The NVD has stopped enriching CVE’s with little explanation, leaving the security community without metadata on 90% of records for the past month.

The White House published its proposed budget for 2025, with $13 billion earmarked for cybersecurity and safeguarding public services.

In an effort to give back to the software creators whose contributions benefit the global developer community, open source projects can now get a free upgrade to our Team plan.

Socket CEO Feross Aboukhadijeh was recently interviewed on Basarat Ali Syed’s YouTube channel ahead of this year's Node Congress event. They discussed NodeJS and the challenges of securing open source dependencies.

CISA's new initiative collaborates with the open source ecosystem to enhance the security of package registries, promoting a set of best practices in the interest of securing critical infrastructure.

The Blackcat/ALPHV ransomware gang has executed an elaborate exit scam, falsely claiming law enforcement seizure, while swindling affiliates and severely impacting U.S. healthcare infrastructure.

Tea.xyz, a new crypto initiative aimed at rewarding open source developers, has sparked frustration within the community due to a flood of spam PRs on GitHub.

GitHub has enabled push protection by default for all user accounts. This feature prevents accidental leaks of API keys, tokens, and other secrets, a growing problem in open source development.

JSR, the new JavaScript registry, is now in public beta, designed for TypeScript and ESM.

The "hardhat-gas-optimizer" npm package was found to exfiltrate sensitive data to Pastebin, targeting Ethereum developers using Hardhat tools in their development environment.

Socket CEO Feross Aboukhadijeh was interviewed on the Daytona DotFiles Insider blog on the challenges developers face when selecting open source packages and how Socket is working to create a more secure ecosystem.

The OpenJS Foundation has launched a new effort to iterate on the informal standardization of package.json and improve the interoperability of JavaScript package metadata for application developers.

The LockBit ransomware gang's takedown by international law enforcement reveals over $1 billion in stolen funds, along with a next generation version of ransomware they had in development.

JSR, a new package registry from the Deno team, aims to address npm’s limitations but the JavaScript community is concerned about ecosystem fragmentation.

International law enforcement organizations have disrupted LockBit, the world’s largest ransomeware gang, seized their operations and infrastructure, and indicted some of the perpetrators.

Socket discovered two malicious Python packages, enchantv and vibrant, imitating popular packages and targeting victims via a base64 encoded payload in their setup files.

Socket is adding a new dashboard Threat Feed that gives users more visibility into malware detected and blocked across npm and PyPI ecosystems.

This segment of the Risky Business podcast offers an overview of the volume of malicious packages that are being published to public code repositories and explains why older SCA tools aren’t equipped to detect these threats in a timely way.

Socket is deprecating Project Report v0 in favor of the new, faster Project Report v1.

A mountain of spam PRs landed in the Express.js project repo after a popular YouTube tutorial used it as an example for contributing to open source. This put a spotlight on the mandate for job seekers to find a way to contribute to OSS.

Socket CEO Feross Aboukhadijeh joined the Security Podcast in Silicon Valley where they discussed the essence of the security mindset and how this approach has shaped Socket's architecture to swiftly identify and mitigate supply chain threats.

The Node community is wrestling with the decision to enable Corepack by default, which has sparked a debate about the potential of removing npm from the Node.js binary.

On the CyberBytes podcast, Socket CEO Feross Aboukhadijeh discusses the challenges in OSS security, the hacker mindset, and the shift towards using proactive tools that go beyond traditional vulnerability scanning to prevent supply chain attacks.

A malicious npm package is targeting Roblox's massive user base to steal sensitive data, with potential impacts for both players and developers on the popular gaming platform.

The Tines team created an integration that generates and emails real-time vulnerability reports for repositories protected by Socket.

Deprecated npm packages are common in modern software projects. Learn about the risks of using unmaintained code, how to identify these packages, and evaluate alternatives.

The latest update of Socket for GitHub features a new web-based diff report viewer, enhanced support for PyPI and Golang, faster scan times, and a new syntax for specifying package ignores.

A German court's controversial ruling fined a security researcher for exposing a company's data vulnerabilities, sparking intense debate over the future of ethical hacking and cybersecurity.

Underwriters expect a rise in cyber insurance premiums in 2024 due to increased ransomware activity. They predict higher risks, emphasizing the need for a focus on resiliency and better strategies for cyber incident prevention and response.

Socket CEO Feross Aboukhadijeh joins the hosts of the DevTools podcast to discuss open source maintainership, sustainability, and the challenge of proactively securing dependencies from emerging threats.

This short history of protestware - from punch cards to package managers - explores the intriguing and controversial phenomenon of digital activism and the risks to open source supply chains.

Orbit Chain is offering an $8M bounty for intel that will lead to the recovery of crypto assets or identification of the attacker who stole $81M on New Year's Eve.

From unprecedented expansion to security challenges: A comprehensive look at npm's dynamic year 2024.

Socket's research team detected and analyzed a new Python package that distributes Blank Grabber malware for stealing data from applications like Discord and Telegram.

There's a growing trend of hackers using sophisticated multi-phase attacks leveraging package managers to deploy coinminers, as seen in the recent discovery of three malicious PyPI packages.

An NPM user named PatrickJS launched a troll campaign with a package called "everything," which depends on all public npm packages.

Crypto draining attacks are ramping up, as hackers exploit weaknesses in tools used to transfer funds across cryptocurrencies. Orbit Bridge was the most recent target in an attack that stole an estimated $81 million in virtual assets on New Year's Eve.

Socket CEO Feross Aboukhadijeh joined the Syntax podcast, discussing the balance between open source innovation and safety in the npm ecosystem.

JSON is a simple technology but has a lot of underlying topics to think about. This guide can help uncover those topics.

Get a comprehensive, organization-wide view of security risks across all repositories in your organization – even if you have hundreds of thousands of dependencies across thousands of repositories.

The ALPHV/Blackcat ransomware group has responded to the FBI's disruption of their operations with increased hostility, following the release of a decryption tool to more than 500 victims.

Socket CEO Feross Aboukhadijeh joins the Decipher podcast to discuss the necessity of using AI-powered early threat detection tools to protect the immense trust placed in the hands of open source maintainers.

Socket's new Audit Log feature allows administrators to monitor important account changes and the history of all events in Socket.

Supply chain attacks targeting the crypto industry are becoming increasingly complex, requiring more proactive measures to prevent costly exploits. It's time for crypto to get serious about security.

Follow the @npm_malware account to get live alerts from the Socket threat feed.

The Ledger Connect Kit was compromised in a supply chain attack, leading to crypto fund theft and highlighting Socket's AI scanner's effectiveness in detecting such threats.

Socket has been recognized in Fortune’s new Cyber 60 list, among other companies innovating in the cybersecurity industry.

A recently uncovered Python script highlights a spam campaign tactic where malicious actors automate the publishing of spam packages to the npm package registry.

Learn how to integrate Socket into your Bitbucket pipeline for added security, reducing your dependency supply chain risk!

Ransomware payment demands are rising in 2023, driving a higher demand for cyber insurance and an increase in premiums.

We just released v0.9.0 of the Socket CLI with some improvements to the socket info command so you can get useful information about an npm package, right in the terminal.

The financial services sector has been hit by a recent surge of ransomware attacks, disrupting operations at major institutions such as Fidelity National Financial and the Industrial and Commercial Bank of China. These attacks underscore the importance of swift security measures in addressing vulnerabilities on enterprise systems.

Supply chain attacks that leverage typosquatting are steeply rising over previous years. Learn how Socket for GitHub and Socket CLI can protect your app.

A short walkthrough of how to integrate Socket into the Gitlab CI/CD process

Get more information about the most popular JavaScript packages with Socket's new AI-generated package summaries.

Our new and improved Project Health Reports are now generally available.

Socket discusses the results of using different package managers to install your packages and introduces a GitHub action to expose those differences.

How Socket uses LLMs to enhance both the analysis and explanation of open-source software packages.

Socket is happy to enable developers to customize their own feature plan choices with the announcement of self-service payment plans.

Socket AI detected a malicious package on PyPI that had an abnormally high potential impact and the Socket security researchers investigated finding malicious behavior.

package.json contains a local aliasing mechanism for import paths called "imports" it satisfies many use cases without tooling specific solutions like tsconfig.json

Digging into the Skeleton Squad's recent expansion from PyPI to the npm ecosystem.

Socket AI detected threats in package ecosystems, including counterfeit Roblox and Discord packages. Malware hidden in DNS records and selective data attacks were also spotted, showcasing Socket Security's robust defense capabilities.

What supply chain attacks are, and how Socket can help protect you from them.

Get visibility and control over your open source dependencies, across your whole organization

We're excited to announce that Socket now supports the Go programming language.

Empowering Developers: Our Journey to a Safer Open Source Ecosystem

Socket is now offering a free browser extension to verify the security and quality of packages on NPM.

The Lazarus Group launched a sophisticated social engineering campaign targeting developers in the cryptocurrency and cybersecurity sectors, using compromised accounts and malware-laden NPM packages.

Socket is back at Black Hat and DEF CON. Stop by our suite to hangout!

Vulnerability scanners provide a false sense of security to appsec teams and do little to prevent supply chain attacks.

Socket has been protecting organizations from "manifest confusion" attacks for 9 months before it was publicly disclosed.

Exposing the flaws of traditional SCA tools, and introducing a solution.

The Socket Security extension for VSCode now supports Python.

You can now send Socket Pull Request Notifications to Slack!

Socket provides an introspective on code signing in relation to the supply chain incident from SolarWinds.

The Socket blog now offers both full content Atom and JSON feeds which let you subscribe to all future Socket blog posts.

The Socket GitHub app now runs Project Health Reports on the default branch instead of in pull requests.

Socket explains the newly released npm provenance provided by GitHub.

Socket is back at BSidesSF and RSA! Stop by to meet the team and hang out.

We share some feedback and directions on Socket's npm wrapper.

Socket introduces an overall project health report for viewing relevant data to entire projects at a glance.

Socket is using ChatGPT to examine every npm and PyPI package for security issues.

The npm public registry is drowning in a tsunami of spam and phishing, and it's all thanks to everyone's favorite gun-toting antihero, John Wick.

Socket Dependency Overview helps developers understand the risk of dependency changes by leaving an in-depth comment on any pull request that adds, updates, or removes dependencies.

Socket is proud to introduce an exciting new tool—“safe npm”—that protects developers whenever they use npm install.

Socket partners with Ecosystems to build and maintain secure, resilient, and sustainable open source ecosystems.

Socket now supports the pnpm package manager! Check it out and stay away from vulnerable and malicious packages.

We're excited to announce that Socket now supports the Python programming language.

Socket is thrilled to announce that we have achieved a sparkling clean SOC 2 Type 2 attestation report.

Proposing a more usable RegExp for JS in light of async I/O and streaming.

Socket is nominating Bradley Meck Farias as a representative to the OpenSSF Governing Board.

We have a new configuration file format and library for working with it!

Socket is proud to announce improved support for npm and Yarn, including full support for npm versions 6, 7, 8, and 9 and full support for Yarn versions 1, 2, and 3.

Introducing a VS Code editor integration for Socket Security.

Socket has introduced a new dashboard functionality to aid in self service and auditing in one centralized location.

We have been using GPT at Socket to help triage the npm package firehose for a couple months now. Here is what it is like after actual experience.

File explorers are great tools for programmers when they can let code be understood, but what does it take to ship a file explorer and what does it mean to help programmers by providing one.

A package published an anomalous 11460 versions in 4 months, Socket Security had to figure out if it was something to be concerned about.

Socket for GitHub requires a new GitHub permission. Here are the details.

Socket has successfully completed the SOC 2 Type I audit by meeting rigorous security and confidentiality standards.

Socket is joining the Open Source Security Foundation (OpenSSF), the cross-industry organization working on the most important open source security initiatives.

We're excited to preview a brand new way to use Socket, a CLI tool! This will be especially useful to those of you not using GitHub or those who want more control over how you interact with Socket..

Socket for GitHub has added the option to customize which issue alerts your pull request receives.

Circumventing Chinese censorship: Plethora of eBooks pervade these GitHub and npm repositories containing contents of banned websites like 'The Economist'

We added 5 new issues to our GitHub pull request alerts.

npm package ‘state-counter’ mimics StatCounter but instead pops open a very NSFW website.

Yet another attack vector that allows malicious packages to pwn you.

Dismiss Socket pull request alerts using bot commands.

Finer-grained check runs, new config options, and improved reliability.

Today we're shipping a big update to Socket for GitHub to help developers protect their apps from software supply chain attacks.

Redefining open source security through proactive supply chain risk management

Socket's mission is to make open source safer.

Examples of recent supply chain attacks and concrete steps you can take to protect your team from this emerging threat.

Confidence is good but overconfidence always sinks the ship.