Product
Introducing SSO
Streamline your login process and enhance security by enabling Single Sign-On (SSO) on the Socket platform, now available for all customers on the Enterprise plan, supporting 20+ identity providers.
Security News
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.
Security News
GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.
Security News
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
Research
Security News
The Socket Research team found this npm package includes code for collecting sensitive developer information, including your operating system username, Git username, and Git email.
Security News
OpenJS is warning of social engineering takeovers targeting open source projects after receiving a credible attempt on the foundation.
Company News
Come meet the Socket team at BSidesSF and RSA! We're sponsoring several fun networking events and we would love to see you there.
Security News
OSI is starting a conversation aimed at removing the excuse of the SaaS loophole for companies navigating licensing and the complexities of doing business with open source.
Product
We're introducing dependency visualization for reports - get a quick impression of the state of your dependencies without getting lost in the details.
Security News
RansomHub claims to have over 4TB of sensitive data from the Change Healthcare ransomware attack. They are threatening to sell it, if the company doesn't pay a second ransom.
Security News
On the most recent episode of the Chinchilla Squeaks podcast, Socket CEO Feross Aboukhadijeh discusses some of the overlooked risks of using open source code and how modern tools can leverage AI to secure dependencies.
Security News
Major open source foundations are uniting to create CRA-compliant security standards in preparation for EU Cyber Resilience Act regulations that go into effect in 2027.
Security News
NIST has acknowledged the growing backlog of vulnerabilities at the NVD and plans to publish the process for forming an outside consortium, but is getting pushback from security professionals.
Security News
ENISA has identified software supply chain attacks as the top cybersecurity threat for the next five years, just prior to the accidental discovery of a backdoored package used in nearly every Linux distribution.
Security News
XZ Utils, a data compression package used in nearly every Linux distribution, was found to be backdoored and may allow unauthorized access to affected systems.
Security News
Valkey, a high-performance key-value store and open source Redis fork, gains momentum with Linux Foundation backing and support from industry giants like Amazon, Google Cloud, and Oracle.
Security News
CISA has proposed a set of new rules that would require critical infrastructure to report cyber incidents and ransom payments.
Security News
Redis is no longer OSS, breaking its explicit commitment to remain under the BSD 3-Clause License forever. This has angered contributors who are now working to fork the software.
Product
Socket AI now enables 'AI detected potential malware' alerts by default, ensuring users benefit from AI-powered state-of-the-art malware detection without needing to opt-in.
Security News
The Node.js Technical Steering Committee has confirmed that removing npm from the Node.js distribution is not a project goal, amidst continued discussions regarding enabling Corepack by default.
Security News
LockBit, defying law enforcement takedowns, launches a new attack on Crinetics Pharmaceuticals, with the group's leader declaring a commitment to continue their disruptive operations indefinitely.
Security News
The NVD has stopped enriching CVEs with little explanation, leaving the security community without metadata on 90% of records for the past month.
Security News
The White House published its proposed budget for 2025, with $13 billion earmarked for cybersecurity and safeguarding public services.
Security News
Product
In an effort to give back to the software creators whose contributions benefit the global developer community, open source projects can now get a free upgrade to our Team plan.
Security News
Socket CEO Feross Aboukhadijeh was recently interviewed on Basarat Ali Syed’s YouTube channel ahead of this year's Node Congress event. They discussed Node.js and the challenges of securing open source dependencies.
Security News
CISA's new initiative collaborates with the open source ecosystem to enhance the security of package registries, promoting a set of best practices in the interest of securing critical infrastructure.
Security News
The Blackcat/ALPHV ransomware gang has executed an elaborate exit scam, falsely claiming law enforcement seizure, while swindling affiliates and severely impacting U.S. healthcare infrastructure.
Security News
Tea.xyz, a new crypto initiative aimed at rewarding open source developers, has sparked frustration within the community due to a flood of spam PRs on GitHub.
Security News
GitHub has enabled push protection by default for all user accounts. This feature prevents accidental leaks of API keys, tokens, and other secrets, a growing problem in open source development.
Security News
JSR, the new JavaScript registry, is now in public beta, designed for TypeScript and ESM.
Research
The "hardhat-gas-optimizer" npm package was found to exfiltrate sensitive data to Pastebin, targeting Ethereum developers using Hardhat tools in their development environment.
Security News
Socket CEO Feross Aboukhadijeh was interviewed on the Daytona DotFiles Insider blog on the challenges developers face when selecting open source packages and how Socket is working to create a more secure ecosystem.
Security News
The OpenJS Foundation has launched a new effort to iterate on the informal standardization of package.json and improve the interoperability of JavaScript package metadata for application developers.
Security News
The LockBit ransomware gang's takedown by international law enforcement reveals over $1 billion in stolen funds, along with a next generation version of ransomware they had in development.
Security News
JSR, a new package registry from the Deno team, aims to address npm’s limitations but the JavaScript community is concerned about ecosystem fragmentation.
Security News
International law enforcement organizations have disrupted LockBit, the world’s largest ransomware gang, seized their operations and infrastructure, and indicted some of the perpetrators.
Research
Security News
Socket discovered two malicious Python packages, enchantv and vibrant, imitating popular packages and targeting victims via a base64 encoded payload in their setup files.
Product
Socket is adding a new dashboard Threat Feed that gives users more visibility into malware detected and blocked across npm and PyPI ecosystems.
Security News
This segment of the Risky Business podcast offers an overview of the volume of malicious packages that are being published to public code repositories and explains why older SCA tools aren’t equipped to detect these threats in a timely way.
Product
Socket is deprecating Project Report v0 in favor of the new, faster Project Report v1.
Security News
A mountain of spam PRs landed in the Express.js project repo after a popular YouTube tutorial used it as an example for contributing to open source. This put a spotlight on the mandate for job seekers to find a way to contribute to OSS.
Security News
Socket CEO Feross Aboukhadijeh joined the Security Podcast in Silicon Valley where they discussed the essence of the security mindset and how this approach has shaped Socket's architecture to swiftly identify and mitigate supply chain threats.
Security News
The Node community is wrestling with the decision to enable Corepack by default, which has sparked a debate about the potential of removing npm from the Node.js binary.
Security News
Application Security
On the CyberBytes podcast, Socket CEO Feross Aboukhadijeh discusses the challenges in OSS security, the hacker mindset, and the shift towards using proactive tools that go beyond traditional vulnerability scanning to prevent supply chain attacks.
Research
Security News
A malicious npm package is targeting Roblox's massive user base to steal sensitive data, with potential impacts for both players and developers on the popular gaming platform.
Application Security
The Tines team created an integration that generates and emails real-time vulnerability reports for repositories protected by Socket.
Application Security
Deprecated npm packages are common in modern software projects. Learn about the risks of using unmaintained code, how to identify these packages, and evaluate alternatives.
Product
Company News
The latest update of Socket for GitHub features a new web-based diff report viewer, enhanced support for PyPI and Golang, faster scan times, and a new syntax for specifying package ignores.
Security News
A German court's controversial ruling fined a security researcher for exposing a company's data vulnerabilities, sparking intense debate over the future of ethical hacking and cybersecurity.
Security News
Underwriters expect a rise in cyber insurance premiums in 2024 due to increased ransomware activity. They predict higher risks, emphasizing the need for a focus on resiliency and better strategies for cyber incident prevention and response.
Security News
Socket CEO Feross Aboukhadijeh joins the hosts of the DevTools podcast to discuss open source maintainership, sustainability, and the challenge of proactively securing dependencies from emerging threats.
Application Security
Security News
This short history of protestware - from punch cards to package managers - explores the intriguing and controversial phenomenon of digital activism and the risks to open source supply chains.
Security News
Orbit Chain is offering an $8M bounty for intel that will lead to the recovery of crypto assets or identification of the attacker who stole $81M on New Year's Eve.
Research
From unprecedented expansion to security challenges: A comprehensive look at npm's dynamic year.
Research
Security News
Socket's research team detected and analyzed a new Python package that distributes Blank Grabber malware for stealing data from applications like Discord and Telegram.
Security News
There's a growing trend of hackers using sophisticated multi-phase attacks leveraging package managers to deploy coinminers, as seen in the recent discovery of three malicious PyPI packages.
Application Security
An npm user named PatrickJS launched a troll campaign with a package called "everything," which depends on all public npm packages.
Security News
Crypto draining attacks are ramping up, as hackers exploit weaknesses in tools used to transfer funds across cryptocurrencies. Orbit Bridge was the most recent target in an attack that stole an estimated $81 million in virtual assets on New Year's Eve.
Security News
Socket CEO Feross Aboukhadijeh joined the Syntax podcast, discussing the balance between open source innovation and safety in the npm ecosystem.
Engineering
JSON is a simple technology but has a lot of underlying topics to think about. This guide can help uncover those topics.
Product
Get a comprehensive, organization-wide view of security risks across all repositories in your organization – even if you have hundreds of thousands of dependencies across thousands of repositories.
Security News
The ALPHV/Blackcat ransomware group has responded to the FBI's disruption of their operations with increased hostility, following the release of a decryption tool to more than 500 victims.
Security News
Socket CEO Feross Aboukhadijeh joins the Decipher podcast to discuss the necessity of using AI-powered early threat detection tools to protect the immense trust placed in the hands of open source maintainers.
Product
Socket's new Audit Log feature allows administrators to monitor important account changes and the history of all events in Socket.
Security News
Supply chain attacks targeting the crypto industry are becoming increasingly complex, requiring more proactive measures to prevent costly exploits. It's time for crypto to get serious about security.
Security News
Follow the @npm_malware account to get live alerts from the Socket threat feed.
Security News
The Ledger Connect Kit was compromised in a supply chain attack, leading to crypto fund theft and highlighting Socket's AI scanner's effectiveness in detecting such threats.
Company News
Socket has been recognized in Fortune’s new Cyber 60 list, among other companies innovating in the cybersecurity industry.
Research
A recently uncovered Python script highlights a spam campaign tactic where malicious actors automate the publishing of spam packages to the npm package registry.
Application Security
Product
Learn how to integrate Socket into your Bitbucket pipeline for added security, reducing your dependency supply chain risk!
Security News
Ransomware payment demands are rising in 2023, driving a higher demand for cyber insurance and an increase in premiums.
Product
We just released v0.9.0 of the Socket CLI with some improvements to the socket info command so you can get useful information about an npm package, right in the terminal.
Security News
The financial services sector has been hit by a recent surge of ransomware attacks, disrupting operations at major institutions such as Fidelity National Financial and the Industrial and Commercial Bank of China. These attacks underscore the importance of swift security measures in addressing vulnerabilities on enterprise systems.
Application Security
Supply chain attacks that leverage typosquatting are steeply rising over previous years. Learn how Socket for GitHub and Socket CLI can protect your app.
Application Security
Product
A short walkthrough of how to integrate Socket into the GitLab CI/CD process.
Product
Get more information about the most popular JavaScript packages with Socket's new AI-generated package summaries.
Product
Our new and improved Project Health Reports are now generally available.
Engineering
Socket discusses the results of using different package managers to install your packages and introduces a GitHub action to expose those differences.
Application Security
How Socket uses LLMs to enhance both the analysis and explanation of open-source software packages.
Product
Socket is happy to enable developers to customize their own feature plan choices with the announcement of self-service payment plans.
Research
Socket AI detected a malicious package on PyPI that had an abnormally high potential impact and the Socket security researchers investigated finding malicious behavior.
Engineering
package.json contains a local aliasing mechanism for import paths called "imports"; it satisfies many use cases without tooling-specific solutions like tsconfig.json.
Research
Digging into the Skeleton Squad's recent expansion from PyPI to the npm ecosystem.
Research
Socket AI detected threats in package ecosystems, including counterfeit Roblox and Discord packages. Malware hidden in DNS records and selective data attacks were also spotted, showcasing Socket Security's robust defense capabilities.
Application Security
What supply chain attacks are, and how Socket can help protect you from them.
Product
Get visibility and control over your open source dependencies, across your whole organization
Product
We're excited to announce that Socket now supports the Go programming language.
Company News
Empowering Developers: Our Journey to a Safer Open Source Ecosystem
Product
Socket is now offering a free browser extension to verify the security and quality of packages on NPM.
Research
The Lazarus Group launched a sophisticated social engineering campaign targeting developers in the cryptocurrency and cybersecurity sectors, using compromised accounts and malware-laden NPM packages.
Company News
Socket is back at Black Hat and DEF CON. Stop by our suite to hangout!
Application Security
Vulnerability scanners provide a false sense of security to appsec teams and do little to prevent supply chain attacks.
Research
Socket had been protecting organizations from "manifest confusion" attacks for nine months before the technique was publicly disclosed.
Application Security
Exposing the flaws of traditional SCA tools, and introducing a solution.
Product
The Socket Security extension for VSCode now supports Python.
Product
You can now send Socket Pull Request Notifications to Slack!
Engineering
Socket provides an introspective on code signing in relation to the supply chain incident from SolarWinds.
Company News
The Socket blog now offers both full content Atom and JSON feeds which let you subscribe to all future Socket blog posts.
Product
The Socket GitHub app now runs Project Health Reports on the default branch instead of in pull requests.
Application Security
Socket explains the newly released npm provenance provided by GitHub.
Company News
Socket is back at BSidesSF and RSA! Stop by to meet the team and hang out.
Product
We share some feedback and directions on Socket's npm wrapper.
Product
Socket introduces an overall project health report for viewing relevant data to entire projects at a glance.
Product
Socket is using ChatGPT to examine every npm and PyPI package for security issues.
Research
The npm public registry is drowning in a tsunami of spam and phishing, and it's all thanks to everyone's favorite gun-toting antihero, John Wick.
Product
Socket Dependency Overview helps developers understand the risk of dependency changes by leaving an in-depth comment on any pull request that adds, updates, or removes dependencies.
Product
Socket is proud to introduce an exciting new tool—“safe npm”—that protects developers whenever they use npm install.
Company News
Socket partners with Ecosystems to build and maintain secure, resilient, and sustainable open source ecosystems.
Product
Socket now supports the pnpm package manager!
Product
We're excited to announce that Socket now supports the Python programming language.
Company News
Socket is thrilled to announce that we have achieved a sparkling clean SOC 2 Type 2 attestation report.
Research
Engineering
Proposing a more usable RegExp for JS in light of async I/O and streaming.
Company News
Socket is nominating Bradley Meck Farias as a representative to the OpenSSF Governing Board.
Product
We have a new configuration file format and library for working with it!
Product
Socket is proud to announce improved support for npm and Yarn, including full support for npm versions 6, 7, 8, and 9 and full support for Yarn versions 1, 2, and 3.
Product
Engineering
Introducing a VS Code editor integration for Socket Security.
Product
Socket has introduced a new dashboard functionality to aid in self service and auditing in one centralized location.
Research
Engineering
We have been using GPT at Socket to help triage the npm package firehose for a couple months now. Here is what it is like after actual experience.
Engineering
File explorers are great tools for programmers when they help code be understood, but what does it take to ship a file explorer, and what does it mean to help programmers by providing one?
Research
A package published an anomalous 11460 versions in 4 months, Socket Security had to figure out if it was something to be concerned about.
Product
Socket for GitHub requires a new GitHub permission. Here are the details.
Company News
Socket has successfully completed the SOC 2 Type I audit by meeting rigorous security and confidentiality standards.
Company News
Socket is joining the Open Source Security Foundation (OpenSSF), the cross-industry organization working on the most important open source security initiatives.
Product
We're excited to preview a brand new way to use Socket, a CLI tool! This will be especially useful to those of you not using GitHub or those who want more control over how you interact with Socket.
Product
Socket for GitHub has added the option to customize which issue alerts your pull request receives.
Research
Circumventing Chinese censorship: a plethora of eBooks pervade GitHub and npm repositories, containing the contents of banned websites like 'The Economist'.
Product
We added 5 new issues to our GitHub pull request alerts.
Research
npm package ‘state-counter’ mimics StatCounter but instead pops open a very NSFW website.
Research
Yet another attack vector that allows malicious packages to pwn you.
Product
Dismiss Socket pull request alerts using bot commands.
Product
Finer-grained check runs, new config options, and improved reliability.
Company News
Today we're shipping a big update to Socket for GitHub to help developers protect their apps from software supply chain attacks.
Company News
Redefining open source security through proactive supply chain risk management
Company News
Socket's mission is to make open source safer.
Application Security
Examples of recent supply chain attacks and concrete steps you can take to protect your team from this emerging threat.
Application Security
Confidence is good but overconfidence always sinks the ship.