Security News
Sarah Gooding
May 7, 2024
Socket CEO Feross Aboukhadijeh recently joined a16z partner Joel de la Garza and Derrick Harris on the AI + a16z podcast, which features discussions with leading AI engineers, founders, and experts. This episode focuses on the emergence of powerful generative AI models, which offer new defensive capabilities to the security industry at a time when the threats are starting to outpace our outdated detection tools.
The world of software supply chain security is facing an onslaught of attacks, from the highly sophisticated xz-utils backdoor incident to your regular run-of-the-mill, low-effort attempts at stealing credentials or environment variables. Traditional tools focused on scanning for known vulnerabilities are no match for the increasing volume and novelty of these attacks that leverage open source packages to compromise supply chains.
“The whole security industry is pretty focused on, and maybe almost to the point of obsession, with known vulnerabilities,” Feross said. “You don't stop the next backdoor with a CVE database.”
This episode also explores how business priorities, resource constraints, and organizational politics often dictate how companies approach security, leading to situations where crucial aspects are addressed too late or lack proper ownership. Socket’s developer-first approach is aimed at integrating proactive measures earlier in the development life cycle.
“That's where we like to encourage people to think about this earlier in the process,” Feross said.
“I know shift left is a buzzword at this point, but it is actually true that it's 10 times more expensive to fix problems once they've landed in the main branch of your repository than if you can kind of nudge the developer earlier on in the process.”
This episode highlights the challenges of using AI for threat detection while also recognizing the importance of providing meaningful alerts to avoid alert fatigue. AI has the potential to augment both detection and explanation, helping security teams identify vulnerabilities and understand the behavior of malicious packages.
Check out the episode below for the full conversation.