Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Sarah Gooding
November 20, 2024
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
Security News
PyPI now supports digital attestations, enhancing security and trust by allowing package maintainers to verify the authenticity of Python packages.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.
Security News
Research
Socket's threat research team has detected five malicious npm packages targeting Roblox developers, deploying malware to steal credentials and personal data.
Security News
vlt introduced its new package manager and a serverless registry this week, innovating in a space where npm has stagnated.
Security News
Research
The Socket Research Team uncovered a malicious Python package typosquatting the popular 'fabric' SSH library, silently exfiltrating AWS credentials from unsuspecting developers.
Security News
At its inaugural meeting, the JSR Working Group outlined plans for an open governance model and a roadmap to enhance JavaScript package management.
Security News
Research
An advanced npm supply chain attack is leveraging Ethereum smart contracts for decentralized, persistent malware control, evading traditional defenses.
Security News
Research
Attackers are impersonating Sindre Sorhus on npm with a fake 'chalk-node' package containing a malicious backdoor to compromise developers' projects.
Security News
The npm package for the LottieFiles Player web component was hit with a supply chain attack after a software engineer's npmjs credentials were compromised.
Security News
Python becomes GitHub's top language in 2024, driven by AI and data science projects, while AI-powered security tools are gaining adoption.
Security News
Dutch National Police and FBI dismantle Redline and Meta infostealer malware-as-a-service operations in Operation Magnus, seizing servers and source code.
Research
Security News
Socket is tracking a new trend where malicious actors are now exploiting the popularity of LLM research to spread malware through seemingly useful open source packages.
Security News
Research
Noxia, a new dark web bulletproof host, offers dirt cheap servers for Python, Node.js, Go, and Rust, enabling cybercriminals to distribute malware and execute supply chain attacks.
Security News
Socket detected a malicious Python package impersonating a popular browser cookie library to steal passwords, screenshots, webcam images, and Discord tokens.
Security News
Deno 2.0 is now available with enhanced package management, full Node.js and npm compatibility, improved performance, and support for major JavaScript frameworks.
Security News
The Internet Archive's "Wayback Machine" has been hacked and defaced, with 31 million records compromised.
Security News
TC39 is meeting in Tokyo this week and they have approved nearly a dozen proposals to advance to the next stages.
Security News
Our threat research team breaks down two malicious npm packages designed to exploit developer trust, steal your data, and destroy data on your machine.
Security News
A senior white house official is urging insurers to stop covering ransomware payments, indicating possible stricter regulations to deter cybercrime.
Security News
ESLint has added JSON and Markdown linting support with new officially-supported plugins, expanding its versatility beyond JavaScript.
Security News
Members Hub is conducting large-scale campaigns to artificially boost Discord server metrics, undermining community trust and platform integrity.
Security News
NIST has failed to meet its self-imposed deadline of clearing the NVD's backlog by the end of the fiscal year. Meanwhile, CVEs awaiting analysis have increased by 33% since June.
Security News
Cloudflare has launched a setup wizard allowing users to easily create and manage a security.txt file for vulnerability disclosure on their websites.
Security News
The Socket Research team breaks down a malicious npm package targeting the legitimate DOMPurify library. It uses obfuscated code to hide that it is exfiltrating browser and crypto wallet data.
Security News
ENISA’s 2024 report highlights the EU’s top cybersecurity threats, including rising DDoS attacks, ransomware, supply chain vulnerabilities, and weaponized AI.
Security News
NIST's new password guidelines remove periodic changes and special character requirements, focusing on longer, more secure passwords for better authentication practices.
Security News
A record 2,709 developers participated in the 2024 Ruby on Rails Community Survey, revealing key tools, practices, and trends shaping the Rails ecosystem.
Security News
In 2023, data breaches surged 78%, driven by zero-day and supply chain attacks, yet developers remain buried under alerts that do nothing to prevent these threats.
Security News
Solo open source maintainers face burnout and security challenges, with 60% unpaid and 60% considering quitting.
Security News
License exceptions modify the terms of open source licenses, impacting how software can be used, modified, and distributed. Developers should be aware of the legal implications of these exceptions.
Security News
A developer is accusing Tencent of violating the GPL by modifying a Python utility and changing its license to BSD, highlighting the importance of copyleft compliance.
Security News
In an open letter, JavaScript community leaders urge Oracle to give up the JavaScript trademark, arguing that it has been effectively abandoned through nonuse.
Security News
The initial version of the Socket Python SDK is now on PyPI, enabling developers to more easily interact with the Socket REST API in Python projects.
Security News
Floating dependency ranges in npm let unverified or incompatible versions install automatically, introducing instability and security risk into your project: builds become unpredictable and dependency conflicts more likely.
Security News
A new Rust RFC proposes "Trusted Publishing" for Crates.io, introducing short-lived access tokens via OIDC to improve security and reduce risks associated with long-lived API tokens.
Security News
Cloudflare is expanding Node.js compatibility for Workers and Pages, enabling developers to use more npm packages through a hybrid approach that combines native code and polyfills for Node.js APIs.
Security News
The Python Software Foundation has expanded its CNA scope to include the Pallets Projects, enabling faster, more reliable CVE tracking for critical frameworks used in Python applications.
Security News
Elastic’s return to open source with the AGPL license has been met with skepticism, as many developers see it as a strategic move rather than a genuine effort to restore user trust and freedoms.
Security News
A new "revival hijack" supply chain attack targets deleted Python packages, with an estimated 22K packages at risk. Socket can detect and block hijacked packages that have added malicious code.
Security News
A new OpenSSF report uncovers critical gaps in secure software training, with 75% of new developers unfamiliar with secure practices, highlighting urgent educational needs.
Security News
The 2023 Python Developers Survey reveals key trends in packaging, web frameworks, and developer demographics, including a shift toward newer tooling as the Python community diversifies and grows among less experienced developers.
Security News
GitHub is combatting a new spam campaign that abuses GitHub issues to post links to malicious downloads, highlighting the need for better moderation tools to protect open source maintainers' time and security.
Security News
uv, Python's new package manager, offers a faster and more efficient alternative to pip with features that simplify tooling, manage Python versions, and streamline development workflows.
Research
Security News
Socket researchers have uncovered 3.7 million fake GitHub stars, highlighting a growing threat linked to scams, fraud, and malware, with these campaigns rapidly increasing over the last six months.
Security News
Deno's Standard Library has stabilized after four years of development, offering developers a collection of well-maintained tools compatible with Deno, Node.js, Cloudflare Workers, and browsers with bundlers.
Security News
Trivial packages, while convenient, can introduce significant risks such as dependency bloat, security vulnerabilities, and performance issues in modern software projects.
Security News
PyPI has drastically improved its malware response times, resolving 90% of issues in under 24 hours and removing 900 projects since March 2024.
Security News
Research
The Socket Research team breaks down an obfuscated script designed to facilitate unauthorized file uploads to multiple external services.
Security News
Node.js has automated its security release process, doubling the number of releases, and is re-evaluating unsupported experimental features with the Next 10 group to enhance security.
Security News
MITRE has just minted its 400th CNA, as the NVD struggles to tame its backlog of CVEs awaiting analysis, which has increased by 30% since June.
Security News
New report from the White House aims to address gaps in open source security, calling for more funding, tighter supply chain controls, and stronger collaboration.
Security News
Explore the security risks of using npm shrinkwrap, the potential for outdated dependencies, and best practices for mitigating these concerns in your projects.
Security News
Node.js is taking steps towards removing Corepack from its distribution, aiming for changes in the next major release.
Security News
OpenSSF has released a guide to help package repositories adopt Trusted Publishers, which enhances security by using short-lived identity tokens for authentication, reducing the risks associated with long-lived secrets.
Security News
Git dependencies in open source packages can introduce significant risks, including the absence of published, immutable versions, stability issues, dependency drift, and difficulty of auditing, making them attractive targets for supply chain attacks.
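The two risks described above (floating semver ranges and git dependencies that are not pinned to a commit) can both be caught by inspecting the specifiers in package.json before anything is installed. The following is an added example, not code from Socket or from any project mentioned on this page. It assumes npm's specifier syntax (exact versions, `^`/`~`/`>=` ranges, `git+`/`github:` URLs, `user/repo` shorthand, `file:` paths) and treats a 40-hex-character fragment after `#` as a pinned commit; the sample manifest is constructed for illustration.

```javascript
// Added example: audit package.json dependency specifiers for floating
// semver ranges and unpinned git dependencies. Plain Node.js, no packages.

const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const COMMIT_SHA = /^[0-9a-f]{40}$/i;                       // full SHA-1 commit id
const GIT_PREFIX = /^(git\+|git:\/\/|github:|gitlab:|bitbucket:|gist:)/;
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/;       // user/repo[#ref]
const LOCAL_PREFIX = /^(file:|link:|workspace:)/;

// Classify one specifier. Returns { kind, pinned, reason }.
function classifySpecifier(spec) {
  const s = (spec || '').trim();
  if (LOCAL_PREFIX.test(s)) {
    return { kind: 'local', pinned: true, reason: 'local path, not fetched from a registry' };
  }
  if (GIT_PREFIX.test(s) || GITHUB_SHORTHAND.test(s) || /\.git(#|$)/.test(s)) {
    const ref = s.includes('#') ? s.slice(s.indexOf('#') + 1) : '';
    if (COMMIT_SHA.test(ref)) {
      return { kind: 'git', pinned: true, reason: 'pinned to a full commit SHA' };
    }
    const target = ref === '' ? 'default branch'
      : ref.startsWith('semver:') ? 'semver range over tags'
      : `mutable ref "${ref}"`;
    return { kind: 'git', pinned: false,
      reason: `git dependency resolves to ${target}; the ref can move or history be rewritten` };
  }
  if (/^https?:\/\//.test(s)) {
    return { kind: 'url', pinned: false, reason: 'remote tarball URL; content can change without a version bump' };
  }
  if (EXACT_VERSION.test(s)) {
    return { kind: 'registry', pinned: true, reason: 'exact version' };
  }
  return { kind: 'registry', pinned: false,
    reason: `floating range "${s}" lets newly published versions install automatically` };
}

// Audit every dependency section of a parsed package.json; returns the unpinned entries.
function auditDependencies(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const result = classifySpecifier(spec);
      if (!result.pinned) findings.push({ section, name, spec, ...result });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical names, not a real project's package.json).
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: {
    'left-pad': '1.3.0',                                   // pinned
    'some-lib': '^2.1.0',                                  // floating
    'other-lib': '>=1.0.0',                                // floating
    'tool': 'latest',                                      // floating
    'git-dep-pinned': 'git+https://github.com/example/git-dep.git#0123456789abcdef0123456789abcdef01234567',
    'git-dep-branch': 'github:example/git-dep#main',       // mutable ref
    'git-dep-default': 'example/git-dep',                  // default branch
    'local-pkg': 'file:../local-pkg',                      // local
  },
  devDependencies: { 'test-runner': '~5.0.0' },            // floating
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditDependencies(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.section}/${f.name}: ${f.spec} -> ${f.reason}`);
  }
}
```

A committed lockfile installed with `npm ci` freezes the resolved tree regardless of the ranges, so this audit tells you where resolution would float on a plain `npm install` or whenever the lockfile is regenerated. A git dependency pinned to a full commit is content-addressed, but it still bypasses the registry's published versions, integrity metadata and provenance, which is why it is worth listing even when the check passes.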
Security News
Node.js has added experimental support for TypeScript, a move that highlights the growing importance of TypeScript in modern development.
Security News
In the latest Risky Biz Podcast episode, Socket CEO Feross Aboukhadijeh discussed the limitations of the National Vulnerability Database (NVD) in addressing the modern risks associated with using open source package registries.
Security News
Come meet the Socket team at BlackHat and DEF CON! We're sponsoring some fun networking events and we would love to see you there.
Security News
Learn how Socket's 'Non-Existent Author' alert helps safeguard your dependencies by identifying npm packages published by deleted accounts. This is one of the fastest ways to determine if a package may be abandoned.
Security News
In July, the Python Software Foundation mounted a quick response to address a leaked GitHub token, elected new board members, and added more members to the team supporting PSF and PyPI infrastructure.
Security News
Emerging ransomware groups drive a surge in activity in early 2024, with increasing software supply chain attacks predicted to impact critical industries reliant on third-party software.
Security News
In June 2023, Google sold all Google Domains accounts to Squarespace but more than a dozen customers have had their domains hijacked in the last week due to weak security defaults and migration issues.
Security News
In a reprisal of their previous Tea[.]xyz spam campaign, a new wave of thousands of garbage packages are hitting npm, to artificially inflate the number of dependents for spammers' projects.
Security News
The maintainer of the node-ip project restored the GitHub repo after disputing an exaggerated CVE rating, highlighting the impact of bogus CVEs on open source projects.
Security News
pnpm 9.5 introduces a Catalogs feature, enabling shareable dependency version specifiers, reducing merge conflicts and improving support for monorepos.
Security News
A threat actor on BreachForums is selling an unverified npm vulnerability for account takeover, but npm has not officially confirmed the existence of this security concern.
Security News
Cyber insurance rates are dropping as the market matures, according to a new report projecting global premiums to reach $43 billion by 2030, driven by international market uptake and growth in the SME sector.
Research
Security News
Socket researchers unpack a typosquatting package with malicious code that logs keystrokes and exfiltrates sensitive data to a remote server.
Security News
The JavaScript community has launched the e18e initiative to improve ecosystem performance by cleaning up dependency trees, speeding up critical parts of the ecosystem, and documenting lighter alternatives to established tools.
Security News
Polyfill.io has been serving malware for months via its CDN, after the project's open source maintainer sold the service to a company based in China.
Security News
OpenSSF is warning open source maintainers to stay vigilant against reputation farming on GitHub, where users artificially inflate their status by manipulating interactions on closed issues and PRs.
Security News
A JavaScript library maintainer is under fire after merging a controversial PR to support legacy versions of Node.js.
Security News
Results from the 2023 State of JavaScript Survey highlight key trends, including Vite's dominance, rising TypeScript adoption, and the enduring popularity of React. Discover more insights on developer preferences and technology usage.
Security News
The US Justice Department has penalized two consulting firms $11.3 million for failing to meet cybersecurity requirements on federally funded projects, emphasizing strict enforcement to protect sensitive government data.
Security News
ua-parser-js is set to drop the MIT license and adopt a controversial dual AGPLv3 + PRO licensing model in its upcoming v2.0 release, raising significant concerns among developers and enterprise users.
Security News
Researchers recently demonstrated that the npm Registry is vulnerable to cache poisoning combined with DoS, posing significant risks for package availability.
Security News
The June TC39 meeting wrapped up this week with eight proposals moving on to the next stage. Here's a quick roundup of the features that the committee approved to advance.
Security News
Cyber extortion in the US and Canada hit record levels in 2023, with ransomware attacks surging and median ransom demands skyrocketing, though fewer companies are choosing to pay ransoms.
Security News
Ecma TC39 is meeting this week and has moved key ECMAScript proposals forward, advancing Deferred Import Evaluation, Error.isError(), RegExp Escaping, and Promise.try to the next stages.
Security News
Researchers have demonstrated that teams of LLM agents can exploit zero-day vulnerabilities with a 53% success rate, and the costs of using AI to do so are rapidly becoming more affordable than hiring a human penetration tester.
Security News
In an unprecedented surge, May 2024 saw the publication of over 5,000 CVEs, marking a historic milestone in cybersecurity with an average of 164 CVEs per day, nearly double the 2023 daily average.
Security News
The White House is addressing fragmented cybersecurity regulations as CISOs report spending up to 50% of their time on compliance, aiming to harmonize requirements and improve cybersecurity outcomes.
Security News
Research
The Socket Research Team has identified a malicious Python package that is typosquatting the popular crytic-compile utility, frequently used in popular toolkits and development environments for smart contracts and crypto applications.
Security News
NIST updates on the NVD backlog after media reports that over 50% of KEVs were unenriched since mid-February. They've contracted additional support and partnered with CISA to clear the backlog by fiscal year-end.
Security News
A hospital in Mobile, Alabama, agreed to a settlement in a landmark ransomware death lawsuit, but is now reportedly reconsidering the agreement and refusing to pay.
Security News
A new report explores how advancements in LLMs are enhancing cyber threats, including polymorphic malware, personalized spearphishing, and the risk of hijacking customer service bots.
Security News
ESLint has approved an RFC that adds support for TypeScript configuration files, which is aimed at improving the developer experience and recognizing changes in the evolving JavaScript ecosystem.
Security News
The NVD is facing a significant backlog with over 12,500 CVEs awaiting analysis, and more than 50% of known exploited vulnerabilities (KEVs) left unenriched since mid-February.
Security News
Ransomware costs victims an estimated $30 billion per year and has gotten so out of control that global support for banning payments is gaining momentum.
Security News
The Python Software Foundation has secured a 5-year sponsorship from Fastly that supports PSF's activities and events, most notably the security and reliability of the Python Package Index (PyPI).
Security News
LDAPjs, an LDAP Client and Server API for Node.js, was decommissioned after its maintainer received an abusive email from a user, raising concerns about this form of abuse as a potential attack vector.
Security News
CISA launched a new project called Vulnrichment to enrich CVEs with details that help prioritize patching and mitigation efforts, as the NVD backlog of unenriched CVEs awaiting analysis surpasses 10,000.
Security News
Socket is joining forces with CISA and other industry leaders at the RSA Conference to sign the Secure by Design pledge, committing to uphold the highest security standards in our products.
Security News
Socket CEO Feross Aboukhadijeh joins a16z partners to discuss how modern, sophisticated supply chain attacks require AI-driven defenses and explore the challenges and solutions in leveraging AI for threat detection early in the development life cycle.
Security News
NIST's new AI Risk Management Framework aims to enhance the security and reliability of generative AI systems and address the unique challenges of malicious AI exploits.
Security News
This episode of the Risky Biz podcast discusses how the rise of small open source packages and the shift towards individual maintainers makes the ecosystem more vulnerable to supply chain attacks.
Security News
Tea.xyz, a crypto project aimed at rewarding open source contributions, is once again facing backlash due to an influx of spam packages flooding public package registries.
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.
Security News
GitHub is susceptible to a CDN flaw that allows attackers to host malware under the URL of any public repository.
Security News
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
Research
Security News
The Socket Research team found this npm package includes code for collecting sensitive developer information, including your operating system username, Git username, and Git email.
Security News
OpenJS is warning of social engineering takeovers targeting open source projects after receiving a credible attempt on the foundation.
Security News
OSI is starting a conversation aimed at removing the excuse of the SaaS loophole for companies navigating licensing and the complexities of doing business with open source.
Security News
RansomHub claims to have over 4TB of sensitive data from the Change Healthcare ransomware attack. They are threatening to sell it, if the company doesn't pay a second ransom.
Security News
On the most recent episode of the Chinchilla Squeaks podcast, Socket CEO Feross Aboukhadijeh discusses some of the overlooked risks of using open source code and how modern tools can leverage AI to secure dependencies.
Security News
Major open source foundations are uniting to create CRA-compliant security standards in preparation for EU Cyber Resilience Act regulations that go into effect in 2027.
Security News
NIST has acknowledged the growing backlog of vulnerabilities at the NVD and plans to publish the process for forming an outside consortium, but is getting pushback from security professionals.
Security News
ENISA has identified software supply chain attacks as the top cybersecurity threat for the next five years, just prior to the accidental discovery of a backdoored package used in nearly every Linux distribution.
Security News
XZ Utils, a data compression package used in nearly every Linux distribution, was found to be backdoored and may allow unauthorized access to affected systems.
Security News
Valkey, a high-performance key-value store and open source Redis fork, gains momentum with Linux Foundation backing and support from industry giants like Amazon, Google Cloud, and Oracle.
Security News
CISA has proposed a set of new rules that would require critical infrastructure to report cyber incidents and ransom payments.
Security News
Redis is no longer OSS, breaking its explicit commitment to remain under the BSD 3-Clause License forever. This has angered contributors who are now working to fork the software.
Security News
The Node.js Technical Steering Committee has confirmed that removing npm from the Node.js distribution is not a project goal, amidst continued discussions regarding enabling Corepack by default.
Security News
LockBit, defying law enforcement takedowns, launches a new attack on Crinetics Pharmaceuticals, with the group's leader declaring a commitment to continue their disruptive operations indefinitely.
Security News
The NVD has stopped enriching CVEs with little explanation, leaving the security community without metadata on 90% of records for the past month.
Security News
The White House published its proposed budget for 2025, with $13 billion earmarked for cybersecurity and safeguarding public services.
Security News
Product
In an effort to give back to the software creators whose contributions benefit the global developer community, open source projects can now get a free upgrade to our Team plan.
Security News
Socket CEO Feross Aboukhadijeh was recently interviewed on Basarat Ali Syed's YouTube channel ahead of this year's Node Congress event. They discussed Node.js and the challenges of securing open source dependencies.
Security News
CISA's new initiative collaborates with the open source ecosystem to enhance the security of package registries, promoting a set of best practices in the interest of securing critical infrastructure.
Security News
The Blackcat/ALPHV ransomware gang has executed an elaborate exit scam, falsely claiming law enforcement seizure, while swindling affiliates and severely impacting U.S. healthcare infrastructure.
Security News
Tea.xyz, a new crypto initiative aimed at rewarding open source developers, has sparked frustration within the community due to a flood of spam PRs on GitHub.
Security News
GitHub has enabled push protection by default for all user accounts. This feature prevents accidental leaks of API keys, tokens, and other secrets, a growing problem in open source development.
Security News
JSR, the new JavaScript registry, is now in public beta, designed for TypeScript and ESM.
Security News
Socket CEO Feross Aboukhadijeh was interviewed on the Daytona DotFiles Insider blog on the challenges developers face when selecting open source packages and how Socket is working to create a more secure ecosystem.
Security News
The OpenJS Foundation has launched a new effort to iterate on the informal standardization of package.json and improve the interoperability of JavaScript package metadata for application developers.
Security News
The LockBit ransomware gang's takedown by international law enforcement reveals over $1 billion in stolen funds, along with a next generation version of ransomware they had in development.
Security News
JSR, a new package registry from the Deno team, aims to address npm’s limitations but the JavaScript community is concerned about ecosystem fragmentation.
Security News
International law enforcement organizations have disrupted LockBit, the world's largest ransomware gang, seized their operations and infrastructure, and indicted some of the perpetrators.
Research
Security News
Socket discovered two malicious Python packages, enchantv and vibrant, imitating popular packages and targeting victims via a base64 encoded payload in their setup files.
Security News
This segment of the Risky Business podcast offers an overview of the volume of malicious packages that are being published to public code repositories and explains why older SCA tools aren’t equipped to detect these threats in a timely way.
Security News
A mountain of spam PRs landed in the Express.js project repo after a popular YouTube tutorial used it as an example for contributing to open source. This put a spotlight on the mandate for job seekers to find a way to contribute to OSS.
Security News
Socket CEO Feross Aboukhadijeh joined the Security Podcast in Silicon Valley where they discussed the essence of the security mindset and how this approach has shaped Socket's architecture to swiftly identify and mitigate supply chain threats.
Security News
The Node community is wrestling with the decision to enable Corepack by default, which has sparked a debate about the potential of removing npm from the Node.js binary.
Security News
Application Security
On the CyberBytes podcast, Socket CEO Feross Aboukhadijeh discusses the challenges in OSS security, the hacker mindset, and the shift towards using proactive tools that go beyond traditional vulnerability scanning to prevent supply chain attacks.
Research
Security News
A malicious npm package is targeting Roblox's massive user base to steal sensitive data, with potential impacts for both players and developers on the popular gaming platform.
Security News
A German court's controversial ruling fined a security researcher for exposing a company's data vulnerabilities, sparking intense debate over the future of ethical hacking and cybersecurity.
Security News
Underwriters expect a rise in cyber insurance premiums in 2024 due to increased ransomware activity. They predict higher risks, emphasizing the need for a focus on resiliency and better strategies for cyber incident prevention and response.
Security News
Socket CEO Feross Aboukhadijeh joins the hosts of the DevTools podcast to discuss open source maintainership, sustainability, and the challenge of proactively securing dependencies from emerging threats.
Application Security
Security News
This short history of protestware - from punch cards to package managers - explores the intriguing and controversial phenomenon of digital activism and the risks to open source supply chains.
Security News
Orbit Chain is offering an $8M bounty for intel that will lead to the recovery of crypto assets or identification of the attacker who stole $81M on New Year's Eve.
Research
Security News
Socket's research team detected and analyzed a new Python package that distributes Blank Grabber malware for stealing data from applications like Discord and Telegram.
Security News
There's a growing trend of hackers using sophisticated multi-phase attacks leveraging package managers to deploy coinminers, as seen in the recent discovery of three malicious PyPI packages.
Security News
Crypto draining attacks are ramping up, as hackers exploit weaknesses in tools used to transfer funds across cryptocurrencies. Orbit Bridge was the most recent target in an attack that stole an estimated $81 million in virtual assets on New Year's Eve.
Security News
Socket CEO Feross Aboukhadijeh joined the Syntax podcast, discussing the balance between open source innovation and safety in the npm ecosystem.
Security News
The ALPHV/Blackcat ransomware group has responded to the FBI's disruption of their operations with increased hostility, following the release of a decryption tool to more than 500 victims.
Security News
Socket CEO Feross Aboukhadijeh joins the Decipher podcast to discuss the necessity of using AI-powered early threat detection tools to protect the immense trust placed in the hands of open source maintainers.
Security News
Supply chain attacks targeting the crypto industry are becoming increasingly complex, requiring more proactive measures to prevent costly exploits. It's time for crypto to get serious about security.
Security News
Follow the @npm_malware account to get live alerts from the Socket threat feed.
Security News
The Ledger Connect Kit was compromised in a supply chain attack, leading to crypto fund theft and highlighting Socket's AI scanner's effectiveness in detecting such threats.
Security News
Ransomware payment demands are rising in 2023, driving a higher demand for cyber insurance and an increase in premiums.
Security News
The financial services sector has been hit by a recent surge of ransomware attacks, disrupting operations at major institutions such as Fidelity National Financial and the Industrial and Commercial Bank of China. These attacks underscore the importance of swift security measures in addressing vulnerabilities on enterprise systems.