Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Application Security
Sarah Gooding
February 6, 2024
Socket CEO Feross Aboukhadijeh was recently a guest on the CyberBytes podcast with host Steffan Foley where they discussed open source software and common mistakes companies make when it comes to supply chain security.
Feross highlighted the pressure developers face to ship features rapidly, often without full awareness of the open source code they are utilizing. Security teams don’t want to impede developers moving fast but at the same time are struggling with the challenge of securing massive dependency trees, which are frequently comprised of thousands and thousands of dependencies — source code that almost nobody reads.
The inspiration for Socket came from Feross’ experience creating the Wormhole app with more than 1,000 dependencies. He interviewed more than 40 CISO’s about how they vet their open source dependencies for supply chain attacks and found that most were still tethered to traditional SCA tools that only catch known vulnerabilities. It’s for this reason Socket was designed to drill down into the code of each dependency and analyze it for malicious behavior.
This podcast episode explores the hacker mindset and the complex problem of protecting against threat actors who are naturally inclined to poke at systems. Open source security is currently experiencing a major platform shift towards a more proactive approach, as companies can no longer afford to be obsessed with vulnerabilities to the exclusion of supply chain attacks.
Check out the episode on Spotify or watch the video on YouTube.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.