Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Ethereum smart contracts.
Security News
Sarah Gooding
January 17, 2024
Socket CEO Feross Aboukhadijeh was recently a guest on the DevTools.fm podcast with hosts Andrew Lisowski and Justin Bennett. The show features industry leaders discussing modern development tools. In this episode, they explored the inspirations behind Feross’ journey to becoming an open source developer, where he began investing inordinate amounts of free time fixing bugs, fueled by the initial excitement of having other people use his code.
The episode explores some of the realities and challenges of maintaining popular open source projects, which are often the utilities that attain near-ubiquitous use across the web. Developers have contributed countless unpaid hours to these projects, but maintainer burnout is a real issue that impacts the longevity of some of the web's most critical infrastructure.
Sustaining open source software is a problem that the ecosystem is still wrestling with, and Feross shared a few of his experiments in funding this valuable contribution to the development community.
Socket was created as a response to the challenge of securing an increasingly complex ecosystem of interconnected dependencies. As the average number of dependencies continues to climb in tandem with rising supply chain attacks, the open source security space has reached a point of reckoning where the obsession with known vulnerabilities is now glaringly inadequate.
The industry is shifting towards a more vigilant scrutiny of the entire software supply chain, including behavior analysis and proactive detection of emerging threats.
Feross dives deeper into how Socket uses LLMs to detect malicious code at scale, combined with a human review queue to reduce false positives. He envisions a future where developers take a more cautious and conscious approach to open source dependency management while actively improving the quality of the packages they are using.
Listen to the episode on DevTools.fm, or visit the DevTools.fm website for the full transcript.