Product
Bret Comnes
July 26, 2022
Today, we're shipping 3 important improvements for the Socket GitHub app!
When we launched Socket for GitHub 1.0, we quietly added a useful new feature called Project Health Reports which give you an overview of all dependencies (direct and transitive) found in your repository.
Project Health Reports help security teams or developers get a pulse on the existing security risks detected in a GitHub repository. You can use them to answer questions such as "which of my dependencies uses an install script?" or "which of my dependencies accesses the network?".
When we added support for Project Health Reports alongside our existing Pull Request Alerts, we reported the status of these two tasks in a single check run (the status indicator that shows up above the merge button in a pull request):
After gathering feedback from our 1.0 launch, we are separating out these two reports into individual check runs. Now you will see two check run status lines in PRs.
Here's how it looks:
This has a number of benefits:
To summarize:
Pull Request Alerts highlight any new critical issues that the pull request would directly introduce to the project if it were to be merged.
Pull Request Alerts look at the simulated result of merging the pull request branch into the target branch and detect changes from that context. These alerts take the form of a check run status, check run details page, and a comment left in your pull request discussion thread.
Project Health Reports provide an overview of all dependencies (direct and transitive) found in your repository for a given commit.
These reports help security teams or developers get a pulse on the existing security risks detected in a GitHub repository. You can use them to answer questions such as "which of my dependencies uses an install script?" or "which of my dependencies accesses the network?".
This dual check pattern is very similar to how GitHub Actions can run your tests in a push and pull_request event context in order to validate changes to a branch directly, as well as preview the results of merging the pull request.
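As an added illustration of that dual-event pattern (this workflow is not from the post and is not Socket's code), the minimal GitHub Actions workflow below runs the same test job in both contexts. On a push event the job checks out the branch commit itself; on a pull_request event actions/checkout checks out GitHub's simulated merge commit of the head branch into the base branch, which is the same "what would happen if this were merged" view that Pull Request Alerts report on. The workflow name and the npm commands are placeholders.

```yaml
# Added example workflow (not from the post): one job, two event contexts.
name: tests
on:
  push:
    branches: [main]        # validates commits landing on the branch directly
  pull_request:
    branches: [main]        # validates the simulated merge result of the PR
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # On pull_request this checks out the merge commit, not the PR head.
      - uses: actions/checkout@v3
      - run: npm ci
      - run: npm test
```

Each trigger produces its own check run on the commit, so a reviewer sees the branch result and the merge-preview result as two separate status lines, mirroring the split between Project Health Reports and Pull Request Alerts.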
Along with finer-grained check runs, we're releasing finer-grained (and always optional) settings in our socket.yml file.
These are the new settings we support:
pullRequestAlertsEnabled: Enable or disable pull request alerts (comments and check runs).
projectReportsEnabled: Enable or disable project report generation and the associated check run.
You can read more about these in the docs.
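Here is an added example socket.yml using the two settings above (this file is constructed for illustration and is not taken from the post or from Socket's documentation). The key names are the ones the post lists; that they sit at the top level of the file, and the true/false values chosen, are assumptions. This configuration keeps the merge-gating Pull Request Alerts on while turning off the per-commit Project Health Report, which is a reasonable choice for a repository that only wants the PR-time check run.

```yaml
# Added example socket.yml (not from the post). Both settings are optional;
# the top-level placement of these keys is an assumption.

# Keep Pull Request Alerts: check run, details page and PR comment for new
# critical issues the merge would introduce.
pullRequestAlertsEnabled: true

# Disable the Project Health Report check run that summarises all direct and
# transitive dependencies on each commit.
projectReportsEnabled: false
```

Because both keys default to enabled when omitted (the post describes the settings as optional), a repository with no socket.yml continues to receive both check runs.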
We are working diligently to improve the reliability and observability of our report generation pipeline and will be silently rolling out a number of backend changes that should improve report success rates over the next few weeks.