
Product
Bret Comnes
July 26, 2022
Today, we're shipping three important improvements for the Socket GitHub app!
When we launched Socket for GitHub 1.0, we quietly added a useful new feature called Project Health Reports which give you an overview of all dependencies (direct and transitive) found in your repository.
Project Health Reports help security teams or developers get a pulse on the existing security risks detected in a GitHub repository. You can use them to answer questions such as "which of my dependencies uses an install script?" or "which of my dependencies accesses the network?".
When we added support for Project Health Reports alongside our existing Pull Request Alerts, we reported the status of these two tasks in a single check run (the status indicator that shows up above the merge button in a pull request):
After gathering feedback from our 1.0 launch, we are separating out these two reports into individual check runs. Now you will see two check run status lines in PRs.
Here's how it looks:
This has a number of benefits. To summarize:
Pull Request Alerts highlight any new critical issues that the pull request would directly introduce to the project if it were to be merged.
Pull Request Alerts look at the simulated result of merging the pull request branch into the target branch and detect changes from that context. These alerts take the form of a check run status, check run details page, and a comment left in your pull request discussion thread.
Project Health Reports provide an overview of all dependencies (direct and transitive) found in your repository at a given commit.
These reports help security teams or developers get a pulse on the existing security risks detected in a GitHub repository. You can use them to answer questions such as "which of my dependencies uses an install script?" or "which of my dependencies accesses the network?".
This dual check pattern is very similar to how GitHub Actions can run your tests in both a push event context and a pull_request event context, in order to validate changes to a branch directly as well as preview the results of merging the pull request.
Along with finer-grained check runs, we're releasing finer-grained (and always optional) settings in our socket.yml file.
These are the new settings we support:
pullRequestAlertsEnabled: Enable or disable pull request alerts (comments and check runs).
projectReportsEnabled: Enable or disable project report generation and the associated check run.
You can read more about these in the docs.
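As an added illustration (not a configuration shipped with the Socket app or taken from its docs), here is a socket.yml that keeps Pull Request Alerts on but turns off Project Health Report generation, which is a reasonable choice for a repository where another job already produces the full dependency overview. The two keys are the ones named above; that they sit at the top level of the file, and the surrounding comments, are assumptions, so confirm the exact placement against the Socket docs before committing it.

```yaml
# Added example socket.yml (not from the Socket post or docs).
# Placement of the keys at top level is an assumption; check the docs.

# Keep the merge-time check: comment on PRs and post a check run
# whenever a pull request would introduce a new critical issue.
pullRequestAlertsEnabled: true

# Skip the per-commit Project Health Report and its check run.
# Flip to true (the default) to get the full direct + transitive overview.
projectReportsEnabled: false
```

Both settings are optional, so an empty or absent socket.yml leaves both reports enabled.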
We are working diligently to improve the reliability and observability of our report generation pipeline and will be silently rolling out a number of backend changes that should improve report success rates over the next few weeks.