
Socket CEO Feross Aboukhadijeh joins Insecure Agents to discuss CVE remediation and why supply chain attacks require a different security approach.

January 8, 2026
2 min read

In a recent episode of the Insecure Agents podcast, Socket CEO Feross Aboukhadijeh joined host Allie Howe to talk about what dependency security actually looks like today in the era of AI.
He explains why CVE scanning alone doesn’t catch modern supply chain attacks, with incidents like Shai-Hulud showing the world just how fast malicious packages can spread before anyone reacts. He also breaks down Socket’s new certified patches, which let teams fix vulnerabilities without jumping multiple major versions or risking production breakage.
The conversation also looks ahead to AI coding agents and what changes when software installs and runs dependencies without human oversight. From sandboxing to policy enforcement, Feross contends that agents will need real guardrails if they’re going to ship code safely:
"I think with most new technology, security is typically an afterthought. This was true with the cloud and I think has been true with AI and with agents as well. The promise of what the tech can do is so exciting that people just push forward before they've figured out all the security implications and effects. And then we just kind of spend the next decade as an industry, trying to clean up the damage and the poor design decisions. And that's just kind of how it is.
"In an ideal world, you'd sit down and figure out all the security primitives that you need, and the standards that you need to do all this correctly and then ship the new stuff. But that's just not how it works. It's too exciting to get stuff out today. The other thing too is you can't really predict all the things you're going to see from attackers and all the ways that things can go wrong. There is an iterative element of making a system secure that happens over time."
If you’re working with open source software, dependency risk, and the security implications of AI-written code, this is a great conversation you'll want to add to your podcast queue. Check out the episode below.