Company News
Feross Aboukhadijeh
March 1, 2022
We've been in closed beta for the past seven months, but as of today, Socket is open for anyone to install and try out.
Over the past decade, it's become clear that open source software has won. Sharing code freely has made it drastically cheaper and faster to build software – and tech innovation has accelerated as a result. But security has often been an afterthought. New technology spreads because it's useful, not because it's safe.
We are a team of open source maintainers with over 1 billion monthly downloads to our names. Working on the frontlines of open source, we've witnessed firsthand how supply chain attacks have swept across our communities and damaged trust in open source.
In 2021, we saw an unprecedented growth in the scale of open source supply chain attacks. Criminals are exploiting the trust in open source software to carry out brazen attacks that spread destructive malware. From event-stream to ua-parser-js, the attacks keep on coming and they seem to be accelerating.
Meanwhile, the entire security industry is obsessed with identifying known vulnerabilities. There are hundreds of variations of CVE scanners. They all miss the point. Looking for known vulnerabilities is reactive. Vulnerabilities take weeks or months to be discovered. In today's culture of fast development, a malicious dependency can be updated, merged, and running in production in days or even hours.
Socket turns the problem on its head and asks: what if we assume all open source may be malicious? Can we proactively detect indicators of compromised packages? What's the simplest way to mitigate this risk without hurting usability?
We are taking an entirely new approach to one of the hardest problems in security in a stagnant part of the industry that has historically been obsessed with just reporting on known vulnerabilities.
Unlike other tools, Socket detects and blocks supply chain attacks before they strike, mitigating the worst consequences. Socket uses deep package inspection to peel back the layers of a dependency to characterize its actual behavior.
package.json in real-time. Socket looks for indicators present in all of the recent npm supply chain attacks. And we're proactively auditing every package on npm to find these supply chain attacks.
The market is flooded with vulnerability scanners (which find CVEs in your dependencies) and static analysis tools (which analyze your app code).
These approaches are almost entirely useless at detecting the types of supply chain attacks we've seen exploding in the open source ecosystem.
Socket, on the other hand, was specifically designed to detect supply chain attacks in your dependencies.
Unlike a traditional security scanner, Socket can actually detect an active supply chain attack and help you to block it. Unlike a traditional static analysis tool, Socket provides actionable feedback about dependency risk instead of hundreds of meaningless alerts.
Socket uses "deep package inspection" to characterize the behavior of an open source package. By actually analyzing the package code, Socket can detect when packages use security-relevant platform capabilities, such as the network, filesystem, or shell.
For instance, to detect if a package uses the network, Socket looks at whether fetch(), or Node's net, dgram, dns, http or https modules are used within the package or any of its dependencies.
This entails running static analysis (and soon, dynamic analysis) on a package – and all of its dependencies – to look for specific risk markers.
In this way, Socket can detect the tell-tale signs of a supply chain attack, including the introduction of install scripts, obfuscated code, high entropy strings, or usage of privileged APIs such as shell, filesystem, eval(), and environment variables.
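A simplified sketch of several of the markers listed above (install scripts, network modules, shell, filesystem, eval(), environment variables, high entropy strings), added here as an example; it is not Socket's code. It runs regular expressions over a single package's source rather than real static analysis across dependencies, and the function names, flag names and entropy thresholds are assumptions.

```javascript
// Added illustration: regex heuristics only, not Socket's analysis engine.
const NETWORK_MODULES = ['net', 'dgram', 'dns', 'http', 'https'];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Shannon entropy of a string, in bits per character.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

// Module names loaded via require('x'), import ... from 'x', import 'x' or import('x').
function importedModules(source) {
  const re = /(?:require\s*\(\s*|from\s+|import\s*\(\s*|import\s+)['"](?:node:)?([^'"]+)['"]/g;
  return new Set([...source.matchAll(re)].map((m) => m[1]));
}

// Returns a sorted list of risk markers for one package's manifest and source text.
function scanPackage(manifest, source) {
  const flags = new Set();
  const scripts = manifest.scripts || {};
  if (INSTALL_HOOKS.some((hook) => hook in scripts)) flags.add('install-script');

  const mods = importedModules(source);
  if (NETWORK_MODULES.some((m) => mods.has(m)) || /\bfetch\s*\(/.test(source)) flags.add('network');
  if (mods.has('child_process')) flags.add('shell');
  if (mods.has('fs') || mods.has('fs/promises')) flags.add('filesystem');
  if (/\beval\s*\(/.test(source)) flags.add('eval');
  if (/\bprocess\.env\b/.test(source)) flags.add('env-vars');

  // Assumed thresholds: a literal of 40+ characters above 4.5 bits/char is suspicious.
  for (const m of source.matchAll(/(['"`])((?:(?!\1)[^\\\n]){40,})\1/g)) {
    if (entropy(m[2]) > 4.5) flags.add('high-entropy-string');
  }
  return [...flags].sort();
}

// Constructed sample package (not taken from any real incident).
const SAMPLE_MANIFEST = { name: 'example-pkg', scripts: { postinstall: 'node setup.js' } };
const SAMPLE_SOURCE = [
  "const https = require('https');",
  "const home = process.env.HOME;",
  "const blob = 'q7Zp0XvL3kR9sTfW2yBnH8dJ5mCgA1eUoI6aVxYtKzQwErP4';",
].join('\n');

console.log(scanPackage(SAMPLE_MANIFEST, SAMPLE_SOURCE));
```

Any single marker is common in legitimate packages, so the output is a set of signals to review (for example, a new marker appearing between two versions), not a verdict.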
Every member of the Socket team is an open source maintainer. That's why we care so much about this problem.
Most security software is typically sold to executives, so it tends to suck to actually use it. In the best case, it gets purchased and sits around on a shelf bothering – and protecting – no one. In the worst case, it prevents developers from getting things done.
As developers ourselves, we understand there is an inherent tension between usability and security, but we refuse to compromise one for the other. We're driven to protect the open source ecosystem with usable security.
Ultimately, that's the only way to make open source safe for everyone.
Today, our early customers are using Socket to protect their apps from typo-squatting attacks, with more features coming later in March. If you're interested in trying out Socket, you can install the GitHub App in less than 5 minutes. Feel free to reach out to us as well if you'd like to chat and get a more in-depth demo.
We have a lot of exciting product releases planned for the coming year – if you'd like to stay in the loop, you can subscribe to updates below.
P.S. We're hiring at Socket! Check out our jobs page if you're interested in working to secure the software supply chain.