Security News
The Risks of Misguided Research in Supply Chain Security
Snyk's use of malicious npm packages for research raises ethical concerns, highlighting risks in public deployment, data exfiltration, and unauthorized testing.
Charlie Gerard
December 15, 2023
Socket helps improve your open source security posture by detecting attacks which aren't caught by standard vulnerability scanners.
While these tools detect and report known vulnerabilities (CVEs), Socket also proactively catches attacks such as typosquats, hidden code, suspicious package updates, and more.
To help you stay up to date with the latest malware threats on the npm ecosystem, you can now follow the @npm_malware account where Socket is publishing real-time alerts from our threat feed.
Whenever Socket detects malware in a package, this account will tweet the details. Oftentimes these packages have been or will be removed from the npm registry.
Clicking on the tweet takes you to the file where the threat was detected for the version of the package in question, which is logged in our Socket package library. It displays more details on the issues detected in the package, which can also be viewed inline.
In addition to the malware detection built into the Socket for GitHub app and the Socket CLI tool, you can follow our threat feed account on Twitter for immediate updates on packages that are being flagged as malware, so you can take prompt action if they exist in your projects. IT professionals, security analysts, and anyone who wants to keep a finger on the pulse of emerging malware detected on npm can follow this new account on X for a reliable source of threat intelligence.