Can you spot malicious packages on the web at a glance? Socket can.
Why?
Copy-pasting code is such a common action when developing. You may need to evaluate a new package or add some dependencies. So you end up on some blog post, tutorial, or Stack Overflow. The web is vast, and so are the threats.
You're tired, it's the end of a hot day, and you're thinking about the weekend. Years of muscle memory, in no time, you copy a command you found, paste it, and press return in your terminal:
npm install vite vitetest react react-router react-lntl react-hook-forms faker
Did you notice? If you found the four issues with this command, congrats!
But it's too late: the command has already run. One of the packages had an install script that executed automatically, and your computer is now infected. Worse, you push these dependencies to production, causing irreparable damage to your business.
You may think that running commands from official docs is safer, but quite often packages have hundreds of dependencies. How can you tell that none of them went rogue a few hours before you installed it? What about lesser-used packages, or previously popular packages that have become unmaintained?
Attacks are getting increasingly complex, with bad actors using AI or playing the long game on deep dependencies (the xz supply-chain attack was in preparation for four years).
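To make the two problems in the scenario concrete, here is a small added example in JavaScript. It is not Socket's code and not how the extension works; it is a name-based screen of an `npm install` line against a constructed allowlist of well-known packages, plus a check of a constructed package manifest for the lifecycle scripts npm runs automatically. The allowlist, the sample manifest and the edit-distance threshold are all assumptions made for the demo.

```javascript
// Added example, not Socket's code. Screens an `npm install` line for
// look-alike names and reports install-time lifecycle scripts in a manifest.
// KNOWN_GOOD and SAMPLE_MANIFEST are constructed for this demo.

const KNOWN_GOOD = [
  'vite', 'vitest', 'react', 'react-router', 'react-intl',
  'react-hook-form', 'faker', 'lodash', 'express', 'axios',
];

// Lifecycle hooks that npm runs on its own during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Fold characters that look alike in many fonts, so that e.g. `lntl`
// and `intl` compare as equal.
function foldConfusables(name) {
  return name
    .toLowerCase()
    .replace(/rn/g, 'm')
    .replace(/[l1]/g, 'i')
    .replace(/0/g, 'o');
}

// Optimal string alignment distance: Levenshtein plus adjacent swaps.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Extract package names from `npm install ...`, dropping flags and version
// ranges (`name@1.2.3`) while keeping scoped names (`@scope/name`).
function parseInstallLine(line) {
  const args = line.trim().split(/\s+/).slice(2); // drop `npm` and `install`/`i`
  return args
    .filter((t) => !t.startsWith('-'))
    .map((t) => {
      const at = t.indexOf('@', t.startsWith('@') ? 1 : 0);
      return at === -1 ? t : t.slice(0, at);
    });
}

// Flag an unknown name that sits within a small (length-scaled) edit
// distance of a well-known one. Exact allowlist hits are reported as known.
function screenName(name, knownGood = KNOWN_GOOD) {
  if (knownGood.includes(name)) return { name, verdict: 'known', nearest: null };
  const folded = foldConfusables(name);
  let nearest = null;
  let best = Infinity;
  for (const good of knownGood) {
    const dist = editDistance(folded, foldConfusables(good));
    if (dist < best) { best = dist; nearest = good; }
  }
  const threshold = Math.max(1, Math.floor(name.length / 4));
  const flagged = best <= threshold;
  return { name, verdict: flagged ? 'possible-typosquat' : 'unknown', nearest: flagged ? nearest : null };
}

function screenInstallLine(line, knownGood = KNOWN_GOOD) {
  return parseInstallLine(line).map((n) => screenName(n, knownGood));
}

// Which lifecycle scripts a parsed package.json would run on install.
// A name-based screen cannot see this; the manifest can.
function installScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
}

// Constructed manifest of a hypothetical package with a postinstall hook.
const SAMPLE_MANIFEST = {
  name: 'example-package',
  version: '1.0.0',
  scripts: { postinstall: 'node ./setup.js', test: 'vitest' },
};

function demo() {
  const line = 'npm install vite vitetest react react-router react-lntl react-hook-forms faker';
  for (const r of screenInstallLine(line)) console.log(r);
  console.log('install hooks:', installScripts(SAMPLE_MANIFEST));
}
demo();
```

Run against the command from the post, the screen flags `vitetest`, `react-lntl` and `react-hook-forms`, each with the well-known name it resembles. `faker` comes back as known: a package whose name is legitimate but whose contents have changed cannot be caught by name alone, which is why the manifest check for install hooks (and, more generally, registry metadata) has to sit beside it.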
At Socket, we want to make the web a safer place for developers.
Our completely revamped web extension helps you detect these threats in real-time and identify safe packages directly from your browser. It offers instant security metrics, identifying potential threats such as malware, typosquatting, and vulnerable dependencies.
We have also expanded support beyond npm to include PyPI, Go, and Maven package and search results.
With the web extension installed, you can quickly browse security scores and package capabilities when searching, without having to leave the page.
✨ A Few Highlights:
Peace of mind at ~0.02MB only
Nobody likes a heavy web extension, so we've focused on making it as lightweight as possible. It's dependency-free and uses only the latest browser APIs.
Thousands of checks in seconds
Socket detects 70+ alert types and regularly checks not only the package itself but also all of its dependencies. Browsing just 10 packages with 20 dependencies each means more than 14,000 checks done automatically for you!
Designed with privacy in mind
To enhance your security, our extension now requires broader site access. This permission allows us to identify and mark potentially dangerous packages on websites you visit.
The extension is also designed with your privacy in mind: it sends only package names to Socket's servers, and only when packages are found on the page you are visiting. If no package is detected, no request to Socket's servers is made at all. This ensures that your browsing activity remains private and secure.
You can adjust or limit this permission at any time by going to the extension settings. Check our docs for details.
Most popular open source ecosystems supported
The extension checks npm, PyPI, Go, Ruby, and Maven packages. Using other languages? We have more ecosystems on the way!
Trusted by the best engineering teams
Socket protects top engineering teams like OpenAI, Anthropic, Figma, Replit, Vercel, Brave, Sanity, Expo, Render, and now this real-time threat detection is available in your browser.
Quick Install: Get Protected in Seconds
The new Socket extension is simple, free, and unobtrusive. You never know when you'll encounter a malicious package, but it's always better to be safe than sorry.
It takes just 10 seconds to install and get started.
Good news, Firefox users—we’ve got you covered! Our new Socket web extension is also available for Firefox, ensuring you can enjoy the same powerful security features no matter your browser of choice!
If you have any feature requests or feedback, feel free to get in touch. We would love to incorporate your suggestions into the next update!