Socket CEO Feross Aboukhadijeh recently joined the Risky Business podcast for an episode hosted by Patrick Gray and Adam Boileau. The show features topics for information security professionals and the hosts discuss the latest news across the industry. This episode includes a wide-ranging discussion of everything from Azure misconfigurations to Starlink’s complicated political situation.
Feross gave an overview of the volume of malicious packages that are being published to code repositories and explained why older SCA tools aren’t equipped to detect these threats in a timely way.
Socket is flagging 100 malicious packages every week across the JavaScript, Python, and Go ecosystems. We report every malicious package we detect to the public registries, and they remove them. Unfortunately, there is no notification system in place in cases where someone has already installed these packages. Malware takedowns are not put into the GitHub Advisory database, so they disappear from public knowledge.
Socket tracks the packages that are removed - we have records of approximately 7-8,000 deleted packages. There’s no easy way for teams to figure out if they are already using code that was flagged as malicious, so we provide tools that block these packages for Socket users. When new users install the Socket for GitHub app (it’s a 2-click install) they get visibility into all the open source code they are using and are alerted if any of it is malicious. The app offers a good way for developers to quickly uncover any risks with the code they’re running.
Feross also discussed the alternative to using a tool like Socket - which is simply waiting for vulnerabilities to be caught and added to the database that everyone uses. This approach is not nimble enough to prevent malware and supply chain attacks from hitting your software.
Socket is now leading the shift towards proactively detecting malicious packages and getting them removed from the public registries, as part of the process of supporting organizations that can’t afford to rely on a traditional SCA tool for supply chain security.
Check out this segment on YouTube or listen to the full episode on the Risky Business website.