Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

Security News

Risky Business Podcast: How Socket Combats Malware in Open Source Package Registries

This segment of the Risky Business podcast offers an overview of the volume of malicious packages that are being published to public code repositories and explains why older SCA tools aren’t equipped to detect these threats in a timely way.

Risky Business Podcast: How Socket Combats Malware in Open Source Package Registries

Sarah Gooding

February 15, 2024


Socket CEO Feross Aboukhadijeh recently joined the Risky Business podcast for an episode hosted by Patrick Gray and Adam Boileau. The show features topics for information security professionals and the hosts discuss the latest news across the industry. This episode includes a wide-ranging discussion of everything from Azure misconfigurations to Starlink’s complicated political situation.

Why Older SCA Tools Are Not Equipped to Detect Malicious Packages#

Feross gave an overview of the volume of malicious packages that are being published to code repositories and explained why older SCA tools aren’t equipped to detect these threats in a timely way.

Socket is flagging 100 malicious packages every week across the JavaScript, Python, and Go ecosystems. We report every malicious package we detect to the public registries, and they remove them. Unfortunately, there is no notification system in place in cases where someone has already installed these packages. Malware takedowns are not put into the GitHub Advisory database, so they disappear from public knowledge.

Socket tracks the packages that are removed - we have records of approximately 7-8,000 deleted packages. There’s no easy way for teams to figure out if they are already using code that was flagged as malicious, so we provide tools that block these packages for Socket users. When new users install the Socket for GitHub app (it’s a 2-click install) they get visibility into all the open source code they are using and are alerted if any of it is malicious. The app offers a good way for developers to quickly uncover any risks with the code they’re running.

Feross also discussed the alternative to using a tool like Socket - which is simply waiting for vulnerabilities to be caught and added to the database that everyone uses. This approach is not nimble enough to prevent malware and supply chain attacks from hitting your software.

Socket is now leading the shift towards proactively detecting malicious packages and getting them removed from the public registries, as part of the process of supporting organizations that can’t afford to rely on a traditional SCA tool for supply chain security.

Check out this segment on YouTube or listen to the full episode on the Risky Business website.

Subscribe to our newsletter

Get notified when we publish new security blog posts!

Try it now

Ready to block malicious and vulnerable dependencies?

Install GitHub AppBook a demo

Related posts

Back to all posts
SocketSocket SOC 2 Logo

Product

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc