Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Company News
Feross Aboukhadijeh
August 1, 2023
Open source has fundamentally reshaped the way developers write software. Yet, it's a twisted irony that what makes open source great – unparalleled transparency, collaboration, and speed of development – is also the source of our greatest challenges when it comes to shipping secure software. Open source software has won, but security has been an afterthought.
When we first announced Socket one year ago, we set out with a clear mission: to redefine how teams think about application security. Modern applications use tens of thousands of dependencies written by thousands of maintainers. In this interconnected web, shipping secure software isn't just about securing your own code but about securing every piece of code that you rely upon.
That's why we're excited to announce our $20M Series A led by Andreessen Horowitz (a16z) as well as a suite of new features designed to make open source safer for everyone. See full investor list below.
Today marks an important milestone. We're announcing $20M of new funding led by Andreessen Horowitz. The round was led by Zane Lackey, who was an early believer in Socket and most importantly has already built a company of similar ambition. Joining him in the round are some of the sharpest independent minds in security and tech, including Abstract Ventures, Michael Ovitz, Wndrco, Arash Ferdowsi, Aaron Levie, and Jawed Karim, as well as existing investors Elad Gil, Dylan Field, Nat Friedman, Guillermo Rauch, and Julia & Kevin Hartz (full list below).
We'll use the new capital to improve our product capabilities, grow our team, and further extend our core technology to new applications. We're focused on meeting the needs of our customers with support for more programming languages, ecosystems, and integrations.
I'm also thrilled to welcome Zane, General Partner at a16z and cofounder of Signal Sciences, to our board of directors. Zane's leadership has been instrumental in shaping the way organizations think about security in the context of fast-paced software delivery and modern infrastructure.
“We invested in Socket because the best companies come from the people who are passionate about the problems they’re solving. This team knows how to build products that developers love, they understand security, and they’re tackling an urgent problem for a community they’ve been part of for more than two decades.” – Zane Lackey, General Partner at Andreessen Horowitz & cofounder of Signal Sciences
“Socket shows all the signs of becoming an iconic security company: experienced leadership, a beloved commercial product, and the technical ability to solve a real problem for their customers.” – Martin Casado, General Partner at Andreessen Horowitz
When we unveiled Socket last year, we brought with us the combined experience of open source maintainers with over a billion monthly downloads. Our mission was clear and urgent: make open source safer.
We looked at the hundreds of dependency security tools on the market and were disappointed to find the tools were imprecise, noisy, and reactive. Not only did they generate thousands of low-value alerts but they were incapable at a fundamental level of detecting and stopping the fastest-growing security threat: software supply chain attacks.
Trying to secure an application built on a foundation of ten thousand third-party dependencies that constantly update and change is like trying to build a stable structure on shifting sands. With today's rapid and continuous development cycles, a malicious dependency can be updated, merged, and running in production in a matter of days or even hours after publication.
Socket tackles this problem head on. We're taking an entirely new approach to one of the hardest problems in security in a stagnant part of the industry.
Socket revolutionizes dependency security by using "content-based analysis" to analyze dependency behavior and get a ground-truth understanding of open source risk. There's nothing else like it, and our customers love it.
“Our goal is to help the teams at Figma ship products and features as securely as possible, without impacting the pace of development. Socket is a natural fit for us because it's frictionless and doesn't get in the way of developers.” – Devdatta Akhawe, Chief Information Security Officer at Figma
“For many years, organizations have been installing open source dependencies without insight into potential vulnerabilities and issues. Socket is like an X-ray into open source dependencies, going above and beyond to detect issues that aren’t yet known vulnerabilities within the security community. It’s so easy-to-use, it’s a no-brainer.” – Yan Zhu, Chief Information Security Officer at Brave
"Socket goes beyond relying solely on CVEs or third-party sources for threat intelligence. They conduct first-hand analysis to identify unknown issues in open-source dependencies before they can impact our code. Early detection, coupled with supporting documentation, means Socket not only strengthens our security but also saves valuable time and resources that would otherwise be spent on remediation efforts." – Aaron Brown, Head of Cloud Security at Vercel
We're launching a free browser extension to verify that the open source package you’re about to install is secure and trustworthy. It’s currently available for Chrome, Edge, Brave, and any other Chromium-based browser, as well as Firefox.
Go support is now available, in addition to JavaScript and Python. We're aggressively expanding Socket language support in the coming months.
This powerful search function lets you delve into your codebase – across your whole organization – to find any dependency at any time. Socket tracks every change to your dependencies in real-time and ensures you have the most recent dependency information at your fingertips. Now you have the freedom to investigate malicious or vulnerable packages in your codebase and eradicate the threat, even when there’s no official security disclosure yet.
At Socket, we move incredibly fast and constantly ship improvements to our product. The new product announcements today join the list of significant features that Socket has introduced over the past few months to support developers and security teams throughout every stage of development. Here are a few highlights:
npm
command and protects developers from installing malware, risky dependencies, and enforces policies on allowed dependencies.We've also shipped an organization dashboard, VSCode extension, SOC 2 compliance, and support for new package managers yarn and pnpm.
Every great company is a conspiracy to change the world. Thank you to our many co-conspirators; we wouldn't be here without your support. We're so grateful to our early customers, founding employees, investors, mentors, and the open source and security communities. On behalf of everyone at Socket, it's an honor to share my eternal gratitude for you all.
Every leap we take is not just for us, but for the countless developers and organizations that trust us. Here's to safer open source software for all.
Want to be part of this journey? We're recruiting for various roles – from engineering, security, operations, and sales. Explore roles at socket.dev/careers.
Questions, feedback, or just want a chat? Schedule a demo with our technical experts. Or, get protected in 2 clicks by installing Socket for GitHub.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.