Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

Security News

Syntax Podcast: "Is Running Random Code From npm Safe?"

Socket CEO Feross Aboukhadijeh joined the Syntax podcast, discussing the balance between open source innovation and safety in the npm ecosystem.

Syntax Podcast: "Is Running Random Code From npm Safe?"

Sarah Gooding

January 2, 2024


Socket CEO Feross Aboukhadijeh recently joined Wes Bos and Scott Tolinski, hosts of the Syntax podcast, for an episode titled “Is Running Random Code From npm Safe?

This episode explores the enormous amount of trust developers place in code downloaded from npm and the importance of modern security tools in protecting this ecosystem from malicious actors and compromised packages.

They discussed the power of systems like npm to amplify open source contributions but also the contrasting fragility of unprotected supply chains in the face of targeted attacks. This is one of the unique challenges of enabling the open source ecosystem to flourish while avoiding excessive bureaucratic hurdles that could hinder contributions.

Feross related a story about how the popular EventStream node package was hijacked to steal users' cryptocurrency. This became a timely reference, as the podcast episode was published the same week that Ledger’s connect-kit, a package used by many crypto frontends, was compromised when an attacker added wallet-draining code that stole an estimated $600K in virtual assets.

Socket’s AI-powered threat detection discovers an estimated 400 malicious packages per week. This episode includes a few wild stories from the npm ecosystem. It also explores Socket's methodology in identifying suspicious packages by scanning for 70+ signals, such as new network requests or automatically running code on installation.

Check out the episode below, along with the complete transcript on the Syntax.fm website.

Subscribe to our newsletter

Get notified when we publish new security blog posts!

Try it now

Ready to block malicious and vulnerable dependencies?

Install GitHub AppBook a demo

Related posts

Back to all posts
SocketSocket SOC 2 Logo

Product

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc