Security News
Crates.io Implements Trusted Publishing Support
Crates.io adds Trusted Publishing support, enabling secure GitHub Actions-based crate releases without long-lived API tokens.
By Sarah Gooding - Jul 16, 2025
You're Invited:Meet the Socket Team at BlackHat and DEF CON in Las Vegas, Aug 4-6.RSVP →
Back
Security News
The Dark Side of Open Source
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
Sarah Gooding
April 19, 2024
Socket CEO Feross Aboukhadijeh presented at Node Congress earlier this month on the darker aspects of open source, particularly in the npm and JavaScript ecosystems. He dives into some interesting examples of malicious code from recent software supply chain attacks.
What is the Supply Chain?#
It’s not uncommon to see applications where 90% of the code comes from open source dependencies, most of which are not written in house. The average open source dependency has 79 transitive dependencies attached to it.
“In this world where your application is built on thousands of dependencies, software security is not just about your code — it's about every piece of code that you depend on,” Feross said.
"Fundamentally, the problem here is that we're using so many packages but we just don't have the time to read every line of code in our dependencies."
Software supply chains include all of this third-party code, APIs, cloud services, and even dependencies like your operating system.
Open Source Supply Chains Are Under Attack#
"As developers, we’re always trusting other people,” Feross said. “Open source is built on trust, and for the most part, this trust is well-placed." There are a few bad actors who abuse public registries by releasing malicious packages or hijacking legitimate ones.
According to a research paper published in 2021, it was previously taking over 200 days for the security community to detect a malicious package. Socket now has the ability to catch these attempts often minutes after they are published to the public registries. We’re detecting and blocking over 100 of these types of attacks every week.
Feross explained that even after these malicious packages are reported and taken down, they’re often not cataloged or saved in any way. They don’t go into the typical vulnerability tracking systems like the NVD - they just get taken down and then developers don’t know whether or not they may have installed that package in the past. This is something we’re trying to change at Socket.
In this talk, Feross breaks down a few examples of malicious code in supply chain attacks we have seen recently. Check out the video below to get a broader picture of what open source security means and some real world examples of how attackers are exploiting open source dependencies.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Ready to block malicious and vulnerable dependencies?
Related posts
Back to all posts
Research
/Security News
Tracking Protestware Spread: 28 npm Packages Affected by Payload Targeting Russian-Language Users
Undocumented protestware found in 28 npm packages disrupts UI for Russian-language users visiting Russian and Belarusian domains.
By Olivia Brown - Jul 15, 2025
Research
/Security News
Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader
North Korean threat actors deploy 67 malicious npm packages using the newly discovered XORIndex malware loader.
By Kirill Boychenko - Jul 14, 2025