
Application Security
How Socket Combats Insidious Typosquatting Supply Chain Attacks
Supply chain attacks that leverage typosquatting are steeply rising over previous years. Learn how Socket for GitHub and Socket CLI can protect your app.
Application Security / Product
A short walkthrough of how to integrate Socket into the Gitlab CI/CD process
Product
Get more information about the most popular JavaScript packages with Socket's new AI-generated package summaries.
Product
Our new and improved Project Health Reports are now generally available.
Engineering
Socket discusses the results of using different package managers to install your packages and introduces a GitHub action to expose those differences.
Application Security
How Socket uses LLMs to enhance both the analysis and explanation of open-source software packages.
Product
Socket is happy to enable developers to customize their own feature plan choices with the announcement of self-service payment plans.
Research
Socket AI detected a malicious package on PyPI with an abnormally high potential impact; Socket security researchers investigated and confirmed malicious behavior.
Engineering
package.json contains a local aliasing mechanism for import paths called "imports". It satisfies many use cases without tooling-specific solutions like tsconfig.json.
Research
Digging into the Skeleton Squad's recent expansion from PyPI to the npm ecosystem.
Research
Socket AI detected threats in package ecosystems, including counterfeit Roblox and Discord packages. Malware hidden in DNS records and selective data attacks were also spotted, showcasing Socket Security's robust defense capabilities.
Application Security
What supply chain attacks are, and how Socket can help protect you from them.
Product
Get visibility and control over your open source dependencies, across your whole organization
Product
We're excited to announce that Socket now supports the Go programming language.
Company News
Empowering Developers: Our Journey to a Safer Open Source Ecosystem
Product
Socket is now offering a free browser extension to verify the security and quality of packages on NPM.
Research
The Lazarus Group launched a sophisticated social engineering campaign targeting developers in the cryptocurrency and cybersecurity sectors, using compromised accounts and malware-laden NPM packages.
Company News
Socket is back at Black Hat and DEF CON. Stop by our suite to hang out!
Application Security
Vulnerability scanners provide a false sense of security to appsec teams and do little to prevent supply chain attacks.
Research
Socket has been protecting organizations from "manifest confusion" attacks for 9 months before it was publicly disclosed.
Application Security
Exposing the flaws of traditional SCA tools, and introducing a solution.
Product
The Socket Security extension for VSCode now supports Python.
Product
You can now send Socket Pull Request Notifications to Slack!
Engineering
Socket provides an introspective look at code signing in relation to the SolarWinds supply chain incident.
Company News
The Socket blog now offers both full content Atom and JSON feeds which let you subscribe to all future Socket blog posts.
Product
The Socket GitHub app now runs Project Health Reports on the default branch instead of in pull requests.
Application Security
Socket explains the newly released npm provenance provided by GitHub.
Company News
Socket is back at BSidesSF and RSA! Stop by to meet the team and hang out.
Product
We share some feedback and directions on Socket's npm wrapper.
Product
Socket introduces an overall project health report for viewing relevant data to entire projects at a glance.
Product
Socket is using ChatGPT to examine every npm and PyPI package for security issues.
Research
The npm public registry is drowning in a tsunami of spam and phishing, and it's all thanks to everyone's favorite gun-toting antihero, John Wick.
Product
Socket Dependency Overview helps developers understand the risk of dependency changes by leaving an in-depth comment on any pull request that adds, updates, or removes dependencies.
Product
Socket is proud to introduce an exciting new tool—“safe npm”—that protects developers whenever they use npm install.
Company News
Socket partners with Ecosystems to build and maintain secure, resilient, and sustainable open source ecosystems.
Product
Socket now supports the pnpm package manager! Check it out and stay away from vulnerable and malicious packages.
Product
We're excited to announce that Socket now supports the Python programming language.
Company News
Socket is thrilled to announce that we have achieved a sparkling clean SOC 2 Type 2 attestation report.
Research / Engineering
Proposing a more usable RegExp for JS in light of async I/O and streaming.
Company News
Socket is nominating Bradley Meck Farias as a representative to the OpenSSF Governing Board.
Product
We have a new configuration file format and library for working with it!
Product
Socket is proud to announce improved support for npm and Yarn, including full support for npm versions 6, 7, 8, and 9 and full support for Yarn versions 1, 2, and 3.
Product / Engineering
Introducing a VS Code editor integration for Socket Security.
Product
Socket has introduced a new dashboard functionality to aid in self service and auditing in one centralized location.
Research / Engineering
We have been using GPT at Socket to help triage the npm package firehose for a couple months now. Here is what it is like after actual experience.
Engineering
File explorers are great tools for programmers when they help code be understood. But what does it take to ship a file explorer, and what does it mean to help programmers by providing one?
Research
A package published an anomalous 11460 versions in 4 months, so Socket Security had to figure out whether it was something to be concerned about.
Product
Socket for GitHub requires a new GitHub permission. Here are the details.
Company News
Socket has successfully completed the SOC 2 Type I audit by meeting rigorous security and confidentiality standards.
Company News
Socket is joining the Open Source Security Foundation (OpenSSF), the cross-industry organization working on the most important open source security initiatives.
Product
We're excited to preview a brand new way to use Socket, a CLI tool! This will be especially useful to those of you not using GitHub or those who want more control over how you interact with Socket.
Product
Socket for GitHub has added the option to customize which issue alerts your pull request receives.
Research
Circumventing Chinese censorship: Plethora of eBooks pervade these GitHub and npm repositories containing contents of banned websites like 'The Economist'
Product
We added 5 new issues to our GitHub pull request alerts.
Research
npm package ‘state-counter’ mimics StatCounter but instead pops open a very NSFW website.
Research
Yet another attack vector that allows malicious packages to pwn you.