
Socket Outbound Malware Disclosure Policy

Updated 28 August, 2025

Socket may occasionally find malware in third-party code and systems, including open source software. Malware discoveries can be volatile, and each discovery is unique. Socket's policy is to handle each new malware discovery as Socket sees fit under the circumstances, and to adapt as needed to any new developments in an ongoing discovery or investigation.

Socket makes every effort to report confirmed malware discoveries to the appropriate open source package registries (such as npm, PyPI, and others) in order to provide actionable intelligence that strengthens the security of the open source ecosystem. Our goal is to ensure that registry operators and other relevant stakeholders have the information they need to protect developers and users as quickly as possible.

There may be cases in which Socket determines that reaching out to an appropriate third party prior to public disclosure, such as an owner, author, distributor, or maintainer of the third-party code or related systems, is helpful. Malware discoveries may involve time-sensitive matters; Socket is more likely to reach out to appropriate third parties who have previously been responsive and open to cooperative problem solving.
