
Research
/Security News
Toptal’s GitHub Organization Hijacked: 10 Malicious Packages Published
Threat actors hijacked Toptal’s GitHub org, publishing npm packages with malicious payloads that steal tokens and attempt to wipe victim systems.
Quickly evaluate the security and health of any open source package.
shaiduwkv
912.6
Removed from PyPI
Blocked by Socket
The code poses a significant security risk by sending sensitive system information to suspicious external domains. This behavior is consistent with data exfiltration attempts, and the use of unknown URLs suggests potential malicious intent.
Live on PyPI for 3 hours and 30 minutes before removal. Socket users were protected even while the package was live.
abu-news-api
1.0.0
Removed from npm
Blocked by Socket
The code appears to be collecting sensitive system and environment information and is designed to send this data to a remote server. This behavior is indicative of a data exfiltration attempt, which can be considered malicious depending on the context in which this script is used. However, due to incomplete and malformed request execution code, as presented, the script would not successfully send data as intended.
Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.
discord.js-hex
1.0.0
by xignoticdev
Removed from npm
Blocked by Socket
Given the obfuscation, use of critical node modules, and patterns consistent with malicious scripts such as dynamic execution of code, the script is likely intended to perform unauthorized actions on the system. This includes data manipulation, executing commands, or acting as a backdoor.
Live on npm for 1 day and 37 minutes before removal. Socket users were protected even while the package was live.
akita-poc
1.2.5
by pepolanza
Removed from npm
Blocked by Socket
The script sends the hostname of the machine to a remote server, which poses a significant security risk and indicates malicious behavior.
Live on npm for 1 minute before removal. Socket users were protected even while the package was live.
hydroscript
0.0.2-1.real
by hyperknf
Removed from npm
Blocked by Socket
The code potentially allows execution of arbitrary JavaScript code by manipulating the 'time' input to point to a malicious script. The lack of validation or sanitization of the input combined with the execution rights raises security concerns.
Live on npm for 5 days, 21 hours and 40 minutes before removal. Socket users were protected even while the package was live.
glup-debugger-log
0.0.2
by wzh0505
Removed from npm
Blocked by Socket
The code exhibits potentially malicious behavior with dynamic command execution and file operations that could lead to system compromise. Caution is advised when dealing with this code as it poses a high security risk.
Live on npm for 29 minutes before removal. Socket users were protected even while the package was live.
bfx-svc-integration
99.10.10
Removed from npm
Blocked by Socket
The code engages in potentially malicious behavior by collecting sensitive system information and sending it to a remote server without clear user consent. The hard-coded domain, data obfuscation, and lack of transparency raise significant privacy and security concerns. The risk score is high due to the invasive nature of the code.
Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.
minecraft-coins-free975
1.0.2
by sicrap
Removed from npm
Blocked by Socket
The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.
Live on npm for 57 minutes before removal. Socket users were protected even while the package was live.
vite-plugin-svg-paths
1.1.7
by sammd
Live on npm
Blocked by Socket
The code contains a severe security vulnerability due to the use of eval() on remotely fetched data, enabling remote code execution. This represents a critical supply chain security risk. The unknown domain contacted and suspicious headers increase suspicion. The code should not be used in production or trusted environments without significant revision. Malware risk is high due to arbitrary code execution potential.
lotus-symphony-dle682
1.0.0
by afifaljafari112
Removed from npm
Blocked by Socket
The code contains unusual naming conventions and method calls that do not align with standard practices. Without the actual content of the imported modules, it's challenging to determine the exact behavior or intent of the code. The naming and structure raise suspicion but do not definitively indicate malicious intent. There is no evidence of data leakage or clear security risks within the provided code itself. However, the lack of clarity and unusual patterns suggest that a more in-depth review of the imported modules is necessary to rule out potential threats.
Live on npm for 57 days and 54 minutes before removal. Socket users were protected even while the package was live.
ac-base
0.26.999
Removed from npm
Blocked by Socket
The code exhibits malicious behavior by collecting and exfiltrating system information using DNS queries. The heavy obfuscation further suggests an intent to hide these actions. This poses a significant security risk.
Live on npm for 59 minutes before removal. Socket users were protected even while the package was live.
relativity123rf
5.98.99
by nevadatan46
Removed from npm
Blocked by Socket
The code is malicious. It collects sensitive system information (hostname, current user, current working directory, and directory listing) without consent, encodes this information in base64 to obfuscate it, and sends it to an external server. This behavior is characteristic of a malware payload designed for data exfiltration.
Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.
pwn
0.5.316
by 0day Inc.
Live on Rubygems
Blocked by Socket
The script 'packer/provisioners/post_install.sh' exhibits malicious behavior by performing several harmful actions: - **Deletes user and root history files**: Uses secure deletion methods to remove history files, potentially to conceal malicious activities. - **Clears system log files**: Erases log files from '/var/log', hindering the ability to audit and investigate system actions. - **Disables the root account**: Locks the root account password without ensuring alternative secure administrative access, possibly preventing legitimate administrative operations. - **Sets a weak default password ('changeme') for the 'admin' user**: Introduces a significant security risk by using an easily guessable password, facilitating unauthorized access. These actions can be exploited by an attacker to gain unauthorized access, disrupt legitimate operations, and prevent system recovery. The combination of log and history deletion, disabling of root access, and setting weak credentials indicates malicious intent to compromise system security and conceal nefarious activities.
01node_worm
1.0.0
by coder_jqy
Removed from npm
Blocked by Socket
The code is designed to fetch and process JSONP data from a remote API. It contains a serious security flaw by using eval() on untrusted network data, which can lead to remote code execution vulnerabilities. There is no direct evidence of malware or obfuscation, but the security risk is high due to unsafe eval usage. The reports provided are invalid and uninformative. It is recommended to avoid eval and use safer JSONP parsing or standard JSON parsing methods. Hardcoded cookies and headers should be handled carefully to avoid leaking sensitive information.
Live on npm for 4 hours and 26 minutes before removal. Socket users were protected even while the package was live.
mre-config-react
2.0.8
by higoarm
Removed from npm
Blocked by Socket
The code snippet transmits the local machine's hostname to an external, suspicious ngrok.io domain without user consent, silently ignoring errors and response. This constitutes a privacy violation and potential data exfiltration, which is suspicious and may be malicious depending on context. There is no obfuscation or complex code, but the use of a dynamic external endpoint and silent error handling increases the security risk. Overall, this code should be treated as potentially malicious or at least privacy-invasive.
Live on npm for 1 hour and 38 minutes before removal. Socket users were protected even while the package was live.
imad213
1.1.1
Removed from PyPI
Blocked by Socket
This Python-based credential harvester masquerades as an Instagram growth tool while implementing multiple layers of deception. The malware uses base64 encoding to conceal its code and checks a remote Netlify-hosted file for authorization before executing. Upon running, it prompts users for Instagram credentials under the pretense of providing follower growth services, stores these credentials in plaintext locally, and then broadcasts the username and password to ten different Turkish bot service websites. Each of these third-party services receives full access to the victim's Instagram account, enabling them to read private messages, post content, harvest follower data, or sell the credentials on underground markets. The tool violates Instagram's Terms of Service through automated bot activity while simultaneously compromising account security, potentially resulting in account suspension, identity theft, or complete account takeover.
Live on PyPI for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.
textvqa
99.10.9
by ujj6dg4z
Removed from npm
Blocked by Socket
The code is designed to collect and send sensitive information to a remote server without the user's knowledge or consent. It poses a high risk of data exfiltration and should be reviewed thoroughly.
Live on npm for 2 hours and 52 minutes before removal. Socket users were protected even while the package was live.
jupphelp
0.1.0
Removed from PyPI
Blocked by Socket
The code poses a significant security risk by downloading and executing a file from an external source without verification. This could lead to arbitrary code execution if the URL is compromised. The use of silent exception handling further obscures potential errors.
Live on PyPI for 5 minutes before removal. Socket users were protected even while the package was live.
@openapi-platform/git-util
9.9.10
by nodeeee123
Live on npm
Blocked by Socket
The source code exhibits highly suspicious and malicious behavior by exfiltrating sensitive system and package information to an untrusted external server without user consent. This represents a serious security risk and privacy violation. The code is not obfuscated but is clearly designed to steal data stealthily. It should be considered malicious and avoided.
@chegg/wtai-upload-widget
9.999.2
by frankoiuuu
Live on npm
Blocked by Socket
The code is designed to exfiltrate system information to an external server, which is a clear security risk and potentially malicious behavior.
posctss-value-parser
4.2.0
by nsrvmzuq
Removed from npm
Blocked by Socket
The code is dangerous and should not be used. The file downloaded from the external source should be verified and validated before being executed, and errors and exceptions should be handled properly.
Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.
airbnb-dev
6.8.0
by jpdtest1
Removed from npm
Blocked by Socket
The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.
Live on npm for 23 hours and 28 minutes before removal. Socket users were protected even while the package was live.
qumra-ui
0.0.75
by abdalstar
Live on npm
Blocked by Socket
The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as malware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.
bender-event-definition-loader
8.989.1
by hbsp0t
Removed from npm
Blocked by Socket
The source code contains a serious security issue where environment variables are sent to a remote server without user consent. This is a clear indication of data exfiltration and poses a high security risk.
Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.
azure-graphrbac
13.26.1000
Removed from npm
Blocked by Socket
Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package
Live on npm for 3 hours and 1 minute before removal. Socket users were protected even while the package was live.
shaiduwkv
912.6
Removed from PyPI
Blocked by Socket
The code poses a significant security risk by sending sensitive system information to suspicious external domains. This behavior is consistent with data exfiltration attempts, and the use of unknown URLs suggests potential malicious intent.
Live on PyPI for 3 hours and 30 minutes before removal. Socket users were protected even while the package was live.
abu-news-api
1.0.0
Removed from npm
Blocked by Socket
The code appears to be collecting sensitive system and environment information and is designed to send this data to a remote server. This behavior is indicative of a data exfiltration attempt, which can be considered malicious depending on the context in which this script is used. However, due to incomplete and malformed request execution code, as presented, the script would not successfully send data as intended.
Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.
discord.js-hex
1.0.0
by xignoticdev
Removed from npm
Blocked by Socket
Given the obfuscation, use of critical node modules, and patterns consistent with malicious scripts such as dynamic execution of code, the script is likely intended to perform unauthorized actions on the system. This includes data manipulation, executing commands, or acting as a backdoor.
Live on npm for 1 day and 37 minutes before removal. Socket users were protected even while the package was live.
akita-poc
1.2.5
by pepolanza
Removed from npm
Blocked by Socket
The script sends the hostname of the machine to a remote server, which poses a significant security risk and indicates malicious behavior.
Live on npm for 1 minute before removal. Socket users were protected even while the package was live.
hydroscript
0.0.2-1.real
by hyperknf
Removed from npm
Blocked by Socket
The code potentially allows execution of arbitrary JavaScript code by manipulating the 'time' input to point to a malicious script. The lack of validation or sanitization of the input combined with the execution rights raises security concerns.
Live on npm for 5 days, 21 hours and 40 minutes before removal. Socket users were protected even while the package was live.
glup-debugger-log
0.0.2
by wzh0505
Removed from npm
Blocked by Socket
The code exhibits potentially malicious behavior with dynamic command execution and file operations that could lead to system compromise. Caution is advised when dealing with this code as it poses a high security risk.
Live on npm for 29 minutes before removal. Socket users were protected even while the package was live.
bfx-svc-integration
99.10.10
Removed from npm
Blocked by Socket
The code engages in potentially malicious behavior by collecting sensitive system information and sending it to a remote server without clear user consent. The hard-coded domain, data obfuscation, and lack of transparency raise significant privacy and security concerns. The risk score is high due to the invasive nature of the code.
Live on npm for 18 minutes before removal. Socket users were protected even while the package was live.
minecraft-coins-free975
1.0.2
by sicrap
Removed from npm
Blocked by Socket
The code exhibits potentially malicious behavior such as unauthorized login attempts and content publishing, as well as obfuscation and hard-coded credentials. The overall security risk is high due to the presence of these factors.
Live on npm for 57 minutes before removal. Socket users were protected even while the package was live.
vite-plugin-svg-paths
1.1.7
by sammd
Live on npm
Blocked by Socket
The code contains a severe security vulnerability due to the use of eval() on remotely fetched data, enabling remote code execution. This represents a critical supply chain security risk. The unknown domain contacted and suspicious headers increase suspicion. The code should not be used in production or trusted environments without significant revision. Malware risk is high due to arbitrary code execution potential.
lotus-symphony-dle682
1.0.0
by afifaljafari112
Removed from npm
Blocked by Socket
The code contains unusual naming conventions and method calls that do not align with standard practices. Without the actual content of the imported modules, it's challenging to determine the exact behavior or intent of the code. The naming and structure raise suspicion but do not definitively indicate malicious intent. There is no evidence of data leakage or clear security risks within the provided code itself. However, the lack of clarity and unusual patterns suggest that a more in-depth review of the imported modules is necessary to rule out potential threats.
Live on npm for 57 days and 54 minutes before removal. Socket users were protected even while the package was live.
ac-base
0.26.999
Removed from npm
Blocked by Socket
The code exhibits malicious behavior by collecting and exfiltrating system information using DNS queries. The heavy obfuscation further suggests an intent to hide these actions. This poses a significant security risk.
Live on npm for 59 minutes before removal. Socket users were protected even while the package was live.
relativity123rf
5.98.99
by nevadatan46
Removed from npm
Blocked by Socket
The code is malicious. It collects sensitive system information (hostname, current user, current working directory, and directory listing) without consent, encodes this information in base64 to obfuscate it, and sends it to an external server. This behavior is characteristic of a malware payload designed for data exfiltration.
Live on npm for 26 minutes before removal. Socket users were protected even while the package was live.
pwn
0.5.316
by 0day Inc.
Live on Rubygems
Blocked by Socket
The script 'packer/provisioners/post_install.sh' exhibits malicious behavior by performing several harmful actions: - **Deletes user and root history files**: Uses secure deletion methods to remove history files, potentially to conceal malicious activities. - **Clears system log files**: Erases log files from '/var/log', hindering the ability to audit and investigate system actions. - **Disables the root account**: Locks the root account password without ensuring alternative secure administrative access, possibly preventing legitimate administrative operations. - **Sets a weak default password ('changeme') for the 'admin' user**: Introduces a significant security risk by using an easily guessable password, facilitating unauthorized access. These actions can be exploited by an attacker to gain unauthorized access, disrupt legitimate operations, and prevent system recovery. The combination of log and history deletion, disabling of root access, and setting weak credentials indicates malicious intent to compromise system security and conceal nefarious activities.
01node_worm
1.0.0
by coder_jqy
Removed from npm
Blocked by Socket
The code is designed to fetch and process JSONP data from a remote API. It contains a serious security flaw by using eval() on untrusted network data, which can lead to remote code execution vulnerabilities. There is no direct evidence of malware or obfuscation, but the security risk is high due to unsafe eval usage. The reports provided are invalid and uninformative. It is recommended to avoid eval and use safer JSONP parsing or standard JSON parsing methods. Hardcoded cookies and headers should be handled carefully to avoid leaking sensitive information.
Live on npm for 4 hours and 26 minutes before removal. Socket users were protected even while the package was live.
mre-config-react
2.0.8
by higoarm
Removed from npm
Blocked by Socket
The code snippet transmits the local machine's hostname to an external, suspicious ngrok.io domain without user consent, silently ignoring errors and response. This constitutes a privacy violation and potential data exfiltration, which is suspicious and may be malicious depending on context. There is no obfuscation or complex code, but the use of a dynamic external endpoint and silent error handling increases the security risk. Overall, this code should be treated as potentially malicious or at least privacy-invasive.
Live on npm for 1 hour and 38 minutes before removal. Socket users were protected even while the package was live.
imad213
1.1.1
Removed from PyPI
Blocked by Socket
This Python-based credential harvester masquerades as an Instagram growth tool while implementing multiple layers of deception. The malware uses base64 encoding to conceal its code and checks a remote Netlify-hosted file for authorization before executing. Upon running, it prompts users for Instagram credentials under the pretense of providing follower growth services, stores these credentials in plaintext locally, and then broadcasts the username and password to ten different Turkish bot service websites. Each of these third-party services receives full access to the victim's Instagram account, enabling them to read private messages, post content, harvest follower data, or sell the credentials on underground markets. The tool violates Instagram's Terms of Service through automated bot activity while simultaneously compromising account security, potentially resulting in account suspension, identity theft, or complete account takeover.
Live on PyPI for 1 hour and 4 minutes before removal. Socket users were protected even while the package was live.
textvqa
99.10.9
by ujj6dg4z
Removed from npm
Blocked by Socket
The code is designed to collect and send sensitive information to a remote server without the user's knowledge or consent. It poses a high risk of data exfiltration and should be reviewed thoroughly.
Live on npm for 2 hours and 52 minutes before removal. Socket users were protected even while the package was live.
jupphelp
0.1.0
Removed from PyPI
Blocked by Socket
The code poses a significant security risk by downloading and executing a file from an external source without verification. This could lead to arbitrary code execution if the URL is compromised. The use of silent exception handling further obscures potential errors.
Live on PyPI for 5 minutes before removal. Socket users were protected even while the package was live.
@openapi-platform/git-util
9.9.10
by nodeeee123
Live on npm
Blocked by Socket
The source code exhibits highly suspicious and malicious behavior by exfiltrating sensitive system and package information to an untrusted external server without user consent. This represents a serious security risk and privacy violation. The code is not obfuscated but is clearly designed to steal data stealthily. It should be considered malicious and avoided.
@chegg/wtai-upload-widget
9.999.2
by frankoiuuu
Live on npm
Blocked by Socket
The code is designed to exfiltrate system information to an external server, which is a clear security risk and potentially malicious behavior.
posctss-value-parser
4.2.0
by nsrvmzuq
Removed from npm
Blocked by Socket
The code is dangerous and should not be used. The file downloaded from the external source should be verified and validated before being executed, and errors and exceptions should be handled properly.
Live on npm for 6 minutes before removal. Socket users were protected even while the package was live.
airbnb-dev
6.8.0
by jpdtest1
Removed from npm
Blocked by Socket
The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.
Live on npm for 23 hours and 28 minutes before removal. Socket users were protected even while the package was live.
qumra-ui
0.0.75
by abdalstar
Live on npm
Blocked by Socket
The package contains a hidden payload that targets Russian language users visiting Russian and Belarusian sites. For those users, it will disable user interaction and play a looping audio of the Ukrainian anthem after 3 days. Therefore, it is marked as malware only because it freezes interactions for many users. This behavior is not disclosed in any documentation of the package and seriously disrupts user experience.
bender-event-definition-loader
8.989.1
by hbsp0t
Removed from npm
Blocked by Socket
The source code contains a serious security issue where environment variables are sent to a remote server without user consent. This is a clear indication of data exfiltration and poses a high security risk.
Live on npm for 8 minutes before removal. Socket users were protected even while the package was live.
azure-graphrbac
13.26.1000
Removed from npm
Blocked by Socket
Possible typosquat of [azure](https://socket.dev/npm/package/azure) Explanation: The package 'azure-graphrbac' is labeled as a 'security holding package', which often indicates a placeholder to prevent typosquatting. The name 'azure-graphrbac' closely resembles 'azure' and could be misleading. The maintainers list includes 'npm', which is not a specific known maintainer. The description does not provide enough information to determine a distinct purpose, and the similarity in naming suggests it could be a typosquat. azure-graphrbac is a security-holding package
Live on npm for 3 hours and 1 minute before removal. Socket users were protected even while the package was live.
Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.
Known malware
Possible typosquat attack
Chrome Extension Permission
Chrome Extension Wildcard Host Permission
NPM Shrinkwrap
Git dependency
HTTP dependency
Suspicious Stars on GitHub
Protestware or potentially unwanted behavior
Unstable ownership
Critical CVE
High CVE
Medium CVE
Low CVE
Bad dependency semver
Wildcard dependency
Unpopular package
Minified code
Socket optimized override available
Deprecated
Unmaintained
Explicitly Unlicensed Item
License Policy Violation
Misc. License Issues
Non-permissive License
Ambiguous License Classifier
Copyleft License
Unidentified License
No License Found
License exception
Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.
Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.
Nat Friedman
CEO at GitHub
Suz Hinton
Senior Software Engineer at Stripe
heck yes this is awesome!!! Congrats team 🎉👏
Matteo Collina
Node.js maintainer, Fastify lead maintainer
So awesome to see @SocketSecurity launch with a fresh approach! Excited to have supported the team from the early days.
DC Posch
Director of Technology at AppFolio, CTO at Dynasty
This is going to be super important, especially for crypto projects where a compromised dependency results in stolen user assets.
Luis Naranjo
Software Engineer at Microsoft
If software supply chain attacks through npm don't scare the shit out of you, you're not paying close enough attention.
@SocketSecurity sounds like an awesome product. I'll be using socket.dev instead of npmjs.org to browse npm packages going forward
Elena Nadolinski
Founder and CEO at Iron Fish
Huge congrats to @SocketSecurity! 🙌
Literally the only product that proactively detects signs of JS compromised packages.
Joe Previte
Engineering Team Lead at Coder
Congrats to @feross and the @SocketSecurity team on their seed funding! 🚀 It's been a big help for us at @CoderHQ and we appreciate what y'all are doing!
Josh Goldberg
Staff Developer at Codecademy
This is such a great idea & looks fantastic, congrats & good luck @feross + team!
The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.
Scott Roberts
CISO at UiPath
As a happy Socket customer, I've been impressed with how quickly they are adding value to the product, this move is a great step!
Yan Zhu
Head of Security at Brave, DEFCON, EFF, W3C
glad to hear some of the smartest people i know are working on (npm, etc.) supply chain security finally :). @SocketSecurity
Andrew Peterson
CEO and Co-Founder at Signal Sciences (acq. Fastly)
How do you track the validity of open source software libraries as they get updated? You're prob not. Check out @SocketSecurity and the updated tooling they launched.
Supply chain is a cluster in security as we all know and the tools from Socket are "duh" type tools to be implementing. Check them out and follow Feross Aboukhadijeh to see more updates coming from them in the future.
Zbyszek Tenerowicz
Senior Security Engineer at ConsenSys
socket.dev is getting more appealing by the hour
Devdatta Akhawe
Head of Security at Figma
The @SocketSecurity team is on fire! Amazing progress and I am exciting to see where they go next.
Sebastian Bensusan
Engineer Manager at Stripe
I find it surprising that we don't have _more_ supply chain attacks in software:
Imagine your airplane (the code running) was assembled (deployed) daily, with parts (dependencies) from internet strangers. How long until you get a bad part?
Excited for Socket to prevent this
Adam Baldwin
VP of Security at npm, Red Team at Auth0/Okta
Congrats to everyone at @SocketSecurity ❤️🤘🏻
Nico Waisman
CISO at Lyft
This is an area that I have personally been very focused on. As Nat Friedman said in the 2019 GitHub Universe keynote, Open Source won, and every time you add a new open source project you rely on someone else code and you rely on the people that build it.
This is both exciting and problematic. You are bringing real risk into your organization, and I'm excited to see progress in the industry from OpenSSF scorecards and package analyzers to the company that Feross Aboukhadijeh is building!
Depend on Socket to prevent malicious open source dependencies from infiltrating your app.
Install the Socket GitHub App in just 2 clicks and get protected today.
Block 70+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.
Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.
Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.
Dec 14, 2023
Hijacked cryptocurrency library adds malware
Widely-used library in cryptocurrency frontend was compromised to include wallet-draining code, following the hijacking of NPM account credentials via phishing.
Jan 06, 2022
Maintainer intentionally adds malware
Rogue maintainer sabotages his own open source package with 100M downloads/month, notably breaking Amazon's AWS SDK.
Nov 15, 2021
npm discovers a platform vulnerability allowing unauthorized publishing of any package
Attackers could publish new versions of any npm package without authorization for multiple years.
Oct 22, 2021
Hijacked package adds cryptominers and password-stealing malware
Multiple packages with 30M downloads/month are hijacked and publish malicious versions directly into the software supply chain.
Nov 26, 2018
Package hijacked adding organization specific backdoors
Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build.
Get our latest security research, open source insights, and product updates.
Research
/Security News
Threat actors hijacked Toptal’s GitHub org, publishing npm packages with malicious payloads that steal tokens and attempt to wipe victim systems.
Research
/Security News
Socket researchers investigate 4 malicious npm and PyPI packages with 56,000+ downloads that install surveillance malware.
Security News
The ongoing npm phishing campaign escalates as attackers hijack the popular 'is' package, embedding malware in multiple versions.