Socket is proud to introduce an exciting new tool—“safe npm”—that protects developers whenever they use npm install.

Redis is no longer OSS, breaking its explicit commitment to remain under the BSD 3-Clause License forever. This has angered contributors who are now w...

package.json contains a local aliasing mechanism for import paths called "imports" it satisfies many use cases without tooling specific solutions like...

JSR, the new JavaScript registry, is now in public beta, designed for TypeScript and ESM.

JSR, a new package registry from the Deno team, aims to address npm’s limitations but the JavaScript community is concerned about ecosystem fragmentat...

The Node.js Technical Steering Committee has confirmed that removing npm from the Node.js distribution is not a project goal, amidst continued discuss...

Socket is joining the Open Source Security Foundation (OpenSSF), the cross-industry organization working on the most important open source security in...

XZ utils, a package for data compression software used in nearly every Linux distribution, was found to be backdoored and may allow unauthorized acces...

Examples of recent supply chain attacks and concrete steps you can take to protect your team from this emerging threat.

Socket explains the newly released npm provenance provided by GitHub.

From unprecedented expansion to security challenges: A comprehensive look at npm's dynamic year 2024.

Socket has successfully completed the SOC 2 Type I audit by meeting rigorous security and confidentiality standards.

The OpenJS Foundation has launched a new effort to iterate on the informal standardization of package.json and improve the interoperability of JavaScr...

Top-500 npm package maintainers now require 2FA

The Socket Research team found this npm package includes code for collecting sensitive developer information, including your operating system username...

Examples of recent supply chain attacks and concrete steps you can take to protect your team from this emerging threat.

Dismiss Socket pull request alerts using bot commands.

A German court's controversial ruling fined a security researcher for exposing a company's data vulnerabilities, sparking intense debate over the futu...

LDAPjs, an LDAP Client and Server API for Node.js, was decommissioned after its maintainer received an abusive email from a user, raising concerns abo...

GitHub has enabled push protection by default for all user accounts. This feature prevents accidental leaks of API keys, tokens, and other secrets, a ...

We share some feedback and directions on Socket's npm wrapper.

Introducing a VS Code editor integration for Socket Security.

I'm laser-focused on growing Socket right now. Socket helps developers and security teams to ship faster and spend less time on security busywork.

ENISA has identified software supply chain attacks as the top cybersecurity threat for the next five years, just prior to the accidental discovery of ...

Socket discusses the results of using different package managers to install your packages and introduces a GitHub action to expose those differences.

Socket for GitHub has added the option to customize which issue alerts your pull request receives.

JSON is a simple technology but has a lot of underlying topics to think about. This guide can help uncover those topics.

OSI is starting a conversation aimed at removing the excuse of the SaaS loophole for companies navigating licensing and the complexities of doing busi...

We have been using GPT at Socket to help triage the npm package firehose for a couple months now. Here is what it is like after actual experience.

Socket's new Audit Log feature allows administrators to monitor important account changes and the history of all events in Socket.

International law enforcement organizations have disrupted LockBit, the world’s largest ransomeware gang, seized their operations and infrastructure, ...

Socket introduces an overall project health report for viewing relevant data to entire projects at a glance.

A malicious npm package is targeting Roblox's massive user base to steal sensitive data, with potential impacts for both players and developers on the...

Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for JavaScript, Python, and Go dependencies.

At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party depen...

Proposing a more usable RegExp for JS in light of async I/O and streaming.

Socket's research team detected and analyzed a new Python package that distributes Blank Grabber malware for stealing data from applications like Disc...

The ALPHV/Blackcat ransomware group has responded to the FBI's disruption of their operations with increased hostility, following the release of a dec...

This short history of protestware - from punch cards to package managers - explores the intriguing and controversial phenomenon of digital activism an...

An NPM user named PatrickJS launched a troll campaign with a package called "everything," which depends on all public npm packages.

An article detailing the massive bug at the heart of the npm ecosystem; encompassing a lack of validation by the public registry, package manifest inconsistancies & assumptions about package managers...

Socket has been protecting organizations from "manifest confusion" attacks for 9 months before it was publicly disclosed.

255 Posts, 25 Following, 115 Followers · Secure your JavaScript supply chain. Depend on Socket to protect your app from malicious dependencies lurking in your open source supply chain.

The Node community is wrestling with the decision to enable Corepack by default, which has sparked a debate about the potential of removing npm from t...

The Socket blog now offers both full content Atom and JSON feeds which let you subscribe to all future Socket blog posts.

Socket CEO Feross Aboukhadijeh was recently interviewed on Basarat Ali Syed’s YouTube channel ahead of this year's Node Congress event. They discussed...

GitHub is where people build software. More than 100 million people use GitHub to discover, fork, and contribute to over 420 million projects.

GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.

The "hardhat-gas-optimizer" npm package was found to exfiltrate sensitive data to Pastebin, targeting Ethereum developers using Hardhat tools in their...

In an effort to give back to the software creators whose contributions benefit the global developer community, open source projects can now get a free...

LockBit, defying law enforcement takedowns, launches a new attack on Crinetics Pharmaceuticals, with the group's leader declaring a commitment to cont...

Node Congress 2022 #NodeCongress #Node #GitNationWebsite – https://nodecongress.com/Follow the link to watch the full version of all the conference talks, Qn...

The latest update of Socket for GitHub features a new web-based diff report viewer, enhanced support for PyPI and Golang, faster scan times, and a new...

As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabil...

Donate to the Electronic Frontier Foundation and support the mission to defend civil liberties and human rights online. You can help EFF’s attorneys, activists, and technologists protect privacy,...

Valkey, a high-performance key-value store and open source Redis fork, gains momentum with Linux Foundation backing and support from industry giants l...

The Socket research team breaks down a sampling of malicious packages that download and execute files, among other suspicious behaviors, targeting the...

Digging into the Skeleton Squad's recent expansion from PyPI to the npm ecosystem.

A recently uncovered Python script highlights a spam campaign tactic where malicious actors automate the publishing of spam packages to the npm packag...

CISA launched a new project called Vulnrichment to enrich CVEs with details that help prioritize patching and mitigation efforts, as the NVD backlog o...