🚀 Huge news! @SocketSecurity has raised $20M Series A funding led by Andreessen Horowitz (@a16z).
⭐️ This funding fuels our mission to make open source safer for everyone!
🚀🚀🚀 We're also announcing 4 new products this week as part of Socket Launch Week! ✨
🧵 1/10
@kentcdodds Consider using @SocketSecurity to catch these types of issues.
Specifically, you can install "safe npm" to warn you before you make typos like this:
Redis is no longer #OSS, breaking its explicit commitment to remain under the BSD 3-Clause License forever. This has angered contributors who are now working to fork the software.
We saw some interest in path aliases from a few community tools and things lately on social media so we made a little blog post to explain how they can be done in a less tool specific manner for JS/TS! Hope this helps those who are looking to learn.
Big news: The @deno_land team announced @jsr_io, the new package registry, is now in public beta: "With the emergence of Deno, Bun, and other new #JavaScript environments, a Node-centric package registry no longer makes sense for the entire JS ecosystem."
If you haven't been following, there's a new JavaScript package registry in town. JSR, created by the @deno_land team, is still in the early stages. Here are some initial impressions and reactions from developers across the #JavaScript ecosystem:
✨ HUGE NEWS! ✨
🤖 Introducing Socket AI – ChatGPT-Powered Threat Analysis
@SocketSecurity is using ChatGPT to examine every npm and PyPI package for security issues!
🤯 In just 2 days, we confirmed 227 vulnerable and malware packages, all discovered with the help of ChatGPT
👋 Hello everyone! We're the company behind Wormhole (@Wormhole_App) at !
Follow us here to be the first to hear about our newest product – launching soon! ✨
We're thrilled to share that Socket has joined the Open Source Security Foundation (@theopenssf)
But why did we join? tldr:
💪 Open source has won.
🔒 But security has often been an afterthought
Thread 🧵⬇️
We started Socket with a simple but audacious goal: to safeguard the open source ecosystem for everyone.
Today, that dream is a bit brighter—literally! Our logo is lighting up Times Square!
A heartfelt thanks to our passionate team, our brave customers, and everyone who has
Today, we are excited to introduce dependency visualization for reports - get a quick impression of the state of your dependencies without getting lost in the details.
Today we're excited to announce the 1.0 release of @SocketSecurity for GitHub – we're finally out of beta! 🎉
We're shipping a big update to Socket for GitHub to help developers protect their apps from software supply chain attacks. 💪
Thread 🧵⬇️
Another week, another npm supply chain attack 😢
If you haven't read our post "What's Really Going On Inside Your node_modules Folder?", don't miss it.
It's a must read.
Socket CLI v0.9.0 Now Available!
We updated the socket info command so you can get useful information about an npm package, right in the terminal:
📦 View package scores
🚨 View package issues
🔎 Use dist tags
Read more:
Socket is proud to announce that we’ve received a clean SOC 2 Type 1 attestation report.
Read this thread to learn:
⭐️ How does Socket put security first?
⭐️ What is a SOC 2 audit?
⭐️ Why does SOC 2 compliance matter?
🧵 See thread ⬇️⬇️⬇️
@mikemaccana ✅ Socket analyzes the *behavior* of a package to catch install scripts, obfuscated code, privileged APIs such as shell, network, filesystem, and environment variables.
❌ Snyk compares your dependency list to a list of known vulnerabilities and tells you if there's a match.
1. 🚨 Alert! The 'Skeleton Squad' is now targeting NPM! Our research team at Socket has discovered a new threat to the JavaScript ecosystem, and specifically, the npm package manager. 😱
📦 Some interesting discussions are happening around @openjsf's new effort to iterate on the informal standardization of package.json and improve the interoperability of #JavaScript package metadata for application developers:
🚨 A Socket investigation has uncovered an npm package for a React components library that exfiltrates sensitive developer information, including your operating system username, Git username, and Git email. #reactjs #extjs
We're honored that @GitHub interviewed @feross (founder and CEO of Socket) to discuss how he got started in open source, what he learned along the way, and why the software supply chain needs protecting with .
Every time @feross sees something missing from open source, he tries to build it, contributing “lego blocks” for others to use and create whatever they can dream up.
🎉 Introducing Socket Security Bot Commands! 🎉
👍 Ignore Socket PR alerts that you deem acceptable
🙋♀️ Quit bugging your org admins. By ignoring issues, you can make your branch protections pass.
👀 See more in our blogpost and give it a try!
LDAPjs, an LDAP client and server API for Node.js, was decommissioned after its maintainer received an abusive email from a user, raising concerns about this form of abuse as a potential attack vector. #nodejs #JavaScript #opensource
GitHub detected 1 million+ leaked secrets in the first 8 weeks of 2024. Push protection is now on by default for all user accounts. This is a major step towards reducing the overall number of leaked secrets available to threat actors. @github
Users of Socket are protected from attacks like the recent npm "logic flaw" (see below)
Socket analyzes the ✨ package content ✨ of every npm package in your app to detect typosquat attacks and risky packages.
Try it in 2 minutes:
A "logical flaw" has been disclosed in the #NPM package manager that allowed attackers to pass off malicious libraries as legitimate by adding notable developers as contributors without their knowledge, tricking unsuspecting devs into installing them.
Add the Socket wrapper to "npm" and "npx" and protect your machine from insecure + low quality packages!
✅ Warns you before running install scripts
✅ Warns you when you typo a package name
✅ Takes just 30 seconds to set up!
🚀 Get it here:
We are excited to share some feedback updates about `socket npm`: what we are seeing it being used for, what issues people are having, and what features they want in the future!
Security tooling should be simple and provide ways to help before investing time into big code commitments. The new VS Code editor extension allows our first step into expanding when Socket can help in your dev workflow.
🚀 Since launching, Socket AI has scanned hundreds of thousands of packages, uncovering tens of thousands of new vulnerabilities, anomalies, and malware instances. After a year of refining our system and processes, we're excited to update the default AI settings.
“Anyone who suggests this was any kind of success is a fool. No system caught this, it was luck and individual heroics. That's not acceptable when unauthorized access to ~every server on the internet is on the table.” - @damienmiller
People are looking at different package managers, which means different versions (and potentially different security) can get installed, in addition to different performance! We made a GH action to expose these perf and version differences!
📃 Check out the latest extensive resource from @bradleymeck on our blog exploring the nuances and best practices of using JSON. Take a deep dive into advanced concepts, standards, and practical insights to elevate your JSON game:
OSI is starting a conversation aimed at removing the excuse of the "SaaS loophole" for companies navigating licensing and the complexities of doing business with open source. @OpenSourceOrg
We have been using GPT3 in production for a few months now! Here is a brief writeup of the experience we are seeing using it. Amazing stuff; hopefully we will start seeing more ways it can help in the future.
1/5 🚨 Security Update: Did you know your #npm packages could be under threat from a security risk called "manifest confusion"? Huge shoutout to @darcy for bringing this critical issue into the spotlight! #Cybersecurity
🚀 We’re pleased to introduce our new Audit Log feature today, which allows administrators to track important account changes:
🔍 Get comprehensive details and context on events
⏱️ Save time in debugging
📤 Easily export records in CSV and JSON formats
🚨 In a massive international operation, authorities have dismantled LockBit, the world's largest ransomware gang. Security researchers claim authorities compromised #LockBit through an unpatched #PHP vulnerability. Details on this historic takedown:
Watching all the data you get in a full security report can be overwhelming or time consuming. We are pushing forward on a more usable experience for this with Project Health Reports!
🚨 Alert to #Roblox developers: The Socket research team took a deep dive into a malicious npm package we flagged, which is masquerading as Noblox.js. It targets Roblox users for data theft. Read our full analysis on the blog:
☃️ It’s snowing on our website! As you enjoy the festive season, we’re here to keep your packages safe and sound. Happy holidays from our team to yours! (P.S. There’s a grinch mode: Go to your Profile Settings to turn it off.) ❄️❄️❄️
What does a software supply chain attack look like? Check out @feross' talk at @NodeCongress on the Dark Side of Open Source. If you enjoy digging into examples of malicious code, this is a fun video!
@mikemaccana Supply chain attacks and vulnerabilities are very different, and they need very different solutions.
Socket is built with a very different assumption: What if we assume all open source packages may be malicious and work backwards from there?
Have you ever had some odd issues with RegExp in JS due to strings being split up into pieces? We are looking into how to make RegExp work better with one of JS' biggest design patterns, streaming/chunked data!
🚨 From the Socket Research Team: We detected a malicious Python package using the open source Blank Grabber malware to steal data from applications like Discord and Telegram
Today on the blog: A short history of protestware - from punch cards to package managers - we'll explore the intriguing and controversial phenomenon of digital activism and the risks to open source supply chains.
Looks like we’re off to an interesting start in 2024! Today’s hijinks: a troll campaign that comes in the form of an npm package named ‘everything.’ It creates millions of transitive dependencies, exhausting storage space and resources:
5/5 The discovery by @darcy underscores the importance of accurate dev & security tools. Read @darcy's post for more about the massive bug at the heart of the npm ecosystem:
2/5 The issue stems from an npm package's manifest being published separately from its tarball, with no full validation between the two. This can allow bad actors to sneak in hidden malware & scripts! 😱
Read more here:
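The mechanism in 2/5 is easy to check for yourself: the registry serves one manifest, the tarball carries another package.json, and the two can disagree. The following is an added example (not Socket's code, and not the detection Socket ships): it compares the two documents and flags the differences an attacker would exploit, such as a dependency or a lifecycle script that exists only in the tarball. The function names, the package name `example-widget`, the hidden dependency `example-hidden-dep`, and both sample manifests are constructed for the demonstration; in practice the registry manifest would come from the registry's package-version endpoint and the tarball package.json from extracting the published tarball, neither of which this offline example does.

```javascript
// Added example: detect "manifest confusion" by diffing the registry manifest
// for a version against the package.json found inside the published tarball.
// All inputs below are constructed sample objects, not real packages.

const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];
const DEP_FIELDS = ["dependencies", "optionalDependencies", "peerDependencies"];

// Compare one dependency map. A dependency present only in the tarball is the
// dangerous direction: tools reading the registry manifest never see it, yet
// npm will install it from the tarball's package.json.
function diffDeps(registryDeps = {}, tarballDeps = {}, field) {
  const findings = [];
  for (const [name, range] of Object.entries(tarballDeps)) {
    if (!(name in registryDeps)) {
      findings.push({ severity: "high", field, message: `${field}: "${name}" is in the tarball but absent from the registry manifest` });
    } else if (registryDeps[name] !== range) {
      findings.push({ severity: "medium", field, message: `${field}: "${name}" range differs (registry ${registryDeps[name]}, tarball ${range})` });
    }
  }
  for (const name of Object.keys(registryDeps)) {
    if (!(name in tarballDeps)) {
      findings.push({ severity: "low", field, message: `${field}: "${name}" is in the registry manifest but not in the tarball` });
    }
  }
  return findings;
}

// Returns a list of findings; an empty list means the two documents agree on
// everything an installer acts upon.
function compareManifestToTarball(registryManifest, tarballPkg) {
  const findings = [];
  for (const field of ["name", "version"]) {
    if (registryManifest[field] !== tarballPkg[field]) {
      findings.push({ severity: "high", field, message: `${field} mismatch (registry ${registryManifest[field]}, tarball ${tarballPkg[field]})` });
    }
  }
  for (const field of DEP_FIELDS) {
    findings.push(...diffDeps(registryManifest[field], tarballPkg[field], field));
  }
  // Lifecycle scripts run on install; one that the registry manifest does not
  // advertise is exactly the "hidden script" case from the thread.
  const regScripts = registryManifest.scripts || {};
  const tarScripts = tarballPkg.scripts || {};
  for (const hook of LIFECYCLE_SCRIPTS) {
    if (tarScripts[hook] && tarScripts[hook] !== regScripts[hook]) {
      findings.push({ severity: "high", field: `scripts.${hook}`, message: `scripts.${hook} in tarball ("${tarScripts[hook]}") is not what the registry manifest shows ("${regScripts[hook] || "none"}")` });
    }
  }
  return findings;
}

function isSuspicious(findings) {
  return findings.some((f) => f.severity === "high");
}

// Constructed sample: the registry manifest looks clean...
const registryManifest = {
  name: "example-widget",
  version: "1.2.3",
  dependencies: { lodash: "^4.17.21" },
  scripts: { test: "node test.js" },
};

// ...but the tarball's package.json adds a dependency and a postinstall hook.
const tarballPkg = {
  name: "example-widget",
  version: "1.2.3",
  dependencies: { lodash: "^4.17.21", "example-hidden-dep": "1.0.0" },
  scripts: { test: "node test.js", postinstall: "node ./setup.js" },
};

const findings = compareManifestToTarball(registryManifest, tarballPkg);
for (const f of findings) console.log(`[${f.severity}] ${f.message}`);
console.log(isSuspicious(findings) ? "SUSPICIOUS: manifest and tarball disagree" : "OK: manifest matches tarball");
```

Only the tarball is authoritative for what `npm install` actually does, so any tool (SBOM generators, vulnerability scanners, policy gates) that trusts the registry manifest alone should be re-pointed at the tarball's package.json or cross-checked as above.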
🚀 Big Update from Socket today!
Introducing our new Organization Alerts, a highly requested feature that offers a comprehensive view of all risks across your organization’s repositories – even if you have hundreds of thousands of dependencies across thousands of repositories!
Socket CEO @feross was interviewed by the @daytonaio team on the challenges developers face when selecting open source packages for their projects and how Socket is working to create a more secure ecosystem. Check out the interview here:
Open-source security is paramount. The CEO of @SocketSecurity, @feross, shares with Daytona insights on the proactive approach Socket takes to help developers and security teams navigate the complexities of open-source software. Check it out in the comments! #OpenSource #Security
What are supply chain attacks? ☠️⛓️
Why is it crucial to know and understand them when it comes to building software?
I'll explain it to you in simple terms 🧵
The #Node community is wrestling with the decision to enable Corepack by default, which has sparked a debate about the potential of removing npm from the Node.js binary. Here's an overview of the diverse opinions on this contentious matter: #nodejs
The seemingly innocuous events surrounding the XZ-utils attack - complaints about bugs, contributor offers, maintainer changes - regular open source stuff - were precisely what made it so difficult to detect.
The Socket team is in Las Vegas for @AWSreInvent ✨
Send us a DM if you want to chat about open source, software supply chain, or see a demo of @SocketSecurity!
We’re proud to share that we have successfully renewed our SOC 2 Type 2 unqualified opinion attestation for the next 12 months. This audit report is a third-party industry validation that Socket provides enterprise-level security for our customers’ data.
Socket CEO @feross was interviewed by @basarat for his @NodeCongress Speaker Showcase series. Check out this fun conversation about #NodeJS and the challenges of securing open source dependencies.
At Socket, we're committed to fighting vulnerabilities & protecting your supply chain. Install us from the GitHub Marketplace today and get protected from #ManifestConfusion.
Install it here in 2 clicks!
🚨 The Socket Research team has uncovered a malicious npm package targeting #Ethereum developers using #Hardhat tools in their development environments:
In case you missed it last week, we formalized our program to support open source projects. Get in touch with your GitHub organization name and we will upgrade you to our Team plan for free: #opensource #oss
Looks like LockBit's back in business, resurfacing with an attack on a pharmaceutical company, a $4M ransom demand, and a recommendation for a hairstylist in Colorado:
4/5 We've upped our game with a new proactive detection against this technique. If any of your dependencies try this trick, Socket will alert you immediately. Just enable "Manifest Confusion" detection in your dashboard settings. 🚨🔒
@mikemaccana Snyk, and most of the security industry, are obsessed with scanning for "known vulnerabilities", an approach which is too reactive to stop a supply chain attack.
Vulnerabilities can take weeks or months to be discovered.
Lack of funding for open source projects and contributors can lead to burnout. It's a challenging problem the ecosystem is still working to figure out:
@feross amazing eye-opener presentation of the inner workings of node_modules and the risks involved at @NodeCongress, most interesting session this year #NodeCongress
Don’t miss this conversation between Socket founder @feross and @bdougieYO where they discuss:
- Feross’s open source journey
- The inside story of the npm funding experiment
- Why Feross started Socket to improve OSS security
- Many stories of interesting attacks in the wild!
📦 This update also significantly improves support for PyPI and Golang, speeds up scan times, and includes a new syntax for specifying package ignores. Check out everything that's new:
Researchers claim to have created a GPT-4 agent that can autonomously exploit web vulnerabilities in real-world systems with an 87% success rate. We're not too far away from seeing fully autonomous exploits.
As maintainers of open source packages which are installed over 1 billion times per month, the Socket team is intimately familiar with the massive growth in open source usage.
On a recent episode of the @DevtoolsFM podcast, @feross explained how Socket uses LLMs to analyze packages and detect supply chain security risks. Check out the full episode this weekend:
Join us in supporting online privacy, free speech, and digital access. @EFF has fought for tech users for over 30 years, and it's more important now than ever before.
Valkey, one of the newest open source Redis forks, gains momentum with Linux Foundation backing and support from industry giants like Amazon, Google Cloud, and Oracle. @reconditerose @linuxfoundation @awscloud
Pleased to announce our latest sponsor, @SocketSecurity!
It's been inspiring to follow their new approach to mitigating the very real JS supply chain risks with the platform.
Thank you for supporting JSPM, another step towards sustainability...!
Socket flags a near constant stream of malicious code uploaded to public package registries targeting Discord. On the blog today our research team breaks down a few of these trends:
2. The culprit? A seemingly harmless NPM package called 'pyautodllxd'. It doesn't impersonate any popular package, but a closer look at the postinstall command reveals a hidden trove of suspicious code. 🕵️♂️
🚨 An investigation into npm registry spam: Socket researchers deconstruct a Python script automating a massive campaign that published 5,000+ spam packages to npm.
Read more about how this trend in spam campaigns is impacting the open source ecosystem:
CISA launched a new project called Vulnrichment to enrich CVEs with details that help prioritize patching and mitigation efforts. Meanwhile, the NVD backlog has surpassed 10,000. Conflicting CPE strings pose challenges for implementation. #security