44 Articles
Last updated: July 31, 05:01
Announcing Precomputed Reachability Analysis in Socket

Socket’s precomputed reachability slashes false positives by flagging up to 80% of vulnerabilities as irrelevant, with no setup and instant results.

Socket
security tool
Socket Now Protects the Chrome Extension Ecosystem

Socket is launching experimental protection for Chrome extensions, scanning for malware and risky permissions to prevent silent supply chain attacks.

Socket
security tool
Introducing Socket MCP for Claude Desktop

Add secure dependency scanning to Claude Desktop with Socket MCP, a one-click extension that keeps your coding conversations safe from malicious packa...

Socket
security tool
Introducing Scala and Kotlin Support in Socket

Socket now supports Scala and Kotlin, bringing AI-powered threat detection to JVM projects with easy manifest generation and fast, accurate scans.

Socket
library tool
AI + a16z Podcast: Vibe Coding, Security Risks, and the Path to Progress

Socket CEO Feross Aboukhadijeh and a16z partner Joel de la Garza discuss vibe coding, AI-driven software development, and how the rise of LLMs, despit...

Socket
api tool
Toptal’s GitHub Organization Hijacked: 10 Malicious Packages Published

Threat actors hijacked Toptal’s GitHub org, publishing npm packages with malicious payloads that steal tokens and attempt to wipe victim systems.

Socket
api security tool
Surveillance Malware Hidden in npm and PyPI Packages Targets Developers with Keyloggers, Webcam Capture, and Credential Theft

Socket researchers investigate 4 malicious npm and PyPI packages with 56,000+ downloads that install surveillance malware.

Socket
library security tool
npm ‘is’ Package Hijacked in Expanding Supply Chain Attack

The ongoing npm phishing campaign escalates as attackers hijack the popular 'is' package, embedding malware in multiple versions.

Socket
library security tool
Critical Vulnerability in Popular npm form-data Package Used Across Millions of Installs

A critical flaw in the popular npm form-data package could allow HTTP parameter pollution, affecting millions of projects until patched versions are a...

Socket
library security tool
Bun 1.2.19 Adds Isolated Installs for Better Monorepo Support

Bun 1.2.19 introduces isolated installs for smoother monorepo workflows, along with performance boosts, new tooling, and key compatibility fixes.

Socket
library tool
Active Supply Chain Attack: npm Phishing Campaign Leads to Prettier Tooling Packages Compromise

Popular npm packages like eslint-config-prettier were compromised after a phishing attack stole a maintainer’s token, spreading malicious updates.

Socket
library security tool
npm Phishing Email Targets Developers with Typosquatted Domain

A phishing attack targeted developers using a typosquatted npm domain (npnjs.com) to steal credentials via fake login pages - watch out for similar sc...

Socket
api security tool
Knip Hits 500 Releases with v5.62.0, Improving TypeScript Config Detection and Plugin Integrations

Knip hits 500 releases with v5.62.0, refining TypeScript config detection and updating plugins as monthly npm downloads approach 12M.

Socket
library tool
Open Source Maintainers Feeling the Weight of the EU’s Cyber Resilience Act

The EU Cyber Resilience Act is prompting compliance requests that open source maintainers may not be obligated or equipped to handle.

Socket
api security tool
Crates.io Implements Trusted Publishing Support

Crates.io adds Trusted Publishing support, enabling secure GitHub Actions-based crate releases without long-lived API tokens.

Socket
api tool
Tracking Protestware Spread: 28 npm Packages Affected by Payload Targeting Russian-Language Users

Undocumented protestware found in 28 npm packages disrupts UI for Russian-language users visiting Russian and Belarusian domains.

Socket
api tool
Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader

North Korean threat actors deploy 67 malicious npm packages using the newly discovered XORIndex malware loader.

Socket
api security tool
Meet Socket at Black Hat and DEF CON 2025 in Las Vegas

Meet Socket at Black Hat & DEF CON 2025 for 1:1s, insider security talks at Allegiant Stadium, and a private dinner with top minds in software supply ...

Socket
platform security tool
Open Source CAI Framework Handles Pen Testing Tasks up to 3,600× Faster Than Humans

CAI is a new open source AI framework that automates penetration testing tasks like scanning and exploitation up to 3,600× faster than humans.

Socket
security tool
Deno 2.4 Brings Back deno bundle, Improves Dependency Management and Observability

Deno 2.4 brings back bundling, improves dependency updates and telemetry, and makes the runtime more practical for real-world JavaScript projects.

Socket
runtime tool
New CVE Forecasting Tool Predicts 47,000 Disclosures in 2025

CVEForecast.org uses machine learning to project a record-breaking surge in vulnerability disclosures in 2025.

Socket
api security tool
Browserslist-rs Gets Major Refactor, Cutting Binary Size by Over 1MB

Browserslist-rs now uses static data to reduce binary size by over 1MB, improving memory use and performance for Rust-based frontend tools.

Socket
library tool
8 More Malicious Firefox Extensions: Exploiting Popular Game Recognition, Hijacking User Sessions, and Stealing OAuth Credentials

Eight new malicious Firefox extensions impersonate games, steal OAuth tokens, hijack sessions, and exploit browser permissions to spy on users.

Socket
security tool
Official Go SDK for MCP in Development, Stable Release Expected in August

The official Go SDK for the Model Context Protocol is in development, with a stable, production-ready release expected by August 2025.

Socket
library tool
Django Joins curl in Pushing Back on AI Slop Security Reports

Django has updated its security policies to reject AI-generated vulnerability reports that include fabricated or unverifiable content.

Socket
api security tool
ECMAScript 2025 Finalized with Iterator Helpers, Set Methods, RegExp.escape, and More

ECMAScript 2025 introduces Iterator Helpers, Set methods, JSON modules, and more in its latest spec update approved by Ecma in June 2025.

Socket
framework library tool
Node.js Homepage Adds Paid Support Link, Prompting Contributor Pushback

A new Node.js homepage button linking to paid support for EOL versions has sparked a heated discussion among contributors and the wider community.

Socket
security tool
Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages

North Korean threat actors linked to the Contagious Interview campaign return with 35 new malicious npm packages using a stealthy multi-stage malware ...

Socket
security tool
Malicious Python Package Typosquats Popular passlib Library, Shuts Down Windows Systems

The Socket Research Team investigates a malicious Python typosquat of a popular password library that forces Windows shutdowns when input is incorrect...

Socket
api security tool
A Fresh Look for the Socket Dashboard

We’ve redesigned the Socket dashboard with simpler navigation, less visual clutter, and a cleaner UI that highlights what really matters.

Socket
tool ui
From Infra Engineer to CISO: A Conversation with Amplitude’s Terry O’Daniel

Terry O’Daniel, Head of Security at Amplitude, shares insights on building high-impact security teams, aligning with engineering, and why AI gives def...

Socket
infra security tool
MCP Spec Updated to Add Structured Tool Output and Improved OAuth 2.1 Compliance

MCP spec updated with structured tool output, stronger OAuth 2.1 security, resource indicators, and protocol cleanups for safer, more reliable AI work...

Socket
api security tool
Survey Finds Over Half of CISOs Manage 10+ Security Areas with Limited Legal Protections and Short Tenure

More than half of CISOs now manage 10+ security areas, often with few legal safeguards and short tenures, yet continue to secure budgets and higher pa...

Socket
security
libxml2 Maintainer Ends Embargoed Vulnerability Reports, Citing Unsustainable Burden

Libxml2’s solo maintainer drops embargoed security fixes, highlighting the burden on unpaid volunteers who keep critical open source software secure.

Socket
library security tool
The Growing Risk of Malicious Browser Extensions

Socket researchers uncover how browser extensions in trusted stores are used to hijack sessions, redirect traffic, and manipulate user behavior.

Socket
api security tool
2025 Blockchain and Cryptocurrency Threat Report: Malware in the Open Source Supply Chain

An in-depth analysis of credential stealers, crypto drainers, cryptojackers, and clipboard hijackers abusing open source package registries to comprom...

Socket
api security tool
pnpm 10.12 Introduces Global Virtual Store and Expanded Version Catalogs

pnpm 10.12.1 introduces a global virtual store for faster installs and new options for managing dependencies with version catalogs.

Socket
framework library tool
Node.js Moves Toward Stable TypeScript Support with Amaro 1.0

Amaro 1.0 lays the groundwork for stable TypeScript support in Node.js, bringing official .ts loading closer to reality.

Socket
library runtime tool
PyPI Package Disguised as Instagram Growth Tool Harvests User Credentials

A deceptive PyPI package posing as an Instagram growth tool collects user credentials and sends them to third-party bot services.

Socket
api security tool
Socket Now Supports pylock.toml Files

Socket now supports pylock.toml, enabling secure, reproducible Python builds with advanced scanning and full alignment with PEP 751's new standard.

Socket
library security tool
Destructive npm Packages Disguised as Utilities Enable Remote System Wipe

Socket uncovered two npm packages that register hidden HTTP endpoints to delete all files on command.

Socket
api security tool
Malicious Ruby Gems Exfiltrate Telegram Tokens and Messages Following Vietnam Ban

Malicious Ruby gems typosquat Fastlane plugins to steal Telegram bot tokens, messages, and files, exploiting demand after Vietnam’s Telegram ban.

Socket
api library security
Malicious npm Packages Target BSC and Ethereum to Drain Crypto Wallets

Socket uncovered four malicious npm packages that exfiltrate up to 85% of a victim’s Ethereum or BSC wallet using obfuscated JavaScript.

Socket
api security tool
TC39 Advances Array.fromAsync, Error.isError, and Explicit Resource Management to Stage 4

TC39 advances 9 JavaScript proposals, including Array.fromAsync, Error.isError, and Explicit Resource Management, which are now headed into the ECMASc...

Socket
api framework library