Socket
@SocketSecurity
Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS. 👀 @npm_malware
🚀 We’re thrilled to announce Socket’s $40M Series B led by @AbstractVC with participation from @eladgil and @a16z!

Amazing @SocketSecurity research covered by @arstechnica and the amazing @dangoodin001
Open source repositories are seeing a rash of supply-chain attacks arstechnica.com/security/2025/…
Vibe coding with LLMs is making developers faster, but also creating new attack surfaces. Socket CEO @feross talks with Joel de la Garza of @a16z about the future of AI-assisted software and supply chain security. 🎙️Check out the full episode: socket.dev/blog/ai-a16z-p…
Never run `npm install` on your bare laptop. Not using devcontainers, a dev VM, or some other sandbox is now basically negligence.
🚨 73 Toptal repos hijacked. 10 npm packages laced with malware to steal GitHub tokens & wipe systems (rm -rf /). ~5,000 downloads before removed by npm. ICYMI: the supply chain is under attack.
Not pretty, not Windows-only: npm phishing attack laces popular packages with malware dlvr.it/TM58rX
‼️npm + PyPI packages delivering surveillance malware to thousands:
• Keylogging
• Screen capture
• Webcam access
56,000+ downloads and growing. Full investigation → lnkd.in/e6VXAJdC #infosec #Python #JavaScript #CyberSecurity
🚨 Supply chain attack alert: A threat actor gained access to @toptal’s GitHub org, making 73 repos public and injecting malicious payloads into 10+ npm packages. Full research: socket.dev/blog/toptal-s-… #NodeJS #JavaScript
4/ Worst part? The malware persisted itself by rewriting index.js inside node_modules. That means deleting the folder won’t save you. You’d need to reset lockfiles + clear all cached builds. This stuff stayed.
5/ One developer on HN took these steps:
* Unplug their machine
* Replace SSD
* Reinstall Windows
* Rotate every SSH key
This wasn’t just a CI scare. It owned local dev machines.
🚨 New Threat Research: We uncovered 4 malicious packages (3 on npm, 1 on PyPI) with 56,000+ downloads, all delivering surveillance malware capable of keylogging, screen capture, and webcam access. Here’s what we found: socket.dev/blog/surveilla… #NodeJS #JavaScript #Python
🚨 Attackers have hijacked the npm 'is' package (~2.8M weekly downloads), adding a malicious JS loader. This compromise is linked to the recent npm phishing campaign. Read our update on this ongoing supply chain attack: socket.dev/blog/npm-is-pa… #NodeJS #JavaScript
6/ If you’re doing `npm install` in 2025 without protection, you’re a sitting duck. Socket is an AI-powered proactive defense layer for the software supply chain. We protect your software from everyone else's. Install Socket for free here: socket.dev
1/ 🚨 Major supply chain breach just hit the JavaScript ecosystem. Attackers hijacked popular npm packages — including is (~3M downloads/week) — to silently ship remote access malware into dev environments. Here’s what happened, and how Socket caught it 🧵
🚨 A critical vulnerability in the widely used npm form-data package could allow HTTP Parameter Pollution, potentially impacting millions of projects. The package sees 100M+ downloads weekly. Details → socket.dev/blog/critical-… #NodeJS #JavaScript
Bun 1.2.19 introduces isolated installs for monorepos, smarter package management, and 5x faster Bun.sql. 🎉 Congrats to @jarredsumner and all the @bunjavascript contributors: socket.dev/blog/bun-1-2-1… #NodeJS