Socket
Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS.
https://socket.dev
- 🚨 New threat research: Malicious #Python packages are abusing TikTok & Instagram APIs to verify stolen emails, enabling targeted account attacks and dark web credential sales. socket.dev/blog/malicio...
- 🚨 Too many security alerts? We're fixing that. Excited to see @theregister.com cover our acquisition of Coana, an elite team building next-gen reachability analysis to cut through vulnerability noise.
- The Node.js TSC has declined to endorse a feature bounty program, citing concerns over incentives, governance, and project neutrality. Full breakdown of the decision on the Socket blog → socket.dev/blog/node-js... #nodejs #javascript
- ⚠️ New Node.js security release patches a high-severity bug: async cryptographic operations on untrusted input could crash your server (CVE-2025-23166). If you’re on 20.x, 22.x, 23.x, or 24.x, update now. #nodejs
- The Node.js security release is out! 💚 We have released new versions of the 20, 22, 23, and 24 release lines in order to address: - 1 high severity issue - 1 moderate severity issue - 1 low severity issue nodejs.org/en/blog/vuln...
- 📦 Not all packages are what they seem. In our 2025 mid-year threat report, we break down the top trends in how attackers are weaponizing open source dependencies to infiltrate supply chains. → socket.dev/blog/malicio...
- Latest update from CISA on its plan to kill off RSS feeds in favor of publishing updates on X: "We have paused immediate changes while we re-assess the best approach to sharing with our stakeholders."
- CISA has quietly killed off its RSS feeds for KEVs and cyber alerts, replacing an open, automation-friendly format with email and social media alerts. A small change with big consequences for threat monitoring tools that relied on RSS: socket.dev/blog/cisa-ki...
- 🛠️ ESLint continues its journey to language-agnostic linting, now officially supporting HTML! This new integration brings 48 rules for best practices, accessibility, SEO, and more. Learn more → socket.dev/blog/eslint-... @eslint.org #HTML
- 🤖 The MCP community just announced work on an official metaregistry to standardize AI tool discovery. It will enable agents to dynamically find & install MCP servers, a game-changer for autonomous systems that can extend their capabilities on demand. Learn more → socket.dev/blog/officia...
- 🚨 Socket researchers discovered an npm package targeting #crypto traders. It hunts for wallet keys & #BullX credentials, then exfiltrates them via Telegram. A second package serves as a minimal wrapper to execute the payload. Full report → socket.dev/blog/malicio... #JavaScript
- 🚨 The Socket Threat Research Team has discovered a set of malicious npm packages targeting macOS developers using the Cursor AI code editor. They steal credentials, disable updates, and add a persistent backdoor to the IDE. socket.dev/blog/malicio... #JavaScript #CursorAI
- The latest AI grift: fake security reports on bug bounty platforms. The reports include vague repro steps, imaginary functions, and nonsense patches. One landed in curl’s inbox - @bagder.mastodon.social.ap.brid.gy & team quickly identified it as AI slop. socket.dev/blog/ai-slop...
- 🚨 Socket researchers investigate a malicious PyPI package disguised as a #Discord debugger. The attacker used it to deliver a remote access trojan (RAT), and it was downloaded over 11,000 times before removal. Full analysis from the Socket team → socket.dev/blog/malicio... #Python
- We’ve redesigned the Socket dashboard overview! Get clearer insights into your organization's supply chain security with new visuals, alerts, and stats at a glance. 📈 Check it out: socket.dev/blog/new-ove...
- 🔥 Launch Day 5: We’re so excited to launch socket fix — a CLI tool that automatically upgrades vulnerable dependencies, runs your tests, and even auto-merges safe updates in CI. From alert to merged fix. Zero friction.
- socket fix works locally or in CI: ✅ socket fix → upgrade dependencies ✅ --test → only keep changes if tests pass ✅ --autopilot → test + auto-merge in GitHub Actions ⭐️ Available now, in open beta → socket.dev/blog/introdu...
- 📍 New developments in the #CVE Program saga as CISA states “there was no funding issue” while former Director Jen Easterly questions the transparency of the new CVE Foundation formed by a subset of current CVE Board members. socket.dev/blog/cisa-re... #cybersecurity
- 🔥 Launch Week Day 4: Historical Analytics is now in beta! This is a massive upgrade to Socket’s visibility and reporting capabilities. Socket now retains 30 days of daily scan data, giving you powerful new insight into how your supply chain risks evolve over time.
- 📊 With these new tools, you can: - Track changes in alerts and dependencies over time - Drill into historical data on the updated Analytics page - Export historical alerts via API to power custom dashboards or integration - And more to come! 📉 Explore Analytics → socket.dev/blog/histori...
- 🚀 Launch Week Day 3: Introducing Module Reachability — now live in your Socket dashboard! Today we’re rolling out our first iteration of Module Reachability across all the ecosystems we support, our first step in filtering out the CVEs that don’t matter. 🧵
- When you enable Reachability, you'll see a significant reduction in noise. On average, we're seeing 25–35% of transitive dependencies are filtered out as unused. That means fewer alerts, fewer false positives, and a shorter list of vulns to triage. socket.dev/blog/introdu...
- And this is just the beginning! Our reachability support is about to get turbocharged. With our acquisition of Coana, the best-in-class reachability engine, we’re bringing deep static analysis and precomputed results to every Socket user. Stay tuned. 🔥 socket.dev/blog/socket-...
- 🚀 Big news! Socket is acquiring Coana, bringing best-in-class reachability analysis to modern SCA! Coana's technology reduces false positives by up to 80%, letting teams focus on vulnerabilities that actually matter. #AppSec 1/4
- With this acquisition, Socket welcomes world-class engineers from Aarhus University, led by Professor Anders Møller. Together we're setting a new standard for supply chain security. Read the announcement: socket.dev/blog/socket-... 2/4
- In the coming months, we’ll be working to integrate Coana’s reachability analysis technology directly into the Socket platform. Soon, every Socket user will start seeing reachability context in their vulnerability reports and dashboards. 3/4
- For Socket users, this means automated vulnerability prioritization based on actual exploitability. Soon, whenever Socket identifies a vulnerability in your dependencies, you'll immediately see whether it's reachable in your application. No guesswork, no manual triage. 4/4
- 🔥 Day 2 of Socket Launch Week! Today we're shipping Repository Labels + Security Policies — a powerful way to organize repos and apply fine-grained security controls. Live now in public beta 🎯 socket.dev/blog/introdu...
- 🚨 Socket researchers uncovered malicious npm & PyPI packages posing as dev tools — stealing wallet seed phrases via Google Analytics and Telegram bots. Inside the malware and how it works:
- 🚀 We’re excited to announce our public beta support for .NET! Secure your NuGet dependencies from typosquatting, dependency confusion, and more. Start protecting your C# projects today → socket.dev/blog/introdu... #dotnet #nuget
- 🚨 Malicious npm packages posing as #Telegram bot libraries are installing SSH backdoors and exfiltrating data from developer machines. Read the full report from Socket's Threat Research Team: socket.dev/blog/npm-mal... #JavaScript
- 📌 Just two weeks after PEP 751 was accepted, Python’s new pylock.toml lock file format is already becoming a fast-emerging standard. 📦 pip, pip-audit, PDM, and more are jumping in. Here's how fast the ecosystem is moving 👇 socket.dev/blog/pylock-... #Python
- 🚀 Socket's Go support is now generally available! All users can now get automatic scanning and deep code analysis for Go projects. We detect supply chain threats other tools miss by analyzing the actual code that gets installed. Learn more → socket.dev/blog/go-supp... #golang
- 🚀 The @vlt.sh team just launched real-time dependency analysis powered by Socket! Developers can now explore supply chain risks directly in their graph, with rich security metadata from Socket built in. More on the integration → socket.dev/blog/vlt-lau... #JavaScript
- 🚩 CISA has extended MITRE’s contract by 11 months, avoiding a shutdown but leaving long-term governance issues unresolved. Alternative CVE coordination efforts are emerging in the wake of yesterday’s funding chaos. Read more → socket.dev/blog/cisa-ex... #cybersecurity #cve
- 🎉 Big news for #Ruby teams! After 6 months of successful beta testing, our Rubygems ecosystem support is now GA. Socket's scanning catches supply chain threats that traditional tools miss. Secure your repos today! → socket.dev/blog/rubygem... #rails @lucianghinda.com
- New from the Socket Research Team: A malicious npm package disguised as an #Advcash integration triggers a reverse shell during payment success. Unlike many malicious packages that execute code during installation, this payload is delayed until runtime. socket.dev/blog/npm-pac... #JavaScript
- Had to give credit where it’s due! You gave it an unforgettable name. 😂
- In case you missed it last week - we shipped a redesign for our GitHub PR comments: score diffs, risk alerts, and dependency context, all in one place.
- 🚀 We just rolled out a brand new design for our GitHub PR comments! Here’s what’s new: 📦 Each direct dependency, clearly listed 📊 Score changes at a glance (security, quality, etc.) ⚠️ Blocking + warning alerts, right in the PR More Details → socket.dev/blog/github-...
- 🐚 New from the Socket Threat Research Team: threat actors are weaponizing shell techniques to persist, pivot, and exfiltrate across npm, PyPI, Go, and more. Reverse shells. Web shells. TCP tunnels. It's all in here. 🐢 Read: socket.dev/blog/shell-u... #JavaScript #Golang #Python #Java
- At #VulnCon, NIST revealed that the NVD is scrapping its consortium plan, walking back last year’s promise of reform, while pitching new tools that critics say won't meaningfully address the backlog or transparency problem. socket.dev/blog/vulncon... #CVE #CyberSecurity #VulnCon2025
- Slopsquatting: a new supply chain threat where AI tools hallucinate package names & attackers register them. 📊 A new study finds: • 1 in 5 suggested packages didn’t exist • OSS models hallucinate 4x more than commercial • Researchers found 205K+ unique hallucinated names socket.dev/blog/slopsqu...
- 🧪 New research finds 1 in 5 packages suggested by AI code tools don't exist. Attackers can register these hallucinations. This emerging threat has been dubbed "slopsquatting." socket.dev/blog/slopsqu... #LLM #cybersecurity #Python #JavaScript
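The practical defense against slopsquatting is a gate between "an AI tool suggested this package" and "pip install": verify the name resolves to a real, established package before installing it. The following is an added example, not code from the Socket posts above or from Socket's tooling. It works against a constructed, offline snapshot of a package index (the names and dates in KNOWN_PACKAGES are assumptions for illustration; a real gate would query the registry). It applies PEP 503 name normalization, flags names that do not exist at all (hallucination candidates), flags names that exist but were registered only recently (a hallucination an attacker may already have claimed), and flags one-edit lookalikes of well-known packages (typosquat candidates). The 90-day age threshold and the edit-distance cutoff of 1 are tuning assumptions, not values from the study.

```python
"""Pre-install gate for AI-suggested package names (added example)."""
import re
from datetime import date

# Constructed snapshot of a package index: normalized name -> first-release date.
# These entries are illustrative assumptions; a real gate queries the registry.
KNOWN_PACKAGES = {
    "requests": date(2011, 2, 14),
    "numpy": date(2006, 12, 2),
    "python-dateutil": date(2003, 9, 13),
    "boto3": date(2014, 11, 5),
    "acme-llm-utils": date(2025, 4, 20),  # constructed: a recently registered name
}


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, any run of '-', '_' or '.' becomes one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-edit lookalikes of real packages."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, today: date = date(2025, 5, 1), min_age_days: int = 90) -> str:
    """Return 'known', 'new', 'lookalike:<real>' or 'nonexistent' for one suggested name."""
    norm = normalize(name)
    if norm in KNOWN_PACKAGES:
        age_days = (today - KNOWN_PACKAGES[norm]).days
        # Exists, but only recently: a hallucinated name someone may have registered.
        return "new" if age_days < min_age_days else "known"
    # Not in the index at all. Before calling it a hallucination, check whether it is
    # a one-edit variant of a real package, which is the classic typosquat shape.
    for real in KNOWN_PACKAGES:
        if edit_distance(norm, real) <= 1:
            return f"lookalike:{real}"
    return "nonexistent"


def gate(suggested: list[str]) -> dict[str, list[str]]:
    """Split an AI tool's suggested install list into names to allow and names to block."""
    result: dict[str, list[str]] = {"allow": [], "block": []}
    for name in suggested:
        verdict = classify(name)
        bucket = "allow" if verdict == "known" else "block"
        result[bucket].append(f"{name} ({verdict})")
    return result


if __name__ == "__main__":
    # Constructed "AI-suggested" install list mixing real, lookalike, new and invented names.
    for bucket, names in gate(["Requests", "numpy", "requestz", "acme-llm-utils", "flask-jwt-authz"]).items():
        print(bucket, names)
```

Only names in the "allow" bucket should ever reach the package manager; everything in "block" needs a human to confirm the package is what the tool meant, and a "new" or "lookalike" verdict is a stronger warning than "nonexistent", since it means someone has already put a package at that name.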
- 🚀 Big upgrade just dropped: we completely redesigned the Repositories page in the Socket dashboard! Now it’s easier than ever to spot risk, triage alerts, and keep your projects secure.
- Here’s what’s new: ⚠️ Alert severity at a glance 🧪 Tabs for Alerts, Dependencies, and Scans 🔎 Smarter search ✨ A cleaner, more focused UI Full breakdown here → socket.dev/blog/reposit...
- ⚡️ Multiple critical deserialization vulnerabilities in PyTorch Lightning could lead to remote code execution when loading model files. socket.dev/blog/pytorch... #MLops #PyTorch #AIsecurity
- 🚀 Join Socket and CSide, @arcjet.com, & @incident.io for TWO epic rooftop parties during #RSAC and #BSidesSF 2025! 📅 Sunday, April 27 & Wednesday, April 30 🕕 6-10PM ✨ Plus: Exclusive #CISO Dinner hosted w/ WndrCo and 1:1 demos with our team all week! RSVP now: socket.dev/blog/meet-th...
- 🚨 NVD just reclassified 20,000 older CVEs as “Deferred.” The database is quietly removing them from its processing pipeline and will no longer enrich them, leaving major gaps in public vulnerability data for those still relying on the NVD. socket.dev/blog/nvd-qui... #CyberSecurity
- 🚨 North Korean threat actors are back - and scaling up. The #Lazarus Group is expanding its npm malware campaign with new RAT loaders, hex obfuscation, fresh aliases, and over 5,600 downloads across 11 packages. Our latest research: socket.dev/blog/lazarus... #JavaScript #malware
- 🎉 Safari 18.4 shipped 3 new #JavaScript features from the @tc39.bsky.social pipeline: • Iterator Helpers (Stage 4) • Error.isError (Stage 3) • Atomics.pause (Stage 3) Modern JavaScript is moving fast, from proposal to production in record time. 🚀 socket.dev/blog/safari-...