We started Socket with a simple but audacious goal: to safeguard the open source ecosystem for everyone. Today, that dream is a bit brighter—literally! Our logo is lighting up Times Square! Every great company is a conspiracy to change the world. Thank you to our many co-conspirators — our early customers, founding employees, investors, mentors, and the open source and security communities — we wouldn't be here without your support. We're just getting started.
Socket
Computer and Network Security
Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS.
About us
Socket is a cybersecurity platform that protects companies from software supply chain attacks. Companies use Socket to protect their software applications and critical services from malware and security threats originating in open source code.
- Website
- https://socket.dev
- Industry
- Computer and Network Security
- Company size
- 11-50 employees
- Headquarters
- San Francisco
- Type
- Privately Held
- Founded
- 2020
- Specialties
- Software, Security, Software supply chain, Open source software, Application Security, Cybersecurity, and Software Composition Analysis (SCA)
Locations
- Primary: San Francisco, US
Updates
- A fascinating Reddit AMA is happening right now with ransomware negotiators, offering a rare glimpse into how modern #ransomware operations really work. https://lnkd.in/exN56WY8 #cybersecurity
- PyPI confirms no security flaws were exploited in the Ultralytics supply chain attack and the team is working on two new efforts to nudge developers towards more secure publishing configurations. https://lnkd.in/gayiQFkg #Python Python Software Foundation
  Linked article: "PyPI on Ultralytics Breach: Poor CI/CD Practices to Blame, N..." (socket.dev)
- 🚨 Socket researchers discovered a wrapper package on #npm that uses obfuscation to harvest credentials and exfiltrate sensitive data. This threat actor is a repeat publisher of malicious packages, which have accumulated over 10K downloads in the past year. https://lnkd.in/eiRRy2uH #JavaScript
  Linked article: "Data Theft Repackaged: A Case Study in Malicious Wrapper Pac..." (socket.dev)
- Another typosquatting attack on npm, this time targeting developers attempting to install the popular #TypeScript ESLint plugin. The malicious package compromised development environments, exfiltrated data, and enabled real-time exploitation. https://lnkd.in/gEjZDPsX #JavaScript
  Linked article: "Malicious npm Package Typosquats Popular TypeScript ESLint P..." (socket.dev)
- The Ultralytics #PyPI package was compromised 4 times in one weekend through GitHub Actions cache poisoning and failure to rotate compromised API tokens. This attack shows the limitation of attestation in scenarios where build artifacts can be tampered with through cache poisoning. https://lnkd.in/eiZDNm-x #Python #Cybersecurity
  Linked article: "Ultralytics PyPI Package Compromised Through GitHub Actions ..." (socket.dev)
- 🚨 Java Security Alert: Socket researchers found a malicious Maven package impersonating the legitimate 'XZ for Java' library, introducing a backdoor for remote code execution. Details → https://lnkd.in/eunUceDp #Java
  Linked article: "Malicious Maven Package Impersonating 'XZ for Java' Library ..." (socket.dev)
- 🚀 Big news for Node.js! The latest LTS release (v22.12.0) enables require(esm) by default, accelerating ESM adoption. Plus, automated processes are speeding up releases and enhancing security. ➳ https://lnkd.in/ex55mWmR #NodeJS #JavaScript
  Linked article: "Node.js Delivers First LTS with require(esm) Enabled, Enhanc..." (socket.dev)
- 📰 Have you seen npm's new search experience? The registry has completely revamped the sorting options to be more objective and you may notice some changes with package search results. More details ➳ https://lnkd.in/eZt4ChGA #NodeJS
  Linked article: "npm Updates Search Experience with New Objective Sorting Opt..." (socket.dev)
- We updated our post with more info on the impact of the supply chain attack detected in Solana's web3.js library, including Anza's disclosure and the estimated $160K crypto assets stolen in the incident. https://lnkd.in/ej4UpKDW #web3 #Solana
  Linked article: "Supply Chain Attack Detected in Solana's web3.js Library - S..." (socket.dev)