🚀 Advanced: Socket (@SocketSecurity) / X

Socket

3,154 posts

Socket

@SocketSecurity

Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS. 👀 @npm_malware

https://socket.dev/careers

Joined November 2021

Pinned
Socket
@SocketSecurity
May 22
Today is a big day for Socket.
Feross
@feross
May 20
Today is a big day for @SocketSecurity. We just raised a $60M Series C at a $1B valuation, led by @ThriveCapital with participation from @a16z, @AbstractVC, and @CapitalOne Ventures. Total funding is now $125M. Four years ago, we started Socket because open source dependencies
25K
Socket reposted
Socket
@SocketSecurity
8h
Replying to @SocketSecurity
Update: We added our technical analysis for the Mastra npm supply chain attack. The second-stage protocal.cjs implant beacons to C2, supports remote tasking, inventories 166 #crypto wallet browser extensions, collects Chrome/Edge/Brave history, and persists via Windows Run keys,
140+ Mastra npm Packages Compromised in Coordinated Supply C...
From socket.dev
1.8K
Socket reposted
LuemmelSec
@theluemmel
10h
Really insightful and a clear sign that we currently can not leave it just to AI to come up with verdicts on Threats. The cat and mouse game continues.
Socket
@SocketSecurity
17h
New Socket research: We’re seeing more packages designed to trip up AI malware scanners. This new npm package uses prompt-injection-style comments, safety-triggering content, context flooding, and obfuscated JS to probe where scanners refuse, truncate, or miss the code that
825
Socket reposted
Socket
@SocketSecurity
9h
🚨 More than 140 Mastra npm packages were compromised in a supply chain attack published under the @mastra/* namespace, including @mastra/core, which receives more than 918K weekly npm downloads. The attack used easy-day-js, a typosquatted dependency, to deliver a
7.3K
Socket
@SocketSecurity
9h
🚨 More than 140 Mastra npm packages were compromised in a supply chain attack published under the @mastra/* namespace, including @mastra/core, which receives more than 918K weekly npm downloads. The attack used easy-day-js, a typosquatted dependency, to deliver a
7.3K
Socket
@SocketSecurity
9h
This is a developing story. Socket flagged the malicious dependency within six minutes of publication, and Socket users were protected automatically. We’re continuing to analyze the malware and will publish a full technical analysis.
140+ Mastra npm Packages Compromised in Coordinated Supply C...
From socket.dev
2K
Socket
@SocketSecurity
8h
Update: We added our technical analysis for the Mastra npm supply chain attack. The second-stage protocal.cjs implant beacons to C2, supports remote tasking, inventories 166 #crypto wallet browser extensions, collects Chrome/Edge/Brave history, and persists via Windows Run keys,
140+ Mastra npm Packages Compromised in Coordinated Supply C...
From socket.dev
1.8K
Socket reposted
Thomas Roccia 🤘
@fr0gger_
11h
Context flooding to overwhelm and bypass your AI analysis with unrelated content! Simple but efficient!
Socket
@SocketSecurity
17h
New Socket research: We’re seeing more packages designed to trip up AI malware scanners. This new npm package uses prompt-injection-style comments, safety-triggering content, context flooding, and obfuscated JS to probe where scanners refuse, truncate, or miss the code that
2.7K
Socket
@SocketSecurity
17h
New Socket research: We’re seeing more packages designed to trip up AI malware scanners. This new npm package uses prompt-injection-style comments, safety-triggering content, context flooding, and obfuscated JS to probe where scanners refuse, truncate, or miss the code that
11K
Socket
@SocketSecurity
17h
🤡 Scanner bait: This package appears designed to bait, test, or provoke supply chain security tooling and the researchers/vendors behind it. It names JFrog, Socket, and SafeDep directly.
1.9K
Socket reposted
Socket
@SocketSecurity
Jun 16
New Research: Trojanized Open VSX extensions are shipping GlassWASM, a new WebAssembly malware variant. It hides malware logic in TinyGo-compiled WASM and pulls C2 instructions from Solana transaction memos.
GlassWASM: WebAssembly Malware Found in Trojanized Open VSX ...
From socket.dev
12K
Socket
@SocketSecurity
Jun 16
🚀 Day 2 of Socket Launch Week: We’re excited to introduce Manifest Alerts! Socket now detects supply chain risks found in project manifests, starting with missing lockfiles that can make dependency installs non-reproducible.
1.8K
Socket
@SocketSecurity
Jun 16
Manifest Alerts appear alongside Dependency Alerts in scan results, with details that explain the impact, remediation steps, and affected manifest. Read more: socket.dev/blog/introduci…
873