Socket

@socket.dev

Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS. https://socket.dev

760 Followers | 292 Following | 458 Posts | Joined 06.11.2024

Latest posts by Socket @socket.dev

Why this kind of thing works: imToken doesn’t have an official Chrome extension, so if you search “imToken” in the Chrome Web Store, this impostor is the only thing you find.

06.03.2026 04:09 👍 2 🔁 2 💬 0 📌 0
Fake imToken Chrome Extension Steals Seed Phrases via Phishi... Mixed-script homoglyphs and a lookalike domain mimic imToken’s import flow to capture mnemonics and private keys.

Fake imToken Chrome extension alert: a malicious Chrome Web Store listing redirects users to a lookalike import page that uses mixed-script homoglyphs to impersonate imToken and phish seed phrases and private keys.

Full write-up: socket.dev/blog/fake-im...
cc: @campuscodi.risky.biz

06.03.2026 03:48 👍 2 🔁 1 💬 0 📌 1
Socket Named a Supply Chain Innovator in Latio's 2026 Applic... Latio’s 2026 report recognizes Socket as a Supply Chain Innovator and highlights our work in 0-day malware detection, SCA, and auto-patching.

✨ Socket was named a Supply Chain Innovator in Latio's 2026 Application Security Market Report, recognized for our work in 0-day malware detection, SCA, and auto-patching.

socket.dev/blog/socket-...

05.03.2026 21:48 👍 0 🔁 0 💬 0 📌 0
Meet the Socket Team at RSAC and BSidesSF 2026 - Socket Join Socket for live demos, rooftop happy hours, and one-on-one meetings during BSidesSF and RSA 2026 in San Francisco.

AI is changing how software gets built, and how it gets compromised. What's keeping your security team up at night? We want to hear about it. Book time with @feross.bsky.social and the Socket team at RSA + @bsidessf.org. We'll be in SF all week.

socket.dev/blog/meet-so...

04.03.2026 03:29 👍 2 🔁 2 💬 0 📌 0
Malicious Packagist Packages Disguised as Laravel Utilities ... Malicious Packagist packages disguised as Laravel utilities install an encrypted PHP RAT via Composer dependencies, enabling remote access and C2 call...

🚨 New Threat Research: Malicious Packagist packages disguised as #Laravel utilities shipped an encrypted #PHP RAT with C2 and remote shell access, including delivery through a clean-looking dependency chain.

Full analysis: socket.dev/blog/malicio...

03.03.2026 18:40 👍 0 🔁 1 💬 0 📌 0

Another attack weaponizing local AI coding agents. This class of AI-assisted supply chain abuse is heating up.

cc: @campuscodi.risky.biz @thehackernews.bsky.social @bleepingcomputer.com @zackwhittaker.com @csoonline.bsky.social @theregister.com

02.03.2026 09:16 👍 3 🔁 2 💬 1 📌 0
Unauthorized AI Agent Execution Code Published to OpenVSX in... OpenVSX releases of Aqua Trivy 1.8.12 and 1.8.13 contained injected natural-language prompts that abuse local AI coding agents for system inspection a...

🚨 We detected malicious OpenVSX releases of Aqua Trivy (1.8.12 & 1.8.13) that injected natural-language prompts to weaponize local AI coding agents.

The releases occurred during a broader AI-powered attack targeting #OSS projects.

Full analysis ↓
socket.dev/blog/unautho...

02.03.2026 08:48 👍 7 🔁 3 💬 0 📌 1

Well, you don’t see this every day. 🙃 Pastebin steganography used as a dead drop for npm malware.

cc: @campuscodi.risky.biz @bleepingcomputer.com @zackwhittaker.com @thehackernews.bsky.social

27.02.2026 22:46 👍 9 🔁 5 💬 0 📌 0
minimatch Patches 3 High-Severity ReDoS Vulnerabilities - So... minimatch patched three high-severity ReDoS vulnerabilities that can stall the Node.js event loop, and Socket has released free certified patches.

minimatch patched 3 high-severity ReDoS vulnerabilities that can stall the Node.js event loop. Because it's pulled into nearly every corner of the #NodeJS ecosystem (~472M weekly downloads), we're releasing free Certified Patches for all three.

socket.dev/blog/minimat... #JavaScript

28.02.2026 22:35 👍 6 🔁 4 💬 0 📌 0
StegaBin: 26 Malicious npm Packages Use Pastebin Steganograp... Socket uncovered 26 malicious npm packages tied to North Korea's Contagious Interview campaign, retrieving a live 9-module infostealer and RAT from th...

🚨 We detected 26 malicious npm packages using Pastebin steganography and Vercel staging to deploy a multi-stage credential stealer targeting developers.

We’re tracking this campaign as “StegaBin.”

Full research ↓
socket.dev/blog/stegabi... #NodeJS #JavaScript

27.02.2026 19:55 👍 6 🔁 1 💬 0 📌 2
Malicious Go “crypto” Module Steals Passwords and Deploys Re... An impersonated golang.org/x/crypto clone exfiltrates passwords, executes a remote shell stager, and delivers a Rekoobe backdoor on Linux.

🚨 New Research: Malicious Go “crypto” module steals passwords and deploys a Rekoobe backdoor on Linux.

Full Analysis →
socket.dev/blog/malicio...

#golang cc: @campuscodi.risky.biz @thehackernews.bsky.social @bleepingcomputer.com @golangch.bsky.social

26.02.2026 21:49 👍 3 🔁 2 💬 0 📌 0
npm Introduces minimumReleaseAge and Bulk OIDC Configuration... npm rolls out a package release cooldown and scalable trusted publishing updates as ecosystem adoption of install safeguards grows.

npm has introduced a new minimumReleaseAge setting along with bulk OIDC configuration.

Release cooldowns are now supported as a baseline across all major #JavaScript package managers, including npm, pnpm, Yarn, and Bun.

Learn more: socket.dev/blog/npm-int... #NodeJS

26.02.2026 05:35 👍 11 🔁 1 💬 0 📌 0

We'll be streaming live with @feross.bsky.social and @grobmeier.de at 10AM PST today! If you want a reminder, click "Attend" on LinkedIn or "Notify Me" on YouTube.

25.02.2026 13:45 👍 2 🔁 2 💬 0 📌 0
SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflow... An emerging npm supply chain attack that infects repos, steals CI secrets, and targets developer AI toolchains for further compromise.

@socket.dev Fantastic report! Stay safe out there, folks!

socket.dev/blog/sandwor...

25.02.2026 02:35 👍 3 🔁 2 💬 0 📌 0

AI agents are writing up to 90% of new production code. What does that mean for open source security?

Socket CEO @feross.bsky.social joined the @riskybusiness.bsky.social podcast to break down this seismic shift & the growing risk to the software supply chain.

Watch now → socket.dev/blog/risky-b...

24.02.2026 23:03 👍 2 🔁 1 💬 0 📌 0

Excited to tune into this conversation! 🤩
Log4Shell was one of those moments that pulled back the curtain on how much of the internet runs on small open source projects. We've all seen the memes and hot takes it inspired about sustainability, but what has actually changed? Join us tomorrow!

24.02.2026 14:17 👍 2 🔁 2 💬 0 📌 0

cc: @campuscodi.risky.biz @zackwhittaker.com @thehackernews.bsky.social @bleepingcomputer.com @arstechnica.com @darkreading.bsky.social

24.02.2026 04:55 👍 0 🔁 0 💬 0 📌 0

Join us on Feb 25 @ 10am PST for a fireside chat w/ Log4j maintainer @grobmeier.de and Socket CEO @feross.bsky.social on Log4Shell and the realities of maintaining critical OSS infrastructure.

Watch live & get notified:
LinkedIn → linkedin.com/events/74318...
YouTube → youtube.com/watch?v=9-uV...

24.02.2026 03:09 👍 3 🔁 2 💬 0 📌 2

New Research: We uncovered 4 malicious NuGet packages targeting ASP.NET developers. A typosquatted “NCryptYo” dropper uses JIT hooking and a localhost proxy to steal Identity data and backdoor deployed apps.

Full analysis: socket.dev/blog/four-ma...

23.02.2026 18:00 👍 0 🔁 0 💬 1 📌 0

Correct speeling is a security superpoewr: don’t get caught out by the latest typosquatting npm supply chain worm.

21.02.2026 10:52 👍 3 🔁 3 💬 0 📌 0

💥 Your AI coding assistant might be stealing your SSH keys. 💥

@socket.dev found an active Shai-Hulud style npm worm (SANDWORM_MODE) that hijacks CI workflows, spreads via stolen tokens, and injects rogue MCP servers to poison AI coding tools and steal secrets.

20.02.2026 20:55 👍 12 🔁 2 💬 0 📌 0

cc: @campuscodi.risky.biz @thehackernews.bsky.social @tldrnews.bsky.social @bleepingcomputer.com @arstechnica.com

20.02.2026 19:06 👍 1 🔁 0 💬 0 📌 0

The @socket.dev team caught super early signals of this attack campaign leading to preemptive shutdown! Proud of the team and our advanced threat detection engine! 💪

Thankful for the rapid response and takedown @npmjs.bsky.social @github.com @cloudflare.social 🙏

#shaihulud #SANDWORM_MODE

20.02.2026 18:25 👍 12 🔁 4 💬 2 📌 0
SANDWORM_MODE: Shai-Hulud-Style npm Worm Hijacks CI Workflow... An emerging npm supply chain attack that infects repos, steals CI secrets, and targets developer AI toolchains for further compromise.

🚨 Active supply chain attack

New Shai-Hulud–like npm worm (19+ packages, 2 aliases) stealing dev/CI secrets, injecting GitHub workflows, poisoning AI toolchains, and harvesting LLM API keys.

Details → socket.dev/blog/sandwor... #NodeJS #JavaScript

20.02.2026 17:57 👍 19 🔁 6 💬 1 📌 3

Really cool to see @npmjs.bsky.social featuring more security information on package pages, including a link to Socket's analysis! 🤩

Here's what you'll find when you click through →

socket.dev/blog/socket-... #NodeJS #JavaScript

19.02.2026 03:13 👍 9 🔁 4 💬 0 📌 1

Excited that @socket.dev has joined @openjsf.org!

Code security is more important than ever in the AI coding and agentic era! We're doing our part to help.

19.02.2026 20:37 👍 5 🔁 2 💬 0 📌 0
Socket Joins the OpenJS Foundation - Socket Socket is proud to join the OpenJS Foundation as a Silver Member, deepening our commitment to the long-term health and security of the JavaScript ecos...

We're excited to announce that Socket is joining the @openjsf.org! Proud to support the #JavaScript ecosystem alongside so many great projects and contributors.

socket.dev/blog/socket-...

19.02.2026 21:04 👍 17 🔁 5 💬 0 📌 1