🔓 CISA admin GitHub App key still LIVE 2 days after Krebs reported it. And there was more: 🔑 Org-wide GitHub admin access 📦 6 JFrog tokens master keys 🔐 Guessable DB passwords 👉trufflesecurity.com/blog/cis…

Today is a big day for @SocketSecurity. We just raised a $60M Series C at a $1B valuation, led by @ThriveCapital with participation from @a16z, @AbstractVC, and @CapitalOne Ventures. Total funding is now $125M. Four years ago, we started Socket because open source dependencies were flowing into production faster than anyone could vet them. AI has massively accelerated that. Code is being written, shipped, and deployed before any human reads it. Security has to operate at that same speed. One data point from Thrive's diligence that I keep coming back to: they first discovered Socket because @cursor_ai, @OpenAI, and @AnthropicAI all independently told them it was the most important security tool they'd adopted for AI-driven development. Three of the most sophisticated AI companies converging on the same vendor unprompted. Since our Series B, Socket has grown to more than 20,000 organizations, protecting over 1.5 million repositories and blocking more than 1,000 supply chain attacks every week. The team is now over 100 people. Three out of five FAANG companies are Socket customers. So are the companies building the most ambitious AI products: @AnthropicAI, @cursor_ai, @xai, @figma, @vercel, @Replit, @scale_AI, @GustoHQ, @Mercadolibre, and @cribl_io, alongside Fortune 100s in financial services and global media. What we've shipped since the last round: • Socket Firewall blocks malicious packages at install time, before they reach a developer's laptop or CI pipeline. Free for everyone. • Reachability analysis via our acquisition of Coana, eliminating 50-80% of irrelevant vulnerability alerts by focusing only on CVEs that are actually exploitable. • Socket Certified Patches for remediating exploitable CVEs in seconds without waiting on upstream maintainers. • Coverage extending to browser extensions, editor extensions, MCP servers, and AI tools via our acquisition of @secureannex. When the Axios compromise hit, our detection systems flagged the malicious dependency within six minutes. Within 24 hours, more than 2,000 organizations onboarded to Socket to block it. Where the funding goes: deeper investment in Firewall, massively expanding Certified Patches, moving protection closer to every point of install across the developer toolchain, and new product launches pushing Socket into a category we haven't entered before. We're hiring across engineering, sales, customer success, and threat intel. ❤️ Thank you to our customers, investors, and the open-source community for your support. Together, we’re making software safer for everyone.

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

What if an agent could walk around the rsa show floor. How many companies do you think it'd try to vibecode? turns out its a lot. vibecoded.vc/cooked

What if an agent could walk around the rsa show floor. How many companies do you think it'd try to vibecode? turns out its a lot. vibecoded.vc/cooked

attribution is gonna be a PAIN for this one

Claude (and other models) are hacking systems WITHOUT YOU ASKING. That’s what we found across dozens of experiments. When faced with innocent tasks that can only be accomplished via hacking, they often choose to hack. We found this alarming. What does this mean for the future of AI safety? 🚨🚨🚨 🔗trufflesecurity.com/blog/cla…

Claude (and other models) are hacking systems WITHOUT YOU ASKING. That’s what we found across dozens of experiments. When faced with innocent tasks that can only be accomplished via hacking, they often choose to hack. We found this alarming. What does this mean for the future of AI safety? 🚨🚨🚨 🔗trufflesecurity.com/blog/cla…

i really don't like doing things that every other company is doing is there anyone out there trying to destroy open source? we'd like to fund them