Solutions Engineer @SocketSecurity | ex-Founding Engineer @momentohq 🐵 Big fan of my son 🐯

Joined September 2022
I joined @SocketSecurity as Sales Engineer, Commercial! Excited to deep dive into software supply chain security and discussions with customers 🎉 I've joined Socket as a Sales Engineer! I'm looking forward to talking with customers through technology again 😊
Erika N Tharp (サープ恵里花) retweeted
New Research: Trojanized Open VSX extensions are shipping GlassWASM, a new WebAssembly malware variant. It hides malware logic in TinyGo-compiled WASM and pulls C2 instructions from Solana transaction memos. socket.dev/blog/glasswasm-ma…
This is exciting! The demand has been high 😎
🚀 We're kicking off another Socket Launch Week, introducing one new feature every day this week! Day 1 is a big one: Socket for Linear is now available. Turn Socket alerts into Linear issues automatically, with two-way sync that keeps both sides current as things change.
Erika N Tharp (サープ恵里花) retweeted
Received a suspicious coding assessment for a crypto company I had zero mutual followers with (yet they had 100K followers on twitter), I just checked the package.json and found this dependency lol (thank you @SocketSecurity)
Erika N Tharp (サープ恵里花) retweeted
The US government forced Anthropic to pull Claude Fable on Friday night, days after launch. Users spent the week one-shotting code reviews and migrations. Some upgraded specifically for Fable. Now they’re demanding refunds. Government intervention can now reach directly into a commercial AI product and pull it from the market. socket.dev/blog/us-governmen…
Erika N Tharp (サープ恵里花) retweeted
🧩 New Research: 152 Chrome "live wallpaper" extensions hid ad tracking behind false privacy disclosures and faked Google search traffic to support ad monetization. The network spanned 38 publisher accounts, 3 backend brands, and ~105K installs. socket.dev/blog/152-chrome-l…
Welcome to the Socket family @andrewbecherer !
Big news for Socket: @andrewbecherer is joining as our first CISO. He brings deep experience leading security at high-growth SaaS companies, and will strengthen the security program behind the infrastructure we operate and the OSS ecosystem we protect. socket.dev/blog/andrew-beche…
Erika N Tharp (サープ恵里花) retweeted
thrilled to finally announce something I've been working on for a while: @SocketSecurity is officially powering @Replit’s new Package Firewall! By evaluating dependencies directly at the install path, we are protecting builders from hallucinated or malicious packages before they can execute. We're currently blocking 8,000 bad packages a day across builders on Replit. Ship fast, vibe safely. 🛡️ Read the full breakdown: socket.dev/blog/socket-partn…
Erika N Tharp (サープ恵里花) retweeted
🔥 Socket Firewall is now built into @Replit's AI-powered development experience. It’s already blocking 8K malicious packages/day across builders on the platform, giving Replit users stronger protection by default the moment dependencies are introduced. socket.dev/blog/socket-partn…
Erika N Tharp (サープ恵里花) retweeted
npm accidentally marked a bunch of one-character packages as security holders, including c, i, n, x, several numbers, and even the - package. The registry confirmed it was a tooling bug and said a rollback is underway. socket.dev/blog/npm-tooling-…
Erika N Tharp (サープ恵里花) retweeted
🚨 Mini Shai-Hulud, Miasma, and Hades worms are now targeting bioinformatics & AI devs, hiding JS stealers inside native Python extensions & .pth files, and even using prompt injection to blind AI security scanners. socket.dev/blog/mini-shai-hu…
Erika N Tharp (サープ恵里花) retweeted
Mini Shai-Hulud/Miasma/Hades are now targeting bioinformatics and MCP developers in a newer PyPI wave. Socket found 23 newly compromised PyPI package-version artifacts using multiple execution paths:
→ native .abi3.so extensions that run the JavaScript stealer at import time
→ .pth startup loaders that bootstrap Bun
→ a new loader variant that searches sys.path for _index.js instead of bundling it in the same wheel
The payload also includes a fake prompt-injection header at the top of _index.js to interfere with LLM-based malware triage before scanners reach the obfuscated code.
Erika N Tharp (サープ恵里花) retweeted
🚨 Mini Shai-Hulud/Miasma has now spread to PyPI. Socket found 37 malicious artifacts across 19 PyPI packages. The packages abuse #Python .pth startup behavior to launch a Bun-powered credential stealer targeting developer, cloud, and CI/CD secrets. socket.dev/blog/shai-hulud-d…
Erika N Tharp (サープ恵里花) retweeted
RubyGems 4.0.13 adds a cooldown feature to Bundler for newly published gems. The opt-in setting lets projects delay dependency resolution for new gem versions, reducing exposure during the short window when malicious releases often spread fastest. socket.dev/blog/rubygems-add…
Interesting! The number of Japanese users has been growing recently, and I can feel that awareness of supply chain attacks within Japan is rising.
I'll be speaking at this event on Tuesday, 6/9. Registration is still open, so please join us. findy.connpass.com/event/392…
I'd love to talk about it from the @SocketSecurity perspective.
Erika N Tharp (サープ恵里花) retweeted
📦 @pnpmjs 11.5 adds support for recognizing npm staged publishes after staged approval metadata triggered a false downgrade signal. As npm adds more release paths, registry metadata needs to make it clear how each package version was published. socket.dev/blog/pnpm-11-5-ad…
Erika N Tharp (サープ恵里花) retweeted
💸 The Department of Commerce has released a sharply critical audit report on NIST's management of the National Vulnerability Database. Federal auditors found NIST:
• Had no strategic plan to clear NVD backlog
• Set an unrealistic backlog deadline
• Delayed use of CISA enrichment data
• Failed to prioritize KEVs quickly
• Relied on inefficient enrichment processes
• Eroded trust in the NVD through poor communication
The report also found that NIST and CISA ran overlapping enrichment programs without coordination, sometimes using the same contractor to perform the same work. Auditors identified at least 21,000 duplicated enrichment activities and ~$200K in wasted funds. socket.dev/blog/federal-audi…
Erika N Tharp (サープ恵里花) retweeted
🚨 Active supply chain attack: A mini Shai-Hulud campaign hit npm packages under the @redhat-cloud-services namespace. The compromised packages execute install-time malware to harvest developer and CI/CD secrets, with encrypted exfiltration and GitHub-based fallback mechanisms.
Erika N Tharp (サープ恵里花) retweeted
Rust is moving toward a formal LLM contribution policy after months of heated internal debate, driven by a wave of low-effort "slop PRs" straining maintainers. The proposal bans LLM authorship but allows private use. socket.dev/blog/rust-moves-t…
Erika N Tharp (サープ恵里花) retweeted
Famous Chollima, the North Korean threat group known for fake job interview lures, appears to have used a PHP/Packagist package path in a targeted developer lure. We found the loader in a compromised Laravel package, on a branch that could be installed through Composer. It was appended after a normal Tailwind config and used TRON, Aptos, and BNB Smart Chain RPC infrastructure to retrieve and run remote JavaScript. Developers should be careful with “interview task” or “take-home project” requests that ask them to clone a repo, check out a specific branch, or install an exact dev dependency.