Feross
feross.bsky.social
🧙‍♂️ Mad scientist • ✨ Founder + CEO @Socket.dev (http://socket.dev) •🌲 Stanford lecturer (http://cs253.stanford.edu) • ❤️ Open source at WebTorrent + StandardJS
Pinned
🚀 Big news for JavaScript teams: Socket now supports Bun and vlt in beta.

You no longer have to choose between innovation and security. Commit a bun.lock or vlt-lock.json and Socket gives you full supply chain protection.
Reposted by Feross
This is at least the third time dYdX-related packages and infrastructure have been compromised in the past four years. Anyone using the #dYdX protocol or exchange should review their exposure.

cc: @campuscodi.risky.biz @bleepingcomputer.com @coindesk.com @web3isgoinggreat.com
February 7, 2026 at 4:18 PM
Reposted by Feross
“Every large OSS project is navigating the same tension between enthusiasm for AI and real concern about its impact... Protect your maintainers. They're a rare asset, hard to replace and easy to lose. Any path forward that burns them out isn't a path forward at all.” - @dries.bsky.social
Anthropic says Claude Opus 4.6 uncovered 500+ high-severity open source vulnerabilities.

What that means for disclosure, patching, and the maintainers at the heart of open source security.

socket.dev/blog/the-nex... #oss
The Next Open Source Security Race: Triage at Machine Speed ...
Claude Opus 4.6 has uncovered more than 500 open source vulnerabilities, raising new considerations for disclosure, triage, and patching at scale.
socket.dev
February 7, 2026 at 12:19 AM
Reposted by Feross
Four legit Open VSX extensions shipped credential-stealing malware after the publisher was compromised. The Eclipse Foundation/Open VSX security team confirmed it was consistent with leaked tokens or other unauthorized publishing access.
🚨 New research: Threat actors compromised four #OpenVSX extensions, pushed malicious updates that load encrypted malware, evade Russian locales, and fetch C2 instructions via #Solana memos, leading to macOS credential and wallet theft.

Full analysis: socket.dev/blog/glasswo...
GlassWorm Loader Hits Open VSX via Suspected Developer Accou...
Threat actors compromised four oorzc Open VSX extensions with more than 22,000 downloads, pushing malicious versions that install a staged loader, evade Ru...
socket.dev
January 31, 2026 at 5:21 PM
Reposted by Feross
"Security work is emotionally expensive and invisible, and sharing it makes it sustainable." - @ulisesgascon.com

Many thanks to @jddalton.bsky.social, @jordan.har.band, and @ulisesgascon.com for their insights on maintaining Lodash and all the hard work put into reviving the project. 💚
January 31, 2026 at 3:51 AM
Reposted by Feross
This is exactly the kind of thing people worry about with browser extensions. It looks like an Amazon ad blocker, but quietly hijacks affiliate links in the background. Most people aren’t reading extension source code (and if you are, congrats 🙃), which is why this works.
Socket’s Threat Research team analyzed a Chrome extension marketed as an Amazon ad blocker that secretly hijacks affiliate links and replaces existing tags with its own.

Full Research → socket.dev/blog/malicio...
Malicious Chrome Extension Performs Hidden Affiliate Hijacki...
A Chrome extension claiming to hide Amazon ads was found secretly hijacking affiliate links, replacing creators’ tags with its own without user consen...
socket.dev
January 27, 2026 at 5:41 PM
Reposted by Feross
Seeing @pfrazee.com, @arathorn.net and @feross.bsky.social all within arm's reach, almost like some sort of centralization!
January 23, 2026 at 11:29 PM
Reposted by Feross
“We are just a small single open source project with a small number of active maintainers. It is not in our power to change how all these people and their slop machines work. We need to make moves to ensure our survival and intact mental health.” - @bagder.mastodon.social.ap.brid.gy
curl maintainer @daniel.haxx.se said the project is shutting down its bug bounty program after maintainers were buried under low-quality, AI-generated slop reports. Security disclosure systems that assume unlimited #OSS maintainer labor are reaching their limits.

socket.dev/blog/curl-sh...
curl Shuts Down Bug Bounty Program After Flood of AI Slop Re...
A surge of AI-generated vulnerability reports has pushed open source maintainers to rethink bug bounties and tighten security disclosure processes.
socket.dev
January 24, 2026 at 3:04 AM
Reposted by Feross
only took a decade longer than anticipated (give or take half a decade)
🎉 Big #NodeJS news this week: v25.4.0 marks require(esm) as stable. After a gradual rollout and ecosystem testing, it’s now safe to depend on across supported releases.

Huge thanks to @joyeecheung.bsky.social and the many contributors who made this possible! 🙏

socket.dev/blog/node-js...
Node.js 25.4.0 Ships with Stable require(esm) - Socket
Node.js 25.4.0 makes require(esm) stable, formalizing CommonJS and ESM compatibility across supported Node versions.
socket.dev
January 22, 2026 at 6:43 PM
Reposted by Feross
My colleague @staltz.com and his team are at it again, working magic with UIs to reduce cognitive load and make security information easier to explore. Excited to see this launched! 💜
The new Alert Details page surfaces more context in one place, with a clearer layout, detected instances, and reachability dependency chains that show how risk flows through your code.

More details → socket.dev/blog/introdu...
Introducing the Alert Details Page: A Better Way to Explore ...
Socket's new Alert Details page is designed to surface more context, with a clearer layout, reachability dependency chains, and structured review.
socket.dev
January 22, 2026 at 6:37 PM
Reposted by Feross
🎉 Big #NodeJS news this week: v25.4.0 marks require(esm) as stable. After a gradual rollout and ecosystem testing, it’s now safe to depend on across supported releases.

Huge thanks to @joyeecheung.bsky.social and the many contributors who made this possible! 🙏

socket.dev/blog/node-js...
Node.js 25.4.0 Ships with Stable require(esm) - Socket
Node.js 25.4.0 makes require(esm) stable, formalizing CommonJS and ESM compatibility across supported Node versions.
socket.dev
January 21, 2026 at 8:12 PM
Reposted by Feross
Cryptomining malware targeting one of Python’s most widely used math libraries.

@campuscodi.risky.biz @decrypt.co @darkreading.bsky.social @coindesk.com
🚨 New research: We uncovered a PyPI package impersonating SymPy that delivers cryptomining malware via in-memory execution.

The typosquat reuses SymPy’s branding and pulls ELF payloads at runtime.

Full analysis: socket.dev/blog/pypi-pa... #Python
PyPI Package Impersonates SymPy to Deliver Cryptomining Malw...
Malicious PyPI package sympy-dev targets SymPy users, a Python symbolic math library with 85 million monthly downloads.
socket.dev
January 21, 2026 at 4:34 PM
Reposted by Feross
📜 A good summary of recent developments around the Temporal API by @sarahgooding.bsky.social

Temporal is the modern replacement for the old JS Date API ✨
January 16, 2026 at 6:13 PM
Reposted by Feross
🎙️ Socket CEO @feross.bsky.social joined host Allie Howe on the Insecure Agents podcast to talk about Certified Patches, supply chain security, and the future of securing AI agents.

Check out the full episode →
socket.dev/blog/insecur...
Insecure Agents Podcast: Certified Patches, Supply Chain Sec...
Socket CEO Feross Aboukhadijeh joins Insecure Agents to discuss CVE remediation and why supply chain attacks require a different security approach.
socket.dev
January 8, 2026 at 10:42 PM
Reposted by Feross
😭 💔 "I feel like a fucking idiot for somehow being able to build this CSS framework that's taken over the world and it's used by everything and it's super popular, but I can't figure out how to have it make enough money that eight people can work on it." - @adamwathan.com
💔 @tailwindcss.com laid off 75% of its engineering team after revenue dropped 80%, despite being more popular than ever. LLMs are killing documentation traffic, breaking the business model that funds development on many open source projects.

Full story → socket.dev/blog/tailwin... #OSS #CSS
Tailwind CSS Announces 75% Layoffs as LLMs Reshape OSS Busin...
Tailwind Labs laid off 75% of its engineering team after revenue dropped 80%, as LLMs redirect traffic away from documentation where developers discov...
socket.dev
January 8, 2026 at 7:51 PM
Strongly recommend this post on npm’s staged publishing change after supply-chain turmoil. npm will roll out staged publishing to add a review step before releases go live after the Shai-Hulud attacks, giving maintainers a chance to catch bad releases.

Read it here: socket.dev/blog/npm-to-...
npm to Implement Staged Publishing After Turbulent Shift Off...
The planned feature introduces a review step before releases go live, following the Shai-Hulud attacks and a rocky migration off classic tokens that d...
socket.dev
January 7, 2026 at 7:58 PM
Must-read from Nicholas C. Zakas (ESLint maintainer) on how GitHub could better secure npm and prevent supply-chain attacks. humanwhocodes.com/blog/2026/01...
How GitHub could secure npm - Human Who Codes
Why doesn't npm detect compromised packages the way credit card companies detect fraud?
humanwhocodes.com
January 7, 2026 at 7:55 PM
Reposted by Feross
@npmjs.bsky.social appears to be massively under-resourced for the scale of the registry it operates. My respect to the teams keeping it running through wave after wave of supply chain attacks.
npm is planning to implement staged publishing, adding a review step before packages go live.

It follows a year of supply chain attacks & a rocky shift away from classic tokens over the past month that left many maintainers struggling.

socket.dev/blog/npm-to-... #NodeJS cc: @campuscodi.risky.biz
npm to Implement Staged Publishing After Turbulent Shift Off...
The planned feature introduces a review step before releases go live, following the Shai-Hulud attacks and a rocky migration off classic tokens that d...
socket.dev
January 7, 2026 at 6:25 PM
Reposted by Feross
🤖⚔️ Battle of the Bots:

Dependabot opens a PR. Socket flags it as malicious.

Socket CEO @feross.bsky.social discusses dependency risk and update timing, on @softwaredaily.bsky.social.

Full episode → socket.dev/blog/softwar...
January 6, 2026 at 10:23 PM
Reposted by Feross
🎙️ In this episode of @softwaredaily.bsky.social, Socket CEO @feross.bsky.social discusses #OSS maintainer burnout.

“I put this code online as a gift to the world. I didn’t promise it would never have a defect.”

Full episode → socket.dev/blog/softwar... #OpenSource
January 6, 2026 at 6:02 PM
Reposted by Feross
🚨 New research: A spearphishing campaign published 27 malicious npm packages that host browser-run lures mimicking document portals and Microsoft sign-in to steal credentials. This operation targets manufacturing and healthcare orgs in the U.S. and allied countries.

socket.dev/blog/spearph...
Spearphishing Campaign Abuses npm Registry to Target U.S. an...
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, ta...
socket.dev
December 23, 2025 at 7:47 PM
Reposted by Feross
Another example of attackers abusing npm as infrastructure. Our threat research team found a spearphishing campaign that published 27 malicious packages to host browser-run phishing pages.

cc: @campuscodi.risky.biz @cisoseries.bsky.social @zackwhittaker.com
socket.dev Socket @socket.dev · Dec 23
🚨 New research: A spearphishing campaign published 27 malicious npm packages that host browser-run lures mimicking document portals and Microsoft sign-in to steal credentials. This operation targets manufacturing and healthcare orgs in the U.S. and allied countries.

socket.dev/blog/spearph...
Spearphishing Campaign Abuses npm Registry to Target U.S. an...
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, ta...
socket.dev
December 23, 2025 at 8:32 PM
Reposted by Feross
Don’t trust free VPNs, don’t install joke Chrome extensions. You know what, just don’t install anything at all from now on. And get a new PC.
socket.dev Socket @socket.dev · Dec 22
🚨 Socket’s Threat Research Team uncovered two malicious "Phantom Shuttle" Chrome extensions masquerading as a VPN since at least 2017, intercepting traffic and exfiltrating credentials via attacker-controlled proxies.

Full research → socket.dev/blog/malicio...
Malicious Chrome Extensions “Phantom Shuttle” Masquerade as ...
Fake “Phantom Shuttle” VPN Chrome extensions (active since 2017) hijack proxy auth to intercept traffic and continuously exfiltrate user credentials t...
socket.dev
December 23, 2025 at 5:43 AM
Reposted by Feross
🚨 Socket’s Threat Research Team uncovered two malicious "Phantom Shuttle" Chrome extensions masquerading as a VPN since at least 2017, intercepting traffic and exfiltrating credentials via attacker-controlled proxies.

Full research → socket.dev/blog/malicio...
Malicious Chrome Extensions “Phantom Shuttle” Masquerade as ...
Fake “Phantom Shuttle” VPN Chrome extensions (active since 2017) hijack proxy auth to intercept traffic and continuously exfiltrate user credentials t...
socket.dev
December 22, 2025 at 9:21 PM
Reposted by Feross
Chrome extensions are still a wild west ecosystem.

This fake “VPN” ran for years and charged users for the privilege of silently intercepting their traffic.

cc: @campuscodi.risky.biz @zackwhittaker.com @cisoseries.bsky.social
socket.dev Socket @socket.dev · Dec 22
🚨 Socket’s Threat Research Team uncovered two malicious "Phantom Shuttle" Chrome extensions masquerading as a VPN since at least 2017, intercepting traffic and exfiltrating credentials via attacker-controlled proxies.

Full research → socket.dev/blog/malicio...
Malicious Chrome Extensions “Phantom Shuttle” Masquerade as ...
Fake “Phantom Shuttle” VPN Chrome extensions (active since 2017) hijack proxy auth to intercept traffic and continuously exfiltrate user credentials t...
socket.dev
December 22, 2025 at 9:58 PM