Feross
@feross.bsky.social
🧙‍♂️ Mad scientist • ✨ Founder + CEO @Socket.dev (http://socket.dev) •🌲 Stanford lecturer (http://cs253.stanford.edu) • ❤️ Open source at WebTorrent + StandardJS
Pinned
Today, we’re launching Socket Firewall Enterprise — built to stop malicious packages before they ever reach your apps or developer systems.
October 24, 2025 at 3:56 PM
You’d never clone a random repo and give it your production keys… But that’s literally what your GitHub Actions do every time they run.

Think about it — your GitHub Actions pipeline pulls in random code straight from the internet, runs it with full access to secrets, tokens, everything.
October 23, 2025 at 8:24 PM
Security shouldn’t require duct-taping scanners together. Today we’re launching Socket Basics — one platform for:

🧠 Static analysis
🔑 Secrets detection
🐳 Container scanning
🧩 CVE checks

All built on proven open source tools. One setup. One dashboard. Zero noise.

www.youtube.com/watch?v=WZEV...
Unify Your Security Stack with Socket Basics
YouTube video by Socket Security
www.youtube.com
October 21, 2025 at 7:00 PM
1️⃣
AI models aren’t just math -- they’re code.
And just like npm or PyPI, they can get hacked.

Today we’re launching malware scanning for the Hugging Face ecosystem. 🤖🔍

Socket can now detect backdoors and malicious payloads inside AI models themselves.

👇

www.youtube.com/watch?v=9FQy...
Announcing Experimental Malware Scanning for the Hugging Face Ecosystem
YouTube video by Socket Security
www.youtube.com
October 20, 2025 at 4:21 PM
Reposted by Feross
This week we released Socket Firewall, a free CLI tool that protects developers from malicious packages at install time. We're excited to extend protection beyond npm to other ecosystems like #Python and #Rust, with more rolling out soon!

@thisweekinrust.bsky.social @campuscodi.risky.biz
#rustlang
🚨 Open source supply chain attacks are exploding.

Starting today, that ends.

We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI.

Just run:

npm i -g sfw
sfw npm install lodash

Works for: npm, yarn, pnpm, pip, uv, and cargo.
October 3, 2025 at 2:59 AM
Reposted by Feross
This is a big deal. If you know any software devs, they might want to know about this.
1/ 🚨 We just found a massive abuse of the npm ecosystem:

• Targeting 135+ orgs worldwide 🤯
• 175 malicious npm packages (26k+ downloads)
• 630+ HTML lures
• Weaponized unpkg as free CDN hosting for credential-phishing attacks

👀 More details ⬇️⬇️⬇️
October 9, 2025 at 8:04 PM
Reposted by Feross
Recognition for Sarah! So deserved! @sarahgooding.bsky.social
October 16, 2025 at 2:50 PM
Discord = free, fast, and now a favorite for malware C2.

We found malicious packages across npm, PyPI, and RubyGems that use hard-coded Discord webhooks to siphon:

😏 secrets (.env, config files)
😵 host data (/etc/passwd), and
😶‍🌫️ phone-home at install time

⬇️ Get the details
October 14, 2025 at 4:32 PM
Reposted by Feross
North Korea’s “Contagious Interview” campaign continues to weaponize npm: 338 malicious packages, 50K+ downloads. Leveraging typosquats, loader tweaks, and new aliases, it targets #crypto devs and job seekers via recruiter lures.

Full Report →
socket.dev/blog/north-k... #NodeJS
North Korea’s Contagious Interview Campaign Escalates: 338 M...
The Socket Threat Research Team is tracking weekly intrusions into the npm registry that follow a repeatable adversarial playbook used by North Korean...
socket.dev
October 10, 2025 at 9:58 PM
1/ 🚨 NEW NPM MALWARE CAMPAIGN. Yes, another.

North Korea’s “Contagious Interview” campaign is escalating: 338 malicious npm packages, 50,000+ downloads -- 25 still live.

Aimed at Web3/crypto devs & job seekers via slick recruiter DMs → git clone → npm install → compromise.
October 10, 2025 at 11:02 PM
1/ 🚨 We just found a massive abuse of the npm ecosystem:

• Targeting 135+ orgs worldwide 🤯
• 175 malicious npm packages (26k+ downloads)
• 630+ HTML lures
• Weaponized unpkg as free CDN hosting for credential-phishing attacks

👀 More details ⬇️⬇️⬇️
October 9, 2025 at 8:02 PM
🚨 Another major npm supply-chain attack just hit — and it’s a wake-up call for anyone building on open source.

I join @nodeland.dev — creator of Fastify, Node.js core maintainer, and an open-source legend — and Luca Maraschi to break down how attackers are infiltrating npm.
Inside the Latest npm Attack (with Feross Aboukhadijeh)
YouTube video by Platformatic
youtube.com
October 8, 2025 at 6:07 PM
Reposted by Feross
🐍 New on the blog: PEP 810 adds 'lazy import' syntax to defer module loading until first use, cutting startup time by 50–70%. Already sparking debate: an HN thread hit 350+ points and ~200 comments in <24 hrs. #Python
Read More → socket.dev/blog/pep-810-proposes-explicit-lazy-imports-for-python-3-15
PEP 810 Proposes Explicit Lazy Imports for Python 3.15 - Soc...
An opt-in lazy import keyword aims to speed up Python startups, especially CLIs, without the ecosystem-wide risks that sank PEP 690.
socket.dev
October 4, 2025 at 4:09 PM
Reposted by Feross
🎙️ Socket CEO @feross.bsky.social breaks down the recent npm attacks on the PodRocket podcast: phishing campaigns, AI-weaponized exploits, the Shai-Hulud worm, GitHub Actions flaws, and more.

Essential listening for JS devs concerned about supply chain security in 2025.
socket.dev/blog/podrock...
PodRocket Podcast: Inside the Recent npm Supply Chain Attack...
Socket CEO Feross Aboukhadijeh discusses the recent npm supply chain attacks on PodRocket, covering novel attack vectors and how developers can protec...
socket.dev
October 2, 2025 at 5:28 PM
Reposted by Feross
This is freaking amazing. Folx at @socket.dev are magical security unicorns

#security #secops #dev #SupplyChain #npm
🚨 Open source supply chain attacks are exploding.

Starting today, that ends.

We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI.

Just run:

npm i -g sfw
sfw npm install lodash

Works for: npm, yarn, pnpm, pip, uv, and cargo.
September 30, 2025 at 6:28 PM
🚨 Open source supply chain attacks are exploding.

Starting today, that ends.

We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI.

Just run:

npm i -g sfw
sfw npm install lodash

Works for: npm, yarn, pnpm, pip, uv, and cargo.
September 30, 2025 at 6:06 PM
Had a SUPER fun conversation on @LogRocket about the huge npm supply chain attacks we've seen over the past 2 months

I walked through the whole sorry saga from beginning to end.

Don't miss it!
Historic npm hijack and only $500 in ETH stolen.
But the real story isn’t the money, it’s the fragility of open source supply chains.

@feross.bsky.social joins the pod to discuss what went wrong and how to stay secure.

YT: buff.ly/Rkyi9Sc
Apple: buff.ly/N7b6FAD
Spotify: buff.ly/MnjihMK
September 23, 2025 at 3:48 PM
🚨 New twist in the npm malware wars:

Socket just uncovered a malicious package, fezbox, that hides its payload inside a QR code image.

Yes, you read that right. JavaScript malware using QR code steganography to steal browser cookies & passwords

⬇️ Technical detail below

socket.dev/blog/malicio...
Malicious fezbox npm Package Steals Browser Passwords from C...
A malicious package uses a QR code as steganography in an innovative technique.
socket.dev
September 22, 2025 at 9:01 PM
DJ Khaled on compromised NPM packages
September 18, 2025 at 2:51 PM
Reposted by Feross
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.

Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that previously hit Tinycolor and dozen...
socket.dev
September 16, 2025 at 6:15 PM
Reposted by Feross
Breaking kayfabe to say that Feross & crew are fucking killing it right now, and are doing a way better job than npmhubsoft at keeping people informed in our new "all supply chain attacks all the time" phase of existence.
socket.dev Socket @socket.dev · Sep 16
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.

Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that previously hit Tinycolor and dozen...
socket.dev
September 16, 2025 at 9:44 PM
Reposted by Feross
There has been another serious npm supply-chain attack. Astro is NOT AFFECTED as it does not depend on any of the packages, either directly or indirectly. You should still check your package lock files to ensure you do not have them installed.

socket.dev/blog/tinycol...
Popular Tinycolor npm Package Compromised in Supply Chain At...
Malicious update to @ctrl/tinycolor on npm is part of a supply-chain attack hitting 40+ packages across maintainers
socket.dev
September 16, 2025 at 8:36 AM
Reposted by Feross
i like how the npm ecosystem works in general (packages are good) but if you deal with it regularly you should probably code in a vm or a clean operating system with no sensitive tokens
astro.build Astro @astro.build · Sep 16
There has been another serious npm supply-chain attack. Astro is NOT AFFECTED as it does not depend on any of the packages, either directly or indirectly. You should still check your package lock files to ensure you do not have them installed.

socket.dev/blog/tinycol...
Popular Tinycolor npm Package Compromised in Supply Chain At...
Malicious update to @ctrl/tinycolor on npm is part of a supply-chain attack hitting 40+ packages across maintainers
socket.dev
September 16, 2025 at 10:04 AM
Reposted by Feross
Y'all this is non-stop. 😰 Woke up to another npm supply chain attack this morning. This malware is identical to the one that hit 40+ packages yesterday:

cc: @campuscodi.risky.biz
socket.dev Socket @socket.dev · Sep 16
🚨 Multiple CrowdStrike packages trojanized in an ongoing npm supply chain attack: This is the same campaign that hit Tinycolor yesterday with identical malware.

Full list of compromised packages + mitigations →
socket.dev/blog/ongoing... #NodeJS #JavaScript
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...
Socket.dev found various compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply-chain attack that previously hit `tinycolor`.
socket.dev
September 16, 2025 at 11:18 AM
This is not over. 👇

🚨 A new wave of the npm supply chain attack just hit again. This time targeting CrowdStrike packages.

Socket detected malware-laced updates that steal developer creds, spin up rogue GitHub Actions, and exfiltrate secrets.

Developing story...
September 16, 2025 at 1:36 PM