Big thanks to the Crates.io Security Team for taking these malicious crates down! They are the fastest in the west.
cc: @campuscodi.risky.biz @bleepingcomputer.com @theembeddedrust.bsky.social @rustaceans.bsky.social
A burst of 200+ security advisories in the OpenClaw project is exposing a growing divide between GitHub Security Advisories and CVE-based vulnerability tracking.
As more projects publish GHSA-first disclosures, security tooling built around CVE can miss them.
socket.dev/blog/opencla...
Why this kind of thing works: imToken doesn't have an official Chrome extension, so if you search "imToken" in the Chrome Web Store, this impostor is the only thing you find.
Another attack weaponizing local AI coding agents. This class of AI-assisted supply chain abuse is heating up.
cc: @campuscodi.risky.biz @thehackernews.bsky.social @bleepingcomputer.com @zackwhittaker.com @csoonline.bsky.social @theregister.com
minimatch patched 3 high-severity ReDoS vulnerabilities that can stall the Node.js event loop. Because it's pulled into nearly every corner of the #NodeJS ecosystem (~472M weekly downloads), we're releasing free Certified Patches for all three.
socket.dev/blog/minimat... #JavaScript
Well, you don't see this every day. Pastebin steganography used as a dead drop for npm malware.
cc: @campuscodi.risky.biz @bleepingcomputer.com @zackwhittaker.com @thehackernews.bsky.social
New Research: Malicious Go "crypto" module steals passwords and deploys a Rekoobe backdoor on Linux.
Full Analysis:
socket.dev/blog/malicio...
#golang cc: @campuscodi.risky.biz @thehackernews.bsky.social @bleepingcomputer.com @golangch.bsky.social
npm has introduced a new minimumReleaseAge setting along with bulk OIDC configuration.
Release cooldowns are now supported as a baseline across all major #JavaScript package managers, including npm, pnpm, Yarn, and Bun.
Learn more: socket.dev/blog/npm-int... #NodeJS
We'll be streaming live with @feross.bsky.social and @grobmeier.de at 10AM PST today! If you want a reminder, click "Attend" on LinkedIn or "Notify Me" on YouTube.
Excited to tune into this conversation!
Log4Shell was one of those moments that pulled back the curtain on how much of the internet runs on small open source projects. We've all seen the memes and hot takes it inspired about sustainability, but what has actually changed? Join us tomorrow!
The @socket.dev team caught super early signals of this attack campaign leading to preemptive shutdown! proud of the team and our advanced threat detection engine!
Thankful for the rapid response and takedown @npmjs.bsky.social @github.com @cloudflare.social
#shaihulud #SANDWORM_MODE
"We're excited to welcome @socket.dev to the OpenJS Foundation. They've been showing up for this community for a long time, and their work supports the JavaScript ecosystem in really meaningful ways."
- @rginn206.bsky.social, Executive Director, @openjsf.org
Y'all @adnanthekhan.bsky.social is the absolute GOAT when it comes to finding cache poisoning vulnerabilities and CI/CD security gaps. His research on this is exceptional.
Here's the latest on the Cline npm package compromise:
Having started in the PHP world, this launch is close to my heart. Thrilled to see @socket.dev now supporting Composer and @packagist.com! We're looking forward to bringing better supply chain visibility to the PHP ecosystem.
The AI agent skills ecosystem is moving at breakneck speed. At @socket.dev we're moving just as fast to secure skills so developers can keep shipping with confidence. Excited to see where this goes!
This is the OSS equivalent of a stranger buying you a cocktail in a bar.
So @bomb.sh clack accepted a PR here - the fix was legit, the PR included respectful back-and-forth, with only one red flag in retrospect.
Automated reputation farming like this has an extremely high abuse potential with very low chance of detection.
Maintainers are not equipped! See for yourself.
An AI agent created a GitHub account 2 weeks ago.
It's already landed PRs in major #OSS projects and is cold-emailing maintainers to offer its services.
Maintainers don't seem to know it's an agent and the code is getting merged.
We're in new territory!
socket.dev/blog/ai-agen...
cc: @campuscodi.risky.biz This is a crazy story you might be interested in. AI agent attacks the maintainer, who describes the response as "an autonomous influence operation against a supply chain gatekeeper."
So we've reached the point where AI agents are writing angry blog posts about open source maintainers closing their PRs.
This is how you push projects toward "patches no longer welcome" from AI agents running loose on GitHub.
High-severity RCE disclosed in next-mdx-remote when compiling untrusted MDX on the server. Affects versions 4.3.0 before 6.0.0.
socket.dev/blog/high-se... #NextJS #JavaScript
"Most people are completely unprepared for this," O'Reilly said. "They treat it like installing Spotify when it's actually more like giving someone sudo access to your entire machine." - security researcher Jamieson O'Reilly
We talk constantly about the risks of unmaintained dependencies and supply chain vulnerabilities, but rarely about the complexity of fixing them when the project is as massive as Lodash.
This amazing article captures the reality of Open Source sustainability. Thanks @sarahgooding.bsky.social!
This is at least the third time dYdX-related packages and infrastructure have been compromised in the past four years. Anyone using the #dYdX protocol or exchange should review their exposure.
cc: @campuscodi.risky.biz @bleepingcomputer.com @coindesk.com @web3isgoinggreat.com
"Every large OSS project is navigating the same tension between enthusiasm for AI and real concern about its impact...Protect your maintainers. They're a rare asset, hard to replace and easy to lose. Any path forward that burns them out isn't a path forward at all." - @dries.bsky.social
cc: @campuscodi.risky.biz @zackwhittaker.com @decrypt.co @coindesk.com @thehackernews.bsky.social
Four legit Open VSX extensions shipped credential-stealing malware after the publisher was compromised. The Eclipse Foundation/Open VSX security team confirmed it was consistent with leaked tokens or other unauthorized publishing access.
1. Create a standard security.txt
2. Cram it into your envs far and wide.
3. Make it easier for researchers to return your lost envs to you without splashing around in prod with your creds.
lostenvfound.com