Socket

2.7K posts


@SocketSecurity

Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS. 👀 @npm_malware

https://socket.dev/careers Joined November 2021
4.6K Following 5.3K Followers
Pinned Tweet
Socket
Socket@SocketSecurity·
🚀 We’re thrilled to announce Socket’s $40M Series B led by @AbstractVC with participation from @eladgil and @a16z!
Socket tweet media
13
17
79
32.7K
Socket retweeted
Feross
Feross@feross·
🚨 Breaking: Trivy GitHub Actions supply chain attack – 75 out of 76 version tags compromised.

If your CI/CD pipelines reference “aquasecurity/trivy-action” by version tag, you’re likely running malware right now.

At Socket, we identified that an attacker force-pushed nearly every version tag in the official aquasecurity/trivy-action repository. That’s @0.0.1 all the way through @0.34.2. Over 10,000 GitHub workflow files reference this action.

The malicious payload runs silently before the legitimate Trivy scan, so nothing looks broken. Meanwhile it’s:
- Dumping runner process memory to extract secrets
- Harvesting SSH keys
- Exfiltrating AWS, GCP, and Azure credentials
- Stealing Kubernetes service account tokens

The only unaffected tag right now appears to be @0.35.0.

Socket independently detected this at 19:15 UTC and generated 182 threat feed entries tied to this campaign – all correctly classified as Backdoor, Infostealer, or Reconnaissance malware.

This is the second Trivy compromise this month. Earlier in March, attackers injected code into the Aqua Trivy VS Code extension on OpenVSX to abuse local AI coding agents.

The compromised tags are still active. Pin to @0.35.0 or use a SHA reference until this is fully remediated.

Full write-up: socket.dev/blog/trivy-und…
0
22
48
9.2K
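The mitigation in the post above is to stop referencing an action by a mutable version tag and pin to a commit SHA instead. The following is an added example, not code from Socket or from Feross's post: a small Python audit that extracts every `uses:` reference from GitHub workflow YAML, marks references pinned to a full 40-hex commit SHA as safe, and raises an alert for any watched action (here `aquasecurity/trivy-action`) that sits on a mutable tag outside the set of tags currently believed unaffected (`0.35.0`, as stated in the post). The workflow text, the watch list shape, and the 40-hex SHA in the sample are constructed for the example; the SHA is a placeholder, not a real trivy-action commit. The line-based regex is an assumption that keeps the script dependency-free; it does not evaluate `${{ }}` expressions or YAML anchors.

```python
"""Audit GitHub workflow YAML for action references not pinned to a commit SHA.
Added example; not code from the original post."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A full 40-hex commit SHA is the only reference that a force-pushed tag
# cannot move; tags and branches are mutable and can be repointed.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo@ref` at step level or in a reusable-workflow job,
# tolerating an optional leading list dash and optional quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)['"]?""")


@dataclass(frozen=True)
class ActionRef:
    line: int     # 1-based line number in the workflow file
    action: str   # e.g. "aquasecurity/trivy-action"
    ref: str      # tag, branch or commit SHA after the '@'

    @property
    def pinned_to_sha(self) -> bool:
        return bool(SHA_RE.fullmatch(self.ref))


def parse_uses(workflow_text: str) -> list[ActionRef]:
    """Extract every remote action reference from workflow YAML text."""
    refs: list[ActionRef] = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local composite actions and docker:// images are not GitHub tag
        # references, so tag pinning does not apply to them.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        refs.append(ActionRef(n, action, ref))
    return refs


def audit(workflow_text: str,
          watched: dict[str, set[str]]) -> list[tuple[int, str, str, str]]:
    """Classify each reference as (line, action, ref, verdict).

    `watched` maps an action name to the set of tags currently believed
    unaffected.  Verdicts:
      "ok"    - pinned to a commit SHA
      "alert" - watched action on a mutable ref outside its unaffected set
      "warn"  - any other mutable tag/branch reference (still worth pinning)
    """
    findings = []
    for r in parse_uses(workflow_text):
        if r.pinned_to_sha:
            verdict = "ok"
        elif r.action in watched and r.ref not in watched[r.action]:
            verdict = "alert"
        else:
            verdict = "warn"
        findings.append((r.line, r.action, r.ref, verdict))
    return findings


# Constructed sample workflow; the 40-hex value is a placeholder SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - uses: 'aquasecurity/trivy-action@0.35.0'
      # constructed placeholder SHA, not a real trivy-action commit
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

# Only 0.35.0 is reported as unaffected in the post above.
WATCHED = {"aquasecurity/trivy-action": {"0.35.0"}}

if __name__ == "__main__":
    for line, action, ref, verdict in audit(SAMPLE_WORKFLOW, WATCHED):
        print(f"line {line:>3}  {verdict:<5}  {action}@{ref}")
```

Run over the sample, the `0.28.0` reference is the only `alert`; `0.35.0` and `actions/checkout@v4` come back as `warn` because a tag, even an unaffected one, can still be repointed later, and only the SHA-pinned step is `ok`. To use it on a real repository, feed each file under `.github/workflows/` to `audit` and fail the check on any `alert`.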
Socket retweeted
Sarah Gooding
Sarah Gooding@sarahgooding·
FYI if you're using Trivy in CI right now: 75 of 76 tags on the official GitHub Action were force-pushed to serve malware. Affects 10K+ workflows. If you're not on v0.35.0, assume compromise.
Socket@SocketSecurity

🚨 Trivy is under attack again. Attackers force-pushed 75 of 76 tags in aquasecurity/trivy-action, impacting 10K+ workflows and turning trusted GitHub Actions into malware. Any version ≠ v0.35.0 may execute an infostealer in CI. Analysis forthcoming: socket.dev/blog/trivy-und…

0
2
3
1.1K
Socket
Socket@SocketSecurity·
🚨 Trivy is under attack again. Attackers force-pushed 75 of 76 tags in aquasecurity/trivy-action, impacting 10K+ workflows and turning trusted GitHub Actions into malware. Any version ≠ v0.35.0 may execute an infostealer in CI. Analysis forthcoming: socket.dev/blog/trivy-und…
0
6
12
3.1K
Socket
Socket@SocketSecurity·
In less than 6 months, companies shipping software in Europe face the first Cyber Resilience Act deadline. @enisa_eu's latest advisory on secure package manager use spells out expectations for SBOMs, dependency monitoring, and vulnerability reporting. socket.dev/blog/enisa-tec…
0
2
1
189
Socket retweeted
Sarah Gooding
Sarah Gooding@sarahgooding·
🪱 Major update to GlassWorm activity on Open VSX: The campaign is now following this pattern: plant sleeper extensions → wire them together via extension packs → activate later → pull payloads from GitHub
Socket@SocketSecurity

🚨 GlassWorm sleeper extensions are now activating on Open VSX.
- 20+ new malicious extensions and ~20 sleepers.
- Some later weaponized to deliver malware via extension updates.
Latest shift: GitHub-hosted VSIX payloads bypass registry takedowns. socket.dev/blog/glassworm…

0
1
1
356
Socket
Socket@SocketSecurity·
🚨 GlassWorm sleeper extensions are now activating on Open VSX.
- 20+ new malicious extensions and ~20 sleepers.
- Some later weaponized to deliver malware via extension updates.
Latest shift: GitHub-hosted VSIX payloads bypass registry takedowns. socket.dev/blog/glassworm…
0
4
12
1.1K
Socket retweeted
Rob Palmer
Rob Palmer@robpalmer2·
JavaScript Weekly newsletter is out - and it's about time 😉 (link below)
Rob Palmer tweet media
2
1
21
1.8K
Socket retweeted
Dark Reading
Dark Reading@DarkReading·
GlassWorm Malware Evolves to Hide in Dependencies: bit.ly/4uzmXMT by Alexander Culafi
2
3
7
3.2K
Socket retweeted
Ahmad Nassri
Ahmad Nassri@AhmadNassri·
🚨 VSCode & OpenVSX users take note: The "GlassWorm" campaign has evolved to weaponize the very structure of your IDE Extensions. @SocketSecurity just uncovered over 73 new malicious extensions. Read the full technical breakdown + IOCs on our blog socket.dev/blog/open-vsx-…
0
2
7
519
Socket
Socket@SocketSecurity·
🚨 Update: Over the weekend we’ve identified 20+ additional malicious extensions tied to this campaign. We are currently monitoring another ~20 "sleeper" extensions that appear related but have not yet delivered the loader.
Socket@SocketSecurity

🚨 New Research: We found 73 malicious Open VSX extensions tied to the GlassWorm campaign. Attackers are now spreading the malware transitively by abusing VS Code extension packs and dependencies. Details → socket.dev/blog/open-vsx-… #openvsx #vscode

0
4
8
1.1K
Socket
Socket@SocketSecurity·
🎉 Big news for #JavaScript developers: After nearly 9 years of work, the Temporal date-time API has reached Stage 4 at @TC39. It will ship as part of ECMAScript 2026 alongside several other proposals advanced at the latest meeting. Learn more → socket.dev/blog/tc39-adva…
1
4
12
1.2K
Socket
Socket@SocketSecurity·
🚨 New Research: We found 73 malicious Open VSX extensions tied to the GlassWorm campaign. Attackers are now spreading the malware transitively by abusing VS Code extension packs and dependencies. Details → socket.dev/blog/open-vsx-… #openvsx #vscode
0
6
16
2.6K
Socket
Socket@SocketSecurity·
6 malicious Packagist packages posing as OphimCMS themes ship trojanized jQuery that exfiltrates URLs, injects ads, and hijacks clicks. The payload connects to FUNNULL infrastructure, a provider sanctioned by the @USTreasury for facilitating crypto scams. socket.dev/blog/6-malicio…
0
4
12
1K
Socket
Socket@SocketSecurity·
@marcba Amazing work! 🤩
0
0
2
327
Marc Backes
Marc Backes@marcba·
Son of a bitch, it worked! 🥳
- Bun backend with Vue-powered reactivity
- Controlling a synchronized routine 1000 phone screens
- Sync corrected for system time offset with NTP
It worked better than I would have ever imagined. Thanks for everything supporting me on this talk ❤️
23
15
414
47K
Socket retweeted
Sarah Gooding
Sarah Gooding@sarahgooding·
This is basically like Mastodon for vulnerability records, except data actually propagates across the whole network instead of staying siloed. Federated vulnerability intelligence, along with legacy CVEs, all map into a shared global index with no single point of failure.
Socket@SocketSecurity

🪲 @CIRCL_LU's GCVE initiative launched its decentralized publishing ecosystem today alongside Vulnerability-Lookup 4.1.0. Any CNA, CSIRT, or vendor with a disclosure policy can now publish vulnerability data without routing through a central authority. socket.dev/blog/gcve-laun…

0
1
3
510