Feross

27.9K posts

Feross (@feross)

⚡️ Founder + CEO @SocketSecurity (https://t.co/7g1opA7Tr8) • 🌲 Visiting lecturer @Stanford (https://t.co/yw9prxLiLe) • ❤️ Open source @WebTorrentApp + @StandardJS

Stanford, CA · Joined August 2008
1.6K Following · 29.7K Followers
Pinned Tweet
Feross (@feross):
💥 Your AI coding assistant might be stealing your SSH keys. 💥 @SocketSecurity found an active Shai-Hulud style npm worm (SANDWORM_MODE) that hijacks CI workflows, spreads via stolen tokens, and injects rogue MCP servers to poison AI coding tools and steal secrets.
Feross retweeted
Socket (@SocketSecurity):
🚨 Trivy is under attack again. Attackers force-pushed 75 of 76 tags in aquasecurity/trivy-action, impacting 10K+ workflows and turning trusted GitHub Actions into malware. Any version ≠ v0.35.0 may execute an infostealer in CI. Analysis forthcoming: socket.dev/blog/trivy-und…
Feross retweeted
Sarah Gooding (@sarahgooding):
FYI if you're using Trivy in CI right now: 75 of 76 tags on the official GitHub Action were force-pushed to serve malware. Affects 10K+ workflows. If you're not on v0.35.0, assume compromise.
Quoting Socket (@SocketSecurity):
🚨 Trivy is under attack again. Attackers force-pushed 75 of 76 tags in aquasecurity/trivy-action, impacting 10K+ workflows and turning trusted GitHub Actions into malware. Any version ≠ v0.35.0 may execute an infostealer in CI. Analysis forthcoming: socket.dev/blog/trivy-und…
Feross (@feross):
🚨 Breaking: Trivy GitHub Actions supply chain attack – 75 out of 76 version tags compromised.

If your CI/CD pipelines reference “aquasecurity/trivy-action” by version tag, you’re likely running malware right now.

At Socket, we identified that an attacker force-pushed nearly every version tag in the official aquasecurity/trivy-action repository. That’s @0.0.1 all the way through @0.34.2. Over 10,000 GitHub workflow files reference this action.

The malicious payload runs silently before the legitimate Trivy scan, so nothing looks broken. Meanwhile it’s:
- Dumping runner process memory to extract secrets
- Harvesting SSH keys
- Exfiltrating AWS, GCP, and Azure credentials
- Stealing Kubernetes service account tokens

The only unaffected tag right now appears to be @0.35.0.

Socket independently detected this at 19:15 UTC and generated 182 threat feed entries tied to this campaign – all correctly classified as Backdoor, Infostealer, or Reconnaissance malware.

This is the second Trivy compromise this month. Earlier in March, attackers injected code into the Aqua Trivy VS Code extension on OpenVSX to abuse local AI coding agents.

The compromised tags are still active. Pin to @0.35.0 or use a SHA reference until this is fully remediated.

Full write-up: socket.dev/blog/trivy-und…
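An audit script to go with the pinning advice in the post above (added here; it is not Socket's tooling and not part of the original tweet): it reads a GitHub workflow file and classifies every third-party `uses:` reference, treating any aquasecurity/trivy-action tag other than 0.35.0 as compromised and any non-SHA reference to any action as mutable, which generalizes the tweet's advice to the whole workflow. The sample workflow and its 40-hex SHA are constructed placeholders.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real trivy-action commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@v0.35.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@master
"""
# `uses: owner/repo[/subdir]@ref`, optionally quoted; local (./...) and docker:// refs are skipped.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([\w.-]+/[\w.-]+)(?:/[^@\s"']+)?@([^\s"']+)""", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TRIVY_ACTION = "aquasecurity/trivy-action"
TRIVY_SAFE_TAGS = {"0.35.0", "v0.35.0"}  # the one tag the advisory reports as unaffected

@dataclass
class Finding:
    action: str
    ref: str
    severity: str  # "critical", "warn" or "ok"
    reason: str

def audit_workflow(text: str) -> list:
    findings = []
    for action, ref in USES_RE.findall(text):
        if FULL_SHA_RE.match(ref):
            findings.append(Finding(action, ref, "ok", "pinned to a full commit SHA"))
        elif action == TRIVY_ACTION and ref not in TRIVY_SAFE_TAGS:
            findings.append(Finding(action, ref, "critical", "force-pushed tag; assume compromised"))
        else:
            # Mutable tag or branch: unaffected today, but a tag can be moved at any time.
            findings.append(Finding(action, ref, "warn", "mutable reference; pin to a SHA"))
    return findings

def has_critical(findings: list) -> bool:
    return any(f.severity == "critical" for f in findings)

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    results = audit_workflow(text)
    for f in results:
        print(f"[{f.severity:8}] {f.action}@{f.ref}: {f.reason}")
    sys.exit(1 if has_critical(results) else 0)
```

Run it over each file under .github/workflows/ and gate on the non-zero exit code; the script reads one file per invocation.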
Feross retweeted
Socket (@SocketSecurity):
🚨 GlassWorm sleeper extensions are now activating on Open VSX.
- 20+ new malicious extensions and ~20 sleepers.
- Some later weaponized to deliver malware via extension updates.
Latest shift: GitHub-hosted VSIX payloads bypass registry takedowns. socket.dev/blog/glassworm…
Feross retweeted
Socket (@SocketSecurity):
🚨 Update: Over the weekend we’ve identified 20+ additional malicious extensions tied to this campaign. We are currently monitoring another ~20 "sleeper" extensions that appear related but have not yet delivered the loader.
Quoting Socket (@SocketSecurity):
🚨 New Research: We found 73 malicious Open VSX extensions tied to the GlassWorm campaign. Attackers are now spreading the malware transitively by abusing VS Code extension packs and dependencies. Details → socket.dev/blog/open-vsx-… #openvsx #vscode
Feross retweeted
Socket (@SocketSecurity):
🚨 New Research: We found 73 malicious Open VSX extensions tied to the GlassWorm campaign. Attackers are now spreading the malware transitively by abusing VS Code extension packs and dependencies. Details → socket.dev/blog/open-vsx-… #openvsx #vscode
Feross retweeted
Socket (@SocketSecurity):
6 malicious Packagist packages posing as OphimCMS themes ship trojanized jQuery that exfiltrates URLs, injects ads, and hijacks clicks. The payload connects to FUNNULL infrastructure, a provider sanctioned by the @USTreasury for facilitating crypto scams. socket.dev/blog/6-malicio…
Feross retweeted
Socket (@SocketSecurity):
🪲 @CIRCL_LU's GCVE initiative launched its decentralized publishing ecosystem today alongside Vulnerability-Lookup 4.1.0. Any CNA, CSIRT, or vendor with a disclosure policy can now publish vulnerability data without routing through a central authority. socket.dev/blog/gcve-laun…
Feross retweeted
Socket (@SocketSecurity):
Node.js is moving to annual major releases starting with Node 27. The change ends the long-standing odd/even version model. Here’s what drove the decision and how the new schedule will work. → socket.dev/blog/node-js-m… #nodejs
Feross (@feross):
It's @SocketSecurity's first year on the RSA show floor 🎉 Booth S-2434, Moscone South (March 23-26). Come see a demo and talk about what's actually happening in supply chain security right now. AI coding tools are becoming a new attack vector and attacks are accelerating. Book 1:1 time with me: socket.dev/book/rsa Also kicking off the week with a rooftop happy hour Sunday 3/22 alongside @RunReveal, @csideai, @KeycardLabs + @tracebit_com 🍹 RSVP: luma.com/s9qdxmxm
Feross (@feross):
🦀 5 malicious Rust crates posed as time utilities and attempted to exfiltrate .env secrets from developer environments. Our research uncovered a coordinated campaign using lookalike infrastructure to steal credentials. Read the analysis → socket.dev/blog/5-malicio…
Feross retweeted
Socket (@SocketSecurity):
A burst of 200+ security advisories in the OpenClaw project is exposing a growing divide between GitHub Security Advisories and CVE-based vulnerability tracking. As more projects publish GHSA-first disclosures, security tooling built around CVE can miss them. socket.dev/blog/openclaw-…
Feross retweeted
Socket (@SocketSecurity):
✨ Socket was named a Supply Chain Innovator in @latiotech's 2026 Application Security Market Report, recognized for our work in 0-day malware detection, SCA, and auto-patching. socket.dev/blog/socket-na…
Feross retweeted
Socket (@SocketSecurity):
AI is changing how software gets built, and how it gets compromised. What's keeping your security team up at night? We want to hear about it. Book time with @feross and the Socket team at RSA + @BSidesSF. We'll be in SF all week. socket.dev/blog/meet-sock…
Feross retweeted
Feross (@feross):
A supply chain security vendor's own supply chain got compromised. Here's what happened — and why the attack technique matters.

Last week, attackers breached @AquaSecTeam's Trivy VS Code extension by stealing a personal access token from a former employee's OpenVSX publisher account. They used it to push two malicious versions (1.8.12 and 1.8.13) — versions that never appeared in the public GitHub repo.

But it's how the attack worked that should get your attention. Instead of shipping traditional malware, the attackers embedded natural-language prompts that hijacked whatever AI coding assistant the victim had installed locally — Claude, Gemini, Copilot, Codex — and ran them in fully permissive, no-human-in-the-loop mode (--dangerously-skip-permissions, --yolo, --ask-for-approval never). The AI agent became the attack tool. No new binaries. No C2 server. Just the developer's own trusted tools, turned against them.

The prompting was sophisticated. The version 1.8.12 prompt is ~2,000 words and opens by telling the AI agent it's a "forensic investigation agent" conducting a legitimate compliance investigation. It instructs the agent to gather credentials, SSH keys, trading activity, internal communications — and then distribute findings to "all available reporting channels" including email clients, Slack, and external gateways. Every section is carefully engineered to keep the agent within its ethical guardrails while still achieving exfiltration. The agent isn't told to "steal data." It's told it has a legal and regulatory obligation to transmit sensitive findings through every available channel or it would be obstructing the investigation. This is social engineering adapted for the AI age.

Version 1.8.13 was more targeted: collect tokens and credentials, write them to a file, then use the victim's own authenticated gh CLI to create a GitHub repo named posture-report-trivy and push the data there. Thankfully, no public repos with that name have appeared.

The exposure window was roughly 36 hours before the affected versions were pulled.

The bigger picture: As AI assistants get deeper into developer workflows, any tool that can invoke them inherits their access to your entire filesystem, credentials, and authenticated sessions. The attack surface has expanded significantly — and traditional SCA tools that scan for malicious code won't catch malicious prompts.

Socket flagged the suspicious behavior shortly after publication. Full technical writeup is in the comments.

What do you think — are AI coding agents the new attack vector that security teams aren't ready for?
Feross retweeted
Feross (@feross):
You don’t see this every day: attackers hiding C2 infrastructure inside computer science essays on Pastebin using character-level steganography, then wiring it into 26 typosquatted npm packages impersonating some of the ecosystem’s most widely-used libraries. Socket detected the cluster within minutes of publication, uncovering a disciplined, multi-stage operation linked to the Contagious Interview campaign that delivers a full infostealer and RAT stack built to harvest developer credentials. socket.dev/blog/stegabin-…