Socket (@SocketSecurity)
2.7K posts

Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS. 👀 @npm_malware

https://socket.dev/careers · Joined November 2021
4.6K Following · 5.3K Followers

Pinned Tweet
Socket (@SocketSecurity):
🚀 We’re thrilled to announce Socket’s $40M Series B led by @AbstractVC with participation from @eladgil and @a16z!
Socket (@SocketSecurity):
🚨 Another supply chain attack: Attackers used compromised npm publisher access to deploy a backdoor across 29 packages, with worm-like propagation via stolen tokens and payload delivery through an ICP canister. Details: socket.dev/blog/canisterw… #NodeJS
Socket (@SocketSecurity):
@HeckMaximilian @enisa_eu Thanks for the feedback! We updated the post to be more precise that the CRA applies to software products placed on the EU market, which can include distributed components from SaaS platforms (agents, SDKs, client apps).
Socket (@SocketSecurity):
In less than 6 months, companies shipping software in Europe face the first Cyber Resilience Act deadline. @enisa_eu's latest advisory on secure package manager use spells out expectations for SBOMs, dependency monitoring, and vulnerability reporting. socket.dev/blog/enisa-tec…
Socket (@SocketSecurity):
🚨 Trivy update: maintainers confirm this attack used a compromised credential carried over from the breach in early March. We updated our analysis with full details on how 75 GitHub Action tags were poisoned & how this exposed CI/CD secrets at runtime. socket.dev/blog/trivy-und…
Socket (@SocketSecurity):
🚨 Trivy is under attack again. Attackers force-pushed 75 of 76 tags in aquasecurity/trivy-action, impacting 10K+ workflows and turning trusted GitHub Actions into malware. Any version ≠ v0.35.0 may execute an infostealer in CI. Analysis forthcoming: socket.dev/blog/trivy-und…
Socket retweeted
Feross (@feross):
🚨 Breaking: Trivy GitHub Actions supply chain attack – 75 out of 76 version tags compromised.

If your CI/CD pipelines reference “aquasecurity/trivy-action” by version tag, you’re likely running malware right now.

At Socket, we identified that an attacker force-pushed nearly every version tag in the official aquasecurity/trivy-action repository. That’s @0.0.1 all the way through @0.34.2. Over 10,000 GitHub workflow files reference this action.

The malicious payload runs silently before the legitimate Trivy scan, so nothing looks broken. Meanwhile it’s:
- Dumping runner process memory to extract secrets
- Harvesting SSH keys
- Exfiltrating AWS, GCP, and Azure credentials
- Stealing Kubernetes service account tokens

The only unaffected tag right now appears to be @0.35.0.

Socket independently detected this at 19:15 UTC and generated 182 threat feed entries tied to this campaign – all correctly classified as Backdoor, Infostealer, or Reconnaissance malware.

This is the second Trivy compromise this month. Earlier in March, attackers injected code into the Aqua Trivy VS Code extension on OpenVSX to abuse local AI coding agents.

The compromised tags are still active. Pin to @0.35.0 or use a SHA reference until this is fully remediated.

Full write-up: socket.dev/blog/trivy-und…
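The post's mitigation is to pin aquasecurity/trivy-action to the 0.35.0 tag or to a commit SHA. The following audit is an added example (not code from the post, from Socket, or from the Trivy project) that scans workflow text for references to that action and flags any that still use a mutable tag or branch; the workflow text is constructed for the demo and the SHA in it is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow for the demo; the 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""

# Matches a `uses:` step referencing trivy-action; the ref ends at whitespace or a YAML comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*aquasecurity/trivy-action@([^\s#]+)", re.MULTILINE)
# A full 40-character lowercase hex ref is an immutable commit pin (a short SHA is not).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# The only tag the post reports as unaffected. Tags are mutable, so a SHA pin is still preferable,
# and a SHA pin is only as good as the verification that the commit it names is known-good.
SAFE_TAGS = {"0.35.0", "v0.35.0"}


def classify_ref(ref):
    """Classify one ref as an immutable SHA pin, the reported-unaffected tag, or a mutable ref."""
    if SHA_RE.match(ref):
        return "pinned-sha"
    if ref in SAFE_TAGS:
        return "unaffected-tag"
    return "mutable-ref"  # any other tag or branch name can be force-pushed


def audit_workflow(text):
    """Return (ref, verdict) for every trivy-action reference found in a workflow file."""
    return [(m.group(1), classify_ref(m.group(1))) for m in USES_RE.finditer(text)]


def flagged_refs(text):
    """Return only the refs that should be re-pinned before the workflow runs again."""
    return [ref for ref, verdict in audit_workflow(text) if verdict == "mutable-ref"]


if __name__ == "__main__":
    for ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{verdict:15} aquasecurity/trivy-action@{ref}")
```

Run it over each file under .github/workflows in a repository to get the list of steps to re-pin; a branch ref such as master is flagged alongside tags because both can be rewritten upstream.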
Socket retweeted
Sarah Gooding (@sarahgooding):
FYI if you're using Trivy in CI right now: 75 of 76 tags on the official GitHub Action were force-pushed to serve malware. Affects 10K+ workflows. If you're not on v0.35.0, assume compromise.
Quoting Socket (@SocketSecurity):
🚨 Trivy is under attack again. Attackers force-pushed 75 of 76 tags in aquasecurity/trivy-action, impacting 10K+ workflows and turning trusted GitHub Actions into malware. Any version ≠ v0.35.0 may execute an infostealer in CI. Analysis forthcoming: socket.dev/blog/trivy-und…
Socket retweeted
Sarah Gooding (@sarahgooding):
🪱 Major update to GlassWorm activity on Open VSX: The campaign is now following this pattern: plant sleeper extensions → wire them together via extension packs → activate later → pull payloads from GitHub
Quoting Socket (@SocketSecurity):
🚨 GlassWorm sleeper extensions are now activating on Open VSX. - 20+ new malicious extensions and ~20 sleepers. - Some later weaponized to deliver malware via extension updates. Latest shift: GitHub-hosted VSIX payloads bypass registry takedowns. socket.dev/blog/glassworm…
Socket (@SocketSecurity):
🚨 GlassWorm sleeper extensions are now activating on Open VSX. - 20+ new malicious extensions and ~20 sleepers. - Some later weaponized to deliver malware via extension updates. Latest shift: GitHub-hosted VSIX payloads bypass registry takedowns. socket.dev/blog/glassworm…
Socket retweeted
Rob Palmer (@robpalmer2):
JavaScript Weekly newsletter is out - and it's about time 😉 (link below)
Socket retweeted
Dark Reading (@DarkReading):
GlassWorm Malware Evolves to Hide in Dependencies: bit.ly/4uzmXMT by Alexander Culafi
Socket retweeted
Ahmad Nassri (@AhmadNassri):
🚨 VSCode & OpenVSX users take note: The "GlassWorm" campaign has evolved to weaponize the very structure of your IDE Extensions. @SocketSecurity just uncovered over 73 new malicious extensions. Read the full technical breakdown + IOCs on our blog socket.dev/blog/open-vsx-…
Socket (@SocketSecurity):
🚨 Update: Over the weekend we’ve identified 20+ additional malicious extensions tied to this campaign. We are currently monitoring another ~20 "sleeper" extensions that appear related but have not yet delivered the loader.
Quoting Socket (@SocketSecurity):
🚨 New Research: We found 73 malicious Open VSX extensions tied to the GlassWorm campaign. Attackers are now spreading the malware transitively by abusing VS Code extension packs and dependencies. Details → socket.dev/blog/open-vsx-… #openvsx #vscode
Socket retweeted
Socket (@SocketSecurity):
🎉 Big news for #JavaScript developers: After nearly 9 years of work, the Temporal date-time API has reached Stage 4 at @TC39. It will ship as part of ECMAScript 2026 alongside several other proposals advanced at the latest meeting. Learn more → socket.dev/blog/tc39-adva…