Socket

3K posts


@SocketSecurity

Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS. 👀 @npm_malware

https://socket.dev/careers · Joined November 2021
4.6K Following · 15.9K Followers
Pinned Tweet
Socket @SocketSecurity
🚀 We’re thrilled to announce Socket’s $40M Series B led by @AbstractVC with participation from @eladgil and @a16z!

Socket reposted
François Best @fortysevenfx
Hackers behind Shai-Hulud are now offering crypto bounties to their mates for the trophy of highest vuln on OSS packages. socket.dev/blog/teampcp-s… I’m tired, boss 😓

Socket reposted
Feross @feross
Another day, another MASSIVE npm supply chain attack. If you haven't installed @SocketSecurity yet (it's free!), you should have done this yesterday. The second best time to install it is today!
Quoting Socket @SocketSecurity (the node-ipc alert below)

Circumjovial @CircumjovialLLC
@SocketSecurity Excellent work, Socket! If it doesn't exist already, it'd be great if there was a hook during "npm install" to check all package versions for such flags and fail the install if found? If this exists, can someone reply with a "how to"?

Socket @SocketSecurity
🚨 Socket detected malicious activity in newly published versions of node-ipc, an npm package with 822K weekly downloads. Affected versions: node-ipc@9.1.6 node-ipc@9.2.3 node-ipc@12.0.1 Socket’s AI scanner flagged the malware within ~3 minutes of publication. Early analysis shows obfuscated stealer/backdoor behavior, including host fingerprinting, local file enumeration, payload wrapping, and attempted exfiltration.

Socket @SocketSecurity
Update: We added our technical analysis. Notable findings: → Likely dormant maintainer account takeover → Payload appended to the CommonJS entrypoint, node-ipc.cjs → Steals developer/CI secrets from env vars and config files → Exfiltrates via DNS TXT queries, not HTTP socket.dev/blog/node-ipc-…

Socket @SocketSecurity
@TekDefense Thanks, the post has been updated and we cited you in our technical analysis!

1aN0rmus @TekDefense
Looking like domain takeover to get this one: domain expired 2025-01-10, attacker re-registered it 2026-05-07 via NameCheap.
2001-01-10 atlantis-software[.]net registered (legitimate, OVH)
2025-01-10 Domain expires (not renewed)
2026-05-07 Attacker re-registers domain via NameCheap
2026-05-07+ Attacker sets up email (MX records), receives npm password reset // A little speculation
2026-05-14 Three malicious versions published (14:25-14:26 UTC)

Socket @SocketSecurity
Developers should avoid installing these versions and audit recent installs. Technical analysis to follow: socket.dev/blog/node-ipc-…

Socket @SocketSecurity
🏁 TeamPCP and BreachForums are running a supply chain attack contest: $1,000 in Monero for the biggest haul of compromised open source packages, measured by download counts. The group open sourced Shai-Hulud as attack tooling and requires it for entry. socket.dev/blog/teampcp-s…

Socket reposted
Samuel Umoren @saameeey
This is how I set up Socket Firewall to protect my local dev environment from supply chain attacks. The core idea is simple: package installs are now part of the attack surface. npm install, pip install, CI jobs, and LLM agent workspaces can all execute attacker-controlled code before anything reaches production. So I wrapped my package managers with @SocketSecurity's sfw, cleared local caches, and made normal commands like npm, pnpm, yarn, pip, uv, and cargo route through Socket Firewall by default.
The article covers:
1. Why the TanStack npm compromise made this urgent
2. How install-time protection differs from auditing after the fact
3. The shell wrapper setup
4. What LLM coding agents should do before installing packages
Supply chain security cannot depend on everyone remembering to be careful at the exact moment they are trying to move fast. The safer path has to become the default path.
x.com/i/article/2054…

Socket @SocketSecurity
Yep, that works as a lightweight local guardrail. It makes Socket Firewall the default path for everyday installs. For macOS/Linux users, the equivalent in zsh/bash would be:
alias npm="sfw npm"
alias yarn="sfw yarn"
alias pnpm="sfw pnpm"
alias pip="sfw pip"
alias uv="sfw uv"
alias cargo="sfw cargo"

Jeremy @JeremyDc4
Hey @SocketSecurity, would it be considered good practice to auto-wrap package manager commands with an sfw prefix so they always go through the Socket Firewall? E.g. via PowerShell Profile Functions on Windows (see image)
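
Socket's alias list above makes Socket Firewall the default for an interactive shell. The block below is an added example, not Socket's own code, that does the same with shell functions: functions can be sourced into setup scripts and CI steps (or exported with bash's export -f), where aliases from .bashrc/.zshrc are not expanded by default, and the wrapper refuses to run the bare tool with a clear message when sfw is not on the machine. It assumes sfw is invoked as `sfw <package-manager> ...`, as in the aliases above; SFW_WRAP_BIN is a variable of this wrapper, not an sfw option, and the package-manager list is the one from Socket's reply.

```shell
#!/bin/sh
# Added example, not Socket's own code: fail-closed wrappers that route the
# package managers from the thread above through `sfw` (Socket Firewall,
# installed with `npm install -g sfw`).
#
# SFW_WRAP_BIN is this wrapper's own variable (assumption, not an sfw option):
# set it to pin a particular sfw binary; it defaults to whatever `sfw` is on PATH.

sfw_wrap() {
  _pm="$1"; shift
  _bin="${SFW_WRAP_BIN:-sfw}"
  if ! command -v "$_bin" >/dev/null 2>&1; then
    printf 'sfw_wrap: %s not found; refusing to run %s unprotected\n' "$_bin" "$_pm" >&2
    return 127
  fi
  command "$_bin" "$_pm" "$@"
}

# Functions rather than aliases: they can be sourced into non-interactive
# scripts, and `command npm ...` still reaches the bare tool when you mean to.
for pm in npm yarn pnpm pip uv cargo; do
  eval "$pm() { sfw_wrap $pm \"\$@\"; }"
done
```

Put this in a file such as ~/.sfw-wrappers.sh (a hypothetical name), source it from your rc file and from any bootstrap script, and the same guard applies whether a person or an agent types `npm install`; the non-zero return on a missing sfw is what stops a CI step from quietly continuing without the firewall.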

Socket reposted
The Hacker News @TheHackersNews
⚠️ GemStuffer used more than 150 RubyGems packages to exfiltrate scraped U.K. council portal data, not distribute malware. The gems collected ModernGov pages, built .gem archives, and published them to RubyGems with hardcoded credentials. Read: thehackernews.com/2026/05/gemstu…

Socket reposted
Socket @SocketSecurity
💎 New GemStuffer Campaign: Socket detected a RubyGems registry abuse campaign stuffing scraped UK council portal pages into junk gems. PoC worm, scraper, or spam? Low downloads, repeated publishing, and 155 artifacts tracked so far. New Research → socket.dev/blog/gemstuffer

Socket @SocketSecurity
🐘 @packagist is urging #PHP projects to update Composer after a GitHub token format change caused some GitHub Actions tokens to be exposed in CI logs. GitHub has rolled back the token change for now, but affected projects still need to update Composer. socket.dev/blog/packagist…

Socket @SocketSecurity
It’s not every day a competitor promotes your product in their launch image. Thanks for the endorsement, Endor Labs. 😅 For anyone wondering, sfw is Socket Firewall, and yes, you can install it from npm today: npm install -g sfw

Socket @SocketSecurity
@peer_rich Only if it’s not another obituary. 🙃