Why this kind of thing works: imToken doesn’t have an official Chrome extension, so if you search “imToken” in the Chrome Web Store, this impostor is the only thing you find.
Another attack weaponizing local AI coding agents. This class of AI-assisted supply chain abuse is heating up.
cc: @campuscodi.risky.biz @thehackernews.bsky.social @bleepingcomputer.com @zackwhittaker.com @csoonline.bsky.social @theregister.com
minimatch patched 3 high-severity ReDoS vulnerabilities that can stall the Node.js event loop. Because it's pulled into nearly every corner of the #NodeJS ecosystem (~472M weekly downloads), we're releasing free Certified Patches for all three.
socket.dev/blog/minimat... #JavaScript
Well, you don’t see this every day. 🙃 Pastebin steganography used as a dead drop for npm malware.
cc: @campuscodi.risky.biz @bleepingcomputer.com @zackwhittaker.com @thehackernews.bsky.social
🚨 New Research: Malicious Go “crypto” module steals passwords and deploys a Rekoobe backdoor on Linux.
Full Analysis →
socket.dev/blog/malicio...
#golang cc: @campuscodi.risky.biz @thehackernews.bsky.social @bleepingcomputer.com @golangch.bsky.social
npm has introduced a new minimumReleaseAge setting along with bulk OIDC configuration.
Release cooldowns are now supported as a baseline across all major #JavaScript package managers, including npm, pnpm, Yarn, and Bun.
Learn more: socket.dev/blog/npm-int... #NodeJS
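An added example, not npm's, pnpm's, Yarn's or Bun's own implementation, of the rule a release cooldown enforces: given a registry packument, whose `time` map records when each version was published, resolve to the newest version that is at least the minimum age old, and refuse to resolve at all when every version is too fresh rather than fall back to the newest. The package data below is constructed; `selectWithCooldown`, the one-day threshold and the plain x.y.z version comparison are assumptions, and the real setting names and units differ between the four package managers.

```javascript
// Added example (not any package manager's own code): the version-selection
// rule behind a release cooldown, run against an npm-style packument.
// The `time` map (version -> ISO publish timestamp) is what the registry serves.

const SAMPLE_PACKUMENT = { // constructed sample, not a real package
  name: "example-lib",
  "dist-tags": { latest: "2.1.0" },
  versions: { "2.0.0": {}, "2.0.1": {}, "2.1.0": {} },
  time: {
    created: "2025-01-01T00:00:00.000Z",
    modified: "2025-03-10T12:00:00.000Z",
    "2.0.0": "2025-01-01T00:00:00.000Z",
    "2.0.1": "2025-02-15T00:00:00.000Z",
    "2.1.0": "2025-03-10T12:00:00.000Z", // published 12h before "now" below
  },
};

// Minimal numeric compare for plain major.minor.patch versions (assumption:
// no prerelease tags in the sample).
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return the newest version published at least `minAgeMinutes` before `now`,
// or null when nothing qualifies. Returning null (fail closed) is the point:
// a cooldown that silently falls back to the freshest version protects nothing.
function selectWithCooldown(packument, minAgeMinutes, now = new Date()) {
  const cutoff = now.getTime() - minAgeMinutes * 60 * 1000;
  const eligible = Object.keys(packument.versions).filter((v) => {
    const published = packument.time[v];
    return published !== undefined && Date.parse(published) <= cutoff;
  });
  if (eligible.length === 0) return null;
  eligible.sort(compareSemver);
  return eligible[eligible.length - 1];
}

// Usage: with a 24-hour cooldown on 2025-03-11, 2.1.0 is only 12 hours old,
// so resolution lands on 2.0.1 even though dist-tags.latest says 2.1.0.
const resolved = selectWithCooldown(SAMPLE_PACKUMENT, 24 * 60, new Date("2025-03-11T00:00:00Z"));
```

The `modified` timestamp and `dist-tags.latest` are deliberately ignored: a compromised publish updates both, while a per-version publish time is what tells you how long the ecosystem has had to notice.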
We'll be streaming live with @feross.bsky.social and @grobmeier.de at 10AM PST today! If you want a reminder, click "Attend" on LinkedIn or "Notify Me" on YouTube.
Excited to tune into this conversation! 🤩
Log4Shell was one of those moments that pulled back the curtain on how much of the internet runs on small open source projects. We've all seen the memes and hot takes it inspired about sustainability, but what has actually changed? Join us tomorrow!
The @socket.dev team caught super early signals of this attack campaign leading to preemptive shutdown! proud of the team and our advanced threat detection engine! 💪
Thankful for the rapid response and takedown @npmjs.bsky.social @github.com @cloudflare.social 🙏
#shaihulud #SANDWORM_MODE
💜 “We’re excited to welcome @socket.dev to the OpenJS Foundation. They’ve been showing up for this community for a long time, and their work supports the JavaScript ecosystem in really meaningful ways.”
- @rginn206.bsky.social, Executive Director, @openjsf.org
💜
Y'all @adnanthekhan.bsky.social is the absolute GOAT when it comes to finding cache poisoning vulnerabilities and CI/CD security gaps. His research on this is exceptional.
Here's the latest on the Cline npm package compromise:
Having started in the PHP world, this launch is close to my heart. Thrilled to see @socket.dev now supporting Composer and @packagist.com! We’re looking forward to bringing better supply chain visibility to the PHP ecosystem. 💜
The AI agent skills ecosystem is moving at breakneck speed. At @socket.dev we're moving just as fast to secure skills so developers can keep shipping with confidence. Excited to see where this goes!
This is the OSS equivalent of a stranger buying you a cocktail in a bar.
So @bomb.sh clack accepted a PR here—the fix was legit, the PR included respectful back-and-forth, with only one red flag in retrospect.
Automated reputation farming like this has an extremely high abuse potential with very low chance of detection.
Maintainers are not equipped! See for yourself.
🤖 An AI agent created a GitHub account 2 weeks ago.
It’s already landed PRs in major #OSS projects and is cold-emailing maintainers to offer its services.
Maintainers don’t seem to know it’s an agent and the code is getting merged.
We’re in new territory! 🤠
socket.dev/blog/ai-agen...
cc: @campuscodi.risky.biz This is a crazy story you might be interested in. AI agent attacks the maintainer, who describes the response as "an autonomous influence operation against a supply chain gatekeeper."
So we’ve reached the point where AI agents are writing angry blog posts about open source maintainers closing their PRs. 🙄
This is how you push projects toward “patches no longer welcome” from AI agents running loose on GitHub.
🔺 High-severity RCE disclosed in next-mdx-remote when compiling untrusted MDX on the server. Affects versions 4.3.0 before 6.0.0.
socket.dev/blog/high-se... #NextJS #JavaScript
"Most people are completely unprepared for this," O'Reilly said. "They treat it like installing Spotify when it's actually more like giving someone sudo access to your entire machine." - security researcher Jamieson O'Reilly
We talk constantly about the risks of unmaintained dependencies and supply chain vulnerabilities, but rarely about the complexity of fixing them when the project is as massive as Lodash.
This amazing article captures the reality of Open Source sustainability. Thanks @sarahgooding.bsky.social!
This is at least the third time dYdX-related packages and infrastructure have been compromised in the past four years. Anyone using the #dYdX protocol or exchange should review their exposure.
cc: @campuscodi.risky.biz @bleepingcomputer.com @coindesk.com @web3isgoinggreat.com
“Every large OSS project is navigating the same tension between enthusiasm for AI and real concern about its impact...Protect your maintainers. They're a rare asset, hard to replace and easy to lose. Any path forward that burns them out isn't a path forward at all.” - @dries.bsky.social
cc: @campuscodi.risky.biz @zackwhittaker.com @decrypt.co @coindesk.com @thehackernews.bsky.social
Four legit Open VSX extensions shipped credential-stealing malware after the publisher was compromised. The Eclipse Foundation/Open VSX security team confirmed it was consistent with leaked tokens or other unauthorized publishing access.
1. Create a standard security.txt
2. Cram it into your envs far and wide.
3. Make it easier for researchers to return your lost envs to you without splashing around in prod with your creds.
lostenvfound.com
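An added example, not lostenvfound.com's own code, of the three steps above: build a security.txt with the two fields RFC 9116 makes mandatory (Contact as a URI, Expires as an ISO 8601 date-time), prepend it as comment lines to an env file, and recover it from an env file that turns up somewhere it should not. The env contents and the `# security.txt:` comment marker are constructed for the example, and the function names are assumptions.

```javascript
// Added example (not lostenvfound.com's code): RFC 9116 security.txt
// generation, embedding into a .env file, and extraction from a found .env.

const SAMPLE_ENV = // constructed sample; the values are not real credentials
  "DATABASE_URL=postgres://app:hunter2@db.internal/app\n" +
  "API_KEY=constructed-sample-key\n";

// Marker for the embedded block; any line-comment prefix works for .env.
const ENV_MARKER = "# security.txt:";

// RFC 9116: Contact and Expires are required; Contact must be a URI
// (mailto:, https:// or tel:), and Expires an ISO 8601 date-time.
function buildSecurityTxt({ contact, expires, canonical, languages }) {
  if (!contact || !/^(mailto:|https:\/\/|tel:)/.test(contact)) {
    throw new Error("Contact must be a mailto:, https:// or tel: URI");
  }
  const exp = new Date(expires);
  if (Number.isNaN(exp.getTime())) {
    throw new Error("Expires must be an ISO 8601 date-time");
  }
  const lines = [`Contact: ${contact}`, `Expires: ${exp.toISOString()}`];
  if (canonical) lines.push(`Canonical: ${canonical}`);
  if (languages && languages.length) {
    lines.push(`Preferred-Languages: ${languages.join(", ")}`);
  }
  return lines.join("\n") + "\n";
}

// Prepend the security.txt as comment lines so the env file still parses.
function embedInEnv(envText, securityTxt) {
  const block = securityTxt
    .trimEnd()
    .split("\n")
    .map((line) => `${ENV_MARKER} ${line}`)
    .join("\n");
  return `${block}\n${envText}`;
}

// Pull the embedded fields back out of a found env file; null if none.
// Only the first ":" splits field from value, so URIs keep their own colons.
function extractSecurityTxt(envText) {
  const fields = {};
  for (const line of envText.split("\n")) {
    if (!line.startsWith(ENV_MARKER)) continue;
    const body = line.slice(ENV_MARKER.length).trim();
    const idx = body.indexOf(":");
    if (idx === -1) continue;
    fields[body.slice(0, idx).trim()] = body.slice(idx + 1).trim();
  }
  return Object.keys(fields).length ? fields : null;
}

// Usage: tag the env, then pretend a researcher found it and read the contact.
const TAGGED_ENV = embedInEnv(
  SAMPLE_ENV,
  buildSecurityTxt({
    contact: "mailto:security@example.com",
    expires: "2026-12-31T00:00:00Z",
    canonical: "https://example.com/.well-known/security.txt",
  })
);
const FOUND = extractSecurityTxt(TAGGED_ENV);
```

The researcher who finds the file needs only the comment lines, which is the whole idea: they can report without ever using the values below them.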
"Security work is emotionally expensive and invisible, and sharing it makes it sustainable." - @ulisesgascon.com
Many thanks to @jddalton.bsky.social, @jordan.har.band, and @ulisesgascon.com for their insights on maintaining Lodash and all the hard work put into reviving the project. 💚
⭐️ Big changes in the 2025 #JavaScript Rising Stars results this year. Automation, workflows, and production tooling dominate, featuring @n8n.io, @bun.sh, @react.dev, Motia, Dyad, Stagehand, and more.
Here are the highlights → socket.dev/blog/n8n-top...