Socket

89 articles, RSS feed
Cybersecurity, Programming
npm Tooling Bug Incorrectly Marks One-Character Packages as Security Holders

npm incorrectly applied security-holder metadata to multiple one-character packages, including letters, numbers, and the - package. Socket reviewed public npm registry metadata and found several affected packages had been assigned 0.0.1-security or 0.0.1-security.0 versions, with the latest dist-tag moved to the security placeholder. Older package versions remained available. npm confirmed the markings were not intentional and that they are working on rolling it back. “This happened due to a…

Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels

Socket Threat Research team identified a newer PyPI wave connected to the broader Mini Shai-Hulud, Miasma, and Hades supply chain attacks. This wave expands beyond the 37 malicious PyPI wheels covered in our weekend report and shows that the threat actors are iterating quickly across delivery mechanisms, package themes, and runtime triggers. The campaign has since added 23 newly identified PyPI package-version artifacts, expanding beyond the 37 malicious PyPI wheels covered in our weekend…

Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave

Socket detected a coordinated PyPI compromise involving 37 malicious wheel artifacts across 19 packages. The compromised releases shipped a *-setup.pth file that attempts to execute automatically during Python startup, download the Bun JavaScript runtime, and run an obfuscated JavaScript payload named _index.js. Socket’s AI malware detection system identified the malicious package cluster minutes after publication. The attack is cross-runtime, and the tradecraft is unmistakably Shai-Hulud /…

RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems

RubyGems and Bundler 4.0.13 introduced an opt-in cooldown feature that can delay installation of newly published gem versions, bringing a time-based supply chain defense to Ruby’s package management workflow. The feature allows developers to configure Bundler so it will not resolve to a gem version until it has been public for a set number of days. In the example published by RubyGems maintainer Hiroshi SHIBATA, a project can add a cooldown directly to its Gemfile: source…

pnpm 11.5 Adds Support for Recognizing npm Staged Publishes

pnpm 11.5 now treats npm staged publishing approvals as strong trust evidence, fixing a false-positive downgrade warning that could appear when packages used npm’s newer 2FA-backed release flow. The change lands as npm continues tightening package publishing controls after a series of credential theft and token abuse incidents. In the Mini Shai-Hulud campaign, attackers used stolen npm tokens to publish malicious package versions, prompting npm to invalidate granular access tokens and…

Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog

A newly released federal audit now documents NIST’s long-running NVD backlog, with findings that are hard to square with two years of public assurances that the database was being brought back under control. The U.S. Department of Commerce Office of Inspector General found that NIST had no strategic plan for the National Vulnerability Database, set a public deadline it did not have the capacity to meet, delayed use of CISA enrichment data, and spent taxpayer funds on duplicated vulnerability…

Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages

Socket has detected a malicious npm supply chain campaign involving compromised @redhat-cloud-services packages published under the Red Hat Cloud Services namespace. This is effectively a mini Shai-Hulud campaign: it uses the same core tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and potential downstream propagation. Since TeamPCP recently released Shai-Hulud as open source attack tooling while promoting a BreachForums contest for package…

Famous Chollima Targets PHP Developers Through Compromised Packagist Package

We identified malicious obfuscated JavaScript appended to tailwind.js in the Packagist development version dev-drewroberts/feature/test-case of the PHP package roberts/leads. The package itself is a legitimate Laravel package associated with a maintainer, Drew Roberts. The malicious code appears isolated to a specific development branch, drewroberts/feature/test-case, exposed through Packagist as an installable dev version. Socket AI Scanner flagged dev-drewroberts/feature/test-case as known…

Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate

Rust has topped Stack Overflow's most-admired language survey for nine consecutive years. It's also become an increasingly attractive target for LLM-assisted development. The borrow checker and strict compiler that make Rust appealing for safety-critical systems also give LLMs an immediate feedback loop that other languages don't. The compiler catches errors the LLM introduces, which makes AI-assisted Rust development more reliable than in permissive languages where bad output can silently…

Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords

Sicoob.Sdk releases 2.0.0 through 2.0.4 exfiltrate client IDs, PFX passwords, and base64-encoded PFX certificate archive contents through a third-party Sentry endpoint. The linked GitHub repository appears to be a clean-source façade for the malicious NuGet artifact. We analyzed a Sicoob-branded NuGet package, Sicoob.Sdk, that claimed to be an official C# SDK for Sicoob API integrations. Sicoob, formally the Sistema de Cooperativas de Crédito do Brasil, is one of Brazil’s largest cooperative…

Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security

Socket CEO Feross Aboukhadijeh joined John Coogan and Jordi Hays on TBPN to discuss Socket's $60 million Series C led by Thrive Capital, the company's 500%+ ARR growth over the past 12 months, and why software supply chain security has moved to the top of the priority list at nearly every company. The 10-minute conversation covers three forces converging right now: AI generating more third-party code than ever before, frontier models surfacing massive volumes of vulnerabilities across operating…

OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI

OSV, the OpenSSF-backed vulnerability database, withdrew 157 malicious-package reports on May 26 after automated detections incorrectly flagged npm and PyPI packages as malware, pushing bad records for trusted projects into OSV-consuming security tools and CI/CD systems. The rollback happened in OpenSSF’s malicious-packages repository, where OSV-format records for malicious packages are maintained. A PR titled “Withdraw FastAPI v0.136.3 and other FPs reports,” began with a false-positive…

TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io

Socket researchers have identified an active crypto stealer supply chain attack spanning npm, PyPI, and Crates.io. The campaign, which Socket is tracking as TrapDoor, spans more than 34 malicious packages and 384+ related versions and artifacts across npm, PyPI, and Crates.io, with some already removed and others still live at the time of writing. The earliest package Socket observed was the PyPI package eth-security-auditor@0.1.0, uploaded on May 22, 2026 at 20:20:18 UTC, with the wheel…

Laravel Lang Compromised with RCE Backdoor Across 700+ Versions

A compromise affecting the community-maintained Laravel Lang project has introduced remote code execution backdoors across multiple packages in the organization, including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions across roughly 700+ historical versions. The affected packages are not part of the official Laravel framework. They are third-party localization packages used by Laravel applications. However, applications that installed…

Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects

Socket researchers identified a coordinated supply chain campaign affecting eight packages on Packagist whose upstream repositories were modified to include the same malicious postinstall script. The script attempted to download a Linux binary from a GitHub Releases URL, save it to /tmp/.sshd, make it executable, and run it in the background. Although the affected packages were all Composer packages, the malicious code was not added to composer.json. Instead, it was inserted into package.json,…
