Flux
Toutes les sources

Socket

34 articles Flux RSS
Cybersécurité Programmation
Don't Kill the Goose That Lays the Golden Eggs
Cybersécurité Programmation

Don't Kill the Goose That Lays the Golden Eggs

March 2026 was a bad month. Back-to-back supply chain attacks with incident response teams running nonstop, real damage across ecosystems that millions of developers depend on, and legitimate questions about how we secure critical infrastructure. What it didn't have was an excuse to write an obituary for open source. In the wake of the attacks, familiar criticism has been making the rounds. It's a hot take dressed up as a reckoning. The argument goes something like this: open source is…

Socket
Feross on TBPN: How North Korea Hijacked Axios
Cybersécurité Programmation

Feross on TBPN: How North Korea Hijacked Axios

Socket CEO Feross Aboukhadijeh joined the TBPN podcast today to break down the Axios npm supply chain attack, one of the most significant open source compromises in recent months. TBPN, recently acquired by OpenAI, is a live daily tech show hosted by John Coogan and Jordi Hays. Feross walked through how North Korean state actors socially engineered the lead Axios maintainer over weeks, building a fake company, a fake Slack workspace, and a staged Microsoft Teams call before delivering malware…

Socket
Attackers Are Impersonating a Linux Foundation Leader in Slack to Target Open Source Developers
Cybersécurité Programmation

Attackers Are Impersonating a Linux Foundation Leader in Slack to Target Open Source Developers

A social engineering campaign is actively targeting open source developers through Slack, according to a high-severity advisory posted April 7 to the OpenSSF Siren mailing list. The attacker impersonates a known Linux Foundation community leader to lure victims into a multi-stage attack that ends with malware delivery and potential full system compromise. OpenSSF Siren is a public threat intelligence mailing list run by the Open Source Security Foundation (OpenSSF), a Linux Foundation project.…

Socket
North Korea’s Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads
Cybersécurité Programmation

North Korea’s Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads

We have been tracking North Korea’s Contagious Interview operation since 2024 and maintain a dedicated campaign page that now tracks more than 1,700 malicious packages linked to the activity. In this newly identified cluster, the threat actors operated under GitHub aliases including golangorg and published malicious packages across five open source ecosystems: npm: dev-log-core, logger-base, logkitx PyPI: logutilkit, apachelicense, fluxhttp, and license-utils-kit Go Modules:…

Socket
Microsoft Releases Open Source Toolkit for AI Agent Runtime Security
Cybersécurité Programmation

Microsoft Releases Open Source Toolkit for AI Agent Runtime Security

Microsoft has published its Agent Governance Toolkit, an open source project that brings runtime policy enforcement to autonomous AI agents. The release lands as the industry grapples with a widening gap between how fast AI agents are being deployed and how little infrastructure exists to govern what they do once they're running. The toolkit is available under the MIT license at the Microsoft GitHub organization and supports Python, TypeScript, Rust, Go, and .NET. Agent Governance Is Getting…

Socket
Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign
Cybersécurité Programmation

Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign

Since we published our initial analysis of the axios compromise, a deep dive into its hidden blast radius, and a report on the maintainer confirming it was social engineering, maintainers across the Node.js ecosystem have come out of the woodwork to report that they were targeted by the same social engineering campaign. The accounts now span some of the most widely depended-upon packages in the npm registry and Node.js core itself, and together they confirm that axios was not a one-off target.…

Socket
Axios Maintainer Confirms Social Engineering Attack Behind npm Compromise
Cybersécurité Programmation

Axios Maintainer Confirms Social Engineering Attack Behind npm Compromise

On March 31, two malicious versions of Axios were briefly published to npm, introducing a dependency that installed a remote access trojan across macOS, Windows, and Linux. We covered the initial attack and its scope earlier, as well as a deeper technical analysis of its hidden blast radius and how dependency resolution expanded its impact exponentially. Now, the project’s lead maintainer has shared additional details about how the compromise occurred. A Targeted Social Engineering Attack # In…

Socket
Node.js Drops Bug Bounty Rewards After Funding Dries Up
Cybersécurité Programmation

Node.js Drops Bug Bounty Rewards After Funding Dries Up

The Node.js project has paused its long-running bug bounty program after the funding behind it was discontinued, removing a key security incentive from one of the most widely used JavaScript runtimes. For nearly a decade, Node.js participated in the Internet Bug Bounty (IBB) program through HackerOne, offering monetary rewards to researchers who responsibly disclosed security issues. That program is now on hold, leaving Node.js without a funded bounty structure for the first time since 2016.…

Socket
The Hidden Blast Radius of the Axios Compromise
Cybersécurité Programmation

The Hidden Blast Radius of the Axios Compromise

Yesterday, we reported on a supply chain attack targeting Axios that introduced a malicious dependency (plain-crypto-js) into specific npm releases. At first glance, the scope seemed contained: Two compromised Axios versions A short exposure window A malicious dependency that was quickly removed Over the past 24 hours, we’re seeing many teams focus on checking their lockfiles and node_modules directories, but that only captures part of the picture, especially when tools are executed dynamically…

Socket
Supply Chain Attack on Axios Pulls Malicious Dependency from npm
Cybersécurité Programmation

Supply Chain Attack on Axios Pulls Malicious Dependency from npm

A supply chain attack targeting the widely used HTTP client Axios has introduced a malicious dependency into specific npm releases, including axios@1.14.1 and axios@0.30.4. The latest version pulls in plain-crypto-js@4.2.1, a package that Socket has confirmed as malicious. Our analysis shows the malicious package deploys a multi-stage payload, including a remote access trojan (RAT) capable of executing arbitrary commands, exfiltrating system data, and persisting on infected machines. Axios is…

Socket
TeamPCP Compromises Telnyx Python SDK to Deliver Credential-Stealing Malware
Cybersécurité Programmation

TeamPCP Compromises Telnyx Python SDK to Deliver Credential-Stealing Malware

Socket has identified a supply chain attack affecting the telnyx Python package on PyPI. The telnyx library is the official Python SDK for the Telnyx communications platform, providing developers with programmatic access to APIs for voice calls, SMS/MMS messaging, WhatsApp, fax, IoT connectivity, and SIP trunking. It is commonly used in backend systems to integrate real-time communications and telephony into applications. Because the library is used to authenticate and send requests directly to…

Socket
TeamPCP Partners With Ransomware Group Vect to Target Open Source Supply Chains
Cybersécurité Programmation

TeamPCP Partners With Ransomware Group Vect to Target Open Source Supply Chains

The ongoing attacks targeting Trivy, LiteLLM, and other open source security tools are entering a new phase, with claims that TeamPCP has partnered with the Vect ransomware group to leverage supply chain compromises for ransomware operations. Posts attributed to Vect on BreachForums announced a partnership with TeamPCP, the actors behind recent cross-ecosystem supply chain attacks involving GitHub Actions, OpenVSX extensions, Docker images, and npm and PyPI packages: Vect Ransomware Group is…

Socket
Widespread GitHub Campaign Uses Fake VS Code Security Alerts to Deliver Malware
Cybersécurité Programmation

Widespread GitHub Campaign Uses Fake VS Code Security Alerts to Deliver Malware

A large-scale phishing campaign is targeting developers directly inside GitHub, using fake Visual Studio Code security alerts posted through Discussions to trick users into installing malicious software. Here's one example, saved to the Internet Archive, as we assume these will quickly be taken down: Early searches show thousands of nearly identical posts across repositories, indicating this is not an isolated incident but a coordinated spam campaign. Because GitHub Discussions trigger email…

Socket
5 Malicious npm Packages Typosquat Solana and Ethereum Libraries to Steal Private Keys
Cybersécurité Programmation

5 Malicious npm Packages Typosquat Solana and Ethereum Libraries to Steal Private Keys

Socket's Threat Research Team identified five malicious npm packages published under the account galedonovan, all targeting cryptocurrency developers. Each package typosquats a legitimate crypto library and exfiltrates private keys to a single hardcoded Telegram bot. The campaign covers both the Solana and Ethereum ecosystems, and the C2 infrastructure was confirmed active as of March 23, 2026. One of the packages, base_xd, was published by the same account but was unpublished within five…

Socket
TeamPCP Is Systematically Targeting Security Tools Across the OSS Ecosystem
Cybersécurité Programmation

TeamPCP Is Systematically Targeting Security Tools Across the OSS Ecosystem

TeamPCP is escalating a coordinated campaign targeting security tools and open source developer infrastructure, and is now openly taking credit for multiple follow-on attacks across ecosystems. In recent Telegram posts, the group has claimed responsibility for expanding beyond the initial Trivy compromise, pointing to attacks on GitHub Actions, OpenVSX extensions, and now PyPI. The latest development includes attacks on Checkmarx' KICS scanner and OpenVSX extensions and a trojanized release of…

Socket
Esc