Socket
Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS. https://socket.dev
Socket · 5d
🚨 Mini Shai-Hulud/Miasma has now spread to PyPI. Socket found 37 malicious artifacts across 19 PyPI packages. The packages abuse #Python .pth startup behavior to launch a Bun-powered credential stealer targeting developer, cloud, and CI/CD secrets. socket.dev/blog/shai-hu...
Link card (socket.dev): Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads w...
Socket found 37 malicious PyPI wheels that abuse Python startup hooks to launch a Bun-powered credential stealer tied to Mini Shai-Hulud/Miasma.

Socket · 1h
🧩 New Research: 152 Chrome "live wallpaper" extensions hid ad tracking behind false privacy disclosures and faked Google search traffic to support ad monetization. The network spanned 38 publisher accounts, 3 backend brands, and ~105K installs. socket.dev/blog/152-chr...
Link card (socket.dev): 152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Fak...
A network of 152 Chrome live wallpaper extensions hid ad tracking and made extension-driven traffic look like Google search clicks.

Socket · 4d
Mini Shai-Hulud/Miasma/Hades is now targeting bioinformatics and MCP developers in a newer PyPI wave. We found 23 newly compromised PyPI artifacts using multiple execution paths, plus a fake prompt-injection header likely meant to interfere with LLM-based malware triage: socket.dev/blog/mini-sh...
Link card (socket.dev): Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformati...
Newer packages in this compromise use native extensions and .pth loaders to execute JavaScript stealers in developer environments.

Socket · 1d
Big news for Socket: Andrew Becherer is joining as our first CISO. He brings deep experience leading security at high-growth SaaS companies, and will strengthen the security program behind the infrastructure we operate and the open source ecosystem we protect. socket.dev/blog/andrew-...
Link card (socket.dev): Andrew Becherer Joins Socket as Chief Information Security O...
Socket's first CISO brings deep experience securing high-growth SaaS companies as open source supply chain threats accelerate.

Socket · 3d
npm accidentally marked a bunch of one-character packages as security holders, including c, i, n, x, several numbers, and even the - package. The registry confirmed it was a tooling bug and said a rollback is underway. socket.dev/blog/npm-too...
Link card (socket.dev): npm Tooling Bug Incorrectly Marks One-Character Packages as ...
npm confirmed a tooling bug incorrectly marked several one-character packages as security holders and said it was working on a rollback.

Socket · 7d
RubyGems 4.0.13 adds a cooldown feature to Bundler for newly published gems. The opt-in setting lets projects delay dependency resolution for new gem versions, reducing exposure during the short window when malicious releases often spread fastest. socket.dev/blog/rubygem...
Link card (socket.dev): RubyGems Adds Cooldown Feature to Bundler for Newly Publishe...
RubyGems and Bundler 4.0.13 introduced an opt-in cooldown feature that delays newly published gems during dependency resolution.

Socket · 8d
📦 @pnpm.io 11.5 adds support for recognizing npm staged publishes after staged approval metadata triggered a false downgrade signal. As npm adds more release paths, registry metadata needs to make it clear how each package version was published. socket.dev/blog/pnpm-11...
Link card (socket.dev): pnpm 11.5 Adds Support for Recognizing npm Staged Publishes ...
pnpm 11.5 now recognizes npm staged publish approvals in release metadata, preventing those releases from being mistaken for lower-trust package publi...

Socket · 9d
💸 Dept. of Commerce audit: NIST had no strategic plan for the NVD backlog, set an unrealistic deadline, delayed CISA data use, and eroded trust with poor communication. Auditors also found 21,000+ duplicate enrichment activities and ~$200K wasted. socket.dev/blog/federal...
Link card (socket.dev): Federal Audit Finds NIST Wasted Funds With No Plan to Clear ...
Federal audit finds NIST lacked a plan to clear the NVD backlog, wasted funds on duplicate work, and delayed use of CISA data.

Socket · 2d
🔥 Socket Firewall is now built into Replit's AI-powered development experience. It’s already blocking 8K malicious packages/day across builders on the platform, giving Replit users stronger protection by default at the moment dependencies are introduced. socket.dev/blog/socket-...
Link card (socket.dev): Socket Partners with Replit to Block Malicious Packages in A...
Replit is integrating Socket Firewall into its AI-powered development experience to help protect builders from malicious open source packages.
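The two Mini Shai-Hulud/Miasma posts above describe the same startup hook: CPython's site.py reads every *.pth file in the site-packages directories and calls exec() on any line that begins with "import " or "import<tab>", so a package that ships such a file runs code on every interpreter start without ever being imported. The following scanner is an added example, not Socket's tooling or anything from the campaign write-ups. It lists the exec-able .pth lines under a directory (and, when run directly, under the interpreter's own site-packages) without executing them, and flags lines containing an assumed heuristic token list. The sample .pth files it scans are constructed for the demo; the "dropper" line is plain text that nothing in the script runs.

```python
"""List .pth lines that CPython will exec() at interpreter startup.

site.py treats a .pth line starting with "import " or "import\\t" as code and
exec()s it; every other non-blank, non-comment line is appended to sys.path.
This script only reads and classifies those lines; it never executes them.
"""
import re
import site
from pathlib import Path
from tempfile import TemporaryDirectory

# Mirrors the site.py rule: "import" followed by a space or a tab.
_EXEC_LINE = re.compile(r"^import[ \t]")

# Assumed heuristic list of tokens that are unusual in a startup hook.
# Not a published indicator list; tune it to your own baseline.
_SUSPICIOUS_TOKENS = (
    "subprocess", "os.system", "Popen", "base64", "exec(", "eval(",
    "urllib", "requests", "socket", "ctypes", "zlib", "marshal", "compile(",
    "__import__", "getenv", "environ",
)


def classify_pth_lines(text):
    """Split .pth contents into (exec_lines, path_lines) the way site.py does."""
    exec_lines, path_lines = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments are ignored by site.py
        (exec_lines if _EXEC_LINE.match(line) else path_lines).append(line)
    return exec_lines, path_lines


def suspicious_tokens(line):
    """Return the heuristic tokens present in one exec line, in list order."""
    return [t for t in _SUSPICIOUS_TOKENS if t in line]


def scan_directory(directory):
    """Return one finding per exec line in every .pth file directly under directory."""
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        try:
            text = pth.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        exec_lines, _ = classify_pth_lines(text)
        for line in exec_lines:
            findings.append({
                "file": pth.name,
                "line": line,
                "tokens": suspicious_tokens(line),
                "length": len(line),  # long one-liners are a common tell
            })
    return findings


def scan_site_packages():
    """Scan the running interpreter's global and user site-packages directories."""
    dirs = set(site.getsitepackages()) | {site.getusersitepackages()}
    findings = []
    for d in sorted(dirs):
        if Path(d).is_dir():
            findings.extend(scan_directory(d))
    return findings


# Constructed sample files for a stand-alone run. The "dropper" line imitates
# the shape of a loader that hands off to an external runtime; it is text only
# and is never executed by this script.
SAMPLE_PTH_FILES = {
    "benign-path.pth": "/opt/vendor/lib\n",
    "_hook.pth": "import _hook_module\n",
    "dropper.pth": (
        "# looks like a harmless path file at a glance\n"
        "import os, subprocess; subprocess.Popen(['bun', os.path.join("
        "os.environ.get('HOME', '.'), '.cache', 'x.js')])\n"
    ),
}


def demo():
    """Write the constructed samples to a temp directory and scan them."""
    with TemporaryDirectory() as tmp:
        for name, body in SAMPLE_PTH_FILES.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in demo() + scan_site_packages():
        flag = "SUSPICIOUS" if f["tokens"] else "review"
        print(f"{flag:10} {f['file']}: {f['line'][:100]}")
```

Expect hits from legitimate hooks on a normal machine, for example setuptools' distutils-precedence.pth and virtualenv's _virtualenv.pth; the useful signal is any exec line outside that known baseline, especially one that reaches for subprocess, the environment, or a non-Python runtime. Run the scan inside each virtual environment too, since site.getsitepackages() only covers the interpreter that runs it.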