Cybersecurity

89 articles

5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer

Socket's Threat Research Team discovered five malicious NuGet packages published under the account bmrxntfj that typosquat widely used Chinese .NET UI and infrastructure libraries. Each package grafts a .NET Reactor protected infostealer payload onto a decompiled copy of a legitimate open source library. The stealer targets saved credentials across 12 browsers, 8 desktop cryptocurrency wallets, and 5 browser wallet extensions, and exfiltrates to a newly registered C2 domain. Across all versions, the…

Socket
pnpm 11 Adds Supply Chain Protection Defaults for Minimum Release Age and Exotic Subdependencies

pnpm 11 has been released with new supply chain protections in place, making safer install behavior the default while still allowing teams to override those settings. The release sets Minimum Release Age to 24 hours by default, blocks exotic subdependencies by default, and introduces a new Allow Builds model for controlling dependency build scripts. pnpm 11 arrived as the JavaScript, Python, and PHP ecosystems were responding to Mini Shai-Hulud, a fresh supply chain campaign that compromised…

Socket
PyPI Fixes High-Severity Access Control Issues Found in Security Audit

PyPI has fixed two high-severity flaws found during its second external security audit, addressing access control issues that could have allowed organization members to invite new owners and stale team permissions to persist after project transfers. The audit was performed by Trail of Bits and funded by the Sovereign Tech Agency. It reviewed Warehouse, the open source Python application that powers PyPI and handles package uploads, metadata validation, storage, and downloads for pip and other…

Socket
Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI

We investigated the GitHub account BufferZoneCorp, which published a cluster of repositories linked to malicious Ruby gems and Go modules. The account is part of a software supply chain campaign targeting developers, CI runners, and build environments across two ecosystems. On the Ruby side, the analyzed gems automate secret theft. They harvest secret-bearing environment variables and read local credential material such as SSH keys, AWS credentials, .npmrc, .netrc, GitHub CLI configuration, and…

Socket
Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise

A malicious intercom/intercom-php package artifact uses Composer plugin execution to download Bun and run the same style of obfuscated credential-stealing payload observed in the ongoing Mini Shai-Hulud campaign. intercom/intercom-php is a widely used PHP package, with more than 20.7 million lifetime installs, roughly 285,000 installs in the last 30 days, and an estimated 12,700 daily installs across versions (~700 for version 5.0.2), meaning the compromised 5.0.2 artifact could have reached…

Socket
Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack

Socket AI scanner detected, and the Socket Threat Research team has confirmed that intercom-client@7.0.4 is malicious, identifying a fresh compromise of the npm package used for Intercom’s Node.js client. intercom-client is a widely used official SDK for Intercom’s API. While it is not among npm’s largest packages, npm package aggregators report roughly 360,000 weekly downloads, and npm lists more than 100 dependent projects. The real exposure may extend beyond direct dependents, since the…

Socket
lightning PyPI Package Compromised in Supply Chain Attack

The popular PyPI package lightning has been compromised in a supply chain attack affecting newly published versions of the package. Socket has classified lightning versions 2.6.2 and 2.6.3 as malicious. Version 2.6.1, published on January 30, 2026, is clean. Version 2.6.2, published on April 30, 2026, introduced malicious code into the legitimate library. Socket’s AI scanner flagged both versions 2.6.2 and 2.6.3 as potentially malicious eighteen minutes after publication. The compromise affects…

Socket
Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables

The Socket Research Team has detected an active supply-chain attack targeting the unscoped tanstack package on npm, a brand-squatted impersonation of the legitimate @tanstack/* organization. Beginning today, the package's maintainer (sh20raj) began pushing malicious versions that silently steal environment variable files, including .env, .env.local, and .env.production, from developers' machines at install time, exfiltrating them to an attacker-controlled endpoint. Versions 2.0.4 through 2.0.7…

Socket
TeamPCP-Linked Supply Chain Attack Hits SAP CAP and Cloud MTA npm Packages

Socket is investigating a suspected supply chain attack affecting multiple npm packages associated with SAP’s JavaScript and cloud application development ecosystem. At the time of publication, Socket has identified the following affected package versions: mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, @cap-js/sqlite@2.2.2. Socket’s analysis indicates that the affected versions introduced new installation-time behavior that was not previously part of these packages’ expected…

Socket
Socket Has Acquired Secure Annex

Today I'm excited to share that Socket has acquired Secure Annex, the extension security company founded by John Tuckner. John is joining Socket, and we’re excited to have him here. John has spent the last year doing some of the sharpest work anywhere on extension security, building Secure Annex into a product that security teams at Reddit, Brave, Torq, and Movable Ink depend on. He did it as a solo founder, which makes what he shipped even more impressive. The research he's published on…

Socket
73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations

The GlassWorm campaign targeting Open VSX continues to escalate. Socket is now tracking a new cluster of 73 impersonation extensions connected to the same sleeper-extension activity reported in March 2026. Beginning in April 2026, and continuing as of this writing, additional cloned versions of popular code extensions have appeared on the Open VSX marketplace. These extensions did not initially contain malware, but they were published by newly created GitHub accounts with only one or two public…

Socket
Introducing Reachability for PHP

Security teams are already struggling to keep pace with the volume of vulnerability disclosures. Every week brings more CVEs, and the arrival of AI-assisted vulnerability research is only going to push that number higher. Teams that can't tell which disclosures actually matter for their application will fall behind quickly. PHP carries more of this weight than most ecosystems. Composer ranks third for CVE volume among package ecosystems, behind only Maven and npm, and PHP still runs a…

Socket
Introducing Data Exports

Security teams often need alert data in their own infrastructure, alongside the rest of their security telemetry. We're excited to share that Socket alert data can now flow directly into your own cloud storage. Today we're launching Data Exports, a new integration that automatically writes alert changes from Socket to a bucket you own in AWS S3, Google Cloud Storage, or Azure Blob Storage. Data Exports lets you choose the format that fits your downstream systems, and decide whether you want…

Socket
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign

Socket researchers discovered that the Bitwarden CLI was compromised as part of the ongoing Checkmarx supply chain campaign. The open source password manager serves more than 10 million users and over 50,000 businesses, and ranks among the top three password managers by enterprise adoption. The affected package version appears to be @bitwarden/cli@2026.4.0, and the malicious code was published in bw1.js, a file included in the package contents. The attack appears to have leveraged a…

Socket
Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions

Docker alerted Socket to malicious images pushed to the official checkmarx/kics Docker Hub repository after internal monitoring flagged suspicious new activity around KICS image tags. Our investigation found that attackers appear to have overwritten existing tags, including v2.1.20 and alpine, while also introducing a new v2.1.21 tag that does not correspond to a legitimate upstream release. Analysis of the poisoned image indicates that the bundled KICS binary was modified to include data…

Socket