Flux
Toutes les catégories

Cybersécurité

138 articles

OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI
Cybersécurité Programmation

OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI

OSV, the OpenSSF-backed vulnerability database, withdrew 157 malicious-package reports on May 26 after automated detections incorrectly flagged npm and PyPI packages as malware, pushing bad records for trusted projects into OSV-consuming security tools and CI/CD systems. The rollback happened in OpenSSF’s malicious-packages repository, where OSV-format records for malicious packages are maintained. A PR titled “Withdraw FastAPI v0.136.3 and other FPs reports,” began with a false-positive…

Socket
TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io
Cybersécurité Programmation

TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io

Socket researchers have identified an active crypto stealer supply chain attack spanning npm, PyPI, and Crates.io. The campaign, which Socket is tracking as TrapDoor, spans more than 34 malicious packages and 384+ related versions and artifacts across npm, PyPI, and Crates.io, with some already removed and others still live at the time of writing. The earliest package Socket observed was the PyPI package eth-security-auditor@0.1.0, uploaded on May 22, 2026 at 20:20:18 UTC, with the wheel…

Socket
Laravel Lang Compromised with RCE Backdoor Across 700+ Versions
Cybersécurité Programmation

Laravel Lang Compromised with RCE Backdoor Across 700+ Versions

A compromise affecting the community-maintained Laravel Lang project has introduced remote code execution backdoors across multiple packages in the organization, including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes , and laravel-lang/actions across roughly 700+ historical versions. The affected packages are not part of the official Laravel framework. They are third-party localization packages used by Laravel applications. However, applications that installed…

Socket
Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects
Cybersécurité Programmation

Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects

Socket researchers identified a coordinated supply chain campaign affecting eight packages on Packagist whose upstream repositories were modified to include the same malicious postinstall script. The script attempted to download a Linux binary from a GitHub Releases URL, save it to /tmp/.sshd, make it executable, and run it in the background. Although the affected packages were all Composer packages, the malicious code was not added to composer.json. Instead, it was inserted into package.json,…

Socket
AI Has Taken Over Open Source
Cybersécurité Programmation

AI Has Taken Over Open Source

I’ve spent a lot of time looking at what the data reveals about open source, from the speed at which open source alternatives emerge to how maintainer compensation compares with the broader software industry. I’m interested in what the data says, not in predictions based on anecdotes. At Socket, I've had the privilege of accessing our massive database across all major ecosystems, including npm, PyPI, Go, and Rust. We essentially replicate all open source packages, including the very fringe…

Socket
npm Invalidates Granular Access Tokens as Mini Shai-Hulud Sweeps the Registry
Cybersécurité Programmation

npm Invalidates Granular Access Tokens as Mini Shai-Hulud Sweeps the Registry

npm has invalidated every granular access token with write access that bypasses two-factor authentication. The platform-wide credential reset rolled out on May 19, announced from npm's long-dormant X account. The registry posted the notice following an attack that used a hijacked maintainer account to publish hundreds of malicious package versions across the @antv ecosystem. "To prevent supply chain attacks following the pattern of Mini Shai Hulud, we invalidated npm granular access tokens with…

Socket
Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit
Cybersécurité Programmation

Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit

Early on May 20th, 2026, the Socket Threat Research team detected signals of a package compromise leading to a sophisticated payload targeting a broad range of iOS devices with a watering-hole attack similar in style to the delivery of the Coruna exploit kit. After careful analysis, a plethora of similarities to that campaign emerged, indicating that a threat actor intended to use a package supply-chain compromise to deliver iOS browser exploits. Repository Takeover Leads to Package Compromise…

Socket
Socket raises $60M Series C at $1B valuation led by Thrive Capital to secure AI-driven software development
Cybersécurité Programmation

Socket raises $60M Series C at $1B valuation led by Thrive Capital to secure AI-driven software development

Today we're announcing Socket's $60 million Series C at a $1 billion valuation, led by Thrive Capital, with participation from Andreessen Horowitz, Abstract Ventures, and Capital One Ventures. The round brings our total funding to $125 million and sets up the next phase of what we're building to protect the software supply chain. This is the moment we've been working toward since we started Socket. AI has changed how every engineering team writes and ships code, increasing the volume of open…

Socket
Socket Raises $60M Series C at a $1B Valuation to Help Enterprises Build Securely With AI
Cybersécurité Programmation

Socket Raises $60M Series C at a $1B Valuation to Help Enterprises Build Securely With AI

Led by Thrive Capital, the round brings Socket to unicorn status as enterprises race to adopt AI coding tools and look for ways to secure the third-party dependencies entering production without slowing down SAN FRANCISCO, May 20, 2026 – Socket today announced it has raised $60 million in Series C funding at a $1 billion valuation. Led by Thrive CapitaI, with participation from a16z, Abstract Ventures, and Capital One Ventures, the round will support Socket’s next phase of growth as more…

Socket
Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor
Cybersécurité Programmation

Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor

Socket's Threat Research Team identified a malicious Go module published as github.com/shopsprint/decimal, a typosquat of the widely used github.com/shopspring/decimal arbitrary precision arithmetic library. The typosquatted module has been present on the Go ecosystem since 2017-11-08 and was weaponized on 2023-08-19 when version v1.3.3 added a malicious init() function that opens a DNS TXT record command and control channel to a threat actor controlled subdomain on a free dynamic DNS provider.…

Socket
Active Supply Chain Attack Compromises @antv Packages on npm
Cybersécurité Programmation

Active Supply Chain Attack Compromises @antv Packages on npm

Socket’s Threat Research team is investigating an active npm supply chain attack involving compromised packages in the @antv ecosystem. The attack affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly downloads. Socket quickly detected the malicious publish wave and classified the affected versions as known malware. Socket’s internal review identified hundreds of unique packages. The…

Socket
Popular node-ipc npm Package Infected with Credential Stealer
Cybersécurité Programmation

Popular node-ipc npm Package Infected with Credential Stealer

Socket’s threat feed has detected malicious activity in newly published versions of node-ipc, a long-running npm package previously associated with one of the most widely discussed supply chain incidents in the JavaScript ecosystem. The affected versions confirmed as malicious are: node-ipc@9.1.6 node-ipc@9.2.3 node-ipc@12.0.1 Socket’s AI scanner detected the newly published malicious versions within roughly three minutes of publication, classifying the activity as malware. Early analysis…

Socket
TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks
Cybersécurité Programmation

TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks

After months of targeting security tools, CI/CD workflows, and open source packages, TeamPCP is now promoting Shai-Hulud as required tooling for a competition that rewards the biggest compromise with a tiny crypto payout. According to Dark Web Informer, the competition was announced on BreachForums by an account identified as the forum’s owner, in collaboration with TeamPCP. Participants are being offered $1,000 USD in Monero to compromise open source packages with Shai-Hulud, along with the…

Socket
Packagist Urges Immediate Composer Update After GitHub Actions Token Leak
Cybersécurité Programmation

Packagist Urges Immediate Composer Update After GitHub Actions Token Leak

Packagist is urgently warning PHP projects to update Composer after a GitHub token format change caused some GitHub Actions tokens to be exposed in CI logs. Composer 2.9.8, 2.2.28 LTS, and 1.10.28 fix a vulnerability where Composer could print the full contents of GitHub Actions-issued GITHUB_TOKEN values or GitHub App installation tokens to stderr when the token failed Composer’s validation check. The issue was triggered by GitHub’s rollout of a new token format that includes a hyphen, which…

Socket
GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government
Cybersécurité Programmation

GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government

Socket's threat research team is tracking a suspicious RubyGems campaign we’re calling GemStuffer, involving more than 100 gems that appear to use the RubyGems registry as a data transport mechanism rather than a conventional malware distribution channel. The packages do not appear designed for mass developer compromise. Many have little or no download activity, and the payloads are repetitive, noisy, and unusually self-contained. Instead, the scripts fetch pages from UK local government…

Socket