Flux
Toutes les sources

Socket

106 articles Flux RSS
Cybersécurité Programmation
Next.js moves to scheduled security releases
Nouveau

Next.js moves to scheduled security releases

Vercel announced that Next.js is adopting a formal security release program, replacing the ad-hoc patches the framework has shipped until now. Going forward, the team will publish advance notice of security releases on the Next.js blog roughly once a month. Each notice will state the expected release date and the highest anticipated severity of the fixes it covers. The first scheduled release is slated for July 20. It will ship patch releases for Next.js 16.2 and 15.5 and addresses 4 high and 5…

Socket
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload Récent

11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload

Socket’s Threat Research Team analyzed 11 malicious NuGet packages published as .NET command-line tools (DotnetTool package type) that present themselves as game utilities, bots, and “panels”. Every package is a first-stage downloader that fetches and executes a second-stage Windows payload named pepesoft.exe from GitHub Releases and Hugging Face paths under the username pepegit666, with dormant BitTorrent fallback code built in. The campaign splits cleanly into two stages: A .NET downloader…

Socket
Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader Récent

Compromised npm Packages in the AsyncAPI Namespace Deliver Miasma Botnet Loader

Socket's Threat Research Team identified four compromised npm packages in the @asyncapi namespace distributing a multi-stage botnet loader. The affected packages are @asyncapi/generator-helpers@1.1.1, @asyncapi/generator-components@0.7.1, @asyncapi/generator@3.3.1 , @asyncapi/specs(v6.11.2, v6.11.2-alpha.1) Based on current analysis, the compromised packages deploy an obfuscated first-stage payload that downloads an encrypted second-stage payload, identified as Miasma, from IPFS. Users should…

Socket
jscrambler npm Package Compromised in Supply Chain Attack

jscrambler npm Package Compromised in Supply Chain Attack

A compromised release of the popular jscrambler npm package introduced hidden native binaries that execute automatically during npm install, exposing users to a supply chain attack before any application code runs. The malicious 8.14.0 release, published on July 11, adds an undocumented preinstall hook that invokes dist/setup.js. It also introduces new files, including dist/setup.js and dist/intro.js, along with platform-specific binaries for Linux, macOS, and Windows embedded in an obfuscated…

Socket
Fake Braintree NuGet Package Skims Credit Cards and Harvests Merchant Credentials

Fake Braintree NuGet Package Skims Credit Cards and Harvests Merchant Credentials

Socket’s AI scanner flagged a suspicious NuGet package masquerading as the official Braintree payment gateway client, with the first malicious version published on July 3, 2026. It was detected by Socket as potential malware 10 minutes after publication. Follow-on analysis by the Socket Threat Research team revealed a multi-stage .NET implant that intercepts live payment card data, exfiltrates Braintree merchant API keys and harvests host environment secrets upon assembly load. The package…

Socket
Compromised Injective SDK npm Package Exfiltrates Wallet Keys and Mnemonics

Compromised Injective SDK npm Package Exfiltrates Wallet Keys and Mnemonics

@injectivelabs/sdk-ts@1.20.21 records private keys and mnemonics, enabling wallet compromise via 17 scoped packages pinned to the malicious version. Socket detected a malicious @injectivelabs/sdk-ts@1.20.21 release published to npm with fake telemetry functionality that exfiltrates wallet private keys and mnemonic phrases. The affected package is part of the Injective Labs TypeScript SDK and receives roughly 50,000 weekly downloads, making the incident significant for developers and…

Socket
npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens

npm v12 Ships With Install Scripts Off by Default, Begins Deprecating 2FA-Bypass Tokens

npm v12 is now generally available and tagged latest. The release turns on the install-time security defaults GitHub announced in June and starts winding down the most sensitive uses of 2FA-bypass granular access tokens (GATs). Both changes landed in today's changelog. The direction will be familiar to anyone who followed the past year of npm supply chain attacks. Almost every worm and credential stealer that hit the registry since late 2025 ran at install time, before any application code…

Socket
Malicious Go Module Exposes GitHub Malware Lure Network Spanning 222 Repositories

Malicious Go Module Exposes GitHub Malware Lure Network Spanning 222 Repositories

Our investigation began with a malicious Go module, github[.]com/kaleidora/dnsub-scanning-tool, that posed as a DNS/subdomain scanner. The module did more than impersonate a developer utility: it exposed a Windows malware-staging chain that used hidden PowerShell execution, public dead-drop resolution, protected archive delivery, and RAT/infostealer deployment. Pivoting from that module revealed the larger finding: a GitHub-based lure network of 222 confirmed repositories across 190 accounts,…

Socket
pnpm 11.10 Hardens Registry Authentication to Block Token Redirection

pnpm 11.10 Hardens Registry Authentication to Block Token Redirection

pnpm 11.10 was released over the weekend as a small update that includes several supply chain hardening changes. The main change is a new way to configure registry authentication that keeps a repository's own files from redirecting your registry token to a different host. The release also tightens a few build and packaging commands and adds an install path for pnpm v12, the Rust rewrite. The new _auth setting ties each token to its registry # pnpm 11.10 adds an _auth setting that stores…

Socket
Coordinated npm and PyPI Campaign Typosquats Popular Secure Payment Apps

Coordinated npm and PyPI Campaign Typosquats Popular Secure Payment Apps

Socket’s AI scanner detected a cluster of npm and PyPI malware published on July 7, 2026. The 17 packages, published nearly simultaneously, target SDK developers and users of the popular PaySafe, Skrill and Neteller payment applications. Ultimately, the packages perform credential and token theft, exfiltrating stolen data to AWS infrastructure. Affected Packages # At the time of publication, the following packages were affected. Each npm package published four malicious versions (1.0.0 through…

Socket
Node.js Considers Public Workflow for Security Reports Amid AI-Driven Surge

Node.js Considers Public Workflow for Security Reports Amid AI-Driven Surge

A controversial proposal inside the Node.js Technical Steering Committee would move lower-severity security reports into a public workflow, reserving private embargo handling for higher-severity vulnerabilities. The proposal, opened in February by Node.js security maintainer Rafael Gonzaga, is now on the agenda for the July 9, 2026 Security Working Group meeting, alongside a follow-up discussion on AI-assisted HackerOne triage. It builds on a year of changes to Node.js security intake,…

Socket
PolinRider: North Korea-Linked Supply Chain Campaign Expands Across Open Source Ecosystems

PolinRider: North Korea-Linked Supply Chain Campaign Expands Across Open Source Ecosystems

Socket Threat Research Team identified 162 malicious release artifacts across 108 packages and extensions in npm, Packagist, Go modules, and Chrome extensions, linking the activity to the broader North Korean Contagious Interview / Famous Chollima developer-targeting campaign. PolinRider is a supply chain campaign linked to North Korean threat actors associated with the broader Contagious Interview / Famous Chollima activity cluster. Our latest findings show that the campaign has expanded…

Socket
Risky Biz Podcast: AI Agents Are Raising the Stakes for Software Supply Chain Security

Risky Biz Podcast: AI Agents Are Raising the Stakes for Software Supply Chain Security

The last six months have been one of the most intense stretches of software supply chain attacks the open source ecosystem has seen. Attackers are compromising widely used packages, abusing trusted developer workflows, stealing credentials, and using package registries, IDE extensions, and source repositories to distribute malicious code. At the same time, AI coding agents are changing how software gets built, pulling in dependencies at machine speed and making unreviewed trust decisions…

Socket
Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates

Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates

Malicious Chrome and Firefox extensions posing as free VPNs added a clipboard stealer through staged updates, exfiltrating copied data to hardcoded threat actor-controlled infrastructure. Socket’s Threat Research Team analyzed two browser extensions operating under the VPN Go: Free VPN branding, one listed on the Chrome Web Store and another listed on Mozilla’s Firefox Add-ons marketplace. At the time of writing, the Chrome extension listed 146 users, while the Firefox extension showed 3,499…

Socket
Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages

Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages

Latest wave affects legitimate @immobiliarelabs Backstage packages, with malicious npm releases published across GitLab and LDAP authentication plugin families on June 26, 2026. Socket Threat Research is tracking a fresh compromise in the ongoing Miasma Mini Shai-Hulud supply chain campaign. The latest activity affects legitimate npm packages published under the @immobiliarelabs scope, including Backstage plugins used for GitLab integration and LDAP authentication. This appears to be a…

Socket