Philipp Burckhardt
burckhap.bsky.social
⚡Securing Software Supply Chains @SocketSecurity (http://socket.dev)
🔭 Scientific computing for the web via @stdlibjs (http://stdlib.io)
While we haven't seen major supply chain attacks hitting any of the major open-source ecosystems, the Socket Threat Research Team uncovered some fascinating and creative attack techniques worth sharing:
pypi-mirror.org
September 26, 2025 at 10:44 PM
Published my take on METR's surprising study that I participated in: AI tools made experienced developers 19% slower (expectation was that they would become 40% faster with AI!)🤯
I dive into the why, where AI coding tools actually help, and how I've shifted from handholding AI to async delegation.
July 17, 2025 at 8:00 PM
Two major npm supply chain discoveries this week from the Socket Research Team highlight a critical gap in traditional security approaches. Both threats would slip past security tools that rely on vulnerability databases or metadata alone.
July 16, 2025 at 8:13 PM
Over the last few months, I have been picking up Cursor again after finding it not substantially improving my productivity when I tried it last year. It, and the LLMs powering AI code completions, have gotten so much better that I now really enjoy its agent workflow.
May 8, 2025 at 5:32 PM
Our team at Socket has uncovered a Go module supply chain attack that deploys destructive disk-erasing payloads.

A single code line triggers a shell script that overwrites disks, making data irretrievable. The attack leverages Go's open ecosystem, exploiting namespace confusion.
wget to Wipeout: Malicious Go Modules Fetch Destructive Payl...
Socket's research uncovers three dangerous Go modules that contain obfuscated disk-wiping malware, threatening complete data loss.
socket.dev
May 1, 2025 at 7:56 PM
The Socket research team discovered seven "Coffin-Codes" packages that leveraged Gmail's SMTP protocol to create covert channels for extracting data and executing commands.
Using Trusted Protocols Against You: Gmail as a C2 Mechanism...
Socket uncovers malicious packages on PyPI using Gmail's SMTP protocol for command and control (C2) to exfiltrate data and execute commands.
socket.dev
April 30, 2025 at 8:33 PM
🚨SECURITY ALERT: Uncovering "The Bad Seeds" in Package Registries 🚨

Socket researchers have identified three malicious npm and PyPI packages that, like their namesake, are doing the devil's work - harvesting crypto wallet credentials while posing as innocent developer tools.
April 23, 2025 at 7:08 PM
Last week, Socket researchers discovered malicious npm packages deploying backdoors through fake Telegram bot libraries and payment integrations - details in thread below.
Malicious npm Package Disguised as Advcash Integration Trigg...
The Socket Research Team investigates a malicious npm package that appears to be an Advcash integration but triggers a reverse shell during payment su...
socket.dev
April 20, 2025 at 10:52 PM
Reposted by Philipp Burckhardt
This is tremendous for TypeScript and JavaScript developers everywhere. We're building a new TypeScript that runs lighter, goes faster, and scales well on enormous codebases.

This was a big decision and a lot of work, but we are seeing promising results for this new foundation!
Today we're thrilled to announce our effort to port the TypeScript compiler and language service to native code, gaining a 10x speed boost in build times and editor responsiveness!

devblogs.microsoft.com/typescript/t...
A 10x Faster TypeScript - TypeScript
Embarking on a native port of the existing TypeScript compiler and toolset to achieve a 10x performance speed-up.
devblogs.microsoft.com
March 11, 2025 at 4:30 PM
Eleven years ago, Athan Reines and I set out to bring numerical and statistical computing to the web, which culminated in the creation of stdlib. What started as an ambitious idea has grown into a thriving open-source project which has truly taken off since being accepted into GSoC last year.
February 26, 2025 at 8:07 PM
🚨 New research from the Socket threat analysis team! 🚨

We've uncovered a harmful PyPI package exploiting the Deezer API for systematic music piracy. Learn more about the detection of this exploit and its implications for developers and users alike: https://buff.ly/3D9CHjW

Malicious PyPI Package Exploits Deezer API for Coordinated M...
Socket researchers uncovered a malicious PyPI package exploiting Deezer’s API to enable coordinated music piracy through API abuse and C2 server contr...
socket.dev
February 26, 2025 at 5:13 PM
We uncovered a stealthy Go supply chain attack: a malicious BoltDB typosquat backdoored dev machines while looking clean on GitHub!
Go Supply Chain Attack: Malicious Package Exploits Go Module...
Socket researchers uncovered a backdoored typosquat of BoltDB in the Go ecosystem, exploiting Go Module Proxy caching to persist undetected for years.
socket.dev
February 4, 2025 at 2:33 PM
🚨 North Korean APT Lazarus is targeting developers with a malicious npm package!

The postcss-optimizer package delivers BeaverTail malware, stealing credentials & deploying second-stage payloads.

Read the full analysis on the Socket blog:
North Korean APT Lazarus Targets Developers with Malicious n...
Malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems; similarities to past campaigns suggest a North Korea...
buff.ly
January 31, 2025 at 4:59 PM
New on the Socket Blog: Kush Pandya uncovered a hidden kill switch in npm packages targeting two popular libraries, chalk and chokidar. This is a deep dive into a recent typo-squatting attack, illustrating how malicious packages can jeopardize your software supply chain.
Kill Switch Hidden in npm Packages Typosquatting Chalk and C...
Socket researchers found several malicious npm packages typosquatting Chalk and Chokidar, targeting Node.js developers with kill switches and data the...
buff.ly
January 14, 2025 at 4:50 PM
2024 was transformational for stdlib and our mission to build the fundamental numerical library for the web. Huge thanks to the dozens of new contributors who helped make it possible!

Read Athan Reines' retrospective here:
https://buff.ly/4j6dIht

Wishing everyone a great 2025!
2024 Retrospective
A look back at 2024 and a preview of the year ahead for all things stdlib.
buff.ly
January 4, 2025 at 11:07 PM
Last week, we discovered a harmful npm package that pretends to be a video downloader. However, it secretly collected credentials and data by logging web form inputs, metadata, cookies, and passwords, sending them via Telegram and Discord webhooks.
December 17, 2024 at 9:24 PM
Our threat research team recently discovered a malicious Maven package impersonating “XZ for Java”. As you may remember, the widely depended-on XZ Utils compression library fell prey to a sophisticated social engineering attack, which allowed an attacker to sneak in malicious code earlier this year.
December 7, 2024 at 2:21 AM
We detected a malicious npm package, solana-systemprogram-utils, targeting the funds of Solana developers. The package reroutes 2% of transactions to an attacker's hardcoded address. Always audit your libraries and rely on trusted sources.
December 3, 2024 at 2:32 AM
Open source maintainers getting funding directly for security? Yes, please.
With LLMs pumping out more code than ever, putting security first in OSS isn’t optional. Awesome to see the recently announced GitHub Secure Open Source Fund, established by GitHub together with >12 partner institutions.
December 1, 2024 at 1:57 PM
At the start of this week, Anthropic released the Model Context Protocol (MCP), an open standard for connecting AI assistants to data sources like databases, content repositories, and dev environments. It's aiming to solve a key challenge: giving AI models access to real-world data.
November 30, 2024 at 8:29 PM
Interesting findings about "ghost engineers", but they invite some skepticism. Measuring developer productivity is notoriously challenging—commit counts and hours logged rarely capture true impact.
November 27, 2024 at 1:27 PM