Sarah Gooding
@sarahgooding.bsky.social
390 followers 130 following 120 posts
Head of Content Marketing at Socket (socket.dev). Open source advocate, runner, knitter. Find me at sarahgooding.dev
Wow! I'm honored to receive this award from the @openjsf.org. It's a privilege to share stories that highlight the people and projects driving open source security forward. I'm thankful my work at @socket.dev lets me support the OSS maintainers and users at the heart of this community. 💜
Introducing 🥁🥁🥁 our JavaScriptLandia award recipients for this year!

Beyond building new features, our recipients guide others, maintain essential systems, document the hard parts, and strengthen the community every step of the way. 💙

Read more about our honorees here: hubs.la/Q03NQvx10
More malicious packages linked to North Korea, leveraging typosquatting.

Targets include Web3, cryptocurrency, and blockchain developers, as well as technical job seekers approached with recruiting lures, leading to multi-stage compromise and financial loss.

cc: @campuscodi.risky.biz
North Korea’s “Contagious Interview” campaign continues to weaponize npm: 338 malicious packages, 50K+ downloads. Leveraging typosquats, loader tweaks, and new aliases, it targets #crypto devs and job seekers via recruiter lures.

Full Report →
socket.dev/blog/north-k... #NodeJS
North Korea’s Contagious Interview Campaign Escalates: 338 M...
The Socket Threat Research Team is tracking weekly intrusions into the npm registry that follow a repeatable adversarial playbook used by North Korean...
socket.dev
Ruby Central’s incident report on the RubyGems.org access dispute sparks community backlash and renewed debate over project governance.

An overview on the latest news from the Ruby gems packaging ecosystem with comments from @indirect.io and @duckinator.bsky.social:
When a registry’s maintainers and stewards lose alignment, the entire ecosystem feels it. #Ruby Central’s report on the RubyGems.org access dispute has reopened hard questions about how open source infrastructure is governed. Here's the latest:

socket.dev/blog/ruby-ce...

cc: @shortruby.com
Big change in Google’s OSV that hasn’t gotten much attention: 500+ advisories just reappeared after a policy fix that had been hiding disputed CVEs.

cc: @campuscodi.risky.biz
Thrilled to have @ahmadnassri.com joining us at Socket! 🎉🎉🎉
Happy to share I'm getting back to my roots in open source, this time around on the side of protecting software development!

If you haven't yet, you should install @socket.dev for your team!
Reposted by Sarah Gooding
🔥 Breaking: Former #RubyGems maintainers have launched the Gem Cooperative, a community-run RubyGems server with open governance.

We spoke with the team behind it. Read the full story on the Socket blog
→ socket.dev/blog/gem-coo... #RubyLang #Ruby #Rails
Gem Cooperative Emerges as a Community-Run Alternative to Ru...
Former RubyGems maintainers have launched The Gem Cooperative, a new community-run project aimed at rebuilding open governance in the Ruby ecosystem.
socket.dev
This week we released Socket Firewall, a free CLI tool that protects developers from malicious packages at install time. We're excited to extend protection beyond npm to other ecosystems like #Python and #Rust, with more rolling out soon!

@thisweekinrust.bsky.social @campuscodi.risky.biz
#rustlang
🚨 Open source supply chain attacks are exploding.

Starting today, that ends.

We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI.

Just run:

npm i -g sfw
sfw npm install lodash

Works for: npm, yarn, pnpm, pip, uv, and cargo.
Reposted by Sarah Gooding
Excited to see The Register cover the launch of Socket Firewall!

This new free tool gives developers real-time protection at install time across multiple ecosystems, including JavaScript, Python, and Rust, with more coming soon. It works out of the box: No API key. No configuration.
Reposted by Sarah Gooding
Other than the trusted publishing stuff (which is absolutely not ready for use yet, I will be outlining why in my JS Conf talk) this is a great write up of the recent goings on.
GitHub is overhauling npm security after the Shai-Hulud worm. Maintainers welcome the shift to stronger defaults, but are pressing for fixes to CI workflows, enterprise support & token usability.

Details on how community feedback is shaping the rollout:
socket.dev/blog/package...
Package Maintainers Call for Improvements to GitHub’s New np...
Maintainers back GitHub’s npm security overhaul but raise concerns about CI/CD workflows, enterprise support, and token management.
socket.dev
Reposted by Sarah Gooding
⚡️ Follow Socket on Instagram! www.instagram.com/socketsecuri...
Reposted by Sarah Gooding
…what a time to be in the JavaScript web security space…
Reposted by Sarah Gooding
Socket @socket.dev · Sep 16
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.

Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that previously hit Tinycolor and dozen...
socket.dev
Reposted by Sarah Gooding
the ecosystem can’t keep absorbing hits like this, we need stronger defenses
Y'all this is non-stop. 😰 Woke up to another npm supply chain attack this morning. This malware is identical to the one that hit 40+ packages yesterday:

cc: @campuscodi.risky.biz
Socket @socket.dev · Sep 16
🚨 Multiple CrowdStrike packages trojanized in an ongoing npm supply chain attack: This is the same campaign that hit Tinycolor yesterday with identical malware.

Full list of compromised packages + mitigations →
socket.dev/blog/ongoing... #NodeJS #JavaScript
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...
Socket.dev found various compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply-chain attack that previously hit `tinycolor`.
socket.dev
Reposted by Sarah Gooding
🚨 Major active supply chain attack just hit npm.

Popular package @ctrl/tinycolor was trojanized — and it didn’t stop there. Over 40 packages were silently modified to steal secrets from dev machines & CI pipelines.

Our team at Socket caught it. Full report coming soon. Stay safe out there.
These attacks used to be more rare, but now we're seeing popular packages getting compromised every week. Check your dependencies.

cc: @campuscodi.risky.biz
Socket @socket.dev · Sep 15
🚨 Malicious update to @ctrl/tinycolor on npm is part of an active supply chain attack hitting 40+ packages across multiple maintainers. Audit & remove affected versions.

Our analysis of the malware: socket.dev/blog/tinycol... #NodeJS #JavaScript
Popular Tinycolor npm Package Compromised in Supply Chain At...
Malicious update to @ctrl/tinycolor on npm is part of a supply-chain attack hitting 40+ packages across maintainers
socket.dev
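The "audit & remove affected versions" step above, as an added example that is not Socket's code or part of the original post: walk an npm package-lock.json (lockfileVersion 2 or 3, which carry a flat `packages` map keyed by install path) and flag every entry whose name@version appears in a list of known-compromised releases. The lockfile and the indicator list here are constructed for the demo with hypothetical package names; the real affected package list is in the Socket advisory linked in the post, not reproduced here.

```javascript
// Added example, not Socket's tooling. Scans a package-lock.json v2/v3
// "packages" map for known-bad name@version pairs. In real use, load the
// lockfile with fs.readFileSync("package-lock.json", "utf8") and JSON.parse it.

// Constructed lockfile fragment (hypothetical packages, not real IOCs).
const lockfileV3 = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@example/colorkit": { version: "4.1.2" },
    "node_modules/left-padding-demo": { version: "1.3.0" },
    // Nested copy of the same package at an older, also-bad version.
    "node_modules/left-padding-demo/node_modules/@example/colorkit": { version: "4.1.1" },
    "node_modules/harmless-lib": { version: "2.0.0" },
  },
};

// Constructed indicators: package name -> set of malicious versions.
const compromisedVersions = {
  "@example/colorkit": new Set(["4.1.1", "4.1.2"]),
  "evil-helper": new Set(["0.0.1"]),
};

// The package name is everything after the LAST "node_modules/" segment,
// which keeps scoped names such as "@scope/name" intact and handles
// nested installs. The "" root entry and workspace links yield null.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  if (idx === -1) return null;
  return lockPath.slice(idx + marker.length);
}

// Returns every lockfile entry whose name@version is in the IOC list.
function findCompromised(lockfile, iocs) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !entry.version) continue;
    const bad = iocs[name];
    if (bad && bad.has(entry.version)) {
      hits.push({ path: lockPath, name, version: entry.version });
    }
  }
  return hits;
}

// Usage: both copies of @example/colorkit are reported, harmless-lib is not.
for (const h of findCompromised(lockfileV3, compromisedVersions)) {
  console.log(`compromised: ${h.name}@${h.version} at ${h.path}`);
}
```

Lockfile version 1 files have no `packages` map (they nest a `dependencies` tree), so they need a recursive walk instead; and a clean lockfile only tells you what is pinned, not what a fresh unpinned install would pull, which is why the post also recommends removing the affected versions rather than only checking for them.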
Reposted by Sarah Gooding
Socket @socket.dev · Sep 15
After recent npm supply chain attacks, @pnpm.io 10.16 adds a setting for delayed dependency updates.

Tools like Taze and npm-check-updates are testing similar “maturity” options, hinting at a cautious new trend in #JavaScript package management.

socket.dev/blog/pnpm-10... #NodeJS
pnpm 10.16 Adds New Setting for Delayed Dependency Updates -...
pnpm's new minimumReleaseAge setting delays package updates to prevent supply chain attacks, with other tools like Taze and NCU following suit.
socket.dev
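The delayed-update idea described in the post, as an added example that is neither pnpm's implementation nor code from the original page: given the `time` map of an npm registry packument (version to publish timestamp), pick the newest release that is at least a minimum age old, so a version pushed minutes ago is skipped even when it is tagged `latest`. The packument below is constructed for the demo, the threshold is expressed in minutes (as pnpm's `minimumReleaseAge` setting is), and the selection ignores dist-tags and prerelease versions for simplicity.

```javascript
// Added example, not pnpm's code: "minimum release age" applied to the
// shape of an npm packument. Versions younger than the threshold are
// ignored, which gives registry and scanner teams a window to pull a
// malicious release before anyone installs it.

// Constructed packument (hypothetical package and dates).
const packument = {
  name: "example-lib",
  "dist-tags": { latest: "3.2.0" },
  time: {
    created: "2023-01-01T00:00:00.000Z",
    modified: "2025-09-15T08:00:00.000Z",
    "3.0.0": "2025-06-01T00:00:00.000Z",
    "3.1.0": "2025-08-01T00:00:00.000Z",
    "3.1.1": "2025-08-20T00:00:00.000Z",
    "3.2.0": "2025-09-15T08:00:00.000Z", // pushed one hour before "now"
  },
};

// Strict x.y.z parser: non-version keys ("created", "modified") and
// prerelease versions ("4.0.0-beta.1") return null and are skipped.
const SEMVER = /^(\d+)\.(\d+)\.(\d+)$/;
function parseSemver(v) {
  const m = SEMVER.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Newest release whose publish time is at least `minAgeMinutes` before
// `now`; null when every version is too young (a caller would then fail
// the install or fall back to an already-locked version).
function selectMatureVersion(pkg, minAgeMinutes, now = new Date()) {
  const cutoff = now.getTime() - minAgeMinutes * 60 * 1000;
  let best = null;
  for (const [key, ts] of Object.entries(pkg.time)) {
    const parsed = parseSemver(key);
    if (!parsed) continue;
    const published = Date.parse(ts);
    if (Number.isNaN(published) || published > cutoff) continue;
    if (best === null || compareSemver(parsed, best.parsed) > 0) {
      best = { version: key, parsed };
    }
  }
  return best ? best.version : null;
}

// Usage: at 2025-09-15T09:00Z with a one-day (1440 minute) threshold,
// 3.2.0 is an hour old and is skipped; 3.1.1 is selected instead.
const now = new Date("2025-09-15T09:00:00.000Z");
console.log(selectMatureVersion(packument, 1440, now));
```

A real resolver would also honor the requested semver range and the repo's existing lockfile, and the threshold is a trade-off: a longer window delays legitimate security fixes as well as malicious pushes, which is why pnpm exposes it as a setting rather than a fixed default.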
Reposted by Sarah Gooding
Socket @socket.dev · Sep 12
🚨 A new phishing campaign is hitting crates maintainers, pretending to be from the Rust Foundation and asking for logins.

There’s no evidence crates.io is compromised but the emails are convincing and are bypassing Gmail spam filters.

socket.dev/blog/crates-... #rustlang
Crates.io Users Targeted by Phishing Emails - Socket
The Rust Security Response WG is warning of phishing emails from rustfoundation.dev targeting crates.io users.
socket.dev
Reposted by Sarah Gooding
Socket @socket.dev · Sep 10
🚀 Day 3 of Socket Launch Week: Announcing Socket Fix 2.0!

We updated Socket Fix to be much more powerful, with targeted CVE remediation and broader ecosystem support to help developers get to zero alerts faster. This is available for all Socket users today!
Reposted by Sarah Gooding
Hackers just hijacked npm packages with 2–3 billion weekly downloads.
All that access… and they only stole $500 of crypto 🤯

Sloppiest supply chain attack ever.
But if they’d been smarter? Could’ve been catastrophic.

I broke it down on @riskybusiness.bsky.social.

Full video here 👇
Feross Aboukhadijeh drops by RiskyBiz to talk about the big, dumb npm supply chain attack
YouTube video by Socket Security
www.youtube.com
😱😱 From the DuckDB team: "This website contained a pixel-perfect copy of the npmjs.com website. He logged in using the duckdb_admin user & password, followed by 2FA. Again, the user profile, settings etc. were a perfect copy of the npmjs.com website including all user data."
Socket @socket.dev · Sep 9
🚨 BREAKING: The DuckDB npm account was compromised. Malicious versions of duckdb, duckdb-wasm, and more were published early this morning with the same wallet-drainer malware seen in yesterday’s supply-chain attack. Check your dependencies!

socket.dev/blog/duckdb-... #NodeJS
DuckDB npm Account Compromised in Continuing Supply Chain At...
Ongoing npm supply chain attack spreads to DuckDB: multiple packages compromised with the same wallet-drainer malware.
socket.dev
Reposted by Sarah Gooding
Socket @socket.dev · Sep 8
🚀 We’re kicking off another Launch Week at Socket, with a new feature launching every day!

First up: Pull Request Stories, a dashboard view that helps security teams track supply chain risks by showing the real impact of every PR.