🚨 Socket detected malicious activity in newly published versions of node-ipc, an npm package with 822K weekly downloads. Affected versions: node-ipc@9.1.6, node-ipc@9.2.3, node-ipc@12.0.1. Socket’s AI scanner flagged the malware within ~3 minutes of publication. Early analysis shows obfuscated stealer/backdoor behavior, including host fingerprinting, local file enumeration, payload wrapping, and attempted exfiltration.
Socket
Computer and Network Security
Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS.
About us
Socket is a cybersecurity platform that protects companies from software supply chain attacks. Companies use Socket to protect their software applications and critical services from malware and security threats originating in open source code.
- Website: https://socket.dev
- Industry: Computer and Network Security
- Company size: 51-200 employees
- Headquarters: San Francisco
- Type: Privately Held
- Founded: 2020
- Specialties: Software, Security, Software supply chain, Open source software, Application Security, Cybersecurity, and Software Composition Analysis (SCA)
Locations
- Primary: San Francisco, US
Updates
Socket reposted this
🏁 TeamPCP and BreachForums are running a supply chain attack contest: $1,000 in Monero for the biggest haul of compromised open source packages, measured by download counts. The group open sourced Shai-Hulud as attack tooling and requires it for entry. https://lnkd.in/eTKe7sHz
🐘 Packagist is urging #PHP projects to update Composer after a GitHub token format change caused some GitHub Actions tokens to be exposed in CI logs. GitHub has rolled back the token change for now, but affected projects still need to update Composer. Packagist Conductors published a security advisory today. https://lnkd.in/eUzybyy2
💎 New GemStuffer Campaign: Socket detected a RubyGems registry abuse campaign stuffing scraped UK council portal pages into junk gems. PoC worm, scraper, or spam? Low downloads, repeated publishing, and 155 artifacts tracked so far. New Research → https://lnkd.in/eAZyBJZb
🎉 Socket is proud to be named to the Rising in Cyber 2026 list by Notable Capital, recognizing 30 private cybersecurity startups selected by nearly 150 practicing CISOs and cybersecurity executives. https://lnkd.in/eFPGKADP
Socket reposted this
The Netlify team has been monitoring the npm supply chain breach that is expertly covered by Socket on their blog. We have reached out to a small set of affected customers. We have no evidence that Netlify itself is affected at this time. https://lnkd.in/gz8M-_8C
Socket reposted this
Socket is now counting 416 compromised artifacts as part of Mini Shai-Hulud. We have identified compromises in @opensearch-project/opensearch on npm (v3.5.3 through 3.8.0), mistralai and guardrails-ai on PyPI, and others. guardrails-ai@0.10.1 executed code on import, fetching and running a Python payload from a remote URL; at the domain, the attacker was taunting visitors with a note signed "With Love TeamPCP" and "We've been online over 2 hours now stealing creds." We've reported the issue upstream to the project. The affected packages now span search infrastructure, AI tooling, aviation-related dev packages, enterprise automation, and frontend/CI ecosystems.
🚨 BREAKING: 84 TanStack npm package artifacts (packages & multiple versions) were compromised in the ongoing Mini Shai-Hulud supply chain attack, adding suspected CI credential-stealing malware. Socket flagged every malicious version within six minutes of publication. This is a developing story.