
Security News
Open VSX Begins Implementing Pre-Publish Security Checks After Repeated Supply Chain Incidents
Following multiple malicious extension incidents, Open VSX outlines new safeguards designed to catch risky uploads earlier.
Quickly evaluate the security and health of any open source package.
pinokiod
0.0.433
by cocktailpeanut
Live on npm
Blocked by Socket
The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.
poor-azure-cuckoo
1.3.9
by uhuhana
Removed from npm
Blocked by Socket
The code implements an automated npm package publishing system that generates random package names and versions every 5 seconds, creating potential registry abuse. It hardcodes a placeholder authentication token directly in the source code (process.env.NODE_AUTH_TOKEN = 'your-npm-token'), which poses credential exposure risks if replaced with real tokens. The script continuously overwrites package.json with randomized metadata and executes 'npm publish' via execSync without rate limiting or validation. This behavior can lead to npm registry pollution, violation of npm policies, potential account suspension, and security risks from exposed authentication credentials. While not containing direct malicious payloads or data theft mechanisms, the automated spam-like publishing pattern represents abusive behavior that could disrupt the package ecosystem.
Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.
bluelamp-ai
1.0.2
Live on PyPI
Blocked by Socket
This file is high risk for supply-chain use. Its loader pattern (base64 + zlib obfuscation and immediate exec) conceals runtime behavior and enables arbitrary code execution at import time. Treat the package as untrusted until the embedded payload is decoded and audited in a secure, isolated environment. Recommended actions: decode and inspect payload offline, run it in an instrumented sandbox, and block use in production until verified.
mtmai
0.3.1049
Live on PyPI
Blocked by Socket
The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.
pinokiod
0.0.67
by cocktailpeanut
Live on npm
Blocked by Socket
The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.
lynx-explorer
1.0.1
by pikabug
Live on npm
Blocked by Socket
The code exhibits malicious behavior by collecting and sending sensitive system data to an unknown external server without user consent.
skyway-gateway
0.2.21
by n0bisuke
Live on npm
Blocked by Socket
High risk. The package downloads and installs an executable during npm install and does so while disabling TLS verification (--insecure). This is a supply-chain risk: a malicious or tampered binary could be placed on the system and executed, enabling data exfiltration, remote code execution, reverse shells, or other system compromise. At minimum review the binary before execution, remove or modify the postinstall, or require integrity verification (checksums or signatures) and remove the --insecure flag.
alita-sdk
0.3.348rc1
Live on PyPI
Blocked by Socket
The code contains patches that could weaken SSH security by disabling key verification and has the potential to hide tracks by deleting the .git directory. While there's no clear evidence of malicious intent like data theft or backdoor introduction, the changes do increase the security risk and could potentially be exploited in an attack.
airbnb-dev
4.9.0
by jpdtest1
Removed from npm
Blocked by Socket
The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.
Live on npm for 21 hours and 44 minutes before removal. Socket users were protected even while the package was live.
pretixgww
10.4.1
Live on PyPI
Blocked by Socket
This migration will create a superuser account with predictable, hardcoded credentials ('admin@localhost' / 'admin') whenever the migration is applied. That is a severe security risk (effectively a backdoor) for any environment that runs the migration. No network exfiltration or other malicious payloads were found, but the creation of an easily guessed administrative account warrants urgent remediation: remove or change the RunPython hook, and treat this as a high-risk supply-chain/backdoor indicator.
tiktok-coins-generator890
1.0.2
by sicrap
Removed from npm
Blocked by Socket
The code poses a significant security risk and should be reviewed. It is recommended to remove unnecessary imports, verify the contents of the data folder and the WordPress websites before proceeding, and avoid using hardcoded credentials for WordPress login.
Live on npm for 53 minutes before removal. Socket users were protected even while the package was live.
rshc
0.1.3
Live on crates.io
Blocked by Socket
The fragment demonstrates a backdoor-like mechanism: after a password check, it executes an embedded payload via an external interpreter. The use of templated placeholders and a per-build payload means distributed artifacts could silently execute attacker-supplied code. This is a significant supply-chain and runtime risk and warrants aggressive hardening, removal of dynamic code execution paths, or ensuring payloads are strictly controlled and auditable.
eteres
6.7.1
by wangxianxiu
Removed from npm
Blocked by Socket
This script appears to be checking the operating system and running a PowerShell script on Windows. While this behavior may be intended for legitimate purposes, it is important to review the contents of the PowerShell script to ensure it does not contain any malicious code.
Live on npm for 17 days, 14 hours and 30 minutes before removal. Socket users were protected even while the package was live.
smartchart
7.2
Live on PyPI
Blocked by Socket
This file embeds and dynamically executes compressed/encoded Python payloads via base64 + LZMA and exec(), and uses obfuscated identifiers for subsequent calls. This is a highly suspicious pattern consistent with a loader/dropper or backdoor. Treat this module as high risk: do not run it in production or on sensitive hosts without first decompressing and auditing the payloads in a safe, isolated environment.
nnodely
1.2.3
Live on PyPI
Blocked by Socket
This package contains a critical arbitrary code execution vulnerability through unsafe use of exec() on user-controlled input. Any application using this library with untrusted model definitions is at extreme risk of complete system compromise.
qg-toolkit
1.1.10
Live on PyPI
Blocked by Socket
The script collects sensitive user information from the Discord API, including usernames, emails, and IDs, and saves it to a file without user consent. It automates interactions with Discord, including sending unsolicited messages to channels (spamming), and uses a captcha solving service to bypass security measures. The script contains hardcoded API keys and tokens, posing significant security risks if shared or leaked. Additionally, it includes obfuscated JavaScript code to manipulate local storage tokens, suggesting attempts to hijack or misuse user accounts.
cloganalysis
0.0.1
Live on PyPI
Blocked by Socket
This module constructs an HTTP Basic Authorization header from provided credentials and sends those credentials and other provided strings to a hard-coded, suspicious remote endpoint over plaintext HTTP using a non-standard 'cPython' networking helper. Behavior is consistent with credential exfiltration or unwanted telemetry/backdoor activity. Treat this code as malicious or highly privacy-invasive. Investigate or remove the 'cPython' dependency and block the remote host; do not use in trusted environments.
github.com/milvus-io/milvus
v0.10.3-0.20211014022433-a2dc0d8808c3
Live on Go Modules
Blocked by Socket
This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.
sap-abstract
0.1.5
by abdallaeg2
Removed from npm
Blocked by Socket
The code is designed to send sensitive system information to a remote server, which is a significant security risk. This behavior is consistent with malicious activity, specifically data exfiltration.
Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.
@ebx-ui/ebx-ui-component-library-sdk
2.97.6
by junglesultana
Live on npm
Blocked by Socket
This file gathers environment variables, base64-encodes them, and sends them via an HTTP POST request to events[.]hookdeck[.]com using obfuscated code. The dynamic execution and network exfiltration of potentially sensitive information demonstrate malicious intent.
bane
4.2.9
Live on PyPI
Blocked by Socket
The fragment is a configuration/payload dataset for offensive tools: automated web scanning/exploitation (SQLi/XSS/admin path brute-force) and multiple DDoS/amplification attack types. While the excerpt has no execution primitives shown, its use in a larger codebase would enable malicious actions or misuse for disruption. Treat this code as hostile/dual-use and avoid including it as a dependency in production systems without strong justification and controls.
@zohodesk/react-cli
1.1.19-exp.13
by hariharan_vs
Live on npm
Blocked by Socket
The code performs unauthorized exfiltration of sensitive internal project data (package name, version, git commit hash) to a suspicious external server without user consent. This behavior is indicative of malicious intent, constituting a supply chain security threat. There is no obfuscation, but the data leak is serious and should be treated as a high-risk security incident.
pinokiod
0.0.433
by cocktailpeanut
Live on npm
Blocked by Socket
The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.
poor-azure-cuckoo
1.3.9
by uhuhana
Removed from npm
Blocked by Socket
The code implements an automated npm package publishing system that generates random package names and versions every 5 seconds, creating potential registry abuse. It hardcodes a placeholder authentication token directly in the source code (process.env.NODE_AUTH_TOKEN = 'your-npm-token'), which poses credential exposure risks if replaced with real tokens. The script continuously overwrites package.json with randomized metadata and executes 'npm publish' via execSync without rate limiting or validation. This behavior can lead to npm registry pollution, violation of npm policies, potential account suspension, and security risks from exposed authentication credentials. While not containing direct malicious payloads or data theft mechanisms, the automated spam-like publishing pattern represents abusive behavior that could disrupt the package ecosystem.
Live on npm for 10 minutes before removal. Socket users were protected even while the package was live.
bluelamp-ai
1.0.2
Live on PyPI
Blocked by Socket
This file is high risk for supply-chain use. Its loader pattern (base64 + zlib obfuscation and immediate exec) conceals runtime behavior and enables arbitrary code execution at import time. Treat the package as untrusted until the embedded payload is decoded and audited in a secure, isolated environment. Recommended actions: decode and inspect payload offline, run it in an instrumented sandbox, and block use in production until verified.
mtmai
0.3.1049
Live on PyPI
Blocked by Socket
The code exposes powerful administrative actions: arbitrary shell execution, arbitrary file reads, full environment dumps, and building/pushing Docker images to a hardcoded registry. These are not obfuscated but are high-risk capabilities that can be abused for data exfiltration, remote code execution, and supply-chain leakage if the superuser authentication is compromised or misconfigured. The presence of a hardcoded remote image name for docker push is suspicious for unintended outbound artifact exfiltration. Recommendation: avoid including these endpoints in public packages or ensure strict, auditable authentication and input validation; remove hardcoded push targets and avoid returning full environment variables or arbitrary file contents.
pinokiod
0.0.67
by cocktailpeanut
Live on npm
Blocked by Socket
The SweetAlert2 library code is mostly benign and serves as a UI modal dialog tool. However, it contains a suspicious and potentially malicious snippet that targets Russian users on certain domains to play an unsolicited audio prank, disabling pointer events and potentially disrupting user interaction. This behavior is unexpected and should be considered a moderate security risk and potential malware. The rest of the code shows no signs of malicious intent. The provided reports were invalid and unhelpful. Users should be cautious about this version of the library due to the embedded prank behavior.
lynx-explorer
1.0.1
by pikabug
Live on npm
Blocked by Socket
The code exhibits malicious behavior by collecting and sending sensitive system data to an unknown external server without user consent.
skyway-gateway
0.2.21
by n0bisuke
Live on npm
Blocked by Socket
High risk. The package downloads and installs an executable during npm install and does so while disabling TLS verification (--insecure). This is a supply-chain risk: a malicious or tampered binary could be placed on the system and executed, enabling data exfiltration, remote code execution, reverse shells, or other system compromise. At minimum review the binary before execution, remove or modify the postinstall, or require integrity verification (checksums or signatures) and remove the --insecure flag.
alita-sdk
0.3.348rc1
Live on PyPI
Blocked by Socket
The code contains patches that could weaken SSH security by disabling key verification and has the potential to hide tracks by deleting the .git directory. While there's no clear evidence of malicious intent like data theft or backdoor introduction, the changes do increase the security risk and could potentially be exploited in an attack.
airbnb-dev
4.9.0
by jpdtest1
Removed from npm
Blocked by Socket
The code is designed to collect and transmit system information to external endpoints without user consent, which is indicative of malicious behavior. The hardcoded endpoints and the nature of the data being sent pose a significant security risk.
Live on npm for 21 hours and 44 minutes before removal. Socket users were protected even while the package was live.
pretixgww
10.4.1
Live on PyPI
Blocked by Socket
This migration will create a superuser account with predictable, hardcoded credentials ('admin@localhost' / 'admin') whenever the migration is applied. That is a severe security risk (effectively a backdoor) for any environment that runs the migration. No network exfiltration or other malicious payloads were found, but the creation of an easily guessed administrative account warrants urgent remediation: remove or change the RunPython hook, and treat this as a high-risk supply-chain/backdoor indicator.
tiktok-coins-generator890
1.0.2
by sicrap
Removed from npm
Blocked by Socket
The code poses a significant security risk and should be reviewed. It is recommended to remove unnecessary imports, verify the contents of the data folder and the WordPress websites before proceeding, and avoid using hardcoded credentials for WordPress login.
Live on npm for 53 minutes before removal. Socket users were protected even while the package was live.
rshc
0.1.3
Live on crates.io
Blocked by Socket
The fragment demonstrates a backdoor-like mechanism: after a password check, it executes an embedded payload via an external interpreter. The use of templated placeholders and a per-build payload means distributed artifacts could silently execute attacker-supplied code. This is a significant supply-chain and runtime risk and warrants aggressive hardening, removal of dynamic code execution paths, or ensuring payloads are strictly controlled and auditable.
eteres
6.7.1
by wangxianxiu
Removed from npm
Blocked by Socket
This script appears to be checking the operating system and running a PowerShell script on Windows. While this behavior may be intended for legitimate purposes, it is important to review the contents of the PowerShell script to ensure it does not contain any malicious code.
Live on npm for 17 days, 14 hours and 30 minutes before removal. Socket users were protected even while the package was live.
smartchart
7.2
Live on PyPI
Blocked by Socket
This file embeds and dynamically executes compressed/encoded Python payloads via base64 + LZMA and exec(), and uses obfuscated identifiers for subsequent calls. This is a highly suspicious pattern consistent with a loader/dropper or backdoor. Treat this module as high risk: do not run it in production or on sensitive hosts without first decompressing and auditing the payloads in a safe, isolated environment.
nnodely
1.2.3
Live on PyPI
Blocked by Socket
This package contains a critical arbitrary code execution vulnerability through unsafe use of exec() on user-controlled input. Any application using this library with untrusted model definitions is at extreme risk of complete system compromise.
qg-toolkit
1.1.10
Live on PyPI
Blocked by Socket
The script collects sensitive user information from the Discord API, including usernames, emails, and IDs, and saves it to a file without user consent. It automates interactions with Discord, including sending unsolicited messages to channels (spamming), and uses a captcha solving service to bypass security measures. The script contains hardcoded API keys and tokens, posing significant security risks if shared or leaked. Additionally, it includes obfuscated JavaScript code to manipulate local storage tokens, suggesting attempts to hijack or misuse user accounts.
cloganalysis
0.0.1
Live on PyPI
Blocked by Socket
This module constructs an HTTP Basic Authorization header from provided credentials and sends those credentials and other provided strings to a hard-coded, suspicious remote endpoint over plaintext HTTP using a non-standard 'cPython' networking helper. Behavior is consistent with credential exfiltration or unwanted telemetry/backdoor activity. Treat this code as malicious or highly privacy-invasive. Investigate or remove the 'cPython' dependency and block the remote host; do not use in trusted environments.
github.com/milvus-io/milvus
v0.10.3-0.20211014022433-a2dc0d8808c3
Live on Go Modules
Blocked by Socket
This code implements an insecure, unauthenticated RPC mechanism that allows remote clients to cause arbitrary code execution and exfiltrate files/system information. Using pickle over an untrusted network and invoking methods by client-supplied names are severe supply-chain/backdoor risks. Do not deploy or reuse this code in production; it should be treated as a backdoor/untrusted remote-execution component unless wrapped with strong authentication, authorization, sandboxing, and safe serialization.
sap-abstract
0.1.5
by abdallaeg2
Removed from npm
Blocked by Socket
The code is designed to send sensitive system information to a remote server, which is a significant security risk. This behavior is consistent with malicious activity, specifically data exfiltration.
Live on npm for 28 minutes before removal. Socket users were protected even while the package was live.
@ebx-ui/ebx-ui-component-library-sdk
2.97.6
by junglesultana
Live on npm
Blocked by Socket
This file gathers environment variables, base64-encodes them, and sends them via an HTTP POST request to events[.]hookdeck[.]com using obfuscated code. The dynamic execution and network exfiltration of potentially sensitive information demonstrate malicious intent.
bane
4.2.9
Live on PyPI
Blocked by Socket
The fragment is a configuration/payload dataset for offensive tools: automated web scanning/exploitation (SQLi/XSS/admin path brute-force) and multiple DDoS/amplification attack types. While the excerpt has no execution primitives shown, its use in a larger codebase would enable malicious actions or misuse for disruption. Treat this code as hostile/dual-use and avoid including it as a dependency in production systems without strong justification and controls.
@zohodesk/react-cli
1.1.19-exp.13
by hariharan_vs
Live on npm
Blocked by Socket
The code performs unauthorized exfiltration of sensitive internal project data (package name, version, git commit hash) to a suspicious external server without user consent. This behavior is indicative of malicious intent, constituting a supply chain security threat. There is no obfuscation, but the data leak is serious and should be treated as a high-risk security incident.
Socket detects traditional vulnerabilities (CVEs) but goes beyond that to scan the actual code of dependencies for malicious behavior. It proactively detects and blocks 70+ signals of supply chain risk in open source code, for comprehensive protection.
Possible typosquat attack
Known malware
Git dependency
GitHub dependency
AI-detected potential malware
HTTP dependency
Obfuscated code
Suspicious Stars on GitHub
Telemetry
Protestware or potentially unwanted behavior
Critical CVE
High CVE
Medium CVE
Low CVE
Unpopular package
Minified code
Bad dependency semver
Wildcard dependency
Socket optimized override available
Deprecated
Unmaintained
Explicitly Unlicensed Item
License Policy Violation
Misc. License Issues
No License Found
Non-permissive License
License exception
Unidentified License
Ambiguous License Classifier
Copyleft License
Socket detects and blocks malicious dependencies, often within just minutes of them being published to public registries, making it the most effective tool for blocking zero-day supply chain attacks.
Socket is built by a team of prolific open source maintainers whose software is downloaded over 1 billion times per month. We understand how to build tools that developers love. But don’t take our word for it.

Nat Friedman
CEO at GitHub

Suz Hinton
Senior Software Engineer at Stripe
heck yes this is awesome!!! Congrats team 🎉👏

Matteo Collina
Node.js maintainer, Fastify lead maintainer
So awesome to see @SocketSecurity launch with a fresh approach! Excited to have supported the team from the early days.

DC Posch
Director of Technology at AppFolio, CTO at Dynasty
This is going to be super important, especially for crypto projects where a compromised dependency results in stolen user assets.

Luis Naranjo
Software Engineer at Microsoft
If software supply chain attacks through npm don't scare the shit out of you, you're not paying close enough attention.
@SocketSecurity sounds like an awesome product. I'll be using socket.dev instead of npmjs.org to browse npm packages going forward

Elena Nadolinski
Founder and CEO at Iron Fish
Huge congrats to @SocketSecurity! 🙌
Literally the only product that proactively detects signs of JS compromised packages.

Joe Previte
Engineering Team Lead at Coder
Congrats to @feross and the @SocketSecurity team on their seed funding! 🚀 It's been a big help for us at @CoderHQ and we appreciate what y'all are doing!

Josh Goldberg
Staff Developer at Codecademy
This is such a great idea & looks fantastic, congrats & good luck @feross + team!
The best security teams in the world use Socket to get visibility into supply chain risk, and to build a security feedback loop into the development process.

Scott Roberts
CISO at UiPath
As a happy Socket customer, I've been impressed with how quickly they are adding value to the product, this move is a great step!

Yan Zhu
Head of Security at Brave, DEFCON, EFF, W3C
glad to hear some of the smartest people i know are working on (npm, etc.) supply chain security finally :). @SocketSecurity

Andrew Peterson
CEO and Co-Founder at Signal Sciences (acq. Fastly)
How do you track the validity of open source software libraries as they get updated? You're prob not. Check out @SocketSecurity and the updated tooling they launched.
Supply chain is a cluster in security as we all know and the tools from Socket are "duh" type tools to be implementing. Check them out and follow Feross Aboukhadijeh to see more updates coming from them in the future.

Zbyszek Tenerowicz
Senior Security Engineer at ConsenSys
socket.dev is getting more appealing by the hour

Devdatta Akhawe
Head of Security at Figma
The @SocketSecurity team is on fire! Amazing progress and I am exciting to see where they go next.

Sebastian Bensusan
Engineer Manager at Stripe
I find it surprising that we don't have _more_ supply chain attacks in software:
Imagine your airplane (the code running) was assembled (deployed) daily, with parts (dependencies) from internet strangers. How long until you get a bad part?
Excited for Socket to prevent this

Adam Baldwin
VP of Security at npm, Red Team at Auth0/Okta
Congrats to everyone at @SocketSecurity ❤️🤘🏻

Nico Waisman
CISO at Lyft
This is an area that I have personally been very focused on. As Nat Friedman said in the 2019 GitHub Universe keynote, Open Source won, and every time you add a new open source project you rely on someone else code and you rely on the people that build it.
This is both exciting and problematic. You are bringing real risk into your organization, and I'm excited to see progress in the industry from OpenSSF scorecards and package analyzers to the company that Feross Aboukhadijeh is building!
Depend on Socket to prevent malicious open source dependencies from infiltrating your app.
Install the Socket GitHub App in just 2 clicks and get protected today.
Block 70+ issues in open source code, including malware, typo-squatting, hidden code, misleading packages, permission creep, and more.
Reduce work by surfacing actionable security information directly in GitHub. Empower developers to make better decisions.
Attackers have taken notice of the opportunity to attack organizations through open source dependencies. Supply chain attacks rose a whopping 700% in the past year, with over 15,000 recorded attacks.
Nov 23, 2025
Shai Hulud v2
Shai Hulud v2 campaign: preinstall script (setup_bun.js) and loader (setup_bin.js) that installs/locates Bun and executes an obfuscated bundled malicious script (bun_environment.js) with suppressed output.
Nov 05, 2025
Elves on npm
A surge of auto-generated "elf-stats" npm packages is being published every two minutes from new accounts. These packages contain simple malware variants and are being rapidly removed by npm. At least 420 unique packages have been identified, often described as being generated every two minutes, with some mentioning a capture the flag challenge or test.
Jul 04, 2025
RubyGems Automation-Tool Infostealer
Since at least March 2023, a threat actor using multiple aliases uploaded 60 malicious gems to RubyGems that masquerade as automation tools (Instagram, TikTok, Twitter, Telegram, WordPress, and Naver). The gems display a Korean Glimmer-DSL-LibUI login window, then exfiltrate the entered username/password and the host's MAC address via HTTP POST to threat actor-controlled infrastructure.
Mar 13, 2025
North Korea's Contagious Interview Campaign
Since late 2024, we have tracked hundreds of malicious npm packages and supporting infrastructure tied to North Korea's Contagious Interview operation, with tens of thousands of downloads targeting developers and tech job seekers. The threat actors run a factory-style playbook: recruiter lures and fake coding tests, polished GitHub templates, and typosquatted or deceptive dependencies that install or import into real projects.
Jul 23, 2024
Network Reconnaissance Campaign
A malicious npm supply chain attack that leveraged 60 packages across three disposable npm accounts to fingerprint developer workstations and CI/CD servers during installation. Each package embedded a compact postinstall script that collected hostnames, internal and external IP addresses, DNS resolvers, usernames, home and working directories, and package metadata, then exfiltrated this data as a JSON blob to a hardcoded Discord webhook.
Get our latest security research, open source insights, and product updates.

Security News
Following multiple malicious extension incidents, Open VSX outlines new safeguards designed to catch risky uploads earlier.

Research
/Security News
Threat actors compromised four oorzc Open VSX extensions with more than 22,000 downloads, pushing malicious versions that install a staged loader, evade Russian-locale systems, pull C2 from Solana memos, and steal macOS credentials and wallets.

Security News
Lodash 4.17.23 marks a security reset, with maintainers rebuilding governance and infrastructure to support long-term, sustainable maintenance.