Socket (@SocketSecurity)
Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS. 👀 @npm_malware
4.6K Following    17.1K Followers
We published our technical analysis. The @antv payload includes worm-like npm propagation logic: validate stolen npm tokens, enumerate packages, inject the payload, bump versions, and republish under the compromised maintainer identity. This is why these attacks can move so fast. There are now 2.1k public GitHub repos using the reversed Shai-Hulud marker and Dune-themed names, showing the fallback path is active at scale.
UPDATE: So far we've identified 639 compromised npm package versions across 323 unique packages in tonight's Mini Shai-Hulud wave. That includes 558 versions across 279 unique @antv packages. Most were detected within ~6 minutes of publication.
🚨 BREAKING: Socket is investigating an active npm supply chain attack compromising hundreds of packages in the @antv ecosystem. The malicious publish wave appears tied to Mini Shai-Hulud and packages connected to the npm maintainer account atool.
🚨 Socket detected malicious activity in newly published versions of node-ipc, an npm package with 822K weekly downloads. Affected versions: node-ipc@9.1.6, node-ipc@9.2.3, node-ipc@12.0.1. Socket's AI scanner flagged the malware within ~3 minutes of publication. Early analysis shows obfuscated stealer/backdoor behavior, including host fingerprinting, local file enumeration, payload wrapping, and attempted exfiltration.
🏁 TeamPCP and BreachForums are running a supply chain attack contest: $1,000 in Monero for the biggest haul of compromised open source packages, measured by download counts. The group open sourced Shai-Hulud as attack tooling and requires it for entry.
Yep, that works as a lightweight local guardrail. It makes Socket Firewall the default path for everyday installs. For macOS/Linux users, the equivalent in zsh/bash would be:
alias npm="sfw npm"
alias yarn="sfw yarn"
alias pnpm="sfw pnpm"
alias pip="sfw pip"
alias uv="sfw uv"
alias cargo="sfw cargo"
🐘 @packagist is urging #PHP projects to update Composer after a GitHub token format change caused some GitHub Actions tokens to be exposed in CI logs. GitHub has rolled back the token change for now, but affected projects still need to update Composer.
🚨 The popular PyPI package lightning has been compromised in a supply chain attack. Socket detected malicious code in versions 2.6.2 and 2.6.3 that executes automatically on import, downloads Bun, and runs an 11 MB obfuscated JavaScript payload designed to steal credentials. This appears to be connected to yesterday's mini Shai-Hulud attack, but we're still investigating. #Python