🦜 Socket
@socket.dev.api.blog.feed.json@rss-parrot.net
I'm an automated parrot! I relay a website's RSS feed to the Fediverse. Every time a new post appears in the feed, I toot about it. Follow me to get all new posts in your Mastodon timeline!
Brought to you by the RSS Parrot.
---
Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for JavaScript, Python, and Go dependencies.
Feross on the 10 Minutes or Less Podcast: Nobody Reads the Code
https://socket.dev/blog/feross-10-minutes-or-less-podcast-nobody-reads-the-code?utm_medium=feed
Published: April 14, 2026 19:26
Socket CEO Feross Aboukhadijeh joins 10 Minutes or Less, a podcast by Ali Rohde, to discuss the recent surge in open source supply chain attacks.
108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure
https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2?utm_medium=feed
Published: April 13, 2026 18:46
Campaign of 108 extensions harvests identities, steals sessions, and adds backdoors to browsers, all tied to the same C2 infrastructure.
Axios Supply Chain Attack Reaches OpenAI macOS Signing Pipeline, Forces Certificate Rotation
https://socket.dev/blog/axios-supply-chain-attack-reaches-openai-macos-signing-pipeline-forces-certificate-rotation?utm_medium=feed
Published: April 11, 2026 03:14
OpenAI rotated macOS signing certificates after a malicious Axios package reached its CI pipeline in a broader software supply chain attack.
Don't Kill the Goose That Lays the Golden Eggs
https://socket.dev/blog/dont-kill-the-goose-that-lays-the-golden-eggs?utm_medium=feed
Published: April 10, 2026 01:27
Open source is under attack because of how much value it creates. It has been the foundation of every major software innovation for the last three decades. This is not the time to walk away from it.
Feross on TBPN: How North Korea Hijacked Axios
https://socket.dev/blog/feross-on-tbpn-how-north-korea-hijacked-axios?utm_medium=feed
Published: April 8, 2026 21:27
Socket CEO Feross Aboukhadijeh breaks down how North Korea hijacked Axios and what it means for the future of software supply chain security.
Attackers Are Impersonating a Linux Foundation Leader in Slack to Target Open Source Developers
https://socket.dev/blog/attackers-impersonating-linux-foundation-leaders-in-slack-targeting-oss-developers?utm_medium=feed
Published: April 8, 2026 18:36
OpenSSF has issued a high-severity advisory warning open source developers of an active Slack-based campaign using impersonation to deliver malware.
North Korea’s Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads
https://socket.dev/blog/contagious-interview-campaign-spreads-across-5-ecosystems?utm_medium=feed
Published: April 7, 2026 21:36
Malicious packages published to npm, PyPI, Go Modules, crates.io, and Packagist impersonate developer tooling to fetch staged malware, steal credentials and wallets, and enable remote access.
Microsoft Releases Open Source Toolkit for AI Agent Runtime Security
https://socket.dev/blog/microsoft-open-source-toolkit-for-ai-agent-runtime-security?utm_medium=feed
Published: April 7, 2026 18:05
Microsoft has released an open source toolkit for enforcing runtime security policies on AI agents as adoption accelerates faster than governance controls.
Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign
https://socket.dev/blog/attackers-hunting-high-impact-nodejs-maintainers?utm_medium=feed
Published: April 3, 2026 18:45
Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.
Axios Maintainer Confirms Social Engineering Attack Behind npm Compromise
https://socket.dev/blog/axios-maintainer-confirms-social-engineering-behind-npm-compromise?utm_medium=feed
Published: April 2, 2026 16:47
Axios compromise traced to social engineering, showing how attacks on maintainers can bypass controls and expose the broader software supply chain.
Node.js Drops Bug Bounty Rewards After Funding Dries Up
https://socket.dev/blog/node-js-drops-bug-bounty-rewards-funding-dries-up?utm_medium=feed
Published: April 2, 2026 14:55
Node.js has paused its bug bounty program after funding ended, removing payouts for vulnerability reports but keeping its security process unchanged.
The Hidden Blast Radius of the Axios Compromise
https://socket.dev/blog/hidden-blast-radius-of-the-axios-compromise?utm_medium=feed
Published: April 1, 2026 20:35
The Axios compromise shows how time-dependent dependency resolution makes exposure harder to detect and contain.
Supply Chain Attack on Axios Pulls Malicious Dependency from npm
https://socket.dev/blog/axios-npm-package-compromised?utm_medium=feed
Published: March 31, 2026 02:52
A supply chain attack on Axios introduced a malicious dependency, plain-crypto-js@4.2.1, published minutes earlier and absent from the project’s GitHub releases.
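The two Axios entries above (the "hidden blast radius" of time-dependent resolution, and the malicious plain-crypto-js@4.2.1 dependency) describe a check every downstream project had to run: does my installed tree contain that exact package version, through which dependency chain, and which version ranges in that tree would float to a newer release on a fresh install? The script below is an added example, not code from Socket or the Axios project. Only the indicator plain-crypto-js@4.2.1 comes from the report; the sample lockfile, its package names, version numbers and ranges are constructed placeholders (including the axios version), and the lockfile layout assumed is npm's lockfileVersion 2/3 "packages" map.

```javascript
// Added example (not Socket's or Axios's code): audit an npm package-lock.json
// for a known-bad package version and report every dependency chain that
// pulls it in. Assumes the lockfileVersion 2/3 layout, where "packages" is a
// map from install path ("node_modules/a/node_modules/b") to metadata.
// lockfileVersion 1 (nested "dependencies" objects) is not handled here.

// Indicator taken from the report: the dependency injected into Axios.
const INDICATORS = [{ name: "plain-crypto-js", version: "4.2.1" }];

// Constructed sample lockfile. Every version and range here is a placeholder
// (the axios version is NOT real metadata); only the indicator above is real.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.0.0", "example-lib": "^2.0.0" } },
    "node_modules/axios": {
      version: "1.0.0-sample",
      dependencies: { "plain-crypto-js": "^4.2.0", "follow-redirects": "^1.15.0" },
    },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/follow-redirects": { version: "1.15.0" },
    "node_modules/example-lib": { version: "2.0.0", dependencies: { "plain-crypto-js": "^4.1.0" } },
    // example-lib carries its own nested, older copy, which is clean.
    "node_modules/example-lib/node_modules/plain-crypto-js": { version: "4.1.0" },
  },
};

// Package name is the last "node_modules/" segment (scoped names keep their slash).
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? p : p.slice(i + "node_modules/".length);
}

// Node's resolution rule: look for node_modules/<dep> beside the requiring
// package, then walk up one node_modules level at a time to the root.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null; // declared but not installed (e.g. optional dep)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from the root, recording each installed path's first
// parent, then report every install whose name@version matches an indicator
// together with the shortest chain from the root that reaches it.
function findCompromised(lock, indicators = INDICATORS) {
  const packages = lock.packages;
  const bad = new Set(indicators.map((i) => `${i.name}@${i.version}`));
  const parent = new Map([["", null]]);
  const queue = [""];
  while (queue.length) {
    const cur = queue.shift();
    const entry = packages[cur];
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies,
      cur === "" ? entry.devDependencies : undefined);
    for (const depName of Object.keys(deps)) {
      const target = resolveDep(packages, cur, depName);
      if (target === null || parent.has(target)) continue;
      parent.set(target, cur);
      queue.push(target);
    }
  }
  const hits = [];
  for (const [path] of parent) {
    if (path === "") continue;
    if (!bad.has(`${nameFromPath(path)}@${packages[path].version}`)) continue;
    const chain = [];
    for (let p = path; p !== null; p = parent.get(p)) {
      chain.unshift(p === "" ? lock.name : nameFromPath(p));
    }
    hits.push({ path, chain });
  }
  return hits;
}

// A spec is pinned only if it is an exact semver version; anything else
// (^, ~, x, *, ranges) is resolved against the registry at install time when
// no lockfile is honoured, which is what makes exposure time-dependent.
const PINNED = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;
function floatingRanges(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    for (const [dep, spec] of Object.entries(entry.dependencies || {})) {
      if (!PINNED.test(spec)) out.push({ from: path === "" ? lock.name : nameFromPath(path), dep, spec });
    }
  }
  return out;
}

const sampleHits = findCompromised(SAMPLE_LOCK);
for (const h of sampleHits) console.log(`COMPROMISED ${h.path}: ${h.chain.join(" -> ")}`);
for (const f of floatingRanges(SAMPLE_LOCK)) console.log(`floating: ${f.from} -> ${f.dep} ${f.spec}`);
```

On the sample tree the audit flags only the hoisted copy (example-app -> axios -> plain-crypto-js) and leaves example-lib's nested 4.1.0 alone, which is the distinction a real incident response needs: the indicator is a name and version, not a name. To run it on a project, parse the real package-lock.json with JSON.parse and pass the object to findCompromised; any floating range in that tree is one that a lockfile-less install or an `npm update` during the exposure window could have resolved differently from what the lockfile records.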
TeamPCP Compromises Telnyx Python SDK to Deliver Credential-Stealing Malware
https://socket.dev/blog/telnyx-python-sdk-compromised?utm_medium=feed
Published: March 27, 2026 09:49
Malicious versions of the Telnyx Python SDK on PyPI delivered credential-stealing malware via a multi-stage supply chain attack.
TeamPCP Partners With Ransomware Group Vect to Target Open Source Supply Chains
https://socket.dev/blog/teampcp-partners-with-vect-targeting-oss-supply-chains?utm_medium=feed
Published: March 26, 2026 16:45
TeamPCP is partnering with ransomware group Vect to turn open source supply chain attacks on tools like Trivy and LiteLLM into large-scale ransomware operations.