Socket
Socket is a developer-first security platform that protects your code from both vulnerable and malicious dependencies. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS.
-
A Go typosquat impersonating the popular shopspring/decimal library stayed benign for years before shipping a DNS TXT backdoor that executes commands on import.
The legitimate module has 38K+ known importers, making a single-letter typo a high-value target.
https://socket.dev/blog/popular-go-decimal-library-typosquat-dns-backdoor #Golang
-
🚨 BREAKING: Socket is investigating an active npm supply chain attack compromising hundreds of packages in the @antv ecosystem.
The malicious publish wave appears tied to Mini Shai-Hulud and packages connected to the npm maintainer account atool.
-
🚨 Socket detected malicious activity in newly published versions of node-ipc, an npm package with 822K weekly downloads.
Affected versions:
[email protected]
[email protected]
[email protected]
Socket’s AI scanner flagged the malware within ~3 minutes of publication.
Early analysis shows obfuscated stealer/backdoor behavior, including host fingerprinting, local file enumeration, payload wrapping, and attempted exfiltration.
-
cc: @campuscodi
-
🐘 @packagist is urging #PHP projects to update Composer after a GitHub token format change caused some GitHub Actions tokens to be exposed in CI logs.
GitHub has rolled back the token change for now, but affected projects still need to update Composer.
https://socket.dev/blog/packagist-urges-immediate-composer-update
-
🚨 We detected malicious #dYdX client packages published to npm and PyPI after a maintainer account compromise, enabling wallet theft and remote code execution.
Full investigation → https://socket.dev/blog/malicious-dydx-packages-published-to-npm-and-pypi #crypto
-
🚨 New Research: Threat actors compromised four #OpenVSX extensions, pushed malicious updates that load encrypted malware, evade Russian locales, and fetch C2 instructions via #Solana memos, leading to macOS credential and wallet theft.
Full analysis: https://socket.dev/blog/glassworm-loader-hits-open-vsx-via-suspected-developer-account-compromise
-
🚨 New from the Socket Threat Research Team: 5 coordinated Chrome extensions hijack sessions and block security controls in enterprise HR and ERP platforms like Workday and NetSuite.
Full report → https://socket.dev/blog/5-malicious-chrome-extensions-enable-session-hijacking #CyberSecurity #EnterpriseSecurity
-
🚨 New research: A malicious Chrome Web Store extension is stealing newly created #MEXC API keys and exfiltrating them to a Telegram bot, enabling full account takeover with trading and withdrawal rights.
Details → https://socket.dev/blog/malicious-chrome-extension-steals-mexc-api-keys #crypto
-
🚨 New threat research: An impostor #NuGet package typosquatted a popular .NET tracing library and its author, using homoglyph tricks to blend in, then exfiltrated #Stratis wallet JSON and passwords to a Russian IP address.
Full report → https://socket.dev/blog/malicious-nuget-package-typosquats-popular-net-tracing-library #dotnet
-
🚨 Socket’s Threat Research Team uncovered a malicious Chrome extension posing as an #Ethereum wallet. It steals seed phrases by encoding them into #Sui transactions and leaks them on-chain - no C2 needed.
→ https://socket.dev/blog/malicious-chrome-extension-exfiltrates-seed-phrases #crypto
-
🚨 Socket researchers discovered an npm package targeting #crypto traders. It hunts for wallet keys & #BullX credentials, then exfiltrates them via Telegram. A second package serves as a minimal wrapper to execute the payload.
Full report → https://socket.dev/blog/malicious-npm-packages-use-telegram-to-exfiltrate-bullx-credentials #JavaScript
-
📌 New from the Socket Research Team: A malicious npm package disguised as an #Advcash integration triggers a reverse shell during payment success. Unlike many malicious packages that execute code during installation, this payload is delayed until runtime.
https://socket.dev/blog/npm-package-advcash-integration-triggers-reverse-shell #JavaScript
-
At #VulnCon, NIST revealed that the NVD is scrapping its consortium plan, walking back last year’s promise of reform, while pitching new tools that critics say won't meaningfully address the backlog or transparency problem.
https://socket.dev/blog/vulncon-2025-nvd-scraps-consortium-plan #CVE #CyberSecurity #VulnCon2025
-
📦 Our latest investigation of Black Basta's leaked chats shows how they were plotting to exploit open source package registries to deploy ransomware, plus our analysis of #ransomware & wiperware packages already in the wild.
https://socket.dev/blog/black-basta-dependency-confusion-ambitions-and-ransomware-in-open-source-ecosystems #BlackBasta #CyberSecurity
-
🚀 Exciting news: Socket is now part of TC54! We're joining forces to help shape the future of SBOMs, CycloneDX, and PURL, making software supply chains more secure & transparent.
https://socket.dev/blog/socket-joins-tc54 #SBOM #CycloneDX #PURL #cybersecurity