Latest Posts by Socket

PSA: Watch out. Attackers are impersonating a Linux Foundation leader in Slack to target open source developers

14 hours ago 2 1 0 0

"The whole software supply chain is built on blind trust. You're downloading code from random people on the internet that you've never met, and you're like, let's just run it." - @feross.bsky.social on TBPN talking about the Axios compromise.

Full interview → socket.dev/blog/feross-...

17 hours ago 7 5 0 0
On TBPN: Feross Discusses the Axios Attack and Today’s Open Source Security Landscape (YouTube video by Socket Security)

🚀 @socket.dev's first appearance on TBPN. We talked about what's been an intense week in supply chain security and why AI is accelerating the problem.

We've been building for exactly this moment.

www.youtube.com/watch?v=EeJg...

19 hours ago 8 3 0 0
Link preview: North Korea’s Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads (Socket, socket.dev/blog/contagi...): Malicious packages published to npm, PyPI, Go Modules, crates.io, and Packagist impersonate developer tooling to fetch staged malware, steal credentia...

1 day ago 1 2 0 0
Link preview: Attackers Are Impersonating a Linux Foundation Leader in Sla...: OpenSSF has issued a high-severity advisory warning open source developers of an active Slack-based campaign using impersonation to deliver malware.

Attackers are impersonating a @linuxfoundation.org leader in Slack to target #opensource developers with a multi-stage attack that ends in malware delivery. @openssf.org issued a high-severity advisory.

More details and screenshots of the lure: socket.dev/blog/attacke... #infosec

20 hours ago 9 4 0 1
Mythos, Muse Spark, Satoshi Revealed, Ackman Buys UMG, Apple's Folding Phone (YouTube video by TBPN)

🔥 Socket CEO @feross.bsky.social is live on TBPN right now discussing the Axios compromise:

www.youtube.com/watch?v=BRYr...

21 hours ago 1 0 1 0

cc: @campuscodi.risky.biz @thehackernews.bsky.social @zackwhittaker.com @bleepingcomputer.com @rustaceans.bsky.social @intcyberdigest.bsky.social

1 day ago 1 0 0 0

🚨 North Korea’s Contagious Interview campaign is now spreading across 5 ecosystems.

We found coordinated malicious packages on npm, PyPI, Go Modules, Crates, and Packagist delivering staged RAT payloads that steal credentials, wallets & browser data.

socket.dev/blog/contagi...

1 day ago 10 3 1 0
Link preview: Microsoft Releases Open Source Toolkit for AI Agent Runtime ...: Microsoft has released an open source toolkit for enforcing runtime security policies on AI agents as adoption accelerates faster than governance cont...

AI agents are executing code, calling APIs, writing to databases, and most deployments have almost no controls around what they can do. @microsoft.com just open-sourced a runtime governance toolkit built around @owasp.org's Top 10 for Agentic Applications.

Details → socket.dev/blog/microso...

1 day ago 2 1 0 0

"Docker Hardened Images for Node.js, Python, and Rust also include Socket Firewall, which blocks malicious dependencies at install time."

Another tool for securing your build pipeline - DHI are free and open source: socket.dev/blog/socket-...

2 days ago 10 3 0 0

Big thanks to the team at @darkreading.bsky.social for helping bring attention to this coordinated social engineering campaign:

2 days ago 4 2 0 0
Link preview: Attackers Are Hunting High-Impact Node.js Maintainers in a C...: Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.

We found this campaign is far more widespread than just Axios - tons of high-impact Node.js package maintainers are actively being targeted right now with the same playbook. Some have gotten frighteningly close to getting compromised: socket.dev/blog/attacke...

2 days ago 1 1 0 0

Damn, I got this as well! Just assumed it was spam and ignored this (and the LinkedIn follow-up). Turns out I dodged a bullet 😅

3 days ago 14 2 0 0

It's absolutely unbelievable the levels of social engineering maintainers have to be alert to these days. Hopefully the general media pick up on @sarahgooding.bsky.social's story to raise awareness more widely. #npm #nodejs #security

4 days ago 9 3 0 0

📖 This article by @sarahgooding.bsky.social at @socket.dev highlights a concerning trend (ref. socket.dev/blog/attacke...)

📕 Story time: this kind of supply chain targeting isn't unique. I myself & everyone on our team @vlt.sh have been the targets of consistent, concerted efforts.

3 days ago 17 9 1 0

Developers are in-scope attack surface.

5 days ago 6 1 1 0

This campaign is massive and a great reminder that behind your favorite Open Source dependencies are humans too!

I was also targeted, lucky that it takes me years to check my inbox 💀

5 days ago 16 7 2 0

Look, I’m in the news, like a lot of other maintainers 🤓 Scary stuff this

5 days ago 13 3 0 0

Wanted to warn the #NodeJS community: This campaign is active. Thank you to the maintainers who shared their stories - some of these came frighteningly close. One got all the way to the fake meeting before walking away. The more we talk about this, the harder it is for these attacks to succeed.

5 days ago 19 12 1 0

joke's on them, ignoring my inbox has long been part of my security posture

5 days ago 35 3 3 1

North Korea is targeting npm maintainers.

Not for crypto. For write access to packages downloaded trillions of times a year.

Lodash. Fastify. axios. mocha. Node.js core. Even @feross.bsky.social and several @socket.dev engineers!

socket.dev/blog/attacke...

5 days ago 16 8 0 1

🚨 New Investigation: Attackers are hunting the maintainers behind Lodash, Fastify, buffer, Pino, mocha, Express, and #Nodejs core, because compromising one of them means write access to packages downloaded billions of times a week.

socket.dev/blog/attacke...

5 days ago 26 14 1 10

Most critical OSS projects don’t have independent security budgets, so it's not unusual that even something as central as @nodejs.org depended on pooled funding models like the IBB. If open source consumers want these kinds of security incentives to exist, they need to step up to fund them.

1 week ago 10 4 0 0
Link preview: Axios Maintainer Confirms Social Engineering Attack Behind n...: Axios compromise traced to social engineering, showing how attacks on maintainers can bypass controls and expose the broader software supply chain.

Axios maintainer confirms the npm compromise was caused by a targeted social engineering attack that led to full access to his GitHub and npm accounts.

Open source maintainers continue to be high-value targets in supply chain attacks.

socket.dev/blog/axios-m...

6 days ago 11 5 0 1
Link preview: The Hidden Blast Radius of the Axios Compromise - Socket: The Axios compromise shows how time-dependent dependency resolution makes exposure harder to detect and contain.

🧨 Axios only needed to be resolved somewhere in your dependency graph to affect you.

Semver + transitive deps + runtime installs = hidden blast radius.

If you only checked your project’s lockfile, you may still not know.

socket.dev/blog/hidden-... #nodejs #javascript

1 week ago 16 13 0 3
Link preview: Node.js Drops Bug Bounty Rewards After Funding Dries Up - So...: Node.js has paused its bug bounty program after funding ended, removing payouts for vulnerability reports but keeping its security process unchanged.

📍 @nodejs.org drops bug bounty rewards after external funding dries up.

A real hit to its security incentives → socket.dev/blog/node-js... #nodejs #javascript

1 week ago 10 1 1 1

The axios compromise blast radius is much much much bigger than people seem to suspect. The secret: transitive dependencies with open ranges making it extremely obscure and difficult to detect whether you were affected, after the fact.

1 week ago 7 5 0 0

this is one of my favorite parts of the @vlt.sh CLI. it uses @socket.dev security data to prevent known malware from running lifecycle scripts like postinstall!

and it’s powered by queries under the hood so you could make it as granular as you wanted (but we ship with safe defaults)

1 week ago 16 7 0 0

⚠️ If you're running local mcp servers, you need to do the following:

1. Individually "install" packages you want to use within a specified directory (e.g. $HOME/mcp), creating a lockfile

2. Add: "--include-workspace-root --workspace $HOME/mcp --no --offline" to EVERY npx call

1 week ago 9 3 2 0
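The two steps above can be wrapped so that a local MCP server is only ever started from the pre-installed workspace. This is an added example, not code from the poster: it assumes the workspace directory is given by MCP_DIR (default $HOME/mcp) and holds the package-lock.json that step 1 produced, and it passes the npx flags exactly as the post lists them. The mcp_pinned and mcp_run names and the MCP_DRY_RUN switch are my own.

```shell
# Added example (not the poster's code): start a local MCP server only from a
# pre-installed, lockfile-pinned workspace, using the npx flags from the post.
# Assumption: MCP_DIR (default $HOME/mcp) is where step 1 ran
#   cd "$MCP_DIR" && npm install --save <package>
# so it holds package.json and package-lock.json.
MCP_DIR="${MCP_DIR:-$HOME/mcp}"

# Return 0 if package $1 is recorded in the workspace lockfile (lockfileVersion
# 2/3 stores each installed package under a "node_modules/<name>" key), else 1.
# Plain text check so it works without npm on the PATH.
mcp_pinned() {
    [ -f "$MCP_DIR/package-lock.json" ] || return 1
    grep -qF "\"node_modules/$1\"" "$MCP_DIR/package-lock.json"
}

# Run package $1 (remaining arguments go to the server). Refuses to start if
# the package is not pinned; MCP_DRY_RUN=1 prints the command instead of
# exec'ing it.
mcp_run() {
    pkg="$1"
    shift
    if ! mcp_pinned "$pkg"; then
        echo "refusing to run '$pkg': not pinned in $MCP_DIR/package-lock.json" >&2
        echo "install it first: cd \"$MCP_DIR\" && npm install --save $pkg" >&2
        return 1
    fi
    if [ "${MCP_DRY_RUN:-0}" = "1" ]; then
        echo "npx --include-workspace-root --workspace $MCP_DIR --no --offline $pkg $*"
        return 0
    fi
    # --no: never install something that is missing; --offline: never consult the registry.
    exec npx --include-workspace-root --workspace "$MCP_DIR" --no --offline "$pkg" "$@"
}
```

Call `mcp_run some-server --port 3000` from any directory; it exits before touching npx when the package was never installed into the workspace, and the --no --offline pair stops npx from fetching a freshly published version on the fly.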

We’re seeing cases where teams can’t explain how they were compromised by the Axios incident because it doesn’t show up in their project's lockfile. The blast radius here is much larger than it looks.

Deep dive into the messy reality of modern dependency resolution → socket.dev/blog/hidden-...

1 week ago 17 10 0 0
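The posts above about the Axios blast radius (open semver ranges on transitive dependencies, plus installs that happen at build or run time rather than from the lockfile) can be made concrete with a small model of time-dependent resolution. This is an added example, not Socket's code or tooling: the package somelib, its release history, the dependents http-helper and old-client, and the install events are all constructed, and the "bad" version is a placeholder that does not describe the real Axios release history.

```python
"""Time-dependent dependency resolution: why a clean lockfile does not prove
you were never exposed. Added example; all names, versions and times are
constructed and do not describe the real Axios release history."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Release:
    version: tuple
    published: datetime
    unpublished: Optional[datetime] = None  # None: still on the registry

    def available_at(self, when):
        return self.published <= when and (self.unpublished is None or when < self.unpublished)


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def range_allows(spec, version):
    """Subset of npm range syntax: exact 'x.y.z', caret '^x.y.z' (x >= 1), tilde '~x.y.z'."""
    if spec.startswith("^"):
        base = parse_version(spec[1:])
        return base <= version < (base[0] + 1, 0, 0)
    if spec.startswith("~"):
        base = parse_version(spec[1:])
        return base <= version < (base[0], base[1] + 1, 0)
    return version == parse_version(spec)


def resolve_at(releases, spec, when):
    """Highest matching version the registry served at `when` (npm takes the newest match)."""
    matches = [r.version for r in releases if r.available_at(when) and range_allows(spec, r.version)]
    return max(matches) if matches else None


# Constructed release history for a hypothetical package "somelib".
SOMELIB_HISTORY = [
    Release((1, 7, 0), utc(2026, 1, 5)),
    Release((1, 7, 1), utc(2026, 2, 20)),
    # Placeholder for a malicious release that was live for nine hours.
    Release((1, 7, 2), utc(2026, 3, 10, 0), unpublished=utc(2026, 3, 10, 9)),
    Release((1, 7, 3), utc(2026, 3, 10, 12)),  # clean follow-up release
]
BAD_VERSIONS = {(1, 7, 2)}

# The project never depends on somelib directly; two transitive dependents do.
# dependent -> (dependency, declared range)
TRANSITIVE_RANGES = {
    "http-helper": ("somelib", "^1.7.0"),  # open range
    "old-client": ("somelib", "1.7.0"),    # exact pin
}
# What the project's package-lock.json records for each dependent's copy.
LOCKFILE_PINS = {"http-helper": (1, 7, 1), "old-client": (1, 7, 0)}


@dataclass(frozen=True)
class Install:
    where: str
    when: datetime
    honours_lockfile: bool  # True: npm ci; False: bare npm install or npx at run time


def resolved_version(install, dependent):
    _dependency, spec = TRANSITIVE_RANGES[dependent]
    if install.honours_lockfile:
        return LOCKFILE_PINS[dependent]
    # Without the lockfile the range is re-resolved against whatever the
    # registry served at that moment.
    return resolve_at(SOMELIB_HISTORY, spec, install.when)


def exposed_installs(installs):
    """Map each exposed install to the dependents through which a bad version arrived."""
    report = {}
    for inst in installs:
        hits = [d for d in TRANSITIVE_RANGES if resolved_version(inst, d) in BAD_VERSIONS]
        if hits:
            report[inst.where] = hits
    return report


# Constructed install events around the malicious window.
INSTALLS = [
    Install("developer laptop, npm ci", utc(2026, 3, 10, 3), honours_lockfile=True),
    Install("CI job, npm install without lockfile", utc(2026, 3, 10, 5), honours_lockfile=False),
    Install("container build next day", utc(2026, 3, 11, 5), honours_lockfile=False),
]

if __name__ == "__main__":
    for where, via in exposed_installs(INSTALLS).items():
        print(f"{where}: pulled a bad version via {', '.join(via)}")
```

Only the CI job that re-resolved ranges inside the nine-hour window is reported, even though the lockfile on every developer machine still shows 1.7.1; the exact-pinned dependent is never affected, which is the difference between an open range and a pin that the posts are pointing at.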