Socket

Computer and Network Security

Socket is the #1 software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS.

About us

Socket is a cybersecurity platform that protects companies from software supply chain attacks. Companies use Socket to protect their software applications and critical services from malware and security threats originating in open source code.

Website
https://socket.dev
Industry
Computer and Network Security
Company size
51-200 employees
Headquarters
San Francisco
Type
Privately Held
Founded
2020
Specialties
Software, Security, Software supply chain, Open source software, Application Security, Cybersecurity, and Software Composition Analysis (SCA)

Updates

  • Socket reposted this

    Sarah Gooding (Socket, 462 followers)

    Wanted to warn the #NodeJS community: This campaign is active. Thank you to the maintainers who shared their experiences - some of these came frighteningly close. One got all the way to the fake meeting before walking away. The more we talk about this, the harder it is for these attacks to succeed.

    Socket (9,895 followers)

    🚨 New Investigation: Attackers are hunting the maintainers behind Lodash, Fastify, buffer, Pino, mocha, Express, and #Nodejs core, because compromising one of them means write access to packages downloaded billions of times a week. Multiple high-impact maintainers have all confirmed they were targeted in the same coordinated social engineering campaign that compromised Axios. https://lnkd.in/eXAawvf8

  • Socket reposted this

    North Korea is targeting npm maintainers -- not for crypto, but for write access to packages downloaded trillions of times a year. Several Socket engineers were targeted in this campaign -- myself, Jordan Harband, John-David D., and others. None of us fell for the bait. Unfortunately, the axios maintainer did. No shame in that -- these aren't phishing emails. They're weeks-long ops with fake companies, fake Slack workspaces, and spoofed meeting platforms built with realistic Zoom/Teams interfaces using the official SDKs for realism. Other confirmed targets: Matteo Collina (Fastify, Pino, Undici, Node.js TSC Chair), Wesley Todd (Express TC), Pelle Wessman (mocha, neostandard). The common thread? High-trust maintainers with publish access to packages that sit deep in everyone's dependency tree. The attack chain: build rapport over weeks, schedule a video call, fake an audio error, prompt the target to install a "fix." That fix is a RAT. Once it's on your machine, they have your .npmrc tokens, browser sessions, AWS creds, keychain. 2FA doesn't matter. OIDC publishing doesn't matter. Game over. Security researcher @tayvano_ linked this to UNC1069, a DPRK-nexus group Mandiant has tracked since 2018. Their reasoning is brutal in its simplicity: why social engineer one rich person when you can compromise one maintainer and reach millions of machines? This is the threat model now. If you maintain popular packages, act accordingly. If you use open source (and you certainly do), act accordingly. Full writeup: https://lnkd.in/dsjmBcvg

  • Socket reposted this

    Sarah Gooding (Socket, 462 followers)

    Most critical OSS projects don’t have independent security budgets, so it's not unusual that even something as central as Node.js depended on pooled funding models like the IBB. If open source consumers want these kinds of security incentives to exist, they need to step up to fund them.

  • Socket reposted this

    Socket is growing fast! Over the past few weeks, we’ve welcomed a group of incredibly talented new teammates across engineering, customer engineering, and sales. They’ve already jumped in and are doing excellent work from day one. It’s an exciting time to be in software supply chain security. Our team is scaling and the product is moving fast. If you’re looking to work on meaningful challenges with a sharp, driven team, we’re hiring: https://lnkd.in/eT7ZF4_P

  • Socket reposted this

    Socket is free for open source maintainers. We're launching the Socket for Open Source program -- any open source maintainer can get a free Team plan to protect their project from supply chain attacks. Open source is critical infrastructure. Millions of companies depend on packages maintained by small teams and volunteers. These maintainers are high-value targets but rarely have access to enterprise security tooling. That's wrong. We want to fix it. What you get: ✅ Full dependency scanning across your project ✅ Real-time alerts for malicious packages in your dependency tree ✅ Check every PR to make sure no malicious dependencies are added -- including PRs from outside contributors If you maintain an open source project, send an email to support[at]socket[dot]dev and we'll get you set up!

  • Socket reposted this

    Ahmad Nassri (Socket, 3K followers)

    ⚠️ If you're running local mcp servers, you need to do the following:
    1. Individually "install" packages you want to use, within a specified directory (e.g. $HOME/mcp), creating a lockfile
    2. Add: "--include-workspace-root --workspace $HOME/mcp --no --offline" to EVERY npx call

    Socket (9,895 followers)

    🧨 Axios only needed to be resolved somewhere in your dependency graph to affect you. Semver + transitive deps + runtime installs = hidden blast radius. If you only checked your project’s lockfile, you may still not know. https://lnkd.in/eB7x4QX4 #nodejs

  • Socket reposted this

    I’m really on a rocket ship 🚀 at Socket! I joined 1.5 months ago but feel I have been here for years. Kind, hard-working, and growing team. Must join. 🇺🇸🇯🇵

    Socket (9,895 followers): repost of the hiring announcement above.


Funding

Socket: 3 total rounds
Last round: Series B, US$ 40.0M
See more info on Crunchbase