Socket
Coverage of Socket in the Nexus archive.
- 144 Mastra npm Packages Compromised via Hijacked Contributor Account
144 npm packages under the Mastra namespace (@mastra/*) were compromised in a supply chain attack named easy-day-js. A single npm account (ehindero) was used to mass-publish malicious packages, according to findings from JFrog, SafeDep, Socket, and StepSecurity.
- Miasma worms its way onto GitHub as attack kit goes open source
The Miasma worm, a supply-chain attack toolkit, was open-sourced on GitHub via compromised developer accounts, enabling attacks on public registries and repositories. SafeDep identified the malicious repositories, which allow credential-based attacks on platforms like PyPI, npm, and GitHub, following a pattern similar to TeamPCP's earlier mini Shai-Hulud worm. The release has raised concerns about supply-chain security, with 473 affected package artifacts tracked by Socket.
- Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week
Security researchers discovered malware in 32 Red Hat npm package releases, which were downloaded 80,000 times weekly. The Mini Shai-Hulud worm, linked to TeamPCP, was embedded via a compromised GitHub account, stealing credentials and enabling supply chain propagation. Red Hat removed the packages, stating they were internal and not used in customer systems.
- Malicious Sicoob NuGet Steals Banking Credentials as npm Packages Target Cloud Secrets
Cybersecurity researchers identified a malicious NuGet package posing as a C# SDK for Sicoob, a Brazilian cooperative financial system, which steals client IDs and PFX certificates. Socket reported that versions 2.0.0 through 2.0.4 of 'Sicoob.Sdk' exfiltrate sensitive information.
- ‘TrapDoor’ malware targets crypto dev tools in supply chain attack
A campaign named 'TrapDoor' is using malicious packages to target cryptocurrency development tools in a supply chain attack, aiming to steal crypto assets by injecting hidden instructions that hijack popular AI coding assistants. Socket has reported this threat, highlighting the exploitation of AI tools to facilitate the theft.
- Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware
A coordinated supply chain attack has compromised eight packages on Packagist, injecting malicious code that executes a Linux binary hosted on GitHub Releases. The attack targeted JavaScript projects by inserting malicious content into package.json, bypassing composer.json in Composer packages.
- Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets
Cybersecurity researchers found malicious activity in three versions of node-ipc, specifically [email protected], [email protected], and [email protected], which target developer secrets. The affected npm packages are part of the node-ipc library. This discovery raises concerns about the security of developer tools.
- GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data
GemStuffer has targeted the RubyGems repository with over 150 gems to exfiltrate data from a U.K. council portal. The gems are used as a data exfiltration channel rather than for malware distribution. Many of the packages have little or no download activity and repetitive payloads.
- Cache-poisoning caper turns TanStack npm packages toxic
An attacker published 84 malicious versions of TanStack npm packages, leading to credential theft and disk wipe, as part of a wave of attacks across npm and PyPI. The attack was detected within 30 minutes by StepSecurity, triggering incident response and npm deprecation. GitHub has published a security advisory with recommended actions.
- PyTorch Lightning Compromised in PyPI Supply Chain Attack to Steal Credentials
Threat actors compromised the PyTorch Lightning Python package, publishing malicious versions 2.6.2 and 2.6.3 on April 30, 2026, to steal credentials. Security firms Aikido Security, Socket, and StepSecurity reported the attack, which is part of an ongoing supply chain campaign.
- SAP npm Packages Compromised by “Mini Shai-Hulud” Credential-Stealing Malware
Cybersecurity researchers have identified a supply chain attack campaign targeting SAP-related npm packages with the 'Mini Shai-Hulud' credential-stealing malware. Multiple security firms, including Aikido Security, SafeDep, Socket, StepSecurity, and Wiz, reported the compromise affecting SAP's JavaScript and cloud application packages.
- Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
Bitwarden CLI version 2026.4.0 was compromised in the Checkmarx supply chain campaign, with malicious code found in 'bw1.js'. Socket identified the attack, which leveraged a supply chain vulnerability.
- Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain
Cybersecurity researchers warned of malicious Docker images and VS Code extensions in Checkmarx's supply chain. Socket revealed threat actors overwrote tags like v2.1.20 and alpine in the 'checkmarx/kics' Docker Hub repository and introduced a fake v2.1.21 tag.
- Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens
Cybersecurity researchers have identified compromised npm packages delivering a self-propagating worm that steals developer tokens to spread through supply chains. The worm, named CanisterSprawl by Socket and StepSecurity, uses an ICP canister to exfiltrate stolen data.
- 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users
Cybersecurity researchers discovered 108 malicious Google Chrome extensions linked to a shared command-and-control infrastructure, designed to steal user data from Google and Telegram, inject ads, and execute arbitrary JavaScript. The campaign has affected 20,000 users, with Socket identifying the extensions as part of the attack.