The `xz` package backdoor is just the tip of the iceberg.
There's a CONSTANT low-level stream of malware and spyware being uploaded to npm, PyPI, and Go registries.
I want to share a few examples from the 20,000+ malicious packages we detected so far:
Detect pressed keys via microphone audio capture in real-time. Uses training data captured by typing first. Very neat!
Based on ideas in this classic traffic analysis paper: Timing Analysis of Keystrokes and Timing Attacks on SSH
🤩 Exciting news! I'm ready to share the project I've been working on for the past 2 months.
✨ Wormhole – the fastest way to send files ✨
Wormhole lets you share files with end-to-end encryption and it's super fast.
Send a file in just 2 seconds:
I wish more developers understood the constant stream of malware that is posted to npm, PyPI, and all package managers...
Here's just a taste of some crazy malware Socket identified in the past couple weeks...
All malware descriptions were FULLY WRITTEN by Socket AI.
🙌 Just released a CLI tool called `thanks` to help you thank the open source maintainers you depend on! ✨
1. Run 'npx thanks' in your project
2. See which of your dependencies are seeking donations! 💸
🌟 Open source authors, add yourself to the list:
🚨 The Express.js repo got swamped with spam PRs thanks to a YouTube tutorial gone wrong. Hundreds of low-effort contributions flooded in, creating chaos for maintainers.
Some called it an "attack on open source", as pages of "UTTER GARBAGE" piled up in the Express.js project.
"someone transferred ~0.05 BTC (currently ~$900), paying 0.01 BTC in fees (currently ~$180)
and the network burned enough electricity for that single transaction to drive a Model S well over 1000km, or power an average house in Germany for about a month"
– @dcposch
🚀 Exciting news! I'm ready to share the project I've been working on for the past 7 months!
Introducing ✨ Socket ✨
⚡️ Search millions of open source packages
🔒 Detect suspicious package updates in real-time
🛡 Block software supply chain attacks
✨ HUGE NEWS! ✨
🤖 Introducing Socket AI – ChatGPT-Powered Threat Analysis
@SocketSecurity is using ChatGPT to examine every npm and PyPI package for security issues!
🤯 In just 2 days, we confirmed 227 vulnerable and malware packages, all discovered with the help of ChatGPT
✨ I'm engaged! ✨
Asking @noor_siddiqui_ to marry me was the easiest decision I've ever made! ❤️ If you know Noor, then you know what I mean! I feel lucky that I get to spend my life with her.
But planning the proposal wasn't simple. Here's how I asked her to marry me...
1/5
I taught a web security course at Stanford. All the course materials, slides, and videos are freely available online. If you want to learn about secure web programming, this course is for you! ✨
📝 Website:
📺 YouTube playlist:
This video of Steve Jobs introducing Wi-Fi is incredible.
He's casually browsing the web, then he suddenly picks up the laptop and everyone in the audience realizes that it's not plugged into anything and they go crazy with cheers and applause!
11 Mbps!
🌟 Lazy-loading images and iframes are coming to the web platform and I'm excited that this will soon be possible:
<img lazyload='on' src='cool.jpg' />
<iframe lazyload='on' src='cool.html' />
Check the issue on whatwg/html:
Now that Apple has willingly built spyware into iOS and macOS, within 10 years this tech will:
(1) be mandated by government in all end-to-end encrypted apps; and
(2) expand to scan for terrorism, disinformation, "misinformation", then eventually political images and memes.
1/5
I’m ending the `npm install funding` experiment I introduced a few days ago.
I appreciate the thoughtful discussion and feedback from the community. I shared some thoughts about how the experiment went from my perspective:
@dhh Every line of code in that screenshot is explicit and quite understandable. If the alternative is a magical and overly-clever framework, I'll pass.
🚀 Huge news! @SocketSecurity has raised $20M Series A funding led by Andreessen Horowitz (@a16z).
⭐️ This funding fuels our mission to make open source safer for everyone!
🚀🚀🚀 We're also announcing 4 new products this week as part of Socket Launch Week! ✨
🧵 1/10
🎉 Big news!
🚀 I'm excited to announce that Socket has raised a $4.6M Series Seed!
⭐️ Read our blog post announcement:
⭐️ Read the in-depth TechCrunch exclusive:
🧵 Thread ⬇️
Sweet! When you run `npm publish`, the latest npm 6.0.0 shows which files are included in the package as well as total package size! ✨
Should help prevent sensitive or huge files from getting included by accident. This is a great change. 💪
Shrink those packages!
I just built a site to help you make a friend in 2 minutes! My goal is to help people stuck indoors because of COVID-19 (or police curfews) to make meaningful connections with strangers. Hope you love it!
🗣 Big news! Today I'm launching a Patreon! ✨
I need your help to continue making free software like WebTorrent ❤️ and Standard 🌟. If you use any of my 100+ open source projects, please support my ongoing work by becoming a patron. 😇
This is the result of treating OSS contribution as a quick FAANG job ticket.
Reminder: Open Source isn't a free job fair or mentorship program. It's about solving real problems and contributing to the community. Don't be that person who adds noise instead of value.
This is brilliant.
Make public transit free ➡️ increased public transit usage (obviously) ➡️ decreased congestion, fewer travel delays ➡️ increased economic activity, more eating out, better quality of life ➡️ more tax revenue to fund the free transit
✨ 🇪🇪 ✨
Following a successful five year pilot in its capital, Estonia is set to become the first country in the world to make public transport free everywhere, for everyone.
This Thanksgiving, I'm thinking of the open source maintainers who make all my work possible. Linux, BSD, GNU, Git, nginx, Node.js, Chromium, Firefox, and literally thousands of npm packages.
I stand on the shoulders of giants.
💥 Want to find out if the compromised ESLint dependency is on your machine?
⚡️ Just run this:
cd ~/code
find . -type d -name "eslint-scope" -print0 | xargs -n 1 -0 -I % sh -c "(cat %/package.json | npx json version) && echo '(at %)'"
Look for "3.7.2" in the output ☠️
Get the JavaScript Source Code CD Professional Series for only $2.99
Almost 800 ready-to-use JavaScripts that you can cut & paste into your own HTML documents!
I've been testing #GitHubCopilot in Alpha for the past two weeks. Some of the code suggestions it comes up with are eerily good.
Here's a thread with some examples that I found surprising. Will update with new examples over time.
It's time to do an annual backup of your data from online accounts. Here are the links you need:
- Google:
- Apple:
- Twitter:
- Facebook:
- Microsoft:
"This man has been editing a Wikipedia article every four minutes for 13 years. He is insane, and he has had a huge impact on what you and I read every day when we need more information about literally anything"
🤯 Just read a fascinating paper called "The Surprising Creativity of Digital Evolution"
🤣 It's a bunch of HILARIOUS anecdotes showing how Artificial Life systems often produce SUPER surprising and SHOCKINGLY ridiculous results. 😲
👇 THREAD
Do you use my open source software at work? I now offer an open source support contract.
- 4 hours of consulting (development, bug fixes, etc.) per month
- Email support
- Company logo on readmes + website (~180K views/mo)
- Priority GitHub issues
🌟
I added some improvements to The Annoying Site
- Change theme-color in a loop (Safari 15)
- Picture-in-picture in all browsers
- Block close window better
- Animate URL with emojis
- Pointer lock
- Request MIDI, bluetooth, USB, serial, HID
⚠️ Warning ⚠️
☠️ Passwords ☠️
- Average user has ~100 accounts
- Creates 50 passwords per year
- High rate of password re-use (75% of users)
- Frequent password sharing with others (40% of users)
- Huge number of password resets (40%-60% reset every 3 months)
Source: Nikola Blanchard
My friend has a @1Password Family subscription and let the credit card lapse. She didn't notice the emails asking to update the card.
1Password completely deleted her account and logged her out on all devices. Now she can't access her 100+ passwords and 2FA tokens
WTF
Stop what you're doing and turn on "Auto-delete your Web & App Activity" in your Google account:
Set it to the minimum "Keep for 3 months".
Once you've done that, also turn off as many tracking options as you can here:
✌️
If you have a website, definitely check out your site's Chrome UX Report. It's a bit tricky to set up (watch the embedded video), but when you're done you get an automatically updating dashboard with real user experience numbers! Cool!
h/t @_developit
In 2020, I was grinding away as an open source maintainer, fueled by donations and a dream.
Today, @SocketSecurity is shining bright on a Times Square billboard.
Never give up.
It gets worse!
Someone found a bug in the try-before-you-buy demo page.
You could type in any U.S. phone number and get the phone’s real-time location *without any text to the user for permission*. 200 million people exposed!
What. The. Hell.
US cell carriers are selling access to your real-time phone location data
😯 There's even a try-before-you-buy page where you can track the location of your own phone:
Some of the most innovative open source software within the JavaScript ecosystem has been produced by eccentric, independent individuals who write open source because they love it, not because some megacorp pays them to do it while representing the company's interests. 1/2
This is not a drill.
Police are already misusing location data gathered for COVID contact tracing even though everyone SWORE it wouldn't be used for anything but health purposes.
Once the data and tools exist, governments can’t help themselves – it’s just too tempting.
2/5
Just got the news that I've been selected as a #GitHubStar for 2023 and I couldn't be more thrilled! Looking forward to continuing to help other developers and to contribute to the open source community 🚀🌟
❤️ @GitHub @SocketSecurity
🗺 Google Map's Moat – How far ahead of Apple Maps is Google Maps?
One of the best tech articles I've read in a while. Not kidding – Google's work on Maps is awe inspiring. It's hard to imagine the scale that they're operating at.
🚀 BIG NEWS 🚀
Wormhole now has ✨ QR Codes ✨
✅ Send files from desktop to mobile with *one click*
✅ End-to-end encryption keeps your files private
✅ Works on all platforms – iOS, Android, Mac, Windows, Linux, Chromebook – anything!
Try it out now!
⚠️ Malware removed from npm: ts-patch-mongoos@1.0.0 ⚠️
The code is likely intended to create a reverse shell connection to a remote server, allowing unauthorized access to the system. The use of obfuscation and system-level commands targeting specifi...
Ran into a spectacularly awful Safari bug in the latest Safari (14.1.1 on macOS and iOS 14.6).
Opening an IndexedDB database fails 100% of the time on the first try. 😩
If you refresh, it starts working.
Bug report:
cc @webkit @chris_dumez @Apple
I'm quoted in @FastCompany about why some developers are avoiding app store headaches by going web-only.
“We want to be an example of what a modern, fast web app can do,” he says. “And we want to blow a few minds while we’re at it.”
I'm incredibly disappointed that this was approved and built by @Apple.
The short-sightedness is staggering. How can they think governments won't demand to expand this?
Before today, I believed that Apple genuinely cared about my privacy. But no more.
This is a disaster.
5/5
Real Mac bug for 10+ years: "In some cases the audio balance may unexpectedly drift towards the left or right channel. This can happen if you rapidly press the volume up or down keys while the computer's microprocessor is under heavy load"
Still not fixed
The company I started – Socket Inc – has a snazzy new home on the web:
If you want to work with me and help build cool software like @Wormhole_App, please get in touch!
My DMs are open
This code is using curl to send the contents of the file '/etc/passwd' to a remote server. This is a highly suspicious and potentially malicious behavior as it could cause sensitive data to be sent to an attacker's server.
🙌 HUGE THANKS to @Brave who just announced they are supporting @WebTorrentApp for the next 12 months as a 🌟 Platinum Sponsor!
🦁 Brave is a browser with your interests at heart —
🤩 Thanks to the awesome people at Brave for supporting open source! ✨
Happy to announce that the Wormhole cryptography code is now open source!
✅ MIT License
✅ $1,000 bounty for finding a security issue ()
Check it out here:
Chakra UI is the best frontend component library, hands down.
If you haven't used it, you're missing:
- Components are beautiful by default
- Accessible HTML
- Responsive maintainers
- Active community
- Thoughtful and delightful API design
I'm a huge, huge fan
If these creative and brilliant folks could make a decent living writing open source software to benefit the commons instead of seeking private contracts writing proprietary code for a single company, we'd all have more innovative open source software to use. Everyone wins. 2/2
@Apple This @EFF write-up explains why this backdoor is a disaster:
"To say that we are disappointed by Apple’s plans is an understatement."
"It is a shocking about-face for users who have relied on the company’s leadership in privacy and security"
I was an engineer intern on the Facebook Groups team, 10 years ago today. Groups was one of the most successful Facebook products of all time and we built it in ~5 months with ~5 full-time and 2 interns.
Easily the best job I’ve ever had
Wow, security is SUPER HARD. 😫 It's possible to make always-on voice assistants like Amazon Echo, Google Home, and Siri silently place a phone call from 5 feet away using ultrasound