Socket for GitHub help hundreds of thousands of developers protect their apps from software supply chain attacks.
Today, thousands of organizations rely on Socket to prevent bad packages from infiltrating their software supply chain.
Socket watches for changes to “package manifest” files such as package.json, package-lock.json, and yarn.lock. Whenever a new dependency is added in a pull request, Socket analyzes the package's behavior and leaves a comment if it is a security risk.
By statically analyzing open source packages and their dependencies, Socket detects the tell-tale signs of a supply chain attack. Socket alerts developers when packages change in security-relevant ways, highlighting events such as the introduction of install scripts, obfuscated code, or usage of privileged APIs such as shell, network, filesystem, and environment variables.
Socket automatically monitors GitHub pull requests for these software supply chain risks and many more:
✅ Detect potential typo squats
✅ Detect install scripts
✅ Detect telemetry
✅ Detect native code
✅ Detect known malware
✅ Detect protestware/troll packages
The npm package manager allows a package to specify an "install script" – an arbitrary shell command – that will run immediately when a package is installed. Install scripts are commonly used to build native code, print donation banners, or do other post-install tasks. However, this (anti-)feature is quite easy to abuse.
The vast majority of malware on npm uses an install script to deliver its payload. In fact, a 2022 paper found nearly 94% of malicious packages had at least one install script.
We found 93.9% [...] of malicious packages had at least one install script, indicating that malicious attackers use install scripts frequently
Nusrat Zahan, et al
Despite the pervasive use by malware, install scripts are in fact quite rare across the npm ecosystem. Most apps have only a handful of dependencies that use this powerful feature.
Socket can now identify when a newly-added package contains an install script, or more worryingly, when a new version of an existing package introduces a new install script. When Socket identifies a new install script – a relatively rare and highly suspicious event – it will alert the developer via a GitHub comment so they can evaluate whether the install script is safe.
In this real example from a user's repo, Socket detected that the popular
styled-components package decided to add a "protestware" install script in version 5.3.5:
To help the developer investigate, Socket helpfully includes a link to the exact script that will run in the installation step.
In this case, the install script is a benign instance of protestware, though some protestware is much more destructive.
Websites or apps often include a telemetry system that collects data about how users interact with a product. This data can help improve the product, catch bugs, or even detect abuse. While telemetry in apps is relatively common, telemetry in open source packages is quite unusual.
We've heard from our users that they do not expect their dependencies to be collecting telemetry and sending it off to remote servers. Unfortunately, telemetry in open source dependencies is becoming more common.
Socket can now detect packages that collect telemetry, alert the developer, and provide actionable information about how to disable the telemetry.
In this real example, Socket detected that a newly introduced dependency,
angular-calendar, is collecting telemetry:
Socket helpfully identifies the package collecting the telemetry,
@scarf/scarf, and provides information on how to opt-out of the telemetry system.
Teams can now use Socket to keep dependencies that collect telemetry out of their codebases, or disable the telemetry functionality.
At a more fundamental level, native code may prevent a package from running in certain environments such as browsers, Vercel Edge Functions, Cloudflare Workers, or Deno.
Socket can now detect packages that contain native code and alert the developer, providing actionable information about how to disable the native code in cases where it's optional.
This detection also finds packages which do odd things, such as turning async functions into sync using a native code dependency like
While npm is investigating the package, the malware remains available on npm.
Socket can now protect users from known malware by detecting when a bad package version is installed and reporting it to the developer directly in a GitHub pull request. The Socket CLI (coming soon!) will also give developers a way to protect their own devices from known malware by intercepting bad
npm install commands.
Related: Socket tracks packages removed from npm for security reasons which is quite interesting to look through. It's also a great way to see what package issues Socket would have detected in real historical instances of npm malware.
npm contains many packages which are low-quality, jokes, parodies, or otherwise contain code not meant to be used in production.
For example, there's a package called
bowserify that's a Bowser-themed version of
Some npm packages are named in a way designed to trick or confuse users, such as the package
standardjs which is designed to confuse users of
standard. Other packages, such as
- (yes, the actual package name is a dash character), are frequently installed by accident when a user typos a command line flag to
Socket can now protect users from misleading packages like these by reporting them directly to the developer inline in a GitHub pull request.
The most common attack vector is typosquatting.
Typosquatting is when an attacker publishes a package which has a very similar name to a legitimate and popular package. Take these two packages with very similar names, for instance:
npm install noblox.js-proxied npm install noblox.js-proxy
One of these is legitimate and one of these is malware. But which is which? And what if you can't remember and so you just take a guess?
With the Socket GitHub App in place, the developer who opened the pull request (or the developer reviewing it) will have their attention drawn to this potential typosquat.
Updated 4 months ago