Home / Companies / Socket / Blog / July 2026

July 2026 Summaries

6 posts from Socket

Filter
Month: Year:
Post Summaries Back to Blog
pnpm 11.10 introduces several supply chain security enhancements, notably a new method for configuring registry authentication that prevents registry tokens from being redirected to different hosts. This update includes an _auth setting that ties each token to its registry, ensuring credentials travel securely and are read only from the environment or global config. The release also resolves a previous issue where authentication was broken due to changes in handling environment variables for registry credentials. Alongside security improvements, pnpm 11.10 provides an installation path for pnpm v12, a Rust rewrite aimed at improving installation speed and reducing overhead, even though it is still in pre-release. Additional security measures include rejecting output paths outside the project and addressing a prototype pollution vulnerability. This release continues pnpm's trend of enhancing supply chain security by enforcing stricter controls and protecting against potential threats in repository files.
Jul 08, 2026 514 words in the original blog post.
Operation Muck and Load is an extensive cyber campaign involving a network of 222 GitHub repositories across 190 accounts, designed to appear as legitimate software projects but serving as a platform for malware distribution. Initially discovered through a malicious Go module posing as a DNS/subdomain scanner, the operation employs a sophisticated infrastructure that stages Windows malware via hidden PowerShell scripts, encrypted dead-drop locations, and protected archives. The campaign utilizes GitHub's platform to create a semblance of active development through automated commit farming and workflow manipulation, making malicious projects appear recently maintained and credible. This network not only functions as a lure but also hosts direct malware payloads, including loaders, infostealers, and cryptominers, exploiting themes like cryptocurrency, gaming cheats, and automation tools to attract potential victims. The operation's resilience is enhanced by using multiple public platforms for encrypted payload distribution and fallback mechanisms, allowing it to adapt quickly to defensive measures. Despite takedowns and blocks by security teams, the operation's persistent patterns of behavior and infrastructure remain difficult to fully dismantle, highlighting the necessity for ongoing vigilance and adaptive security measures in the software development ecosystem.
Jul 08, 2026 3,855 words in the original blog post.
npm v12 introduces significant security enhancements by making install-time execution opt-in, aligning it with industry practices to mitigate supply chain attacks. This includes requiring explicit approval for preinstall, install, and postinstall scripts, effectively blocking potential attack vectors that exploited automatic script execution, such as those seen in the Miasma "Phantom Gyp" incidents. Additionally, the update begins phasing out 2FA-bypass granular access tokens, restricting their capabilities to enhance account security, and recommends transitioning to more secure publishing methods like trusted or staged publishing with human approval. Despite some initial resistance, a change that would have made unknown .npmrc keys result in errors was rolled back to ease the transition for teams, while unknown CLI flags continue to trigger errors. The npm team also plans to potentially backport v12 to Node 24 and 26, expanding its reach to more users. An ongoing community discussion addresses gaps in approval tooling, proposing enhancements to provide detailed insights into script actions, further strengthening npm's security posture.
Jul 08, 2026 988 words in the original blog post.
On July 7, 2026, Socket's AI scanner identified a malware campaign targeting SDK developers and users of the PaySafe, Skrill, and Neteller payment applications via npm and PyPI packages. A total of 17 malicious packages were published almost simultaneously, with npm packages having four versions and PyPI packages one version each, aiming to steal credentials and tokens by exfiltrating them to AWS infrastructure. The malicious npm packages mimic legitimate Paysafe REST clients to steal API keys and other sensitive data, employing techniques to evade sandbox detection and obfuscate the Command and Control (C2) domain using a multi-step decoding process. The PyPI packages exhibit similar behavior without requiring API keys, activating based on their placement in the code. The malware campaign demonstrates advanced attributes, such as targeting financial SDKs, using unique obfuscation keys, leveraging Ngrok infrastructure, and showing awareness of sandbox evasion tactics, indicating a sophisticated threat actor potentially linked to established cybercrime networks. To mitigate the threat, it is recommended to rotate all secrets on compromised machines, block the malicious packages at the registry proxy level, and audit CI logs and network traffic for indicators of compromise.
Jul 07, 2026 1,101 words in the original blog post.
A proposal within the Node.js Technical Steering Committee suggests shifting lower-severity security reports to a public workflow, reserving private handling for higher-severity vulnerabilities, as a response to the increased volume and similarity of reports, largely attributed to AI-assisted discovery methods. Initiated by security maintainer Rafael Gonzaga, the proposal argues that many reports are not security-critical and that handling them privately creates unnecessary workload, while the AI-driven reproducibility of findings questions the need for confidentiality. Despite the discontinuation of bug bounty rewards in April due to funding issues, the volume of HackerOne submissions has not decreased, as many contributors seek recognition rather than financial incentives. The ongoing discussion within the Node.js Security Working Group, which includes considerations of AI-assisted triage, reflects a split among maintainers about whether the proposal would effectively reduce workload or merely redistribute it across different processes, with concerns that public handling could shift the burden to public review and pull request coordination. As the group continues to evaluate options, no policy change has been announced, with discussions ongoing about how to alleviate the private triage load without exacerbating public review pressures.
Jul 06, 2026 969 words in the original blog post.
The Socket Threat Research Team has uncovered a significant supply chain attack, known as the PolinRider campaign, linked to North Korean threat actors targeting multiple open-source ecosystems such as npm, Packagist, Go modules, and Chrome extensions. This campaign, part of the broader North Korean Contagious Interview / Famous Chollima activity, involves compromising legitimate developer repositories to plant obfuscated JavaScript loaders, often hidden in configuration files or disguised as fake font files, which execute when triggered by developer tooling like VS Code. The malicious loaders retrieve encrypted payloads from blockchain and public infrastructure, which are then decrypted and executed, enabling various malicious activities including data theft and additional malware delivery. The campaign is characterized by sophisticated techniques such as Git history rewriting to make malicious changes appear less suspicious, thus complicating detection efforts. Despite some remediation efforts, such as removing certain payloads, the campaign remains active with new malicious packages continuing to emerge. As a response, affected organizations are advised to treat their environments as compromised, preserve forensic artifacts, rebuild from clean lockfiles, rotate exposed secrets, and thoroughly audit developer workstations and repositories for indicators of compromise.
Jul 01, 2026 2,477 words in the original blog post.