Feross
⚡️ Founder + CEO @SocketSecurity (https://t.co/7g1opA8rgG) • 🌲 Visiting lecturer @Stanford (https://t.co/yw9prxLQAM) • ❤️ Open source @WebTorrentApp + @StandardJS
Jun 24, 2023 12 tweets 6 min read
I wish more developers understood the constant stream of malware that is posted to npm, PyPI, and all package managers...

Here's just a taste of some crazy malware Socket identified in the past couple weeks...

All malware descriptions were FULLY WRITTEN by Socket AI. This code is using curl to send the contents of the file '/etc/passwd' to a remote server. This is a highly suspicious and potentially malicious behavior as it could cause sensitive data to be sent to an attacker's server.

https://t.co/yaxVgzpZEn socket.dev/npm/package/se…
Jun 14, 2023 9 tweets 3 min read
Read my latest post, featured in the @github ReadME project!

Do your part to secure the open source supply chain!

WE'RE JUST BEGINNING TO RECKON WITH NEW SECURITY RISKS INTRODUCED BY THE TANGLED WEB OF DEPENDENCIES IN OUR APPS.

Open source ecosystems have transformed 🔄 software development, but they also come with security 🛡 risks due to third-party dependencies. Supply chain attacks are now a significant threat. ⚠️

READ THE POST: github.com/readme/guides/…
Apr 4, 2023 7 tweets 2 min read
1/ 🚀 Exciting news from Socket! 🎉

Our new Project Health Report helps security teams perform a full security audit of a repo. 🔐👩‍💻👨‍💻

📊 Unlike real-time Socket Alerts which monitor PRs, Project Health Reports analyze a repo and provide a full list of dependency risks. 📋⚠️

2/ 🕵️‍♀️ Security teams can use filters to focus on issues of a certain severity, such as "Critical" or "High" issues, or specific issues like "Network access", "Environment variable access" or "Filesystem access." 📈🔍

Read the full post: socket.dev/blog/announcin…

Or read on...
Mar 30, 2023 9 tweets 7 min read
✨ HUGE NEWS! ✨

🤖 Introducing Socket AI – ChatGPT-Powered Threat Analysis

@SocketSecurity is using ChatGPT to examine every npm and PyPI package for security issues!

🤯 In just 2 days, we confirmed 227 vulnerable and malware packages, all discovered with the help of ChatGPT 💸⏰

Scaling human analysis to cover the entire npm registry has been prohibitively expensive and time-consuming—until now. 🎉

ChatGPT 🤖 is helping us improve signal-to-noise and speed up manual audit processes so we can cover all OSS.

socket.dev/blog/introduci…
Mar 30, 2023 6 tweets 3 min read
📢 Move over Kardashians 📸, John Wick 🕶️🔫 is the new media obsession!

🌊 The npm registry is drowning in a tsunami of spam, and it's all thanks to everyone's favorite gun-toting antihero.

Yesterday, we counted 4,600 npm packages about John Wick. Today, it's almost 5,600! 🤯💥

🚀 That's right, folks – a mind-blowing 0.02% of npm is now dedicated to Mr. Wick.

🍲 We've already cooked up some ways to handle these pesky packages and made some interesting discoveries! 🕵️‍♀️🔍

Follow @SocketSecurity and read on to get the full story: socket.dev/blog/npm-regis…
Jun 30, 2021 10 tweets 8 min read
I've been testing #GitHubCopilot in Alpha for the past two weeks. Some of the code suggestions it comes up with are eerily good.

Here's a thread with some examples that I found surprising. Will update with new examples over time.

Here's #GitHubCopilot helping me write a function to change the <meta name='theme-color'> attribute to a random color in a loop for TheAnnoyingSite 🤣

It suggested the exact code I was going to have to look up on StackOverflow. Nice.
Jun 14, 2021 5 tweets 3 min read
Ran into a spectacularly awful Safari bug in the latest Safari (14.1.1 on macOS and iOS 14.6).

Opening an IndexedDB database fails 100% of the time on the first try. 😩

If you refresh, it starts working.

Bug report: bugs.webkit.org/show_bug.cgi?i…

cc @webkit @chris_dumez @Apple

One workaround we've found is to reference the indexedDB global early on, like this:

const idb = globalThis.indexedDB

Then later calls to `indexedDB.open()` will succeed.

If I had to guess, Safari is lazily opening the DB in another process but somehow doing it wrong.
Apr 27, 2021 5 tweets 2 min read
✅ Safari shipped blob.stream() - YAY!

❌ But it immediately crashes with a NULL pointer exception if you give it anything but a small amount of data – YIKES!

cc @webkit

Looks like this crash was fixed in a commit in January. See: bugs.webkit.org/show_bug.cgi?i…

But they still shipped the version that crashes the whole tab with a null pointer exception in Safari 14.1.

This should have been fixed before release.
Sep 14, 2020 18 tweets 5 min read
My friend has a @1Password Family subscription and let the credit card lapse. She didn't notice the emails asking to update the card.

1Password completely deleted her account and logged her out on all devices. Now she can't access her 100+ passwords and 2FA tokens

WTF. I feel terrible because I recommended @1Password to her, as I have to countless friends over the years.

For as long as I've used 1Password, their policy was to make passwords read-only when a license or subscription expires. Never to remotely wipe your passwords as punishment
Jun 3, 2020 11 tweets 3 min read
I just built a site to help you make a friend in 2 minutes! My goal is to help people stuck indoors because of COVID-19 (or police curfews) to make meaningful connections with strangers. Hope you love it!

virus.cafe

Here's how it works:

1. You are matched with a random partner for a video chat
2. You're given a deep question to discuss
3. You have 2 minutes to discuss it!

The only rule is: no small talk!
Jul 5, 2018 27 tweets 11 min read
🤯 Just read a fascinating paper called "The Surprising Creativity of Digital Evolution"

🤣 It's a bunch of HILARIOUS anecdotes showing how Artificial Life systems often produce SUPER surprising and SHOCKINGLY ridiculous results. 😲

👇 THREAD 😜

"Selection Gone Wild"

"It is often functionally simpler for evolution to just exploit loopholes in the quantitative measure than it is to achieve the actual desired outcome"
Jun 4, 2018 11 tweets 3 min read
My thoughts on GitHub...

Microsoft in 2018 isn't an evil monopolist anymore. They've actually invested heavily in open source, recently becoming the #1 contributor on GitHub, including to many projects that are not their own (e.g. @electronjs), but there are some downsides. 1/10

Downside 1: One less independent tech company. GitHub used to be an independent advocate for open source. Now, it'll be yet another service of Big Tech Inc. Historically, companies use acquisitions to push users into their ecosystem to sell more products and services. 2/10
Jan 7, 2018 7 tweets 2 min read
❤️ Alan Watts:

"My goodness, don't you remember when you went first to school?
You went to kindergarten.
And kindergarten, the idea was to push along so that you could get into first grade.
And then push along so that you could get into second grade, third grade, and so on. Going up and up, and then you went to high school, and this was a great transition in life.
And now the pressure is being put on, you must get ahead.
You must go up the grades and finally be good enough to get to college.
Aug 19, 2017 28 tweets 3 min read
1/ Ryan Dahl (creator of Node.js) wrote an epic rant and then quit writing software for a while. I want to repost it here now.

2/ "I hate almost all software. It's unnecessary and complicated at almost every layer. At best I can congratulate someone for quickly...