Socket

What is it?

Socket is a software supply chain security platform that monitors open-source package registries (npm, PyPI, Go, Maven Central, RubyGems) and detects malicious, vulnerable, and unwanted packages. It clones every major registry in real time, runs static analysis and LLM-based code inspection on every new package within seconds of publication, and flags threats before they reach developer environments. It deploys as a GitHub app for PR scanning and provides CLI wrappers (“safe npm”, “safe pip”) that intercept risky installs at the developer’s terminal.

Why did they build it?

Traditional software composition analysis (SCA) tools rely on the CVE/NVD system, which tracks accidental vulnerabilities in software. That system largely does not cover malicious packages. Feross Aboukhadijeh, Socket’s CEO, estimates 90-95% of malicious packages never receive a CVE. When registries like npm or PyPI discover a malicious package, they remove it silently: no CVE, no advisory, no notification. Companies running internal package mirrors (Artifactory, etc.) for build reliability end up in a worse position than the public: they continue hosting and serving malicious packages that have already been pulled from the public registry, with no mechanism to find out.

Socket exists to fill that gap.

How does the detection actually work?

Socket replicates every package published to major registries within seconds. Each package undergoes:

• Static analysis of source code for known malicious patterns (install scripts, network calls, filesystem access, shell execution)
• Maintainer behavior analysis - track record, account age, publishing history, whether the author has ever published before
• Dependency graph analysis - trustworthiness of the transitive dependency tree
• LLM-based code review - catches obfuscated code, data exfiltration, and novel threats that static rules miss

Results go through a human security research team for validation before entering Socket’s data feed. The system currently identifies roughly 100 supply chain attacks per week and has cataloged over 16,000 malicious packages to date.

What does it catch beyond malware?

Socket distinguishes between three categories: vulnerable, malicious, and unwanted. The “unwanted” category covers a gray area that registries themselves often will not act on. Examples include:

• Protestware - packages that inject political messaging or redirect users based on geolocation. Socket flagged the event-source-polyfill package (600,000 weekly downloads), which opened protest tabs for users in Eastern European time zones. GitHub/npm declined to remove it, but no enterprise wants it in production.
• Telemetry collection - packages that phone home with the installer’s IP address, hostname, or system info for maintainer analytics. Not malicious per se, but creates unnecessary risk.
• Typosquatting - packages registered one character off from popular libraries, sitting dormant until someone mistypes an install command.
• License violations and compliance issues

How does it integrate into developer workflows?

Socket operates at two points:

PR scanning: A GitHub app that flags risky dependency changes in pull requests before they merge. It shows what changed, what risks were introduced, and lets teams set policies to block, warn, or monitor.

CLI wrappers: “Safe npm” and “safe pip” wrap the standard package manager CLIs. If a developer typos a package name, Socket intercepts it with a “did you mean?” prompt, warning that the package has 50 downloads while a near-identical name has 20 million. It also blocks known-malicious packages and flags policy violations (license restrictions, telemetry) at install time.

Socket also connects to internal package mirrors (Artifactory, etc.) to scan for packages that have been removed from public registries but remain cached internally.

What doesn’t it do?

Socket focuses on open-source package registries. It is not a general-purpose application security scanner, DAST tool, or container security platform. It does not scan proprietary first-party code.

Risky Business appearances

• Sponsored interview: Socket CEO on why tracking vulnerabilities isn’t enough for open source repositories (July 2024, Tom Uren)
• Snake Oilers: Socket, Teleport and Mandiant’s Purple Team (April 2023, Patrick Gray)
• RB #726 - Sponsored interview segment on LLMs in Socket (October 2023, Patrick Gray)
• Product demo video

Sources

• RBNEWSSI51 sponsor interview (July 2024, Tom Uren + Feross Aboukhadijeh)
• Socket website
• Product demo video

Disclosure

Socket has been a sponsor of both the Risky Business podcast and Risky Business News newsletter.

Socket

Secure your dependencies. Ship with confidence.