News: 1759261574

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Socket will block it with free malicious package firewall

(2025/09/30)


Software security biz Socket has released a free command line tool to defend developers against supply chain attacks.

Socket Firewall Free builds upon the company's safe npm tool by extending scanning capabilities beyond the JavaScript/TypeScript ecosystem to Python and Rust. It integrates with the package management tools for these languages: npm, yarn, and pnpm; pip and uv; and cargo.

Dale Bustad, staff software engineer at Socket, wrote in a [1]blog post that the compromise of high-profile project maintainer accounts has become increasingly common, citing the attacks affecting open source projects like tinycolor, chalk, nx, and eslint-config-prettier.


"What used to be an occasional outlier is becoming disturbingly common, driven by increasingly sophisticated social engineering tactics aimed directly at maintainers," wrote Bustad. "The result is that traditional defenses aren’t enough to protect developers and organizations that rely on open source."


According to the World Economic Forum's Global Cybersecurity Outlook 2025 [4]report [PDF], 54 percent of large organizations identified supply chain challenges as the largest barrier to effective cyberdefense.

"Supply chain attacks are becoming more frequent and more damaging," said Socket CEO Feross Aboukhadijeh in an email to The Register . "Attackers are getting the keys to the kingdom more often than ever before, and developers need defenses that work in real time.


"With Socket Firewall, we’re giving the community a free tool that blocks malicious dependencies at install time, across multiple ecosystems. We pioneered [7]the 'safe npm' approach , and this is the natural next step that we believe will quickly become the standard way developers protect themselves from supply chain attacks."


Sarah Gooding, head of content marketing for Socket, told The Register that Socket Firewall relies on a different technical mechanism than the one used for safe npm. Instead of interacting with different package managers, it operates at the network layer by intercepting calls to registries.

Once [12]installed, Socket Firewall Free is invoked by prefixing the package manager's install command with sfw. So installing the Python Flask package via uv would be sfw uv pip install flask.

The tool then scans for known malicious packages and prevents them from being downloaded. It covers not only top-level dependencies but also transitive dependencies.


"Under the hood, it spins up an ephemeral HTTP proxy that intercepts traffic for the subprocess and checks with the Socket API for safety before packages are fetched, extracted, and installed by your package manager," explained Bustad.

The sfw tool blocks network requests for known malicious packages. As such, it won't catch code artifacts that have been cached locally. Socket advises clearing the relevant package manager's cache before invoking sfw .
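To make the mechanism described above concrete, here is an added example (not Socket's sfw code, and not derived from it) of an install-time package firewall in Python: it starts an ephemeral local HTTP proxy, points the child package manager at it through the usual proxy environment variables, and decides per artifact download whether to forward, warn or return 403. Because every tarball, wheel and crate the package manager fetches goes through the same proxy, transitive dependencies are covered for free, and anything already in a local cache is never seen, which is exactly the caveat above. The VERDICTS table is constructed sample data standing in for a remote scanning API; the registry hostnames and URL shapes are simplified assumptions about today's public registries; the file name pkgfw.py is hypothetical. The proxy handles plain-HTTP requests only: a CONNECT request (which is how a client sends HTTPS through a proxy) gets the handler's default 501, so HTTPS traffic fails closed instead of bypassing the check. A production tool would have to terminate TLS with a locally trusted CA or use another interception mechanism; the article does not say how sfw does this.

```python
"""Install-time package firewall sketch (added example, not Socket's sfw code).

Wraps a package-manager command in an ephemeral local HTTP proxy. Every
download request, top-level or transitive, passes through decide(): confirmed
malicious -> 403 (blocked), AI-flagged only -> logged warning and allowed,
everything else -> forwarded upstream. The VERDICTS table stands in for a
remote scanning API; the URL shapes are simplified assumptions.
"""
import os
import re
import subprocess
import sys
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Constructed sample verdicts keyed by (ecosystem, normalized name, version).
VERDICTS = {
    ("npm", "evil-colors", "1.0.1"): "malicious",       # human-confirmed -> block
    ("pypi", "requessts", "0.0.2"): "malicious",
    ("cargo", "serde_derive_x", "0.1.0"): "suspicious",  # AI-flagged only -> warn
}

_NPM = re.compile(r"^/((?:@[^/]+/)?[^/]+)/-/([^/]+)\.tgz$")
_PYPI = re.compile(r"^([A-Za-z0-9_.-]+?)-(\d[^-]*)(?:-[^-]*)*\.(?:whl|tar\.gz|zip)$")
_CRATE = re.compile(r"^/crates/([^/]+)/\1-([^/]+)\.crate$")


def classify(url):
    """Map an artifact download URL to (ecosystem, name, version); None for
    anything that is not a package artifact (index pages, metadata docs)."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path
    if host == "registry.npmjs.org":
        m = _NPM.match(path)
        if m:
            name, fname = m.groups()
            base = name.rsplit("/", 1)[-1]          # strip @scope/ for the file name
            if fname.startswith(base + "-"):
                return ("npm", name, fname[len(base) + 1:])
    elif host == "files.pythonhosted.org":
        m = _PYPI.match(path.rsplit("/", 1)[-1])
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()   # PEP 503 normalization
            return ("pypi", name, m.group(2))
    elif host == "static.crates.io":
        m = _CRATE.match(path)
        if m:
            return ("cargo", m.group(1), m.group(2))
    return None


def decide(lookup, url):
    """Return (action, key): action is 'block', 'warn' or 'allow'."""
    key = classify(url)
    if key is None:
        return ("allow", None)
    verdict = lookup(key)
    if verdict == "malicious":
        return ("block", key)
    if verdict == "suspicious":
        return ("warn", key)
    return ("allow", key)


class FirewallProxy(BaseHTTPRequestHandler):
    """Forward proxy: for a proxied request self.path is the absolute URL.
    Only plain-HTTP GETs are handled; CONNECT (HTTPS) gets the default 501."""

    def do_GET(self):
        action, key = decide(VERDICTS.get, self.path)
        if action == "block":
            self.send_error(403, "blocked by package firewall: %s" % (key,))
            return
        if action == "warn":
            self.log_message("WARNING: AI-flagged, not yet confirmed, allowing %s", key)
        try:
            with urlopen(Request(self.path, headers={"User-Agent": "pkgfw/0.1"}), timeout=60) as up:
                body = up.read()
                self.send_response(up.status)
                self.send_header("Content-Type", up.headers.get("Content-Type", "application/octet-stream"))
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
        except Exception as exc:  # upstream failure: fail closed, never serve a partial artifact
            self.send_error(502, "upstream error: %s" % exc)


def run_with_firewall(argv):
    """Start the proxy on an ephemeral port, run argv with proxy env vars set,
    then shut the proxy down. Returns the child's exit code."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FirewallProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    proxy = "http://127.0.0.1:%d" % server.server_port
    env = dict(os.environ, HTTP_PROXY=proxy, http_proxy=proxy, npm_config_proxy=proxy)
    try:
        return subprocess.run(argv, env=env).returncode
    finally:
        server.shutdown()


if __name__ == "__main__":
    # usage: python pkgfw.py npm install chalk   (or: pip install flask, cargo add serde)
    sys.exit(run_with_firewall(sys.argv[1:]))
```

The decision logic is deliberately separated from the proxy so it can be unit-tested offline: classify() turns a download URL into an (ecosystem, name, version) key and decide() applies the policy, with index pages and metadata documents passing through untouched. Because a proxy of this kind only ever sees network fetches, a package already present in the local store is installed without any check; clearing the cache first (for example with npm cache clean --force, pip cache purge or uv cache clean) is what makes the proxy see every artifact, which is the same advice Socket gives for sfw.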

There's also a paid enterprise version that adds various capabilities for large companies, such as support for custom registries, support for other programming language ecosystems, the ability to block unscanned or unknown packages, and allow lists.


According to Bustad, Socket relies on AI scans supported by human review for identifying malware. The free version of Socket Firewall will display a warning when an AI scan flags a package, but it won't block the network traffic until the package has been confirmed as malicious through human review, since AI detection alone can produce false positives. That behavior is configurable in the paid version.

Bustad says that Socket Firewall Free sends telemetry to gather anonymous usage information. "We recognize this can cause reasonable concern for some, so we want to be transparent," he said, noting that the paid version allows telemetry to be configured.

Gathered data includes: a [15]unique, non-reversible identifier per machine; information about blocked packages; latency; errors (no local file system info); and GitHub organization name.

Socket Firewall Free is offered under the [16]PolyForm Shield License 1.0.0. ®




[1] https://socket.dev/blog/introducing-socket-firewall


[4] https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2025.pdf


[7] https://www.theregister.com/2023/03/16/socket_npm_safe_javascript/


[12] https://github.com/SocketDev/sfw-free/blob/main/README.md


[15] https://www.npmjs.com/package/node-machine-id

[16] https://polyformproject.org/licenses/shield/1.0.0




Whois Feross Aboukhadijeh ..

Taliesinawen

“Feross is founder and CEO at Socket (https://socket.dev), a developer-first security platform. Feross has worked in open source software for 10+ years writing some of the most-downloaded JavaScript packages. [1]Feross is a lecturer at Stanford where he teaches CS 253 Web Security . Socket makes a developer-first security platform that prevents vulnerable and malicious open source dependencies from infiltrating your software supply chain. Thousands of organizations in every industry use Socket to safely discover, audit, and manage OSS at scale.”

[2]CS 253 Web Security

“Topics include: Principles of web security, attacks and countermeasures, the browser security model, web app vulnerabilities, injection, denial-of-service, TLS attacks, privacy, fingerprinting, same-origin policy, cross site scripting, authentication, JavaScript security, emerging threats, defense-in-depth, and techniques for writing secure code. Course projects include writing security exploits, defending insecure web apps, and implementing emerging web standards.”

[1] https://www.crunchbase.com/person/feross-aboukhadijeh

[2] https://web.stanford.edu/class/cs253/

Re: Whois Feross Aboukhadijeh ..

IGotOut

Is that the paid or free version of ChatGPT?

"A horrible little boy came up to me and said, `You know in your book
The Martian Chronicles?' I said, `Yes?' He said, `You know where you
talk about Deimos rising in the East?' I said, `Yes?' He said `No.'
-- So I hit him."
-- attributed to Ray Bradbury