Pinned
⚡️ Founder + CEO @SocketSecurity (socket.dev) • 🌲 Visiting lecturer @Stanford (cs253.stanford.edu) • ❤️ Open source @WebTorrentApp + @StandardJS
- The Nintendo Switch uses my open source code 🤯 @feross Have you seen that the Nintendo Switch uses your safe-buffer? (I for some reason scrolled through their incredibly long license list)
- Detect pressed keys via microphone audio capture in real-time. Uses training data captured by typing first. Very neat! github.com/ggerganov/kbd-… Based on ideas in this classic traffic analysis paper: Timing Analysis of Keystrokes and Timing Attacks on SSH people.eecs.berkeley.edu/~daw/papers/ss…
- 🤩 Exciting news! I'm ready to share the project I've been working on for the past 2 months. ✨ Wormhole – the fastest way to send files ✨ Wormhole lets you share files with end-to-end encryption and it's super fast. Send a file in just 2 seconds: wormhole.app
- I wish more developers understood the constant stream of malware that is posted to npm, PyPI, and all package managers... Here's just a taste of some crazy malware Socket identified in the past couple weeks... All malware descriptions were FULLY WRITTEN by Socket AI.
- 🙌 Just released a CLI tool called `thanks` to help you thank the open source maintainers you depend on! ✨ 1. Run 'npx thanks' in your project 2. See which of your dependencies are seeking donations! 💸 🌟 Open source authors, add yourself to the list: github.com/feross/thanks
- Irresponsible post. End-to-end encryption works precisely because it assumes untrusted infrastructure. Whether Signal runs on AWS, GCP, or their own servers doesn't matter -- the math does. Every Wi-Fi hotspot, ISP, and backbone in between is untrusted by design. I don't trust Signal anymore
- 🚨 The Express.js repo got swamped with spam PRs thanks to a YouTube tutorial gone wrong. Hundreds of low-effort contributions flooded in, creating chaos for maintainers. Some called it an "attack on open source", as pages of "UTTER GARBAGE" piled up in the Express.js project.
- The `xz` package backdoor is just the tip of the iceberg. There's a CONSTANT low-level stream of malware and spyware being uploaded to npm, PyPI, and Go registries. I want to share a few examples from the 20,000+ malicious packages we detected so far:
- 🚨 Major active supply chain attack just hit npm. Popular package @ctrl/tinycolor was trojanized — and it didn't stop there. Over 40 packages were silently modified to steal secrets from dev machines & CI pipelines. Our team at Socket caught it. Full report coming soon. Stay
- "someone transferred ~0.05 BTC (currently ~$900), paying 0.01 BTC in fees (currently ~$180) and the network burned enough electricity for that single transaction to drive a Model S well over 1000km, or power an average house in Germany for about a month" – @dcposch