Socket(@SocketSecurity ):Update: We added our technical analysis. Notable findings: → Likely dormant maintainer account takeover → Payload appended to the CommonJS entrypoint, node-ipc.cjs → Steals developer/CI secrets from env vars and config files → Exfiltrates via DNS TXT queries, not HTTP

Socket

@SocketSecurity

Socket is the #1# software supply chain security platform. Next-gen SCA + SBOM + 0-day prevention. LOVED BY DEVELOPERS. 👀 @npm_malware

Joined November 2021

4.6K Following 15.8K Followers

Socket@SocketSecurity

2026.05.14 17:57

Update: We added our technical analysis. Notable findings: → Likely dormant maintainer account takeover → Payload appended to the CommonJS entrypoint, node-ipc.cjs → Steals developer/CI secrets from env vars and config files → Exfiltrates via DNS TXT queries, not HTTP