Sam (crazy candle person) ✦
@samantha
Our team wrote about the ongoing attack on NPM today - 1/3 packages are now spam. ‼️ If you use NPM, your customers' cred and $$$ are at risk ‼️ Here's what the spammers are doing, and how to protect yourself from malicious packages: https://blog-npm-spam.listen-dev.pages.dev/blog/npm-registry-spam-attack/

Cameron Armstrong
@cameron
@ian relevant to your interests

Sam (crazy candle person) ✦
@samantha
Here to answer any questions if you want @ian ! Supply chain security is my bread and butter.

ianh.eth
@ian
Hey @samantha I've been using socket.dev and it seems to work pretty well for what we're doing. How does listen.dev compare? See screenshot, this is the level of detail we get for PRs. https://i.imgur.com/kcDDPun.jpg

Sam (crazy candle person) ✦
@samantha
Thanks for sharing! We use dynamic behaviour analysis on top of static feedback, which Socket doesn't. We detect behaviour at the syscalls within the kernel, so we can detect activity going in or out: some payload coming in from outside, unauthorized filesystem access during insertion, invoking child processes, etc.
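A toy version of the install-time check Sam describes, added here as an illustration (it is not listen.dev's or Socket's code): it scans constructed strace-style events from a hypothetical `npm install` and flags the three behaviours named in the post: inbound/outbound network traffic, filesystem access outside the project and system directories, and child processes. The trace lines, paths, hosts and package name are all made up.

```python
import re
from typing import FrozenSet, List, Tuple

# Constructed strace-style events from a hypothetical `npm install`; not real output.
SAMPLE_TRACE = """\
4242 openat(AT_FDCWD, "/app/node_modules/example-pkg/index.js", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "/usr/lib/node_modules/npm/lib/cli.js", O_RDONLY|O_CLOEXEC) = 4
4242 openat(AT_FDCWD, "/home/ci/.npmrc", O_RDONLY) = 5
4242 openat(AT_FDCWD, "/home/ci/.ssh/id_rsa", O_RDONLY) = 6
4242 connect(7, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
4242 execve("/bin/sh", ["sh", "-c", "node ./postinstall.js"], 0x7ffd1234) = 0
4242 openat(AT_FDCWD, "/app/node_modules/example-pkg/package.json", O_RDONLY) = 8
"""

OPENAT = re.compile(r'openat\(\w+, "([^"]+)"')
CONNECT = re.compile(r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
                     r'sin_addr=inet_addr\("([^"]+)"\)')
EXECVE = re.compile(r'execve\("([^"]+)", (\[[^\]]*\])')

# Reads from the toolchain and shared libraries are expected during an install.
SYSTEM_ROOTS = ("/usr/", "/lib/", "/lib64/", "/proc/", "/dev/", "/etc/ld.so")


def analyze(trace: str, install_root: str,
            allowed_hosts: FrozenSet[str] = frozenset()) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for install-time behaviour worth flagging."""
    findings: List[Tuple[str, str]] = []
    root = install_root.rstrip("/") + "/"
    for line in trace.splitlines():
        m = OPENAT.search(line)
        if m:
            path = m.group(1)
            # Anything outside the project tree or system dirs (e.g. ~/.npmrc, SSH keys)
            if not path.startswith(root) and not path.startswith(SYSTEM_ROOTS):
                findings.append(("filesystem", path))
            continue
        m = CONNECT.search(line)
        if m:
            port, host = m.groups()
            if host not in allowed_hosts:  # only the configured registry is expected
                findings.append(("network", f"{host}:{port}"))
            continue
        m = EXECVE.search(line)
        if m:  # any child process spawned by an install script is reported
            findings.append(("child_process", f"{m.group(1)} {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for category, detail in analyze(SAMPLE_TRACE, "/app"):
        print(f"{category:14s} {detail}")
```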