Introducing Socket Firewall: Free, Proactive Protection for Your Software Supply Chain

Socket Firewall is a free tool that blocks malicious packages at install time, giving developers proactive protection against rising supply chain attacks.

Dale Bustad

September 30, 2025

In the past, high-profile maintainer compromises on npm were rare events. Incidents like the infamous event-stream attack in 2018 stood out as shocking anomalies. But that’s no longer the case. In just the last few weeks, we’ve seen trusted open source packages targeted in compromises of tinycolor, chalk, nx, and eslint-config-prettier.

What used to be an occasional outlier is becoming disturbingly common, driven by increasingly sophisticated social engineering tactics aimed directly at maintainers. The result is that traditional defenses aren’t enough to protect developers and organizations that rely on open source.

Socket has helped organizations stay protected from the worst outcomes of supply chain attacks. But attackers don’t just target production environments. They also go after developer machines directly to run malicious code before it reaches production.

To close that gap, we’re introducing Socket Firewall Free: a lightweight tool that protects developer machines in real time, blocking malicious dependencies before they ever reach your laptop or build system. It works out of the box — no API key and no configuration required.

$ npm i -g sfw
$ sfw npm install lodahs

=== Socket Firewall ===

- Blocked npm package: name: lodahs; version: 1.0.0

Socket Firewall in action. Just npm i -g sfw then prefix your package install commands with sfw. For example, run: sfw npm install lodahs. Observe that the malicious package fails to install!

Scaling Protection Across Ecosystems

If you’ve used our “safe npm” tool before, Socket Firewall will feel familiar. It protects you from installing malicious dependencies when running npm install, but its capabilities go far beyond that. It now covers Python and Rust as well as JavaScript, and support for more ecosystems is rolling out quickly. Although you can continue to use safe npm, we see Socket Firewall as the next step forward, a more scalable and comprehensive approach that will become the standard way to protect installs across ecosystems.

Socket Firewall Free prevents malware from being fetched via package managers:

  • for JavaScript & TypeScript via npm, yarn, and pnpm
  • for Python via pip & uv
  • for Rust via cargo

In the near future, we will also be offering Socket Firewall Enterprise to our customers. This paid version will allow you to configure the policy used to block dependencies, it will expand support for additional package managers and ecosystems, and it will be deployable as a network service. Stay tuned over the next couple of weeks for details.

In the meantime, we’re confident Socket Firewall will help strengthen the open source ecosystems we all depend on.

How It Works

Once installed, sfw should be prefixed to any supported package manager’s command. For example:

sfw npm install --save [email protected]
sfw cargo fetch
sfw uv pip install flask

Socket Firewall isn’t limited to protecting you from problematic top-level dependencies. It will also prevent the package manager from fetching any transitive dependency that is known to be malicious. Under the hood, it spins up an ephemeral HTTP proxy that intercepts traffic for the subprocess and checks with the Socket API for safety before packages are fetched, extracted, and installed by your package manager.
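The decision logic such an interposed proxy applies can be sketched in a few dozen lines. The block below is an added illustration, not sfw’s own code: it parses the artifact URLs that npm and pip request from their default registries, looks them up in a constructed verdict table standing in for the Socket API, and applies the Free policy the post describes (known malware is blocked, AI-flagged “possible” malware only warns, unknown or unscanned versions pass). All package names, versions and verdicts in it are made up.

```python
import re
from urllib.parse import urlparse

# Constructed verdict table standing in for the Socket API lookup (not real data).
# "malware" = known malicious; "possible" = AI-flagged, pending human review.
VERDICTS = {
    ("npm", "lodahs", "1.0.0"): "malware",
    ("npm", "@acme/widget", "2.3.1"): "possible",
    ("pypi", "reqeusts", "0.1"): "malware",
}

# npm tarballs: /<name>/-/<basename>-<version>.tgz, scoped as /@scope/<name>/-/...
NPM_TARBALL = re.compile(r"^/((?:@[^/]+/)?[^/]+)/-/[^/]+-(\d+\.\d+\.\d+[^/]*)\.tgz$")
# PyPI files end in /<name>-<version>.tar.gz or /<name>-<version>-<tags>.whl
# (PyPI normalises hyphens in names to underscores in file names).
PYPI_FILE = re.compile(r"^.*/([A-Za-z0-9_.]+)-(\d+(?:\.\d+)*)(?:\.tar\.gz|-[^/]*\.whl)$")

def identify(url):
    """Map an outbound artifact URL to (ecosystem, name, version), or None."""
    u = urlparse(url)
    if u.netloc.endswith("registry.npmjs.org"):
        m = NPM_TARBALL.match(u.path)
        return ("npm", m.group(1), m.group(2)) if m else None
    if u.netloc.endswith("pythonhosted.org"):
        m = PYPI_FILE.match(u.path)
        return ("pypi", m.group(1).lower().replace("_", "-"), m.group(2)) if m else None
    return None

def decide(url):
    """Return the proxy's action for one request: PASS, ALLOW, WARN or BLOCK."""
    pkg = identify(url)
    if pkg is None:
        return "PASS"        # not a package artifact we understand; forward untouched
    verdict = VERDICTS.get(pkg)
    if verdict == "malware":
        return "BLOCK"       # known malware: refuse the fetch
    if verdict == "possible":
        return "WARN"        # AI-flagged only: forward, but warn the user
    return "ALLOW"           # unknown or unscanned: not blocked in the Free tier

def proxy_response(url):
    """(HTTP status, message) the proxy hands back to the package manager."""
    action, pkg = decide(url), identify(url)
    if action == "BLOCK":
        return 403, f"Blocked {pkg[0]} package: name: {pkg[1]}; version: {pkg[2]}"
    if action == "WARN":
        return 200, f"Warning: possible malware in {pkg[0]} package {pkg[1]}@{pkg[2]}"
    return 200, "forwarded upstream"
```

Because the decision hinges on seeing the artifact request, a tarball served from a local cache never reaches this function at all, which is the cache caveat the post raises below.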

A big thanks goes out to Amir Arad who transferred the sfw package to Socket!

Get Started

To get started, install Socket Firewall onto your developer machine. The simplest installation method is via npm:

npm i -g sfw
# sfw can then be prefixed in front of package manager commands
sfw npm install --save dangerous-package
sfw pip install dangerous-package

IMPORTANT: Socket Firewall works by blocking network requests for package artifacts. If there are no network requests, as is the case when artifacts are cached locally, there is nothing for sfw to block. We recommend that you clear your package manager’s cache (e.g. npm cache clean --force) and use sfw from that point onward.

You can also install manually by downloading the appropriate binary from the releases page, moving it into your PATH, and making it executable. Keep in mind that, if you do this, you’ll need to update the binary periodically as we drop support for older versions.

If you’d like to use sfw in a CI/CD environment, we’ve supplied a GitHub Action you can use to ensure you’re always running the latest version:

on: push

jobs:
  job-id:
    # Socket Firewall supports Linux, Windows, and macOS
    runs-on: ubuntu-latest
    steps:
      # add Socket Firewall to the runner environment
      - uses: socketdev/action@v1
        with:
          mode: firewall

      # setup your project (e.g. checkout, setup-node, etc...)
      - uses: actions/checkout@v5

      # example usage
      - run: sfw npm ci
      - run: sfw npm install lodash
      - run: sfw pip install requests

In the coming days, Socket Firewall will also be integrated into the Socket CLI, alongside other new and exciting CLI features. Keep an eye out for an upcoming blog post!

Socket Firewall Free vs Socket Firewall Enterprise

Socket Firewall Free is provided as a free tool for open source and commercial projects alike. In order for this to be sustainable, and to prevent abuse, the tool comes with a few limitations:

  • Custom registries are not supported by Socket Firewall Free. This will be supported in the paid version of Socket Firewall.
  • Socket utilizes AI scans and subsequent human review when identifying malware.
    • Socket Firewall Free will display a warning if AI-detected potential malware is requested by a package manager but it will not block the associated network traffic.
    • Socket Firewall’s behavior with regard to AI-detected malware will be configurable in the paid version.
    • To make this a bit more concrete: Socket AI caught the tinycolor malware within 1 hour of it being published; a clear win. However, AI detection can also result in false positives. The “right” blocking policy may depend on an organization’s appetite for risk and their unique needs.
  • As noted above, Socket Firewall Free supports npm, yarn, pnpm, pip, uv, and cargo. Support for other ecosystems will be included in the paid version of Socket Firewall.
  • Unknown or unscanned versions of packages will not be blocked by Socket Firewall Free. This will be configurable in the paid version of Socket Firewall.
  • Socket Firewall Free provides no mechanism to allow-list a particular package or version. The paid version of Socket Firewall will include an allow-list mechanism.
  • Use of Socket Firewall Free is not rate-limited except in cases where abuse is detected. The limits here are very large and should not be reached in any reasonable use case.

| | Socket Firewall Free | Socket Firewall Enterprise |
| --- | --- | --- |
| Must be on a paid plan? | No | Yes, Enterprise |
| Custom registries | No | Yes |
| Ecosystems | JS, TS, Python, Rust | All languages |
| Data in dashboard | No | Yes |
| Authentication / can set API Key? | No | Yes |
| Can you set the security policy? | Not configurable: known malware → BLOCK; possible malware → WARN | Yes: org-wide policy |
| Do we collect usage data? | Yes | Yes, but configurable |
| Is there a rate limit? | Abuse rate limits | Abuse rate limits |
| What operational modes are supported? | Wrapper only | Wrapper + Client/Server |
| Chained HTTP Proxy | No | Yes |

Telemetry

Socket Firewall Free collects anonymous telemetry. We recognize this can cause reasonable concern for some, so we want to be transparent. Here’s what we collect and why:

  • A unique, non-reversible identifier per machine. This allows us to get a sense for usage trends.
  • Information about blocked and permitted packages, e.g. name, namespace, version.
  • Latency added by Socket Firewall when fetching packages. This will help us detect service degradation and meaningfully measure the improvements we make to the software.
  • Errors. This is pretty bare bones; we do not include information from the local filesystem (e.g. call stacks, paths, file names, etc).
  • GitHub organization name. To help us understand adoption across teams, Socket Firewall may collect the name of your GitHub organization from your configured remotes. We only collect the org name — never repository names, source code, or commit history.

Additional telemetry events may be added in future versions as we learn more about usage patterns and continue adding features. However, the information we collect will always be anonymous.

Telemetry will be configurable in the enterprise version.

License

Socket Firewall Free is provided under the PolyForm Shield License 1.0.0. You can also find the license text in the installer repository.

Try It Today

We’re eager to hear your feedback as you try out Socket Firewall Free. If you have any trouble using sfw please reach out via issues at sfw-free Issues. If you’d like to learn more about Socket Firewall Enterprise, reach out to [email protected] or book a demo today.
