
Socket — the startup that scans your open-source dependencies before they become your problem — just raised $60 million at a $1 billion valuation. The timing is deliberate. AI coding tools are shipping code faster than any team can review it, and the open-source ecosystem is absorbing the collateral: 454,600 new malicious packages were identified in 2025 alone, a 75% year-over-year jump. Investors are now betting a billion dollars that this problem gets worse before it gets better.
The Investor Roster Is the Real Signal
Thrive Capital led the round, with a16z, Abstract Ventures, and Capital One Ventures participating. That brings Socket’s total funding to $125 million since its 2020 founding. The customer list — Anthropic, xAI, Replit, Cursor, Figma, Vercel — reads like a who’s who of companies building on AI-generated code. These aren’t companies with sprawling legacy security budgets; they’re companies where shipping velocity is the product. The fact that they’re paying for supply chain protection tells you something.
CEO Feross Aboukhadijeh put it plainly: “The volume of third-party code entering production keeps going up, the time anyone spends reviewing it keeps going down.” Thrive’s Philip Clark added: “We need tools like Socket that can identify threats in third party code before they reach production.” Neither quote is surprising. Both should be uncomfortable if you’re a developer who hasn’t thought about this.
AI Tools Have a Supply Chain Blindspot
Here’s the part most coverage is missing. The problem isn’t just that developers copy-paste bad code from Stack Overflow. The problem is that your AI coding tool — Cursor, Copilot, Claude Code — is now installing packages autonomously. Sonatype’s 2026 Supply Chain Report found that “AI code assistants can fetch and install malicious code automatically when prompted to fix dependency errors.” The assistant sees a missing dependency, resolves it, installs it. No human in the loop. No review step.
This is a new attack surface that didn’t exist two years ago. And it’s compounding. Gartner reports that 48% of AI-generated code contains vulnerabilities. ProjectDiscovery’s 2026 AI Coding Impact Report found AI co-authored code has a 2.74x higher security vulnerability rate. CVEs directly attributable to AI-generated code went from 6 in January 2026, to 15 in February, to 35 in March. That curve is not flattening.
The Scale Is Already Alarming
Socket blocks over 1,000 supply chain attacks weekly for its users. More than 99% of open source malware targets npm — the registry that every JavaScript and Node developer touches constantly. In May 2026, the TeamPCP group compromised over 170 npm packages in a single campaign, hitting TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI, with 15 million users potentially exposed. IBM’s 2025 Cost of a Data Breach Report priced a supply chain compromise at $4.91 million on average, with a 267-day mean lifecycle — the longest of any breach vector.
ByteIota covered the antv npm attack last week — 16 million downloads poisoned. The Nx Console VSCode extension was hijacked earlier this month. These aren’t isolated incidents; they’re the new baseline.
What Socket Actually Does
Socket scans open-source packages before you download them — not after, which is where most security tools operate. Its Socket Firewall blocks malicious packages at the gate. Socket Reachability cuts false positives by up to 90%, which matters: alert fatigue kills security programs. The platform detects novel attacks, not just known CVEs, using a combination of behavioral analysis and human verification.
With the new funding, Socket is expanding into code editor extensions, AI tool integrations, and — notably — MCP server security. That last one is worth paying attention to: developers are copying MCP server configs from GitHub READMEs without reviewing the source. It’s the exact same pattern as npm supply chain attacks, just in a new format.
What You Should Do Now
Three things, in order of urgency:
- Audit your transitive dependencies. Your direct dependencies are probably fine. The packages those packages depend on are where attackers hide. Tools like Socket, Snyk, or npm audit can surface these, but Socket specifically catches behavioral threats that CVE-based tools miss.
- Don’t trust AI tool dependency installs blindly. When your AI coding assistant resolves a missing package, verify what it’s installing before running the code. This is a habit you need to build now, not after an incident.
- Treat MCP configs like you treat package.json. If you’re using MCP-enabled tools, the attack surface has expanded to include every server config you pull from the internet. Review them. The TanStack/Mistral AI campaign is a preview of what this looks like at scale.
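One way to start on the first two items, as an added example (not code from the article or from Socket): a triage pass over an npm v2/v3 lockfile that lists packages worth a manual look, transitive ones first. The three checks are heuristics chosen for this example, and the package names and URLs in the sample lockfile are constructed.

```javascript
// Added example: triage an npm lockfile (v2/v3 "packages" map) for review candidates.
// Load a real one with: JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))
const REGISTRY = "https://registry.npmjs.org/";
const NM = "node_modules/";

function auditLockfile(lock) {
  const root = lock.packages[""] || {};
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
    ...Object.keys(root.optionalDependencies || {}),
  ]);
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    // Skip the project itself, workspace folders and symlinked workspace entries.
    if (!path.includes(NM) || meta.link) continue;
    // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    const name = path.slice(path.lastIndexOf(NM) + NM.length);
    const nested = path.indexOf(NM) !== path.lastIndexOf(NM);
    const transitive = nested || !direct.has(name);
    const reasons = [];
    if (meta.hasInstallScript) reasons.push("runs install script");
    if (!meta.integrity) reasons.push("no integrity hash");
    if (meta.resolved && !meta.resolved.startsWith(REGISTRY)) reasons.push("non-registry source");
    if (reasons.length) findings.push({ name, version: meta.version, transitive, reasons });
  }
  // Transitive findings first: nobody on the team chose those packages explicitly.
  return findings.sort((a, b) => Number(b.transitive) - Number(a.transitive));
}

// Constructed sample lockfile; every package name and URL below is made up.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-framework": "^2.0.0", "example-native-addon": "^1.0.0" } },
    "node_modules/example-framework": { version: "2.1.0", integrity: "sha512-CONSTRUCTED",
      resolved: REGISTRY + "example-framework/-/example-framework-2.1.0.tgz" },
    "node_modules/example-native-addon": { version: "1.4.0", integrity: "sha512-CONSTRUCTED",
      resolved: REGISTRY + "example-native-addon/-/example-native-addon-1.4.0.tgz", hasInstallScript: true },
    "node_modules/example-tiny-helper": { version: "0.0.3", integrity: "sha512-CONSTRUCTED",
      resolved: REGISTRY + "example-tiny-helper/-/example-tiny-helper-0.0.3.tgz", hasInstallScript: true },
    "node_modules/example-framework/node_modules/example-color-util": { version: "1.0.0",
      resolved: "git+https://git.example.invalid/example-color-util.git#0000000" },
  },
};

console.table(auditLockfile(SAMPLE_LOCK));
```

Running it against the lockfile before and after an AI assistant adds a dependency shows which new packages it pulled in and why each one deserves a look.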
The $60 million going to Socket is not a niche security story. It’s a signal that the industry is finally pricing in a risk that developers have been absorbing quietly for years — and that AI is making significantly worse. At the scale the Sonatype 2026 report documents — 1.2 million cumulative malicious packages and counting — the question isn’t whether your dependencies are being targeted. They almost certainly are.













