August 7, 2023
Manifest Confusion
"Manifest confusion" refers to the fact that in the npm ecosystem, a package's manifest and its tarball are published independently. They are never fully validated against each other, making it possible for bad actors to hide malicious code and scripts. The npm registry has historically trusted the client for data validation, opening the door to potential misuse.
What's more, this issue isn't limited to the npm registry. It also affects various third-party organizations, package managers, and security tools — essentially, any tool or insight that uses the public registry.
...Darcy Clarke's discovery has emphasized the often-overlooked issue of data quality in software composition analysis (SCA) tooling. Many SCA tools take shortcuts, failing to understand the npm package installation process, which leads to missing entire dependencies.
Manifest Confusion: How Socket Protects You, Socket
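The check a practitioner wants here is the one the registry does not perform: pull the manifest the registry serves for a version, pull the `package.json` from inside the tarball that `npm install` actually unpacks, and diff the fields that change install behaviour. The script below is an added example, not code from Socket, npm or Darcy Clarke's write-up. The registry manifest and the tarball are both constructed inline (package name `example-lib`, dependency `hypothetical-helper` and the `postinstall` script are invented) so it runs offline; in real use the two inputs come from `https://registry.npmjs.org/<name>/<version>` and that document's `dist.tarball` URL.

```python
"""Manifest-vs-tarball consistency check for an npm package (added example).

The registry keeps the manifest it received at publish time; the tarball
carries its own package.json, which is what the npm CLI reads for
dependencies and lifecycle scripts. The two are never reconciled server-side,
so the only way to know they agree is to compare them yourself.
"""
import io
import json
import tarfile

# Fields where a mismatch changes what `npm install` runs or resolves, or what
# an SCA tool that reads only the registry manifest would miss.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")

# Constructed sample: what the registry (and the npm website) reports.
SAMPLE_REGISTRY_MANIFEST = {
    "name": "example-lib",
    "version": "1.0.0",
    "dependencies": {},
    "scripts": {},
}

# Constructed sample: what is really inside the published tarball.
SAMPLE_TARBALL_PACKAGE_JSON = {
    "name": "example-lib",
    "version": "1.0.0",
    "dependencies": {"hypothetical-helper": "^2.0.0"},   # hidden dependency
    "scripts": {"postinstall": "node ./setup.js"},       # hidden install hook
}


def build_tarball(package_json: dict) -> bytes:
    """Build an npm-style .tgz in memory (npm puts files under 'package/')."""
    body = json.dumps(package_json).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name="package/package.json")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def read_tarball_manifest(tgz: bytes) -> dict:
    """Return the package.json the npm CLI would unpack from this tarball."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        member = tar.extractfile("package/package.json")
        if member is None:
            raise ValueError("tarball has no package/package.json")
        return json.load(member)


def find_manifest_confusion(registry_manifest: dict, tgz: bytes) -> dict:
    """Map each CHECKED_FIELDS entry that differs to (registry_value, tarball_value).

    An empty dict means the two views agree on everything that matters for
    installation; any entry is a manifest-confusion finding.
    """
    tarball_manifest = read_tarball_manifest(tgz)
    diffs = {}
    for field in CHECKED_FIELDS:
        reg_value = registry_manifest.get(field)
        tar_value = tarball_manifest.get(field)
        if reg_value != tar_value:
            diffs[field] = (reg_value, tar_value)
    return diffs


def demo() -> dict:
    """Run the check on the constructed samples."""
    tgz = build_tarball(SAMPLE_TARBALL_PACKAGE_JSON)
    return find_manifest_confusion(SAMPLE_REGISTRY_MANIFEST, tgz)


if __name__ == "__main__":
    for field, (reg_value, tar_value) in demo().items():
        print(f"{field}: registry={reg_value!r} tarball={tar_value!r}")
```

Against the constructed samples the check flags `dependencies` and `scripts`: the registry view shows a package with nothing to install and nothing to run, while the tarball pulls in an extra dependency and runs a `postinstall` hook. Any SCA tool that builds its picture from the registry manifest alone would report the empty view.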
Funding
Reflex (previously Pynecone), an open-source, full-stack Python framework for building and deploying web apps, raised $5m in Seed funding.
Lightup, no-code data quality tool for large quantities of data, raised $9m in Series A funding.
Knot, an API-first tool for card issuers to programmatically update card on file information, cancel subscriptions and change passwords, raised $10m in Series A funding.
Silk, a unified platform for consolidating and prioritizing security findings, raised $12.5m in Seed funding.
Socket, a vulnerability scanner that provides supply chain protection for JavaScript and Python dependencies, raised $20m in Series A funding.
Lula, a suite of insurance products for vehicle fleet operators to manage assets, estimate risk, and make changes to insurance policies in real time, raised $35.5m in Series B funding.
Neon, a cloud-native serverless PostgreSQL database with autoscaling, branching, and bottomless storage, raised $46m in Series B funding.
Endor Labs, an application security tool that helps teams prioritize open source risk, secure CI/CD pipelines, and meet compliance objectives to eliminate the 'developer productivity tax', raised $70m in Series A funding.