惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Secure Thoughts
雷峰网
雷峰网
罗磊的独立博客
T
The Blog of Author Tim Ferriss
阮一峰的网络日志
阮一峰的网络日志
量子位
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
云风的 BLOG
云风的 BLOG
人人都是产品经理
人人都是产品经理
GbyAI
GbyAI
Cisco Talos Blog
Cisco Talos Blog
Engineering at Meta
Engineering at Meta
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
A
About on SuperTechFans
D
Darknet – Hacking Tools, Hacker News & Cyber Security
The Cloudflare Blog
Know Your Adversary
Know Your Adversary
T
Threat Research - Cisco Blogs
Spread Privacy
Spread Privacy
D
DataBreaches.Net
T
The Exploit Database - CXSecurity.com
K
Kaspersky official blog
Cyberwarzone
Cyberwarzone
爱范儿
爱范儿
U
Unit 42
Security Latest
Security Latest
M
MIT News - Artificial intelligence
月光博客
月光博客
Scott Helme
Scott Helme
G
Google Developers Blog
有赞技术团队
有赞技术团队
T
Tor Project blog
宝玉的分享
宝玉的分享
Y
Y Combinator Blog
博客园 - Franky
H
Hackread – Cybersecurity News, Data Breaches, AI and More
aimingoo的专栏
aimingoo的专栏
The GitHub Blog
The GitHub Blog
V
V2EX
B
Blog
Apple Machine Learning Research
Apple Machine Learning Research
S
Securelist
博客园 - 三生石上(FineUI控件)
Blog — PlanetScale
Blog — PlanetScale
TaoSecurity Blog
TaoSecurity Blog
Stack Overflow Blog
Stack Overflow Blog
P
Proofpoint News Feed
腾讯CDC
D
Docker
Google Online Security Blog
Google Online Security Blog

Socket

Suno Breached via Shai-Hulud Worm, Leaked Code Exposes AI Mu... Next.js moves to scheduled security releases - Socket 11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windo... Compromised npm Packages in the AsyncAPI Namespace Deliver M... jscrambler npm Package Compromised in Supply Chain Attack - ... Fake Braintree NuGet Package Skims Credit Cards and Harvests... Compromised Injective SDK npm Package Exfiltrates Wallet Key... npm v12 Ships With Install Scripts Off by Default, Begins De... Malicious Go Module Exposes GitHub Malware Lure Network Span... pnpm 11.10 Hardens Registry Authentication to Block Token Re... Coordinated npm and PyPI Campaign Typosquats Popular Secure ... Node.js Considers Public Workflow for Security Reports Amid ... PolinRider: North Korea-Linked Supply Chain Campaign Expands... Risky Biz Podcast: AI Agents Are Raising the Stakes for Soft... Chrome and Firefox Extensions Posing as Free VPNs Add Clipbo... Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages - S... Rolldown Pulls Rust React Compiler Integration After Binary ... Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and Git... Frontier AI Is Now Critical Infrastructure - Socket The Code You Didn't Write Is Still Yours to Defend - Socket GitHub Actions Checkout Now Blocks Risky pull_request_target... Introducing Repository Access Permissions and Custom Roles -... Socket MCP Adds Org Alerts, Threat Feed Review, and Package ... Socket Firewall Now Blocks Malicious VS Code and Open VSX Ex... 140+ Mastra npm Packages Compromised in Coordinated Supply C... npm Package Uses Prompt Injection and Token Flooding to Disr... Introducing Manifest Alerts - Socket GlassWASM: WebAssembly Malware Found in Trojanized Open VSX ... Socket for Linear Is Now Available - Socket US Government Forces Anthropic to Pull Claude Fable Days After Launch 152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Faked Google Search Traffic Andrew Becherer Joins Socket as Chief Information Security Officer Socket Partners with Replit to Block Malicious Packages in AI-Powered Development npm Tooling Bug Incorrectly Marks One-Character Packages as Security Holders Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems pnpm 11.5 Adds Support for Recognizing npm Staged Publishes pnpm 11.5 Adds Support for Recognizing npm Staged Publishes Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Famous Chollima Targets PHP Developers Through Compromised Packagist Package Famous Chollima Targets PHP Developers Through Compromised Packagist Package Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io Laravel Lang Compromised with RCE Backdoor Across 700+ Versions Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects AI Has Taken Over Open Source npm Invalidates Granular Access Tokens as Mini Shai-Hulud Sweeps the Registry Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit Socket raises $60M Series C at $1B valuation led by Thrive Capital to secure AI-driven software development Socket Raises $60M Series C at a $1B Valuation to Help Enterprises Build Securely With AI Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor Active Supply Chain Attack Compromises @antv Packages on npm Popular node-ipc npm Package Infected with Credential Stealer TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks Packagist Urges Immediate Composer Update After GitHub Actions Token Leak GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government Socket Named to Rising in Cyber 2026 List of Top Cybersecurity Startups TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape 5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer pnpm 11 Adds Supply Chain Protection Defaults for Minimum Release Age and Exotic Subdependencies PyPI Fixes High-Severity Access Control Issues Found in Security Audit Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack lightning PyPI Package Compromised in Supply Chain Attack Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables SAP CAP npm Packages Hit by Supply Chain Attack Socket Has Acquired Secure Annex 73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations Introducing Reachability for PHP Introducing Data Exports Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions Introducing Organization Notifications in Socket Introducing Reports: An Extensible Reporting Framework for Socket Data Socket for Jira Is Now Available Socket Named Top Sales Organization by RepVue NIST Officially Stops Enriching Most CVEs as Vulnerability Volume Skyrockets Socket Selected for OpenAI's Cybersecurity Grant Program Feross on the 10 Minutes or Less Podcast: Nobody Reads the Code 108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure Node.js Drops Bug Bounty Rewards After Funding Dries Up The Hidden Blast Radius of the Axios Compromise
fsnotify Maintainer Dispute Sparks Supply Chain Concerns
Sarah Goodin · 2026-05-09 · via Socket

Sidebar CTA Background

Secure your dependencies with us

Socket proactively blocks malicious open source packages in your code.

Install

A dispute over maintainer access in fsnotify, a widely used Go library for cross-platform filesystem notifications, briefly raised takeover concerns this week after contributors were removed from the project’s GitHub organization and recent releases came under scrutiny.

So far, there’s no evidence that any fsnotify release was compromised. The concern is messier and more familiar: when a popular project has unclear maintainer roles, release access, and review norms, downstream users can’t easily tell whether they’re watching routine open source conflict or the early signs of a takeover.

fsnotify provides cross-platform filesystem notifications for Windows, Linux, macOS, BSD, and illumos. GitHub shows fsnotify with 10.7k stars, 969 forks, and 321k dependent projects. At that scale, uncertainty around who can merge and release code becomes a downstream problem almost immediately. The concern came from its role in the stack: low-level file watching code underneath developer tools, CLIs, dev servers, and infrastructure workflows.

Removed maintainer sounded the alarm after losing access#

The concern began after Yasuhiro Matsumoto, a Go developer known online as mattn, posted on X that he had been removed from the fsnotify GitHub organization. In the now-deleted Japanese-language post, he wrote (AI-supplied translation):

Previously, fsnotify became difficult to maintain, so the project looked for maintainers.
→ I joined as a maintainer because I had relevant expertise.
→ Around that time, another person also joined.
→ When I tried to start contributing, I was scolded for “doing things on your own.”
Some time passed after that.
That person seems to have gotten carried away and removed even the original author of fsnotify from the org, which is honestly scary.

The post was later deleted, but claims from it became a central point of discussion in a heated GitHub issue, where users asked project maintainer Martin Tournoij (@arp242) to explain why other maintainers had been removed.

Grafana Staff Developer Advocate Oshi Yamaguchi, who started the thread, noted that fsnotify is widely used by major open source projects and that downstream users needed more context to evaluate the change.

What made the situation look risky from the outside was the combination of signals: a popular dependency, recent releases, changed maintainer access, a deleted public post, and uncertainty about who had authority to review or publish changes. This is why people started asking supply chain questions.

In April, a user asked whether fsnotify could cut a new release after automated scanners started flagging the project as unmaintained.

“Automatic code scanners consider this project as unmaintained if no new release is available within the last 12 months,” the issue said. “This project crossed that threshold on April 4th 2026.”

The issue shows how security tooling can inadvertently create pressure on a mature infrastructure library that is usually maintained in bursts.

Matsumoto published v1.10.0 soon after, followed by v1.10.1 on May 4, 2026. The latest release fixed inotify behavior where sibling watches that shared a path prefix could be removed or renamed incorrectly.

Maintainer removed access over rushed merges and sponsorship changes#

In the GitHub thread, Tournoij contends that the removed accounts had commit rights for historical reasons, not because they were active maintainers. He said the recent changes were merged too quickly, lacked sufficient discussion, and required cleanup.

“This isn't a case of ‘one maintainer removes other maintainers’ because they were never ‘maintaining’ anything in any meaningful sense until they self-appointed them as such with no discussion and started committing stuff of dubious quality,” he said.

The project had previously handed out commit rights broadly, including to people who had made earlier fixes, and this access no longer matched actual project stewardship.

“In any other project they never would have had commit rights,” he wrote.

Tournoij also pushed back on speculation that the access change represented a hostile takeover or supply chain event.

“This narrative of ‘oh noes, arp242 maliciously hijacked a project’ is just incorrect,” he commented, pointing readers to the commit history. “Seriously? Ya'll need to enhance your calm – the commit log isn't a secret.”

Tournoij said the access removals were a trust and quality-control decision. The recent work had moved too quickly, had not been sufficiently reviewed across fsnotify’s supported platforms, and risked reintroducing the kind of inconsistency he had spent years cleaning up.

He also said the funding change was a major reason he removed access, arguing that Matsumoto committed the sponsorship update directly to main early in the work and without discussion:

Now, all of that would be up to there, but updating the sponsors file as one of the first actions by committing directly to main with no discussion what-so-ever is just taking the piss. Additional context here is that mattn withdrew funds from thanks.dev a few times over the years before having done any work here (other than the aforementioned bugfix).

Matsumoto later acknowledged that part of his deleted X post was wrong, including his claim that access had also been revoked from original maintainers, and apologized.

He also said the FUNDING.yml update was a mistake in hindsight, but said his recent maintenance activity was in response to the project’s lack of a release for more than a year.

“I did not step forward to take anything over; I stepped forward to help a user who had raised an alert that there had been no release for a year,” he said.

Matsumoto pointed to recent bug fixes across Windows, kqueue, and inotify, plus test stabilization, release work, and follow-up on stalled issues. He argued that the work amounted to real maintenance, and said his remaining concern was that fsnotify now lacked another maintainer who could cross-check changes.

Translation added another layer of ambiguity. In the GitHub thread, one commenter noted that Japanese often omits subjects, while machine translation into English may insert one to make the sentence grammatical. Part of the deleted post was translated as “we recruited a maintainer,” though the commenter said Matsumoto “didn't actually say ‘we.’” Matsumoto later said he is not a native English speaker and uses machine translation for source-code comments.

Kubernetes users weighed forks and alternatives#

The concern also surfaced downstream. A Kubernetes issue titled “fsnotify/fsnotify - Healthy or not?” said the project should be watched carefully and, if necessary, Kubernetes should evaluate forks or consider forking it. The issue included notes describing fsnotify as a widely used dependency and pointed to gofsnotify/fsnotify, a separate implementation Matsumoto said he created after losing access to the original org, as something to monitor.

The chaotic way this incident unraveled shows the practical cost of governance ambiguity. Even without evidence of malicious code, a sudden change in who controls a dependency can send downstream users into verification mode.

"Dependencies like fsnotify are 'low' enough in the stack to be 'forgotten' about," Docker principal software engineer Sebastiaan van Stijn, a maintainer of Moby, containerd, and runc, commented on the thread. "Supply-chain attacks are a reality, and dependabot makes it very easy for projects to 'just update a dependency' without giving it much thought."

The early stages of a real supply chain compromise and the early stages of a maintainer dispute can look similar from the outside. Both can involve unexpected releases, unclear authority, changes in access, and contradictory public claims.

In xz-utils, the concern was malicious code introduced through a long-running social engineering effort. Maintainers are still shell-shocked from that incident, and users now treat unusual maintainer activity in critical dependencies with more suspicion than they might have a few years ago.

The underlying security issue with fsnotify is that users had limited visibility into how maintainer authority was assigned, removed, or reviewed.

For widely used open source packages, maintainer access stops being an internal matter when users can’t tell who actually controls the release pipeline. The fsnotify incident shows how little ambiguity it takes to set off that review. One access-control dispute in a low-level dependency sent users checking release history, watching forks, and asking whether routine updates were still safe. Clearer project roles and release authority will not prevent every dispute, but they would make access-control changes easier to verify before speculation fills the gap.