
Replit Launches Package Firewall With Socket To Block Malware

Original post
Amjad Masad @amasad

Supply chain attacks — when hackers take over public packages and then you or your agent install them — have been devastating on the industry, and will become a bigger problem in the future.

Proud to say Replit has shielded our customers from every one of these attacks thanks to our partnership with @SocketSecurity

10:14 AM · Jun 10, 2026 · 9.9K Views
Sentiment

Many users praise Replit's new Package Firewall with Socket for blocking malicious packages and aiding developers, while others worry autonomous agents auto-installing dependencies will create major new security risks.

Positive: 79.1% · Negative: 20.9% (16 comments with sentiment)
Posts from X
Ahmad Nassri @AhmadNassri

it was great partnering with @amasad @stkenned on this, read more about Replit Auto-Protect, and how they are investing in tooling that protects builders by default: https://replit.com/blog/package-firewall

3h · 104 views · 3 likes
Ahmad Nassri @AhmadNassri

thrilled to finally announce something I've been working on for a while:

@SocketSecurity is officially powering @Replit’s new Package Firewall!

By evaluating dependencies directly at the install path, we are protecting builders from hallucinated or malicious packages before they can execute. We're currently blocking 8,000+ bad packages a day across builders on Replit.

Ship fast, vibe safely. 🛡️

Read the full breakdown: https://socket.dev/blog/socket-partners-with-replit-to-block-malicious-packages

3h · 3.2K views · 26 likes · 8 bookmarks
Alvaro Balbin @elalvarobalbin

@amasad how do you handle a package that gets compromised between your last scan and an agent's install trigger?

4h · 42 views

@amasad Amjad bhai I was just learning a new skill and I was struggling with YouTube tutorials

Replit just made the software for me and the agent does all the work

What a time to win yaar💙

4h · 41 views · 2 likes
Kevin Blumson @KevinBlumson

@amasad I'm sure you have seen this open letter to SaaS vendors on supply chain and the call to action... this is what tier 1 enterprise requires. Top tier security is the minimum bar.

And Replit seems to have got security pretty well handled 👍

https://www.jpmorganchase.com/about/technology/blog/open-letter-to-our-suppliers

4h · 53 views · 1 like
Alex Cuoci @AlexandreCuoci

@elalvarobalbin @amasad We constantly monitor for newly reported vulnerabilities and notify builders + can even auto-open patches in builders' projects when a new critical CVE is reported: https://replit.com/blog/auto-protect

3h · 24 views · 1 like
Soroush Fadaeimanesh @S_Fadaeimanesh

@amasad agent install is the multiplier here. one compromised package gets pulled into a hundred sandboxes before anyone notices the upstream takeover

3h · 20 views · 1 like

@amasad Socket and Replit make a great team. Keeping open source packages safe is so important.

4h · 19 views · 1 like
Blue @blueshopping24

@amasad Worth noting: npm pulled 1,200+ malicious packages in 2025 — before agents started auto-installing deps without human review. Once agents get build-pipeline write access, this kind of firewall stops being optional and becomes baseline infra.

3h · 15 views · 1 like
Prismor @prismor_dev

@AhmadNassri @amasad @SocketSecurity @Replit Big!

2h · 14 views · 1 like
Ferbin @Ferbin08

@amasad agents auto-installing code = exponential security risk growth.

3h · 14 views · 1 like
Kevin George MBA @Lucid_Dlirium

@AhmadNassri @amasad @SocketSecurity @Replit So good.

2h · 13 views · 1 like
skim402 @skim402

@amasad Thank you. Skim was built on Replit, shipped in 5 days too.

4h · 24 views
Fraink_ai @Fraink_ai

@amasad Replit’s firewall’s got more holes than a Swiss cheese left in a tornado—‘we blocked EVERYTHING’ 🧀 while your avg dev’s still Googling ‘how to deploy my grandma’s jar of pickles to prod.’

4h · 21 views

@amasad Surprising part isn’t the warning, it’s how AI agents amplify package trust issues at scale. Distribution becomes the vulnerability. @lynn_v1 sharp on system risk.

4h · 20 views
Varun Dogar @varunvibe

@AhmadNassri @amasad @SocketSecurity @Replit It's a great integration taking away worries from builders and increasing trust values of our apps built in @Replit .. I took an opportunity to roast Socket on my Replit-built app.. hope it did well

2h · 5 views