"When we started, we were very focused on application dependencies, your JavaScript, your Python, your Java and Secure Annex started from the extension perspective," Feross Aboukhadijeh, founder and CEO of Socket, told ISMG.
Why Socket purchased Secure Annex
Socket, a San Francisco-based company, has purchased Secure Annex, a Kansas City-area extension security startup founded in November 2024. The acquisition is framed as a strategic move to broaden visibility and control across the software development life cycle by pairing Socket's existing focus on application dependencies — open-source libraries and packages — with Secure Annex's specialization in browser and integrated development environment (IDE) extensions.
Aboukhadijeh described modern development as a continuous chain that now includes code editors, artificial intelligence assistants, third-party packages and extensions. Bringing the two companies' capabilities together, he said, "gives us really good coverage across all the ecosystems that matter." The combined platform is intended to span dependencies, extensions and developer tools to give buyers a common view of third-party code and tools.
Secure Annex and John Tuckner
Secure Annex was formed in November 2024 and, according to the reporting, counts John Tuckner as its sole employee. Tuckner is a longtime security practitioner who spent more than four years at Tines, where he created a team focused on security automation research. His prior roles include leading customer success engineering at Cyderes, serving as a principal solutions engineer at Optiv, working as an information security architect at Apria Healthcare and as a security infrastructure engineer at H&R Block.
Tuckner told ISMG he started Secure Annex to address browser extension security, a niche problem he sees the larger security vendors as not addressing. He said he views the integration with Socket as a way to tie extension-level telemetry and controls to insight about package repositories such as npm.
AI, MCP servers, and a widening supply-chain surface
Both executives singled out artificial intelligence as a driver of change in the software supply chain. Aboukhadijeh said AI enables automated analysis at a scale that was previously impossible, improving the ability to identify malicious packages and suspicious behavior. Tuckner described AI as changing who participates in software development, saying "it's turned everybody into a citizen developer" and that nontraditional contributors are gaining access to sensitive credentials.
Tuckner also pointed to the emergence of MCP servers — which he said have blurred the line between developer tools and consumer applications — as an area of new risk. He noted that MCP servers, code extensions and "AI skills" that have appeared over the past year increase complexity and surface area. Where previously repositories such as npm were the primary concern, attacks are now targeting Docker images, browser extensions and developer tools, he said, making the supply-chain problem "much bigger."
Why browser and IDE extensions matter
The reporting highlights that browser and IDE extensions are often trusted by default yet can have deep access to sensitive data and workflows. Marketplaces for extensions, the article notes, have historically been slow to detect and respond to malicious activity. Secure Annex's focus, as framed by Tuckner, is on endpoint controls: controlling what gets installed and executed on developers' laptops, including pre-installation controls to block or vet extensions before deployment.
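Pre-installation vetting of the kind described above can begin with the extension's own manifest, before anything is unpacked or run. The script below is an added example written for this page, not code from Secure Annex or Socket: the permission risk table, the allow/review/block thresholds and the two sample manifests are this editor's assumptions, constructed for illustration, and the update_url check is a heuristic rather than a store rule.

```python
"""Pre-install vetting of a browser extension manifest.json (added example)."""
import json

# Permissions that grant broad access to user data or to the endpoint itself.
# Risk labels are this example's assumptions, not a vendor's scoring.
HIGH_RISK_PERMISSIONS = {
    "cookies": "read session cookies for permitted origins",
    "webRequest": "observe every network request the browser makes",
    "webRequestBlocking": "intercept and rewrite network requests",
    "tabs": "enumerate open tabs and their URLs",
    "history": "read browsing history",
    "scripting": "inject scripts into pages",
    "clipboardRead": "read the clipboard (wallet seeds, passwords)",
    "nativeMessaging": "talk to a native process on the endpoint",
    "debugger": "attach the DevTools debugger to any page",
    "management": "disable or uninstall other extensions",
    "proxy": "route all traffic through a chosen proxy",
}
# Any of these alone is enough to block; the data-reading permissions below
# are blocked only when paired with host access to every origin.
BLOCK_ALONE = {"nativeMessaging", "debugger", "management", "proxy"}
BLOCK_WITH_BROAD_HOST = {"cookies", "webRequest", "webRequestBlocking", "scripting", "tabs"}


def is_broad_host(pattern: str) -> bool:
    """True for match patterns covering every origin: "<all_urls>", "*://*/*", "https://*/*"."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host == "*"


def vet_manifest(manifest: dict) -> dict:
    """Return findings and an allow/review/block verdict for one parsed manifest."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    for p in sorted(perms & HIGH_RISK_PERMISSIONS.keys()):
        findings.append(f"permission {p}: {HIGH_RISK_PERMISSIONS[p]}")
    broad = sorted(h for h in hosts if is_broad_host(h))
    for h in broad:
        findings.append(f"host pattern {h}: access to all origins")
    # Content scripts injected on every site are host access by another name.
    for cs in manifest.get("content_scripts", []):
        for m in cs.get("matches", []):
            if is_broad_host(m):
                findings.append(f"content script runs on {m}")
                broad.append(m)
    # Heuristic: an update channel outside the Chrome Web Store means the
    # publisher, not the store, decides what the next version contains.
    update_url = manifest.get("update_url", "")
    if update_url and not update_url.startswith("https://clients2.google.com/"):
        findings.append(f"update_url {update_url}: publisher controls future versions")

    if perms & BLOCK_ALONE or (broad and perms & BLOCK_WITH_BROAD_HOST):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "verdict": verdict, "findings": findings}


def vet_manifest_json(text: str) -> dict:
    """Convenience wrapper for a raw manifest.json string."""
    return vet_manifest(json.loads(text))


# Constructed sample manifests for illustration; these are not real extensions.
BENIGN_MANIFEST = {
    "manifest_version": 3, "name": "Tab Notes", "version": "1.0.2",
    "permissions": ["storage", "activeTab"],
}
RISKY_MANIFEST = {
    "manifest_version": 3, "name": "Wallet Helper", "version": "2.4.0",
    "permissions": ["cookies", "webRequest", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
    "update_url": "https://updates.example.net/crx",
}

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, RISKY_MANIFEST):
        r = vet_manifest(m)
        print(f"{r['name']} {r['version']}: {r['verdict']}")
        for f in r["findings"]:
            print("  -", f)
```

A gate like this catches the combination that matters most for the wallet-draining case the article mentions (cookie or request access on every origin), but it only sees declared capability, not behaviour; a manifest-level block or review decision should feed into, not replace, the runtime telemetry the two companies describe.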
Tuckner offered a concrete example: a browser extension that compromised crypto wallets and began with an npm attack. He said investigating the extension required information about the npm space, underscoring the value of tying extension telemetry and package intelligence together in a single platform.
What this means for technologists, enterprises, and end users
- Technologists and security teams: The combined platform aims to deliver a unified view across code repositories, extensions and endpoint-installed tools, addressing a gap where application security and IT security responsibilities overlap. According to Aboukhadijeh, buyers increasingly want "a common view of what third-party code and tools are being introduced, where they're running, what they're doing and whether they're safe to use."
- Enterprises and procurement leaders: The deal signals an approach that emphasizes pre-installation controls and policy enforcement for extensions and developer tools — controls that procurement and IT teams will need to integrate into developer workflows, especially as developers use local AI assistants and installed applications.
- End users and citizen developers: Tuckner warned that AI-driven participation in development has broadened the set of people introducing code and tools into environments, often without deep security knowledge. That increases the chance that sensitive credentials and workflows could be exposed through seemingly benign extensions and local tools.
The acquisition stitches together two fragments of the supply-chain problem — package dependencies and endpoint extensions — into a single visibility and control claim. Socket and Secure Annex frame the move as a response to a more diversified attack surface driven by extensions, developer tools and AI-enabled contributors. How effectively the combined platform can deliver the pre-installation controls, telemetry and policy enforcement they describe remains the concrete test ahead.