Socket Acquires Secure Annex to Expand Extension Security Across Browsers and Developer Tools
Founder John Tuckner, the company’s sole employee, joins Socket as it broadens its platform across another part of the software supply chain
“More of the software people rely on every day now comes in through extensions and AI tools, not just packages. The tools are easy to install and trust, but also create blind spots for organizations.” — Feross Aboukhadijeh
SAN FRANCISCO, CA, UNITED STATES, April 28, 2026 /EINPresswire.com/ -- Socket today announced it has acquired Secure Annex, a security company founded by security professional John Tuckner. Tuckner is joining Socket as part of the acquisition.
Socket helps organizations identify and block malicious code in open source software before it reaches production. With Secure Annex, the company is expanding that work beyond packages into browser and editor extensions, MCP servers, AI skills, and other tools that increasingly shape how software gets built and used.
These tools are easy to install, update automatically, and often operate with broad access inside browsers, coding environments, and AI workflows. That has made them a growing blind spot for many organizations, even as they become more central to everyday work.
Secure Annex was built to help organizations monitor that layer more closely across both browser and editor extension ecosystems. Its technology gives companies better visibility into what is being installed, what is changing over time, and what could introduce security risk. The company has already worked with customers across consumer tech, security, fintech, and industrial software, including Reddit, Brave, Torq, and Movable Ink.
The deal builds on Socket’s extension scanning work and research findings on malicious extensions. Most recently, Socket identified 108 Chrome extensions linked to data theft and session hijacking, and 73 malicious Open VSX extensions linked to the GlassWorm campaign.
“More of the software people rely on every day now comes in through extensions and tools, not just packages,” said Feross Aboukhadijeh, founder and CEO of Socket. “Those tools are easy to install and easy to trust, but they can also create blind spots for organizations. John has done important work in this area, and bringing Secure Annex into Socket helps us cover more of the software organizations depend on every day.”
Tuckner founded Secure Annex after seeing how little visibility most organizations had into this part of their environment, even as it became more important. His research has focused on browser extensions, developer tools, and the ways attackers use updates and account changes to distribute malicious code at scale.
“I started Secure Annex after watching extensions become a major attack surface. Most organizations had no visibility into what they were installing,” said John Tuckner, founder of Secure Annex, who is joining Socket as part of the acquisition. “These issues are no longer just a developer problem or just an IT problem. Each compromise gives attackers a new way to move across organizations with ease. Socket understood that early, and joining the company gives this work a chance to become part of a broader solution.”
Today, Socket protects more than 14,000 organizations (including Anthropic, xAI, Replit, Cursor, Figma, Vercel, Gusto, Mercado Libre, and Cribl), 1.2 million code repositories, and 2 million commits every month. It helps prevent more than 1,000 supply chain attacks each week. With this acquisition, Socket is expanding its coverage across both open source packages and extensions, two areas that increasingly shape how software is built and used. This is the company’s second acquisition, following its 2025 acquisition of Coana to expand reachability analysis.
About Socket
Socket is a developer-first security platform that protects organizations from software supply chain attacks. By analyzing open source dependencies for malicious behavior, Socket helps teams identify and block threats before they reach production.
Sarah Gooding
Socket Inc
press@socket.dev

