
Socket Has Acquired Secure Annex

Socket has acquired Secure Annex to expand extension security across browsers, IDEs, and AI tools.

Feross Aboukhadijeh

April 28, 2026


Today I'm excited to share that Socket has acquired Secure Annex, the extension security company founded by John Tuckner. John is joining Socket, and we’re excited to have him here.

John has spent the last year doing some of the sharpest work anywhere on extension security, building Secure Annex into a product that security teams at Reddit, Brave, Torq, and Movable Ink depend on. He did it as a solo founder, which makes what he shipped even more impressive. The research he's published on compromised browser extensions has pushed this conversation forward in a way few others have.

This is our second acquisition in 12 months, following Coana last year, which brought reachability analysis into the platform. Secure Annex extends our coverage beyond package managers to the software people install with one click through extensions, AI tools, and other surfaces, often with little review.

Moving Protection Closer to the Point of Install

The pace of supply chain attacks right now is relentless. Over the past week alone, Socket published findings on compromises affecting npm packages, Docker images, VS Code releases, GitHub Actions, and Open VSX sleeper extensions. The line between ecosystems is getting thinner, with attackers moving across packages, extensions, containers, CI/CD, and AI-adjacent tooling in rapid succession.

Acquiring Secure Annex is part of a bigger product direction for Socket: moving protection closer to the point of install across the software that enters an organization through developers, AI agents, and automated workflows. Socket Firewall already blocks malicious packages before they reach a developer’s environment, and we will soon extend that same protection to more browser and code editor extensions, MCP servers, and AI tools.

What Happens Next

To Secure Annex customers: we're excited to support you. Pricing stays the same. The features you use today will continue to work as we migrate and reach parity inside Socket. There will be no gap in coverage during that process. Over time, these capabilities will be rolled more fully into Socket, and we'll keep you updated as that happens.

For Socket customers, this will strengthen the extension coverage we already have and broaden the range of tools we can protect. Expect us to move fast here. We’re going to keep investing in the places where the software supply chain is under attack to protect the open source ecosystem.
