Very elaborated social media hijack or the beginning of the end.
Looks real, dude from npm seems to fully embrace the memecoin.
A bsky post explaining how it works. Stay sharp, don't let your friends sink their communities with this, money is tight everywhere.
https://bsky.app/profile/kelseyhightower.com/post/3mcqdwot5ss2t
From all the "Supply chain attacks" scenarios, the creator of the damn thing going completely nuts on Crypto/AI was never even a concern, lol.
Is the creator of npm running a crypto grift, or is it another hijacked/fake account?
🇵🇸 @small-tech/cross-platform-hostname module deprecated
https://www.npmjs.com/package/@small-tech/cross-platform-hostname
The release of version 1.1.0 deprecates and removes support for this small module that normalised hostname reporting between Linux/macOS and Windows.
We no longer support Windows as Microsoft is complicit in Israel’s genocide of the Palestinian people¹ and Small Technology Foundation² stands in solidarity with the Boycott, Divestment, and Sanctions (BDS) movement³.
Windows is an ad-infested and surveillance-ridden dumpster fire of an operating system and, alongside supporting genocide, you are putting both yourself and others at risk by using it.
When supporting Linux/macOS, just use the built-in os.hostname() which works the same way on both platforms.
¹ https://www.bdsmovement.net/microsoft
² https://small-tech.org/
³ https://www.bdsmovement.net/
#SmallTechnologyFoundation #crossPlatformHostname #npm #module #deprecation #BDS #Microsoft #Windows #NodeJS #web #dev #FOSS #SmallTech #SmallWeb #israel #genocide #Gaza #Palestine #FreePalestine #techIsPolitical #codeIsPolitical
👍 Zbyszek Tenerowicz: Watch me run malware from NPM | CONFidence
Web dependencies are broken. Can we fix them?
Dear JS ecosystem, I love you, but you have a dependency management problem when it comes to the Web, and the time has come for an intervention.
— by @leaverou
🤷 https://lea.verou.me/blog/2026/web-deps/
#webdev #frontend #npm #javascript #js #fixthem #dependencies #frontend #dev #fixit #broken #web
NPM to implement staged publishing after turbulent shift off classic tokens
https://socket.dev/blog/npm-to-implement-staged-publishing
#HackerNews #NPM #Staged #Publishing #NPM #Tokens #Software #Development #Open #Source #Technology #News
Caught a bug over the holidays so I’m mostly resting, feeling sorry for myself, and taking the time to at least carry out some mindless housekeeping tasks (updating dependencies, etc.) on some of my Node modules.
Released updates to the following packages yesterday:
Tape-based Node.js testing:
• Tap monkey (https://codeberg.org/small-tech/tap-monkey)
• tap-out (https://codeberg.org/small-tech/tap-out)
• esm-tape-runner (no changes; just migrated to Codeberg: https://codeberg.org/small-tech/esm-tape-runner)
Let’s Encrypt:
• Node Pebble (https://codeberg.org/small-tech/node-pebble)
Enjoy! 💕
#NodeJS #SmallTech #tape #testing #tapMonkey #tapOut #esmTapeRunner #LetsEncrypt #NodePebble #npm #modules
Ez FFmpeg – Video editing in plain English
#HackerNews #EzFFmpeg #VideoEditing #VideoEditingTools #NPM #JavaScript #TechNews
NPM Package with 56K Downloads Caught Stealing WhatsApp Messages
https://www.koi.ai/blog/npm-package-with-56k-downloads-malware-stealing-whatsapp-messages
#HackerNews #NPM #Malware #WhatsApp #Security #Downloads #56K
Is it just me, or is #npm's trusted publishing unnecessarily rigid? Only one workflow filename allowed per package. It's like they never imagined a project having multiple release branches or evolving CI structures. Moving from build.yaml to publish.yaml shouldn't be this annoying. 😩
🤖 STOP the AI bots that scrape your data! ✋
Instead of fighting with dozens of robots.txt files (hello WordPress & Gitea), we go on the offensive centrally. 🛡️
We block GPTBot, ClaudeBot and the rest right at the door, at the level of our dear NGINX Proxy Manager!
It's cleaner, more efficient, and our CPU is happier for it. 😉
👉 The full method, with the .conf file to create: https://wiki.blablalinux.be/fr/blocage-robots-ia-nginx-proxy-manager
Thinking of switching to #Proton as #Bitwarden has more and more stupid bugs that indicate a lack of any QA process. Seriously undermining my confidence that they won't be breached soon; especially with their giant #NPM graph.
Now I see they are using LLMs to write code (https://github.com/bitwarden/clients/blob/main/.claude/CLAUDE.md). That I know this is of course a benefit of #opensource but it's not really something I want to see in my password manager.
A sophisticated, worm-like malware is spreading through npm packages. It steals GitHub, cloud, and npm credentials, then uses them to infect all packages maintained by a compromised developer and exfiltrate data.
The malware has a dead man's switch. If it loses access to its command servers, it triggers a destructive payload that attempts to delete user files on the infected system. Do not abruptly cut off infected machines.
https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack
These sorts of NPM worms have been around for a LONG time.
It's typically due to a common practice of low 2FA opt-in on NPM accounts.
So be sure to set up NPM 2FA if you're a package maintainer; do that ASAP!
A lesser-known NPM capability is that you can disable install-time scripts. This may break some packages, but it's worth a try to see if your projects can work without any install scripts. 👇🏿
https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability
Just finished writing another tool, now I can see NINE known compromised packages are still up for download on NPM! ⚠️
This tool crawls the list of known bad packages and downloads the latest bundle.
It then runs my other checks against the downloaded bundle and logs the results.
https://github.com/datapartyjs/walk-without-rhythm
#WalkWithoutRhythm #Sha1Hulud #NPM #GitHub #Microsoft #nodejs #javascript #cybersecurity #devlog #bash
I was able to track down 3 out of the remaining 5 affected packages and posted bug reports & security alerts to those developers I located.
Sure would be nice if NPM and GitHub did this automatically.... kinda feel like I've done an awful lot of free labor for Microsoft this week.
https://github.com/datapartyjs/walk-without-rhythm/issues/13
Just checked back on the Sha1-Hulud virus/worm. FINALLY npm appears free of obviously infected packages.
I still however am seeing infected machines posting their private data publicly on GitHub.
Not only that, I can see infected developers' GitHub repos being defaced in real time.
These Microsoft-owned platforms seem to be really struggling with stopping this worm.
Query for defaced repos 👇🏿
https://github.com/search?q=api.airforce&type=repositories&s=updated&o=desc
#NPM #microsoft #github #Sha1Hulud #WalkWithoutRhythm #cybersecurity