det.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server of Unterhaltungsfernsehen Ehrenfeld for decentralized discourse.


#npm

6 posts · 5 participants · 2 posts today
𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕<p>»npm as a security risk — why attacks are increasing and how to prevent them:<br>npm remains vulnerable to supply-chain attacks. Why is that, what are npm and GitHub doing about it, and how can you protect your own projects?«</p><p>Personally I'm no fan of JavaScript, but I use it for web applications. Yes, it is laborious to review the libs and their dependencies, and unfortunately that doesn't stop hackers either.</p><p>🔧 <a href="https://www.heise.de/blog/npm-als-Sicherheitsrisiko-Warum-Angriffe-zunehmen-und-wie-man-vorbeugen-kann-10590859.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">heise.de/blog/npm-als-Sicherhe</span><span class="invisible">itsrisiko-Warum-Angriffe-zunehmen-und-wie-man-vorbeugen-kann-10590859.html</span></a></p><p><a href="https://chaos.social/tags/webdev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>webdev</span></a> <a href="https://chaos.social/tags/npm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>npm</span></a> <a href="https://chaos.social/tags/javascript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>javascript</span></a> <a href="https://chaos.social/tags/typescript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>typescript</span></a> <a href="https://chaos.social/tags/js" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>js</span></a> <a href="https://chaos.social/tags/ts" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ts</span></a> <a href="https://chaos.social/tags/supplychain" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>supplychain</span></a> <a href="https://chaos.social/tags/sec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sec</span></a></p>
Kevin Karhan :verified:<p><span class="h-card" translate="no"><a href="https://mastodon.social/@michalfita" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>michalfita</span></a></span> <span class="h-card" translate="no"><a href="https://ieji.de/@anselmschueler" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>anselmschueler</span></a></span> <span class="h-card" translate="no"><a href="https://oldbytes.space/@renormalist" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>renormalist</span></a></span> <span class="h-card" translate="no"><a href="https://mkultra.x27.one/@aliceif" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>aliceif</span></a></span> <span class="h-card" translate="no"><a href="https://c.im/@bill88t" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>bill88t</span></a></span> <span class="h-card" translate="no"><a href="https://mstdn.social/@BrodieOnLinux" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>BrodieOnLinux</span></a></span> <span class="h-card" translate="no"><a href="https://social.treehouse.systems/@AsahiLinux" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>AsahiLinux</span></a></span> <span class="h-card" translate="no"><a href="https://mstdn.jp/@landley" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>landley</span></a></span> </p><p>Yeah the extensive dependency on <a href="https://infosec.space/tags/Cargo" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cargo</span></a> and <em>poorly declared or undeclared dependencies</em> ain't a failure of <a href="https://infosec.space/tags/Rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Rust</span></a> <em>entirely</em>...</p><ul><li>Rather it's 99% the blame of <a href="https://infosec.space/tags/developers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>developers</span></a> and 1% the blame of Rust for normalizing this Internet-centric setup, which had been introduced with even worse systems like <a href="https://infosec.space/tags/pip" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>pip</span></a> and <a href="https://infosec.space/tags/npm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>npm</span></a> but that's beyond the scope of my criticism.</li></ul><p>Point is I want to develop <span class="h-card" translate="no"><a href="https://infosec.space/@OS1337" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>OS1337</span></a></span> into a minimalist <a href="https://infosec.space/tags/toybox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>toybox</span></a> + <a href="https://infosec.space/tags/musl" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>musl</span></a> / <a href="https://infosec.space/tags/linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>linux</span></a> distro which excels with <a href="https://infosec.space/tags/minimalism" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>minimalism</span></a> and <a href="https://infosec.space/tags/Reproduceability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Reproduceability</span></a> of everything.</p><ul><li>This does make things more convoluted since it basically means that every application <em>needs to be its own, self-contained &amp; statically linked binary</em>, but alas this is more of an edge-case than the norm.</li></ul>
Lovell Fuller<p>🔒 If you publish packages to the npm registry and haven't already seen its new Trusted Publisher feature, please do take a look at <a href="https://docs.npmjs.com/trusted-publishers" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">docs.npmjs.com/trusted-publish</span><span class="invisible">ers</span></a></p><p>🎟️ It uses short-lived OIDC tokens to allow CI-based automation of signed publish-with-provenance.</p><p>📈 According to <a href="https://github.com/sxzz/npm-top-provenance" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/sxzz/npm-top-proven</span><span class="invisible">ance</span></a> I maintain 6 of the top 50 packages that use this feature, and those 6 packages combined have over 600 million downloads each month!</p><p><a href="https://mastodon.social/tags/OpenSource" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenSource</span></a> <a href="https://mastodon.social/tags/NodeJS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NodeJS</span></a> <a href="https://mastodon.social/tags/npm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>npm</span></a></p>
Frontend Dogma<p>Which npm Package Has the Largest Version Number?, by (not on Mastodon or Bluesky):</p><p><a href="https://adamhl.dev/blog/largest-number-in-npm-package/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">adamhl.dev/blog/largest-number</span><span class="invisible">-in-npm-package/</span></a></p><p><a href="https://mas.to/tags/npm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>npm</span></a> <a href="https://mas.to/tags/dependencies" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dependencies</span></a> <a href="https://mas.to/tags/versioning" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>versioning</span></a> <a href="https://mas.to/tags/semver" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>semver</span></a></p>
Frontend Dogma<p>Mastering npx: A Cheatsheet for npm and Node.js Power Users, by (not on Mastodon or Bluesky):</p><p><a href="https://web.archive.org/web/20251003185515/https://www.nodejs-security.com/blog/mastering-npx-cheatsheet-npm-nodejs-power-users" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">web.archive.org/web/2025100318</span><span class="invisible">5515/https://www.nodejs-security.com/blog/mastering-npx-cheatsheet-npm-nodejs-power-users</span></a></p><p><a href="https://mas.to/tags/npx" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>npx</span></a> <a href="https://mas.to/tags/cheatsheets" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cheatsheets</span></a> <a href="https://mas.to/tags/examples" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>examples</span></a> <a href="https://mas.to/tags/nodejs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nodejs</span></a> <a href="https://mas.to/tags/npm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>npm</span></a></p>
AA<p>Socket Podcast: Inside the Recent npm Supply Chain Attacks <a href="https://socket.dev/blog/podrocket-podcast-npm-supply-chain-attacks" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">socket.dev/blog/podrocket-podc</span><span class="invisible">ast-npm-supply-chain-attacks</span></a> <span class="h-card" translate="no"><a href="https://fosstodon.org/@SocketSecurity" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>SocketSecurity</span></a></span> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/npm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>npm</span></a> <a href="https://infosec.exchange/tags/JavaScript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JavaScript</span></a></p>
Frontend Dogma<p>How Deno Protects Against npm Exploits, by <span class="h-card" translate="no"><a href="https://fosstodon.org/@deno_land" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>deno_land</span></a></span>:</p><p><a href="https://deno.com/blog/deno-protects-npm-exploits" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">deno.com/blog/deno-protects-np</span><span class="invisible">m-exploits</span></a></p><p><a href="https://mas.to/tags/deno" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>deno</span></a> <a href="https://mas.to/tags/npm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>npm</span></a> <a href="https://mas.to/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a></p>
Frontend Dogma<p>npm Security Best Practices, by (not on Mastodon or Bluesky):</p><p><a href="https://github.com/bodadotsh/npm-security-best-practices" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/bodadotsh/npm-secur</span><span class="invisible">ity-best-practices</span></a></p><p><a href="https://mas.to/tags/npm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>npm</span></a> <a href="https://mas.to/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://mas.to/tags/provenance" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>provenance</span></a> <a href="https://mas.to/tags/bestpractices" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bestpractices</span></a></p>
⚯ Michel de Cryptadamus ⚯<p>CEO of <a href="https://universeodon.com/tags/Vercel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vercel</span></a> (an app deployment platform beloved by vibe coders) posted a selfie of himself with <a href="https://universeodon.com/tags/Netanyahu" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Netanyahu</span></a> and within 24 hours a bunch of his top engineers have quit and thousands of customers are fleeing the platform.</p><p>sad!</p><p>(making things even worse for him is probably the fact that the CEO of one of his biggest competitors <a href="https://universeodon.com/tags/Replit" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Replit</span></a> is a <a href="https://universeodon.com/tags/palestinian" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>palestinian</span></a> american who went on <a href="https://universeodon.com/tags/JoeRogan" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JoeRogan</span></a> to talk about the situation in gaza)<br><a href="https://x.com/rauchg/status/1972669025525158031" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">x.com/rauchg/status/1972669025</span><span class="invisible">525158031</span></a></p><p><a href="https://universeodon.com/tags/Israel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Israel</span></a> <a href="https://universeodon.com/tags/palestine" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>palestine</span></a> <a href="https://universeodon.com/tags/gaza" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>gaza</span></a> <a href="https://universeodon.com/tags/GuillermoRauch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GuillermoRauch</span></a> <a href="https://universeodon.com/tags/uspol" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>uspol</span></a> <a href="https://universeodon.com/tags/uspolitics" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>uspolitics</span></a> <a href="https://universeodon.com/tags/javascript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>javascript</span></a> <a href="https://universeodon.com/tags/typescript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>typescript</span></a> <a href="https://universeodon.com/tags/app" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>app</span></a> <a href="https://universeodon.com/tags/apps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>apps</span></a> <a href="https://universeodon.com/tags/node" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>node</span></a> <a href="https://universeodon.com/tags/nodejs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nodejs</span></a> <a href="https://universeodon.com/tags/npm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>npm</span></a> <a href="https://universeodon.com/tags/vibecoding" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vibecoding</span></a> <a href="https://universeodon.com/tags/vibecoders" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vibecoders</span></a> <a href="https://universeodon.com/tags/supabase" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>supabase</span></a></p>
Sebastian Cohnen<p><a href="https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/#looking-ahead-trusted-publishers" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.blog/changelog/2025-09-</span><span class="invisible">29-strengthening-npm-security-important-changes-to-authentication-and-token-management/#looking-ahead-trusted-publishers</span></a></p><p>While I do think that “Trusted Publishing” using OIDC is a good idea in general, not allowing custom OIDC providers to be configured is kind of a problem. RubyGems for example only supports GitHub and Buildkite.</p><p><a href="https://ruby.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://ruby.social/tags/npm" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>npm</span></a> <a href="https://ruby.social/tags/rubygems" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rubygems</span></a></p>

#NPM #Package caught using #QR #Code to fetch #Malware

Newly discovered npm package 'fezbox' employs QR codes to retrieve cookie-stealing malware from the threat actor's server. The package, masquerading as a utility library, leverages this innovative steganographic technique to harvest sensitive data from a compromised machine.

socket.dev/blog/malicious-fezb


📋 Roadmap includes expanded theme design options for styling different applications

🛠️ Config management planned for #Waybar, #Omarchy, and other applications

💻 Full development setup available with #npm install and #Tauri development commands

🔄 Built for #opensource community with #MIT license and welcoming contributions

🌐 github.com/tahayvr/omarchist

GitHub - tahayvr/omarchist: A GUI app for Omarchy.

There is a fair amount of conversation about #SupplyChainSecurity given the recent incidents with #NPM, but it seems something even more dramatic is going on in the #Ruby ecosystem, where #DHH's support for right-wing extremists is a central part of the story, as is how shaky the finances of core Ruby infrastructure are.

What a shitshow, and a warning to the ecosystems of other languages.

joel.drapper.me/p/rubygems-tak

Shopify, pulling strings at Ruby Central, forces Bundler and RubyGems takeover: Ruby Central recently took over a collection of open source projects from their maintainers without their consent.

Shai-Hulud attack highlights weaknesses in open-source security

Open source is the backbone of digital infrastructure, yet the recent Shai-Hulud attack reveals how fragile its supply chain actually is. The JFrog Security Research Team has identified 164 compromised npm packages in 338 versions that were designed to siphon credentials from developer machines and CI/CD environments. Affected were tokens for AWS, GCP, GitHub and npm, which were exfiltrated to attacker-controlled GitHub repositories.

#Authentifizierung #Cybersecurity #Cybersicherheit #GitHub
@JFrogSecurity
#Lieferkette #NPM #npmAngriff #OpenSource #ShaiHuludAngriff #ZeroTrust
@JFrog

netzpalaver.de/2025/09/24/shai