https://github.com/betterleaks/betterleaks
Let's hope the defunding of medical research can stop so this can become true
The chalk/debug one https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com... I believe socket also found it this way just a bit later. The dev later said that Charlie notifying him probably shaved off some very…
Hmm, sure, I can agree that the position is extremist, I still don't agree that 1 (or some) extremist positions makes the current people in power extremist. Or at least, maybe they are, but I think most of the…
Not really, app sec companies scan npm constantly for updated packages to check for malware. Many attacks get caught that way. e.g. the debug + chalk supply chain attack was caught like this:…
Again, I disagree, I wouldn't call it extremist. It's vile and wrong, but people all over the political spectrum are in favour of this. there's a difference between something being bad or self-serving, and something…
There's multiple security firms by now that constantly scan updated npm packages for malware. Obviously those companies can only do this after a new package has been published. Npm could add this as an automated step…
or maybe let's not? their actions are clearly not extremist, absolutely not perfect and not always equally democratic, but not extremist or violent like the actual extremists...
on the other hand, the previous supply chain attack was found by automated tech. Also, if MS would be so kind as to just run similar scans at the time a package is updated instead of after the package is updated (which…
Yes to the you guys can detect it in my codebase, but it's generally not required for someone to report a compromised package, we do also discover them ourselves quite fast due to automated scans of npm package updates.…
I'm so sick of people saying this. If you use js for any non-tiny project, you'll have a bunch of packages. Due to how modules work in js, you'll have many, many sub dependencies. Nobody has time to review every package…
https://circleid.com/posts/chat-control-proposal-advances-de... https://fightchatcontrol.eu/ https://european-pirateparty.eu/chatcontrol-eu-ministers-wan...
unphishable 2fa would have prevented this specific case tho... what are you talking about?
the company that first found this vulnerability also has a tool for this https://www.npmjs.com/package/@aikidosec/safe-chain
I think it's quite good, there's a sense of urgency, but it's also not "immediately change it!" they gave more than a day, and stated that it would be a temporary lock. Feel like this one really hit the spot on that…
https://github.com/betterleaks/betterleaks
Let's hope the defunding of medical research can stop so this can become true
The chalk/debug one https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com... I believe socket also found it this way just a bit later. The dev later said that Charlie notifying him probably shaved off some very…
Hmm, sure, I can agree that the position is extremist, I still don't agree that 1 (or some) extremist positions makes the current people in power extremist. Or at least, maybe they are, but I think most of the…
Not really, app sec companies scan npm constantly for updated packages to check for malware. Many attacks get caught that way. e.g. the debug + chalk supply chain attack was caught like this:…
Again, I disagree, I wouldn't call it extremist. It's vile and wrong, but people all over the political spectrum are in favour of this. there's a difference between something being bad or self-serving, and something…
There's multiple security firms by now that constantly scan updated npm packages for malware. Obviously those companies can only do this after a new package has been published. Npm could add this as an automated step…
or maybe let's not? their actions are clearly not extremist, absolutely not perfect and not always equally democratic, but not extremist or violent like the actual extremists...
on the other hand, the previous supply chain attack was found by automated tech. Also, if MS would be so kind as to just run similar scans at the time a package is updated instead of after the package is updated (which…
Yes to the you guys can detect it in my codebase, but it's generally not required for someone to report a compromised package, we do also discover them ourselves quite fast due to automated scans of npm package updates.…
I'm so sick of people saying this. If you use js for any non-tiny project, you'll have a bunch of packages. Due to how modules work in js, you'll have many, many sub dependencies. Nobody has time to review every package…
https://circleid.com/posts/chat-control-proposal-advances-de... https://fightchatcontrol.eu/ https://european-pirateparty.eu/chatcontrol-eu-ministers-wan...
unphishable 2fa would have prevented this specific case tho... what are you talking about?
the company that first found this vulnerability also has a tool for this https://www.npmjs.com/package/@aikidosec/safe-chain
I think it's quite good, there's a sense of urgency, but it's also not "immediately change it!" they gave more than a day, and stated that it would be a temporary lock. Feel like this one really hit the spot on that…