Joachim Viide
@jviide.iki.fi
Reposted by Joachim Viide
Merriam-Webster’s human editors have chosen ‘slop’ as the 2025 Word of the Year.
December 15, 2025 at 2:07 PM
Last month was one of those years that feel like a decade.
December 15, 2025 at 10:35 AM
To recap, NPM allows 2FA TOTP token reuse within the token’s validity window.

I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.”

So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/
Seems that NPM too allows TOTP reuse within the time-step window. Seen a similar issue in multiple services over the years.

Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
December 12, 2025 at 1:08 PM
Reposted by Joachim Viide
Update on React Server Components CVE-2025-55182: over 165K IPs & 644K domains with vulnerable code found on 2025-12-08 after scan targeting improvements!

See: dashboard.shadowserver.org/statistics/c...

Check for compromise & patch!

Thank you to Validin & LeakIX for the collaboration!
December 9, 2025 at 4:24 PM
From the thread: "Attacks from bot compromised Next.js assets spiked on 2025-12-05 from the usual 100 IP baseline to close to a 1000."

If you're not 100% sure you're NOT vulnerable, you should patch your Next.js apps ASAP.

And if you're 100% sure... patch anyway.
Like others we are seeing attacks attempting to exploit React CVE-2025-55182 at scale, incl. botnet related activity. How successful have these attacks been? You can get a view here, where we track compromised host with Next.js attacking our sensors:
dashboard.shadowserver.org/statistics/h...
December 8, 2025 at 6:12 PM
I must go, my people need me.

(Nintendo Museum, Kyoto)
December 2, 2025 at 1:54 PM
Reposted by Joachim Viide
There are things I will not let go of, but I also don't want to become one of those permanently aggrieved people whose personality has been wholly replaced by three grudges in a trenchcoat.
December 1, 2025 at 12:43 AM
So I'm looking at the latest NPM package SNAFU described at www.aikido.dev/blog/shai-hu....

For example @zapier/zapier-sdk, with 2.6M weekly downloads, was compromised.

The Collaborators section on the package's NPM page lists over 300 accounts. www.npmjs.com/package/@zap...
The threat actors behind Shai Hulud has struck again, hitting Zapier and Ensdomains
A new variant of Shai Hulud has hit Zapier and Ensdomains
www.aikido.dev
November 24, 2025 at 2:39 PM
The most insightful thing I've read today, and just as true if one drops the “generated by LLM” part.

"We don't need more code [...], we need more people who care."
My first advice to junior contributors is to STOP using vibe coding for PRs. OSS is always about people more than about code. We don't need more code generated by LLM, we need more people who care.
November 10, 2025 at 1:56 PM
“We fed our horse and a competing jet engine hay for a week and then measured their hooves. The results will astound you.”

Web dev discourse in 2025.
October 14, 2025 at 3:46 PM
Also doubles as a visualization of how Preact Signals work!
NVIDIA and OpenAi:

Concerns that their “increasingly complex and interconnected web of business transactions is artificially propping up the trillion-dollar AI boom.”

@bloomberg.com $NVDA 👀
www.bloomberg.com/news/feature...
October 8, 2025 at 11:19 AM
Reposted by Joachim Viide
I am doing a survey of supply chain attacks, and it's annoying how 95% of the analysis is on payloads vs. compromise vectors.

Yes, you are a very smart reverser and that's a very clever payload. Yes, rolling out phishing-resistant auth is a slog. No, this is not how we make progress.

</rant>
October 1, 2025 at 3:29 PM
This was a very good read. It's also a good reminder to check our own NPM access token pages and maybe delete old lingering tokens.
September 17, 2025 at 8:01 PM
The year is 2225. Third Quarter of the Fiscal.

Once more, Coders assemble to present The NPM with their finest work. They celebrate as The NPM flags it all as malware.

No one knows who built The NPM, or why the Takedowning must be observed.

Yet all agree: to neglect it would invite disaster.
September 16, 2025 at 1:14 AM
A good post on how Go's tooling is just so nice: hachyderm.io/@laird/11519...

Other ecosystems can learn a lot from Go's approach to supply chain management, standard libraries, and so on.

For example, see @filippo.abyssdomain.expert's "How Go Mitigates Supply Chain Attacks" go.dev/blog/supply-...
Scott Laird (@laird@hachyderm.io)
It's refreshing using #golang's ecosystem after spending time with other languages' tooling. Over the past few years, things have become really slick. I'm not talking about the language itself; it's...
hachyderm.io
September 13, 2025 at 7:26 PM
pnpm v10.16.0 adds "minimumReleaseAge", a setting for defining how long a version has to have been published before pnpm will install it.

A nice countermeasure against accidental installs of short-lived compromised packages before they get taken down. Not a 100% fix, but a great additional step!
Release pnpm 10.16 · pnpm/pnpm
Minor Changes There have been several incidents recently where popular packages were successfully attacked. To reduce the risk of installing a compromised version, we are introducing a new settin...
github.com
September 12, 2025 at 10:49 PM
Reposted by Joachim Viide
Thank god AI has finally solved the problem of there not being enough podcasts
September 10, 2025 at 3:03 AM
Seems that NPM too allows TOTP reuse within the time-step window. Seen a similar issue in multiple services over the years.

Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
September 10, 2025 at 1:24 PM
NPM supports switching from Authenticator App (TOTP) based 2FA to more phishing resistant WebAuthn based 2FA.

Adding a WebAuthn security key and disabling the Authenticator App is a pretty quick process.

For example Apple Touch ID & Windows Hello work! Physical keys work too, but aren't required.
September 9, 2025 at 12:36 PM
Malicious versions of the nx package + some packages under the @nx/* scope were published to npm.

The compromised versions scan the file system, search for credentials, and post them publicly to GitHub.

www.aikido.dev/blog/popular...
Popular nx packages compromised on npm
The popular nx package on npm was compromised, and stolen data was published on GitHub publicly
www.aikido.dev
August 27, 2025 at 11:52 AM
Every line of code is a liability, and now with the power of AI, I can create 8000 new liabilities per day!
August 26, 2025 at 5:53 PM
1. make it work
2. [object Object]
3. make it fas
August 21, 2025 at 2:58 PM
Update one @types/* package, introduce 80 new indirect dependencies + 16 new maintainers into our supply chain.
August 15, 2025 at 2:51 PM
Reposted by Joachim Viide
I edited my Cross-Site Request Forgery countermeasures research into a stand-alone article, including recommendations reusable by other projects.

tl;dr: no need for tokens or keys, modern browsers tell you if a request is cross-origin!

words.filippo.io/csrf
Cross-Site Request Forgery
Cross-Site Request Forgery countermeasures can be greatly simplified using request metadata provided by modern browsers.
words.filippo.io
August 13, 2025 at 4:06 PM
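As an added example, not code from the linked article or from any project: a request check that uses the browser-supplied metadata the post refers to, Sec-Fetch-Site first and the Origin header as a fallback for browsers that do not send it. The function name, the header handling and the sample requests are assumptions constructed for this illustration.

```python
from typing import Mapping
from urllib.parse import urlsplit

# Methods that must not change state and are therefore exempt from the check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def is_request_allowed(method: str, headers: Mapping[str, str]) -> bool:
    """Return True if a state-changing request may proceed, False if it is
    a cross-origin browser request (a CSRF candidate)."""
    if method.upper() in SAFE_METHODS:
        return True
    h = {k.lower(): v for k, v in headers.items()}

    site = h.get("sec-fetch-site")
    if site is not None:
        # Modern browsers label the request for us. "same-origin" is fine and
        # "none" is user-initiated (typed URL, bookmark); "same-site" and
        # "cross-site" come from another origin and are rejected.
        return site in ("same-origin", "none")

    origin = h.get("origin")
    if origin is None:
        # Neither header present: not a browser cross-origin request
        # (browsers always send Origin on cross-origin POST), e.g. curl or
        # a same-origin form post from an old browser. Allow it.
        return True
    # Older browsers: Origin is present, so compare it against our own host.
    host = (h.get("host") or "").lower()
    return urlsplit(origin).netloc.lower() == host


# Constructed sample requests (not captured traffic) showing each branch.
SAMPLES = [
    ("POST", {"Sec-Fetch-Site": "cross-site"}, False),
    ("POST", {"Sec-Fetch-Site": "same-site"}, False),
    ("POST", {"Sec-Fetch-Site": "same-origin"}, True),
    ("POST", {"Sec-Fetch-Site": "none"}, True),
    ("POST", {"Origin": "https://attacker.invalid", "Host": "app.example"}, False),
    ("POST", {"Origin": "https://app.example", "Host": "app.example"}, True),
    ("POST", {"Origin": "null", "Host": "app.example"}, False),
    ("POST", {}, True),
    ("GET", {"Sec-Fetch-Site": "cross-site"}, True),
]


def run_samples() -> bool:
    """Evaluate every constructed sample; True when all verdicts match."""
    return all(is_request_allowed(m, hd) == want for m, hd, want in SAMPLES)
```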