Liran Tal
@lirantal.com
🦄 Node.js Secure Coding: http://nodejs-security.com
🌟 @GitHub Star
🏅 @OpenJS Pathfinder award for Security
🥑 DevRel at @snyksec
🌟 @GitHub Star
🏅 @OpenJS Pathfinder award for Security
🥑 DevRel at @snyksec
the government will put you in jail for reading phrack while distributing their own sabotage manuals
November 28, 2025 at 7:01 PM
the government will put you in jail for reading phrack while distributing their own sabotage manuals
the government will put you in jail for reading phrack while distributing their own sabotage manuals
November 28, 2025 at 4:01 PM
the government will put you in jail for reading phrack while distributing their own sabotage manuals
what other book should read for the checkout cart ?
November 28, 2025 at 1:04 PM
what other book should read for the checkout cart ?
best city in the world?
November 28, 2025 at 7:01 AM
best city in the world?
look I know it's a 19 minutes read 😅😅😅
but you'll thank me later when you've adopted these hands-on npm security practices for you and your team and thwarted the next Shai-Hulud from attacking you: snyk.io/articles/npm...
but you'll thank me later when you've adopted these hands-on npm security practices for you and your team and thwarted the next Shai-Hulud from attacking you: snyk.io/articles/npm...
November 27, 2025 at 7:00 PM
look I know it's a 19 minutes read 😅😅😅
but you'll thank me later when you've adopted these hands-on npm security practices for you and your team and thwarted the next Shai-Hulud from attacking you: snyk.io/articles/npm...
but you'll thank me later when you've adopted these hands-on npm security practices for you and your team and thwarted the next Shai-Hulud from attacking you: snyk.io/articles/npm...
Shai-Hulud strieks back? The following is a curated, practical, security‑focused npm package manager hardening list of recommended practices for secure local development and open source software maintainers' processes: snyk.io/articles/npm...
Keep this open next to your terminal
Keep this open next to your terminal
NPM Security Best Practices: How to Protect Your Packages After the 2025 Shai Hulud Attack | Snyk
Harden your npm environment against supply chain attacks like Shai-Hulud. Learn 12 essential best practices for developers and maintainers, covering post-install scripts, 2FA, provenance, and deterministic installs.
snyk.io
November 27, 2025 at 4:00 PM
Shai-Hulud strieks back? The following is a curated, practical, security‑focused npm package manager hardening list of recommended practices for secure local development and open source software maintainers' processes: snyk.io/articles/npm...
Keep this open next to your terminal
Keep this open next to your terminal
FYI Snyk has a dedicated Zero-Day report available to quickly show you across your entire projects if any of them is impacted by the Shai-Hulud malware campaign of malicious packages
(screenshot shows the older one from September available too if you haven't keep up to date!)
(screenshot shows the older one from September available too if you haven't keep up to date!)
November 27, 2025 at 10:00 AM
FYI Snyk has a dedicated Zero-Day report available to quickly show you across your entire projects if any of them is impacted by the Shai-Hulud malware campaign of malicious packages
(screenshot shows the older one from September available too if you haven't keep up to date!)
(screenshot shows the older one from September available too if you haven't keep up to date!)
Given Shai-Hulud comeback (hello SHA1-HULUD 👋)
It is quite timely to share my up-to-date repository for modern npm security best practices against supply chain malware attacks:
It is quite timely to share my up-to-date repository for modern npm security best practices against supply chain malware attacks:
GitHub - lirantal/npm-security-best-practices: Collection of npm package manager Security Best Practices
Collection of npm package manager Security Best Practices - lirantal/npm-security-best-practices
github.com
November 27, 2025 at 7:01 AM
Given Shai-Hulud comeback (hello SHA1-HULUD 👋)
It is quite timely to share my up-to-date repository for modern npm security best practices against supply chain malware attacks:
It is quite timely to share my up-to-date repository for modern npm security best practices against supply chain malware attacks:
In this video, Brian challenges GPT-5.1 Codex Max to create a secure, functional note-taking app from scratch. We walk through the setup, backend security, UI generation, and debugging to see how well the newest OpenAI model can handle real coding tasks www.youtube.com/watch?v=ywQp...
Can GPT-5.1 Codex Max Build a SECURE Note taking App?
In this video, I challenge GPT-5.1 Codex Max to create a secure, functional note-taking app from scratch. We walk through the setup, backend security, UI generation, and debugging to see how well the newest OpenAI model can handle real coding tasks. Use Snyk for free to find and fix security issues in your applications today! https://snyk.co/ugLYn ✍️ Resources ✍️ ⏲️ Chapters ⏲️ 00:00 - Intro 00:28 - How to access the model 02:27 - Getting started and prompt 03:28 - Results 06:18 - Security Scanning 08:06 - Conclusion 08:54 - Outro ⚒️ About Snyk ⚒️ Snyk helps you find and fix vulnerabilities in your code, open-source dependencies, containers, infrastructure-as-code, software pipelines, IDEs, and more! Move fast, stay secure. Learn more about Snyk: https://snyk.co/ugLYl 📱 Connect with Us 📱 🖥️ Website: https://snyk.co/ugLYl 🐦 X: http://twitter.com/snyksec 💼 LinkedIn: https://www.linkedin.com/company/snyk 💬 Discord: https://discord.gg/devsecops-community-918181751526948884 ▶️ Subscribe: https://www.youtube.com/c/SnykSec?sub_confirmation=1 🔥 We're hiring! Check our open roles:...
www.youtube.com
November 26, 2025 at 7:01 PM
In this video, Brian challenges GPT-5.1 Codex Max to create a secure, functional note-taking app from scratch. We walk through the setup, backend security, UI generation, and debugging to see how well the newest OpenAI model can handle real coding tasks www.youtube.com/watch?v=ywQp...
fun to see how good the LLM is on bash scripts
November 26, 2025 at 4:01 PM
fun to see how good the LLM is on bash scripts
Snyk maintains a public web page list of Shai-Hulud malicious packages affiliated with malware campaign: security.snyk.io/sha1-hulud-n...
Zero-Day Vulnerability Alert | Snyk
Critical alert: Packages affected by zero-day vulnerabilities that are actively being exploited in the wild.
security.snyk.io
November 26, 2025 at 11:31 AM
Snyk maintains a public web page list of Shai-Hulud malicious packages affiliated with malware campaign: security.snyk.io/sha1-hulud-n...
something to keep in mind in terms of AI attacks and LLM security - in traditional apps, an attacker can't inject malicious code into a traditional database to alter its core logic, but they can poison an AI training dataset to subtly influence how a model behaves
November 26, 2025 at 10:01 AM
something to keep in mind in terms of AI attacks and LLM security - in traditional apps, an attacker can't inject malicious code into a traditional database to alter its core logic, but they can poison an AI training dataset to subtly influence how a model behaves
Reposted by Liran Tal
This stuff is getting more important every day...
Along with everything else, let's get all secrets out of plaintext!
Along with everything else, let's get all secrets out of plaintext!
You all should be starring this repo and following up on every npm security best practice: github.com/lirantal/npm...
GitHub - lirantal/npm-security-best-practices: Collection of npm package manager Security Best Practices
Collection of npm package manager Security Best Practices - lirantal/npm-security-best-practices
github.com
November 25, 2025 at 5:41 PM
This stuff is getting more important every day...
Along with everything else, let's get all secrets out of plaintext!
Along with everything else, let's get all secrets out of plaintext!
did you know? the average cost of an AI-related data breach has reached $4.45 million
Security roundup: Top AI stories in 2024 | IBM
With the AI landscape rapidly evolving, it's worth looking back before moving forward. These are our top five AI security stories for 2024.
www.ibm.com
November 26, 2025 at 7:00 AM
did you know? the average cost of an AI-related data breach has reached $4.45 million
did you know? the average cost of an AI-related data breach has reached $4.45 million
Security roundup: Top AI stories in 2024 | IBM
With the AI landscape rapidly evolving, it's worth looking back before moving forward. These are our top five AI security stories for 2024.
www.ibm.com
November 25, 2025 at 7:00 PM
did you know? the average cost of an AI-related data breach has reached $4.45 million
You all should be starring this repo and following up on every npm security best practice: github.com/lirantal/npm...
GitHub - lirantal/npm-security-best-practices: Collection of npm package manager Security Best Practices
Collection of npm package manager Security Best Practices - lirantal/npm-security-best-practices
github.com
November 25, 2025 at 1:42 PM
You all should be starring this repo and following up on every npm security best practice: github.com/lirantal/npm...
I published on the weekend about 6+ blog posts on public disclosures of security vulnerabilities in npm packages that sadly their maintainers did not respond, you're welcome to browse and learn about secure coding practices
November 25, 2025 at 10:01 AM
I published on the weekend about 6+ blog posts on public disclosures of security vulnerabilities in npm packages that sadly their maintainers did not respond, you're welcome to browse and learn about secure coding practices
when are we getting Andrej Karpathy's version of vibe coding disclaimer for AI generated code?
that's very thoughtful (source from his repo of llm council)
that's very thoughtful (source from his repo of llm council)
November 25, 2025 at 7:00 AM
when are we getting Andrej Karpathy's version of vibe coding disclaimer for AI generated code?
that's very thoughtful (source from his repo of llm council)
that's very thoughtful (source from his repo of llm council)
minimax m2 looks like a good local small model for agentic coding, especially as it is just 10B params
November 24, 2025 at 7:00 PM
minimax m2 looks like a good local small model for agentic coding, especially as it is just 10B params
yet another MCP server repository with vulnerable code, yet the maintainer is unresponsive to my security request ooofff :(
GitHub - EmilyThaHuman/database-mcp: database-mcp
database-mcp. Contribute to EmilyThaHuman/database-mcp development by creating an account on GitHub.
github.com
November 24, 2025 at 4:00 PM
yet another MCP server repository with vulnerable code, yet the maintainer is unresponsive to my security request ooofff :(
Soon hitting 900 subscribers to my Node.js Security Newsletter: www.nodejs-security.com/newsletter
November 24, 2025 at 10:01 AM
Soon hitting 900 subscribers to my Node.js Security Newsletter: www.nodejs-security.com/newsletter
reporting CVEs is hard and this MCP server might get used without users aware of the security vulnerability I found because maintainer isn't responding...
Improper Access Control results in bypassing a "read-only" mode for mcp-dbutils MCP Server · Issue #116 · donghao1393/mcp-dbutils
--> July 26 communication: Hi, Can you please enable Private Vulnerability Report in this repository settings so I can disclose a security issue for this project? --> September 20 update: Improper ...
github.com
November 24, 2025 at 7:00 AM
reporting CVEs is hard and this MCP server might get used without users aware of the security vulnerability I found because maintainer isn't responding...
wrapped up my MCP Security talk at AI Native DevCon, it was fun and great, thanks for coming to my talk and hit me up if you have any questions :-)
November 19, 2025 at 7:01 PM
wrapped up my MCP Security talk at AI Native DevCon, it was fun and great, thanks for coming to my talk and hit me up if you have any questions :-)