Paul H
bijouxbeejuice.bsky.social
Ex-GitHub/Microsoft. All views my own. Recruiters may not DM me
It’s a commonly held bit of folk wisdom that if you have influenza you’ll know it - that “the flu” is always bad and “a cold” is not.

This is wrong! It can be mild or asymptomatic.

People think they can diagnose which virus they have from how they feel - vibe medicine!

It takes a test to know.
December 11, 2025 at 2:28 PM
Reposted by Paul H
An issue we're seeing at all levels of university is that many students are simply refusing to do *anything*. They aren't reading the syllabus, aren't following assignment guidelines, aren't engaging with material, ignoring deadlines. And this might seem like old news, but it truly has ramped up.
November 28, 2025 at 10:15 PM
Reposted by Paul H
in light of the current supply chain attacks, I've just published a @github.com action to detect packages that _lose_ their provenance.

📦 supports pnpm-lock.yaml, package-lock.json, yarn.lock (v1)
🎨 inline GitHub annotations
✅ JSON output + configurable
💪 published in TS with zero deps
GitHub - danielroe/provenance-action: GitHub Action that detects dependency provenance downgrades from lockfile changes (npm/pnpm/yarn).
September 16, 2025 at 12:17 PM
I wrote a script to show the exact commit versions of Actions used in your workflows on GitHub Actions.

Useful for stuff like the tj-actions/changed-files and reviewdog compromises.

github.com/github/audit...

#DevSecOps #SupplyChainSecurity #Actions #CiCd #GitHub #TJActions #ReviewDog
GitHub - github/audit-actions-workflow-runs: Audit your GitHub Actions workflow runs to see exactly which Actions were downloaded
April 7, 2025 at 8:05 PM
There was malware ☣️ in all tags for the GitHub Action tj-actions/changed-files (2k stars ⭐️, 23k dependents)

Every tag 🏷️ was updated to a commit that injected malware

It dumped memory to search for secrets, to dump to logs - this will have most affected public repos

#Actions #AppSec #Malware
March 18, 2025 at 9:31 PM
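Both the audit-script post and the tj-actions/changed-files post above come down to the same defensive question: is each `uses:` reference in a workflow pinned to an immutable commit SHA, or to a tag that a compromised maintainer account can move? The Python below is an added example, not the github/audit-actions-workflow-runs tool and not code from any of the posts; where that tool inspects what workflow runs actually downloaded, this one statically scans a workflow file and flags mutable references, calling out the two actions the posts name as compromised. The sample workflow, the placeholder SHA, the `WATCHLIST` contents and the function names are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not from the page): a mix of tag-pinned,
# SHA-pinned, local and docker:// references. The 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo hello
"""

# Matches `uses:` at step or job level; the value stops at whitespace, a quote
# or a trailing `# vX.Y.Z` comment that SHA-pinning conventions often add.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions the posts above report as having had malicious commits pushed to
# their tags. A real deployment would source this list from an advisory feed.
WATCHLIST = {"tj-actions/changed-files", "reviewdog/action-setup"}


@dataclass(frozen=True)
class Finding:
    action: str
    ref: str
    status: str        # "pinned" (full SHA), "mutable" (tag/branch), "local", "docker"
    watchlisted: bool  # owner/repo appears in WATCHLIST


def classify(uses_value: str) -> Finding:
    """Classify one `uses:` value by how it is referenced."""
    if uses_value.startswith("./"):
        return Finding(uses_value, "", "local", False)
    if uses_value.startswith("docker://"):
        return Finding(uses_value, "", "docker", False)
    action, _, ref = uses_value.partition("@")
    # owner/repo only: strips subdirectory paths such as owner/repo/subaction
    repo = "/".join(action.split("/")[:2])
    status = "pinned" if FULL_SHA_RE.match(ref) else "mutable"
    return Finding(action, ref, status, repo in WATCHLIST)


def audit_workflow(text: str) -> list:
    """Return a Finding for every `uses:` reference in a workflow file."""
    return [classify(m.group(1)) for m in USES_RE.finditer(text)]


def mutable_refs(findings: list) -> list:
    """Only the references a moved tag could silently swap out."""
    return [f for f in findings if f.status == "mutable"]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        flag = " !! on watchlist" if f.watchlisted else ""
        print(f"{f.status:8} {f.action}@{f.ref}{flag}")
```

A tag pin would not have protected anyone in the tj-actions case, because every tag was moved to the malicious commit; a full-SHA pin keeps resolving to the commit that was reviewed. The scan is deliberately dependency-free (no YAML parser) so it can run in a pre-commit hook or CI step; it will not see actions referenced through expressions or reusable workflows defined elsewhere, so it complements rather than replaces a run-level audit of what was actually fetched.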
⚠️ Another GitHub Action was hacked ☣️, reviewdog/action-setup v1, again leaking secrets in workflow logs

Wiz is reporting that it was used in the hack of tj-actions/changed-files, and that other Actions under reviewdog were also affected

#SupplyChain #GitHubActions #AppSec #Malware #ReviewDog
GitHub Action supply chain attack: reviewdog/action-setup | Wiz Blog
A supply chain attack on tj-actions/changed-files leaked secrets. Wiz Research found another attack on reviewdog/actions-setup, possibly causing the compromise.
March 18, 2025 at 9:24 PM