Paul
@ismisepaul.bsky.social
Reposted by Paul
Comics peeps. I am finally clocking off from work tomorrow and doing my annual splurge on as many of the year's best titles as I can get my hands on. What've been your highlights of 2025? Ongoing weeklies, collected tpbs, one-off graphic novels, reissues, indies, whatever you've got.
December 18, 2025 at 4:13 PM
Comics peeps. I am finally clocking off from work tomorrow and doing my annual splurge on as many of the year's best titles as I can get my hands on. What've been your highlights of 2025? Ongoing weeklies, collected tpbs, one-off graphic novels, reissues, indies, whatever you've got.
Reposted by Paul
Read more here: socket.dev/blog/socket-...
Socket Firewall Now Available in Docker Hardened Images - So...
Socket Firewall Free is now bundled into Docker Hardened Images, adding build-time and dependency-install supply chain protection on top of hardened b...
socket.dev
December 17, 2025 at 7:03 PM
Read more here: socket.dev/blog/socket-...
Reposted by Paul
Version 1 of the OWASP AI testing guide just got published.
I promise you, from my own experience, this will save you a lot of heartache.
github.com/OWASP/www-pr...
I promise you, from my own experience, this will save you a lot of heartache.
github.com/OWASP/www-pr...
November 27, 2025 at 10:31 AM
Version 1 of the OWASP AI testing guide just got published.
I promise you, from my own experience, this will save you a lot of heartache.
github.com/OWASP/www-pr...
I promise you, from my own experience, this will save you a lot of heartache.
github.com/OWASP/www-pr...
Reposted by Paul
Given Shai-Hulud comeback (hello SHA1-HULUD 👋)
It is quite timely to share my up-to-date repository for modern npm security best practices against supply chain malware attacks:
It is quite timely to share my up-to-date repository for modern npm security best practices against supply chain malware attacks:
GitHub - lirantal/npm-security-best-practices: Collection of npm package manager Security Best Practices
Collection of npm package manager Security Best Practices - lirantal/npm-security-best-practices
github.com
November 27, 2025 at 7:01 AM
Given Shai-Hulud comeback (hello SHA1-HULUD 👋)
It is quite timely to share my up-to-date repository for modern npm security best practices against supply chain malware attacks:
It is quite timely to share my up-to-date repository for modern npm security best practices against supply chain malware attacks:
Reposted by Paul
Shai-Hulud Returns: Over 300 NPM packages infected via fake Bun runtime within hours
helixguard.ai/blog/malicio...
helixguard.ai/blog/malicio...
November 24, 2025 at 12:38 PM
Shai-Hulud Returns: Over 300 NPM packages infected via fake Bun runtime within hours
helixguard.ai/blog/malicio...
helixguard.ai/blog/malicio...
Reposted by Paul
Troy Parrott's 96th-minute winner keeps Ireland's World Cup hopes alive!
The 23-year-old's hat-trick earns his country victory and a spot in the play-offs, breaking Hungarian hearts in the process.
Remarkable scenes in Budapest.
The 23-year-old's hat-trick earns his country victory and a spot in the play-offs, breaking Hungarian hearts in the process.
Remarkable scenes in Budapest.
November 16, 2025 at 4:08 PM
Troy Parrott's 96th-minute winner keeps Ireland's World Cup hopes alive!
The 23-year-old's hat-trick earns his country victory and a spot in the play-offs, breaking Hungarian hearts in the process.
Remarkable scenes in Budapest.
The 23-year-old's hat-trick earns his country victory and a spot in the play-offs, breaking Hungarian hearts in the process.
Remarkable scenes in Budapest.
Reposted by Paul
🚀 GitHub is making Actions more secure by default
We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.
We’ve opened a discussion to gather feedback 👇
🔗 github.com/orgs/communi...
We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.
We’ve opened a discussion to gather feedback 👇
🔗 github.com/orgs/communi...
Towards a secure by default GitHub Actions · community · Discussion #179107
Why are you starting this discussion? Product Feedback What GitHub Actions topic or product is this about? Workflow Configuration Discussion Details Today, GitHub announced upcoming changes to the ...
github.com
November 11, 2025 at 6:38 PM
🚀 GitHub is making Actions more secure by default
We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.
We’ve opened a discussion to gather feedback 👇
🔗 github.com/orgs/communi...
We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.
We’ve opened a discussion to gather feedback 👇
🔗 github.com/orgs/communi...
Reposted by Paul
The release candidate of the OWASP Top 10 2025 has been released
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
Introduction - OWASP Top 10:2025 RC1
OWASP Top 10:2025 RC1
owasp.org
November 7, 2025 at 12:19 PM
The release candidate of the OWASP Top 10 2025 has been released
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
Reposted by Paul
There's some really big caveats to this. A thread.
New: Google says it has discovered at least 5 malware families that use AI to rewrite their code and generate new capabilities on the fly, suggesting AI-powered malware is finally starting to take off. cloud.google.com/blog/topics/...
Report also has interesting stories about state actors' AI use.
Report also has interesting stories about state actors' AI use.
November 5, 2025 at 3:52 PM
There's some really big caveats to this. A thread.
Reposted by Paul
Just prompt it they way you like. E.g with something like this: docs.vibe-coding-framework.com/document-tem...
Security-Focused Prompts | Vibe Coding Framework
docs.vibe-coding-framework.com
November 1, 2025 at 8:59 AM
Just prompt it they way you like. E.g with something like this: docs.vibe-coding-framework.com/document-tem...
Reposted by Paul
🚨 Open source supply chain attacks are exploding.
Starting today, that ends.
We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI.
Just run:
npm i -g sfw
sfw npm install lodash
Works for: npm, yarn, pnpm, pip, uv, and cargo.
Starting today, that ends.
We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI.
Just run:
npm i -g sfw
sfw npm install lodash
Works for: npm, yarn, pnpm, pip, uv, and cargo.
September 30, 2025 at 6:06 PM
🚨 Open source supply chain attacks are exploding.
Starting today, that ends.
We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI.
Just run:
npm i -g sfw
sfw npm install lodash
Works for: npm, yarn, pnpm, pip, uv, and cargo.
Starting today, that ends.
We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI.
Just run:
npm i -g sfw
sfw npm install lodash
Works for: npm, yarn, pnpm, pip, uv, and cargo.
Reposted by Paul
September 23, 2025 at 11:59 AM
Reposted by Paul
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.
Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Ongoing Supply Chain Attack Targets CrowdStrike npm Packages...
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Halud" supply chain attack that previously hit Tinycolor and dozen...
socket.dev
September 16, 2025 at 6:15 PM
🚨 Update: The "Shai-Hulud" supply chain attack has expanded to nearly 500 trojanized npm packages, including several from CrowdStrike, all using the same malware first seen in Tinycolor.
Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Full details and package list: socket.dev/blog/ongoing... #NodeJS #JavaScript
Reposted by Paul
#NPM:The popular @ctrl/tinycolor package with over 2mln weekly downloads has been compromised alongside 40+ other NPM packages (including Crowdstirke packages!) in a sophisticated supply chain attack:
#SoftwareSupplyChainSecurity
👇
#SoftwareSupplyChainSecurity
👇
ctrl/tinycolor and 40+ NPM Packages Compromised - StepSecurity
The popular @ctrl/tinycolor package with over 2 million weekly downloads has been compromised alongside 40+ other NPM packages in a sophisticated supply chain attack. The malware self-propagates across maintainer packages, harvests AWS/GCP/Azure credentials using TruffleHog, and establishes persistence through GitHub Actions backdoors - representing a major escalation in NPM ecosystem threats.
www.stepsecurity.io
September 16, 2025 at 2:44 PM
#NPM:The popular @ctrl/tinycolor package with over 2mln weekly downloads has been compromised alongside 40+ other NPM packages (including Crowdstirke packages!) in a sophisticated supply chain attack:
#SoftwareSupplyChainSecurity
👇
#SoftwareSupplyChainSecurity
👇
Reposted by Paul
Hi everyone. The 'next day' busy-ness has fully set in.
Since I still haven't gotten any followup from npm regarding account actions taken, and given that I have now been approached by authorities, I will need to hold off on the post-mortem for a day or two.
Sincerest apologies for the delay.
Since I still haven't gotten any followup from npm regarding account actions taken, and given that I have now been approached by authorities, I will need to hold off on the post-mortem for a day or two.
Sincerest apologies for the delay.
September 9, 2025 at 2:10 PM
Hi everyone. The 'next day' busy-ness has fully set in.
Since I still haven't gotten any followup from npm regarding account actions taken, and given that I have now been approached by authorities, I will need to hold off on the post-mortem for a day or two.
Sincerest apologies for the delay.
Since I still haven't gotten any followup from npm regarding account actions taken, and given that I have now been approached by authorities, I will need to hold off on the post-mortem for a day or two.
Sincerest apologies for the delay.
Reposted by Paul
🚨URGENT: A series of popular packages maintained by qix have just been compromised.
Compromised packages include:
• has-ansi - 12 million weekly downloads - V6.0.1
• supports-hyperlinks - 19m weekly downloads - v4.1.1
• chalk-template - 3.9m weekly downlaods - V1.1.1
Compromised packages include:
• has-ansi - 12 million weekly downloads - V6.0.1
• supports-hyperlinks - 19m weekly downloads - v4.1.1
• chalk-template - 3.9m weekly downlaods - V1.1.1
September 8, 2025 at 3:45 PM
🚨URGENT: A series of popular packages maintained by qix have just been compromised.
Compromised packages include:
• has-ansi - 12 million weekly downloads - V6.0.1
• supports-hyperlinks - 19m weekly downloads - v4.1.1
• chalk-template - 3.9m weekly downlaods - V1.1.1
Compromised packages include:
• has-ansi - 12 million weekly downloads - V6.0.1
• supports-hyperlinks - 19m weekly downloads - v4.1.1
• chalk-template - 3.9m weekly downlaods - V1.1.1
Reposted by Paul
A cryptostealer malware was pushed to a number of npm packages including debug, chalk , and a number of utility packages as a result of the compromise of a single contributor.
We published guidance for customers and non-customers for how to detect if you were affected:
semgrep.dev/blog/2025/ch...
We published guidance for customers and non-customers for how to detect if you were affected:
semgrep.dev/blog/2025/ch...
September 8, 2025 at 5:21 PM
A cryptostealer malware was pushed to a number of npm packages including debug, chalk , and a number of utility packages as a result of the compromise of a single contributor.
We published guidance for customers and non-customers for how to detect if you were affected:
semgrep.dev/blog/2025/ch...
We published guidance for customers and non-customers for how to detect if you were affected:
semgrep.dev/blog/2025/ch...
Reposted by Paul
Is red teaming taking its final breath? www.csoonline.com/article/4012...
The top red teamer in the US is an AI bot
Chatbot “Xbow” tops the leaderboard on HackerOne, revealing just how good AI has gotten at identifying cybersecurity vulnerabilities. Experts say this is both good and bad.
www.csoonline.com
July 2, 2025 at 3:41 PM
Is red teaming taking its final breath? www.csoonline.com/article/4012...
Reposted by Paul
The solo maintainer for libxml2 is no longer accepting embargoed vulnerability reports, citing the unsustainable burden as an unpaid volunteer. Security issues will be treated like any other bug report moving forward.
socket.dev/blog/libxml2... #opensource #cybersecurity
socket.dev/blog/libxml2... #opensource #cybersecurity
libxml2 Maintainer Ends Embargoed Vulnerability Reports, Cit...
Libxml2’s solo maintainer drops embargoed security fixes, highlighting the burden on unpaid volunteers who keep critical open source software secure.
socket.dev
June 18, 2025 at 1:20 AM
The solo maintainer for libxml2 is no longer accepting embargoed vulnerability reports, citing the unsustainable burden as an unpaid volunteer. Security issues will be treated like any other bug report moving forward.
socket.dev/blog/libxml2... #opensource #cybersecurity
socket.dev/blog/libxml2... #opensource #cybersecurity
Reposted by Paul
🚨 Socket’s Threat Research Team has uncovered 60 npm packages using post-install scripts to silently exfiltrate hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint. The payload is identical across all 60 packages: socket.dev/blog/60-mali... #JavaScript #NodeJS
60 Malicious npm Packages Leak Network and Host Data in Acti...
Socket’s Threat Research Team has uncovered 60 npm packages using post-install scripts to silently exfiltrate hostnames, IP addresses, DNS servers, an...
socket.dev
May 23, 2025 at 1:45 AM
🚨 Socket’s Threat Research Team has uncovered 60 npm packages using post-install scripts to silently exfiltrate hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint. The payload is identical across all 60 packages: socket.dev/blog/60-mali... #JavaScript #NodeJS
Reposted by Paul
Our investigation of the #GitHub workflow vulnerability wrapped up on May 12, and we've confirmed that there has been no code modification, unauthorized access to production systems, exposure of customer data, or access to personal information.
Here's a summary of what happened and what's next.
Here's a summary of what happened and what's next.
Grafana security update: post-incident review for GitHub workflow vulnerability and what's next | Grafana Labs
/static/assets/img/blog/grafana-security-fix.png
grafana.com
May 17, 2025 at 8:30 AM
Our investigation of the #GitHub workflow vulnerability wrapped up on May 12, and we've confirmed that there has been no code modification, unauthorized access to production systems, exposure of customer data, or access to personal information.
Here's a summary of what happened and what's next.
Here's a summary of what happened and what's next.
Reposted by Paul
