naugtur
@naugtur.pl
Working on supply chain security for JS. LavaMoat and Endo contributor. meet.js Poland organizer. Node.js user since v0.8.
Addicted to teaching.
https://naugtur.pl
Addicted to teaching.
https://naugtur.pl
Pinned
naugtur
@naugtur.pl
· Jan 29
A Phish on a Fork, no Chips
So you were told that this is the safest way to install a package from github with npm: "test262":...
dev.to
A Phish on a Fork, no Chips.
One more thing to beware in the world of software supply chain risks.
Read if you care about your GitHub actions or dependencies.
Or read it for the fish puns. 🫣
dev.to/naugtur/a-ph...
One more thing to beware in the world of software supply chain risks.
Read if you care about your GitHub actions or dependencies.
Or read it for the fish puns. 🫣
dev.to/naugtur/a-ph...
Reposted by naugtur
Preparing my talk for JSConf JP and I finally drew my mental venn diagram about how Node.js development works 🤪
November 11, 2025 at 7:20 PM
Preparing my talk for JSConf JP and I finally drew my mental venn diagram about how Node.js development works 🤪
Reposted by naugtur
Type stripping is now stable.
Enjoy 🌞
Enjoy 🌞
November 12, 2025 at 5:07 AM
Type stripping is now stable.
Enjoy 🌞
Enjoy 🌞
Reposted by naugtur
Reposted by naugtur
If you’ve wanted to go to #ffconf but couldn’t afford it, I have a ticket spare going.
Much rather it got used. ( my week’s focus got changed. 😞)
Ping me.
Much rather it got used. ( my week’s focus got changed. 😞)
Ping me.
November 10, 2025 at 9:33 AM
If you’ve wanted to go to #ffconf but couldn’t afford it, I have a ticket spare going.
Much rather it got used. ( my week’s focus got changed. 😞)
Ping me.
Much rather it got used. ( my week’s focus got changed. 😞)
Ping me.
Reposted by naugtur
🐝 It’s official: OWASP’s 2025 Top 10 now includes Software Supply Chain Failures.
Half of survey respondents ranked it their top concern, a long overdue recognition in a year marked by high-impact supply chain attacks.
→ socket.dev/blog/owasp-2... #owasp #appsec #cybersecurity
Half of survey respondents ranked it their top concern, a long overdue recognition in a year marked by high-impact supply chain attacks.
→ socket.dev/blog/owasp-2... #owasp #appsec #cybersecurity
OWASP 2025 Top 10 Adds Software Supply Chain Failures, Ranke...
OWASP’s 2025 Top 10 introduces Software Supply Chain Failures as a new category, reflecting rising concern over dependency and build system risks.
socket.dev
November 9, 2025 at 5:57 PM
🐝 It’s official: OWASP’s 2025 Top 10 now includes Software Supply Chain Failures.
Half of survey respondents ranked it their top concern, a long overdue recognition in a year marked by high-impact supply chain attacks.
→ socket.dev/blog/owasp-2... #owasp #appsec #cybersecurity
Half of survey respondents ranked it their top concern, a long overdue recognition in a year marked by high-impact supply chain attacks.
→ socket.dev/blog/owasp-2... #owasp #appsec #cybersecurity
Reposted by naugtur
There's a more secure alternative to texting via your phone's native messaging app. Signal is a free app that employs end-to-end encryption and we have a step-by-step guide to help you learn how to use it. ssd.eff.org/module/how-...
How to: Use Signal
Download location: Google Play Store, Apple App Store
System requirements: Android 5 or later, iOS 13 or later
Version used in this guide: Android: 7.38.6 iPhone: 7.5.1
License: GPLv3
Level: Beginner
Time required: 15-20 minutes
Other reading:
https://signal.org/
https://support.signal.org/
https://signal.org/blog/
Table of Contents
Download and Install Signal
Register and Verify...
ssd.eff.org
November 9, 2025 at 9:01 PM
There's a more secure alternative to texting via your phone's native messaging app. Signal is a free app that employs end-to-end encryption and we have a step-by-step guide to help you learn how to use it. ssd.eff.org/module/how-...
Reposted by naugtur
The world’s first trillionaire initiated a move that has left more than half a million people dead, most of whom are children.
November 7, 2025 at 7:39 AM
The world’s first trillionaire initiated a move that has left more than half a million people dead, most of whom are children.
Reposted by naugtur
This is wild. 99% of the code is legit, with just 20 malicious lines buried in thousands of lines of working code.
cc: @campuscodi.risky.biz
cc: @campuscodi.risky.biz
🚨 New from Socket Threat Research: 9 malicious #NuGet packages deliver time-delayed destructive payloads, designed to crash apps and sabotage industrial control systems.
Read the full analysis → socket.dev/blog/9-malic... #dotnet
Read the full analysis → socket.dev/blog/9-malic... #dotnet
9 Malicious NuGet Packages Deliver Time-Delayed Destructive ...
Socket researchers discovered nine malicious NuGet packages that use time-delayed payloads to crash applications and corrupt industrial control system...
socket.dev
November 6, 2025 at 9:41 PM
This is wild. 99% of the code is legit, with just 20 malicious lines buried in thousands of lines of working code.
cc: @campuscodi.risky.biz
cc: @campuscodi.risky.biz
Reposted by naugtur
what exactly is "winning the AI race? environmental destruction, labor extraction, ever more intrusive surveillance, mass manipulation, and unprecedented power for the handful???
Nvidia's Jensen Huang says China 'will win' AI race with US, FT reports reut.rs/48YNsTM
Nvidia's Jensen Huang says China 'will win' AI race with US, FT reports
Nvidia CEO Jensen Huang has warned that China will beat the United States in the artificial intelligence race, the Financial Times reported on Wednesday.
reut.rs
November 5, 2025 at 9:40 PM
what exactly is "winning the AI race? environmental destruction, labor extraction, ever more intrusive surveillance, mass manipulation, and unprecedented power for the handful???
Reposted by naugtur
It's crazy that Apple DMCA Takedown'd someone's upload of code we can all access
November 6, 2025 at 3:11 AM
It's crazy that Apple DMCA Takedown'd someone's upload of code we can all access
Reposted by naugtur
A V8 use-case gets 4000% faster 🔥
So we found another performance regression in V8... specifically in the code for WriteUtf8V2 (the code to write a string out as UTF8)... the fix is in... and get this... it results in a 4000%+ performance increase in one of the benchmarks. Not a typo... 4000% improvement.
November 5, 2025 at 9:21 PM
A V8 use-case gets 4000% faster 🔥
Reposted by naugtur
Here’s a step by step guide on how to block 3rd-party trackers automatically: Open Firefox. Done.
November 5, 2025 at 5:30 PM
Here’s a step by step guide on how to block 3rd-party trackers automatically: Open Firefox. Done.
Reposted by naugtur
Hey, any SVG blend-mode experts here? (RT for reach please)
Why is this happening? If I set `mix-blend-mode:lighten` on 3 objects to mix full saturation RG and B, it lightens to white, as expected.
But if I use `mix-blend-mode:darken` with CMY, it doesn't go to black. izs.me/blend-mode-s...
Why is this happening? If I set `mix-blend-mode:lighten` on 3 objects to mix full saturation RG and B, it lightens to white, as expected.
But if I use `mix-blend-mode:darken` with CMY, it doesn't go to black. izs.me/blend-mode-s...
izs.me
November 5, 2025 at 5:55 PM
Hey, any SVG blend-mode experts here? (RT for reach please)
Why is this happening? If I set `mix-blend-mode:lighten` on 3 objects to mix full saturation RG and B, it lightens to white, as expected.
But if I use `mix-blend-mode:darken` with CMY, it doesn't go to black. izs.me/blend-mode-s...
Why is this happening? If I set `mix-blend-mode:lighten` on 3 objects to mix full saturation RG and B, it lightens to white, as expected.
But if I use `mix-blend-mode:darken` with CMY, it doesn't go to black. izs.me/blend-mode-s...
Reposted by naugtur
Quick reminder, if your framework or application requires immutable data structures, `Array.with` will be your friend. It lets you update an item, copies the rest, and provides a new array reference!
It works in all browsers, too! 🎉
It works in all browsers, too! 🎉
November 5, 2025 at 9:31 AM
Quick reminder, if your framework or application requires immutable data structures, `Array.with` will be your friend. It lets you update an item, copies the rest, and provides a new array reference!
It works in all browsers, too! 🎉
It works in all browsers, too! 🎉
Reposted by naugtur
Apple’s App Store gets a new web interface techcrunch.com/2025/11/03/a...
And they promptly misconfigured so people could download the source and leak it to GitHub:
github.com/rxliuli/apps...
And they promptly misconfigured so people could download the source and leak it to GitHub:
github.com/rxliuli/apps...
Apple's App Store gets a new web interface | TechCrunch
Before this update, users could see individual pages for apps on the web, but there was no way to browse within the App Store.
techcrunch.com
November 5, 2025 at 10:59 AM
Apple’s App Store gets a new web interface techcrunch.com/2025/11/03/a...
And they promptly misconfigured so people could download the source and leak it to GitHub:
github.com/rxliuli/apps...
And they promptly misconfigured so people could download the source and leak it to GitHub:
github.com/rxliuli/apps...
I had a bookmarklet that would click all "load diff" buttons on a @github.com PR view and now the load diff button no longer has a single attribute that can be used to tell it's that button 😭
November 4, 2025 at 8:59 AM
I had a bookmarklet that would click all "load diff" buttons on a @github.com PR view and now the load diff button no longer has a single attribute that can be used to tell it's that button 😭
Reposted by naugtur
Reposted by naugtur
The full CBS interview with Trump about the pardon of Binance's Changpeng Zhao is shocking. "Why did you pardon him?" "I have no idea who he is. I was told that he was a victim ... They sent him to jail and they really set him up. That's my opinion. I was told about it."
November 3, 2025 at 7:10 PM
The full CBS interview with Trump about the pardon of Binance's Changpeng Zhao is shocking. "Why did you pardon him?" "I have no idea who he is. I was told that he was a victim ... They sent him to jail and they really set him up. That's my opinion. I was told about it."
Reposted by naugtur
🚨 The new Glassworm malware? it invisible Unicode characters to hide in source code. 35,800+ victims.
Protect your codebase:
```bash
npx anti-trojan-source --files='**/*.js'
```
Here's a full guide: snyk.io/articles/def...
Protect your codebase:
```bash
npx anti-trojan-source --files='**/*.js'
```
Here's a full guide: snyk.io/articles/def...
Defending Against Glassworm: The Invisible Malware That's Rewriting Supply Chain Security | Snyk
Defend against Glassworm, the invisible malware rewriting supply chain security. Learn how anti-trojan-source detects and prevents these Unicode attacks, protecting your VS Code extensions and credent...
snyk.io
November 3, 2025 at 5:57 PM
🚨 The new Glassworm malware? it invisible Unicode characters to hide in source code. 35,800+ victims.
Protect your codebase:
```bash
npx anti-trojan-source --files='**/*.js'
```
Here's a full guide: snyk.io/articles/def...
Protect your codebase:
```bash
npx anti-trojan-source --files='**/*.js'
```
Here's a full guide: snyk.io/articles/def...
Reposted by naugtur
An under-discussed topic: how the hottest software engineering job of the early 2010s is seeing a steady but ongoing decline the last few years.
I'm talking about the native iOS and Android positions. Outside of Big Tech, few startups/scaleups hire for this. Since ~2022?
I'm talking about the native iOS and Android positions. Outside of Big Tech, few startups/scaleups hire for this. Since ~2022?
November 3, 2025 at 3:29 PM
An under-discussed topic: how the hottest software engineering job of the early 2010s is seeing a steady but ongoing decline the last few years.
I'm talking about the native iOS and Android positions. Outside of Big Tech, few startups/scaleups hire for this. Since ~2022?
I'm talking about the native iOS and Android positions. Outside of Big Tech, few startups/scaleups hire for this. Since ~2022?
Reposted by naugtur
Pretty extraordinary story here
www-bbc-co-uk.cdn.ampproject.org/c/s/www.bbc....
www-bbc-co-uk.cdn.ampproject.org/c/s/www.bbc....
China intimidated UK university to ditch human rights research, documents show - BBC News
Sheffield Hallam University apologises to Professor Laura Murphy for restricting her academic freedom.
www-bbc-co-uk.cdn.ampproject.org
November 3, 2025 at 6:20 AM
Pretty extraordinary story here
www-bbc-co-uk.cdn.ampproject.org/c/s/www.bbc....
www-bbc-co-uk.cdn.ampproject.org/c/s/www.bbc....
Reposted by naugtur
Top neglected topics in software rn
Security
Ethics
Security
Ethics
November 1, 2025 at 2:31 PM
Top neglected topics in software rn
Security
Ethics
Security
Ethics
Reposted by naugtur
Did not see this coming: #Canva made #Affinity free and is investing to revamp it.
Smart growth move and a win for creators... pro-grade tools for free.
First look: www.youtube.com/watch?v=CzPz...
#Design #AffinitySuite
Smart growth move and a win for creators... pro-grade tools for free.
First look: www.youtube.com/watch?v=CzPz...
#Design #AffinitySuite
Meet the new Affinity
YouTube video by Canva
www.youtube.com
November 1, 2025 at 11:20 AM
Did not see this coming: #Canva made #Affinity free and is investing to revamp it.
Smart growth move and a win for creators... pro-grade tools for free.
First look: www.youtube.com/watch?v=CzPz...
#Design #AffinitySuite
Smart growth move and a win for creators... pro-grade tools for free.
First look: www.youtube.com/watch?v=CzPz...
#Design #AffinitySuite
Reposted by naugtur
We survived the removal of Flash, how bad can the removal of XSLT be?
November 1, 2025 at 11:32 AM
We survived the removal of Flash, how bad can the removal of XSLT be?
Reposted by naugtur
