naugtur
@naugtur.pl
1.2K followers 240 following 2.3K posts
Working on supply chain security for JS. LavaMoat and Endo contributor. meet.js Poland organizer. Node.js user since v0.8. Addicted to teaching. https://naugtur.pl
Pinned
naugtur @naugtur.pl · Jan 29
A Phish on a Fork, no Chips.

One more thing to beware in the world of software supply chain risks.

Read if you care about your GitHub actions or dependencies.

Or read it for the fish puns. 🫣

dev.to/naugtur/a-ph...
A Phish on a Fork, no Chips
So you were told that this is the safest way to install a package from github with npm: "test262":...
dev.to
There's a Linux tool called pngcrush that produces compressed pngs that would crash some viewers in the 2010s 😅
For very specific cases Foresight Institute grants might be an option.
I've heard people say that about IT admin, but security researcher is new
I'm excited about net in permissions!
Node.js 25 is here! We have upgraded V8 to 14.1, bringing major JSON.stringify performance improvements and JIT pipeline optimizations.

This release introduces the permission model --allow-net, Web Storage is enabled by default, and more!

nodejs.org/en/blog/rele...
Node.js
Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
nodejs.org
Reposted by naugtur
🎮 Like CRDTs and videogames? @inkandswitch.com is ✨hiring✨ for a project that combines @automerge.org with @godotengine.org to make the next generation of collaboration tools for game development!

More detail here: inkandswitch.com/jobs/godot-i...

(Fully remote 🌍🌎🌏 contract, late Nov to April)
Godot IDE Engineer
Help build native, visual version control for collaborative game development in Godot
inkandswitch.com
Sounds exciting.

Yes, I do like them, while being bad at both 😅

My biggest achievement in CRDT was noticing that a bloom filter is a CRDT and failing to find a use case for that little fact.
Whenever I say I've read some book and it's been an audiobook version I feel guilty if I don't do a disclaimer on that. I'd love for that feeling to go away.
I honestly regret not taking more of those stickers last time!
JSConf forever?
Pecunia something something
This is how you tell there's no longer a human consciousness in charge. Corporations reach a stage where decisions make themselves and are impenetrable to every individual involved.
Took the name from the example package, so no invention there.
Reposted by naugtur
We should be asking this
c o n s t a n t l y.
@robertknight2.bsky.social You might find this amusing - I was working on an example malicious npm package and started typing curl in postinstall, which a copilot suggested to follow-up with a shell script from a hallucinated repository under your github username and pipe it to bash. 😅
I bet there are npm mirrors that could serve the same purpose but I never looked for one.
I tend to need it for exploration, not the whole thing, and they're often a single file change, so I go to the socket.dev file explorer and they always have a backup there. I download the individual file from raw view.
Reposted by naugtur
The finding by Omer Mayraz regarding GitHub Copilot data exfiltration demonstrates why the AI revolution has shifted the balance of power from the cyber defender to the attacker. These systems have a stochastic nature, making attacking easier than defending. www.securityweek.com/github-copil...
GitHub Copilot Chat Flaw Leaked Data From Private Repositories
A vulnerability in the GitHub Copilot Chat AI assistant led to sensitive data leakage and full control over Copilot’s responses.
www.securityweek.com
The advice to disable all scripts without accompanying advice on how to safely execute the ones you actually need will make people reach for 'npm rebuild' and expose themselves again.

Should I PR a reference to www.npmjs.com/package/@lav... ?
www.npmjs.com
The smell is part of the marketing. When enshittification hits the business you'll be smelling last week's passenger's supper. Hopefully unused.
Some people are left-handed, some are left-stomached 🤷‍♂️