naugtur
@naugtur.pl
Working on supply chain security for JS. LavaMoat and Endo contributor. meet.js Poland organizer. Node.js user since v0.8.
Addicted to teaching.

https://naugtur.pl
Pinned
naugtur @naugtur.pl · Jan 29
A Phish on a Fork, no Chips.

One more thing to beware in the world of software supply chain risks.

Read if you care about your GitHub actions or dependencies.

Or read it for the fish puns. 🫣

dev.to/naugtur/a-ph...
A Phish on a Fork, no Chips
So you were told that this is the safest way to install a package from github with npm: "test262":...
dev.to
Reposted by naugtur
oh my god
November 10, 2025 at 6:16 PM
Reposted by naugtur
If you’ve wanted to go to #ffconf but couldn’t afford it, I have a ticket spare going.

Much rather it got used. ( my week’s focus got changed. 😞)

Ping me.
November 10, 2025 at 9:33 AM
Reposted by naugtur
🐝 It’s official: OWASP’s 2025 Top 10 now includes Software Supply Chain Failures.

Half of survey respondents ranked it their top concern, a long overdue recognition in a year marked by high-impact supply chain attacks.

socket.dev/blog/owasp-2... #owasp #appsec #cybersecurity
OWASP 2025 Top 10 Adds Software Supply Chain Failures, Ranke...
OWASP’s 2025 Top 10 introduces Software Supply Chain Failures as a new category, reflecting rising concern over dependency and build system risks.
socket.dev
November 9, 2025 at 5:57 PM
Reposted by naugtur
There's a more secure alternative to texting via your phone's native messaging app. Signal is a free app that employs end-to-end encryption and we have a step-by-step guide to help you learn how to use it. ssd.eff.org/module/how-...
How to: Use Signal
Download location: Google Play Store, Apple App Store System requirements: Android 5 or later, iOS 13 or later Version used in this guide: Android: 7.38.6 iPhone: 7.5.1 License: GPLv3 Level: Beginner Time required: 15-20 minutes Other reading: https://signal.org/ https://support.signal.org/ https://signal.org/blog/ Table of Contents Download and Install Signal Register and Verify...
ssd.eff.org
November 9, 2025 at 9:01 PM
Reposted by naugtur
The world’s first trillionaire initiated a move that has left more than half a million people dead, most of whom are children.
November 7, 2025 at 7:39 AM
Reposted by naugtur
This is wild. 99% of the code is legit, with just 20 malicious lines buried in thousands of lines of working code.

cc: @campuscodi.risky.biz
🚨 New from Socket Threat Research: 9 malicious #NuGet packages deliver time-delayed destructive payloads, designed to crash apps and sabotage industrial control systems.

Read the full analysis → socket.dev/blog/9-malic... #dotnet
9 Malicious NuGet Packages Deliver Time-Delayed Destructive ...
Socket researchers discovered nine malicious NuGet packages that use time-delayed payloads to crash applications and corrupt industrial control system...
socket.dev
November 6, 2025 at 9:41 PM
Reposted by naugtur
what exactly is "winning the AI race"? environmental destruction, labor extraction, ever more intrusive surveillance, mass manipulation, and unprecedented power for the handful???
November 5, 2025 at 9:40 PM
Reposted by naugtur
It's crazy that Apple DMCA Takedown'd someone's upload of code we can all access

November 6, 2025 at 3:11 AM
Reposted by naugtur
A V8 use-case gets 4000% faster 🔥
So we found another performance regression in V8... specifically in the code for WriteUtf8V2 (the code to write a string out as UTF8)... the fix is in... and get this... it results in a 4000%+ performance increase in one of the benchmarks. Not a typo... 4000% improvement.
November 5, 2025 at 9:21 PM
Reposted by naugtur
Here’s a step by step guide on how to block 3rd-party trackers automatically: Open Firefox. Done.
November 5, 2025 at 5:30 PM
Reposted by naugtur
Hey, any SVG blend-mode experts here? (RT for reach please)

Why is this happening? If I set `mix-blend-mode:lighten` on 3 objects to mix full saturation RG and B, it lightens to white, as expected.

But if I use `mix-blend-mode:darken` with CMY, it doesn't go to black. izs.me/blend-mode-s...
izs.me
November 5, 2025 at 5:55 PM
Reposted by naugtur
Quick reminder, if your framework or application requires immutable data structures, `Array.with` will be your friend. It lets you update an item, copies the rest, and provides a new array reference!

It works in all browsers, too! 🎉
November 5, 2025 at 9:31 AM
Reposted by naugtur
Apple’s App Store gets a new web interface techcrunch.com/2025/11/03/a...
And they promptly misconfigured it so people could download the source and leak it to GitHub:
github.com/rxliuli/apps...
Apple's App Store gets a new web interface | TechCrunch
Before this update, users could see individual pages for apps on the web, but there was no way to browse within the App Store.
techcrunch.com
November 5, 2025 at 10:59 AM
I had a bookmarklet that would click all "load diff" buttons on a @github.com PR view and now the load diff button no longer has a single attribute that can be used to tell it's that button 😭
November 4, 2025 at 8:59 AM
Reposted by naugtur
The full CBS interview with Trump about the pardon of Binance's Changpeng Zhao is shocking. "Why did you pardon him?" "I have no idea who he is. I was told that he was a victim ... They sent him to jail and they really set him up. That's my opinion. I was told about it."
November 3, 2025 at 7:10 PM
Reposted by naugtur
🚨 The new Glassworm malware uses invisible Unicode characters to hide in source code. 35,800+ victims.

Protect your codebase:

```bash
npx anti-trojan-source --files='**/*.js'
```

Here's a full guide: snyk.io/articles/def...
Defending Against Glassworm: The Invisible Malware That's Rewriting Supply Chain Security | Snyk
Defend against Glassworm, the invisible malware rewriting supply chain security. Learn how anti-trojan-source detects and prevents these Unicode attacks, protecting your VS Code extensions and credent...
snyk.io
November 3, 2025 at 5:57 PM
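The post above recommends a scanner but does not show what such a scanner looks for. The block below is an added example, not code from the anti-trojan-source package, the Snyk article, or naugtur: it walks a JavaScript source text code point by code point and reports characters that render as nothing or that reorder displayed text (Unicode "Format" characters such as the bidi overrides and isolates, zero-width joiners, Hangul fillers and variation selectors), which is the class of trick the post refers to. The sample inputs are constructed for the example; the first one reproduces the bidi-override "early return" pattern described in the Trojan Source paper, where an editor shows `// Check if admin` as a comment but the engine sees it inside the string literal. Whether any given real campaign uses exactly these code points is not claimed here.

```javascript
'use strict';

// Names for the code points most often abused. Anything else in the Unicode
// "Format" (Cf) category, or in the variation-selector ranges, is still
// reported, under a generic name.
const NAMED = new Map([
  [0x00ad, 'SOFT HYPHEN'],
  [0x115f, 'HANGUL CHOSEONG FILLER'],
  [0x1160, 'HANGUL JUNGSEONG FILLER'],
  [0x200b, 'ZERO WIDTH SPACE'],
  [0x200c, 'ZERO WIDTH NON-JOINER'],
  [0x200d, 'ZERO WIDTH JOINER'],
  [0x200e, 'LEFT-TO-RIGHT MARK'],
  [0x200f, 'RIGHT-TO-LEFT MARK'],
  [0x202a, 'LEFT-TO-RIGHT EMBEDDING'],
  [0x202b, 'RIGHT-TO-LEFT EMBEDDING'],
  [0x202c, 'POP DIRECTIONAL FORMATTING'],
  [0x202d, 'LEFT-TO-RIGHT OVERRIDE'],
  [0x202e, 'RIGHT-TO-LEFT OVERRIDE'],
  [0x2060, 'WORD JOINER'],
  [0x2066, 'LEFT-TO-RIGHT ISOLATE'],
  [0x2067, 'RIGHT-TO-LEFT ISOLATE'],
  [0x2068, 'FIRST STRONG ISOLATE'],
  [0x2069, 'POP DIRECTIONAL ISOLATE'],
  [0x3164, 'HANGUL FILLER'],
  [0xfeff, 'ZERO WIDTH NO-BREAK SPACE (BOM)'],
  [0xffa0, 'HALFWIDTH HANGUL FILLER'],
]);

const FORMAT_CHAR = /\p{Cf}/u; // Unicode general category "Format"

function isVariationSelector(cp) {
  return (cp >= 0xfe00 && cp <= 0xfe0f) || (cp >= 0xe0100 && cp <= 0xe01ef);
}

// True for code points that are invisible or reorder text in an editor and
// have no business in JavaScript source outside of deliberate data literals.
function isSuspect(cp) {
  return NAMED.has(cp) || isVariationSelector(cp) || FORMAT_CHAR.test(String.fromCodePoint(cp));
}

function nameOf(cp) {
  if (NAMED.has(cp)) return NAMED.get(cp);
  if (isVariationSelector(cp)) return 'VARIATION SELECTOR';
  return 'OTHER FORMAT CHARACTER (Cf)';
}

// Scan one source text. Returns one finding per suspect code point with a
// 1-based line and column; columns count code points, not UTF-16 units, so a
// finding lines up with what an editor shows. A byte-order mark as the very
// first character is tolerated because editors emit it routinely and it
// cannot hide anything there.
function scanSource(text) {
  const findings = [];
  let line = 1;
  let col = 1;
  let index = 0;
  for (const ch of text) {
    const cp = ch.codePointAt(0);
    if (cp === 0x0a) { line += 1; col = 1; index += 1; continue; }
    const leadingBom = cp === 0xfeff && index === 0;
    if (!leadingBom && isSuspect(cp)) {
      findings.push({ line, col, codePoint: cp, name: nameOf(cp) });
    }
    col += 1;
    index += 1;
  }
  return findings;
}

// Render a finding the way a linter would: "line:col U+XXXX NAME".
function formatFinding(f) {
  const hex = f.codePoint.toString(16).toUpperCase().padStart(4, '0');
  return `${f.line}:${f.col} U+${hex} ${f.name}`;
}

// Constructed sample (not a real package): the Trojan Source early-return
// trick. The RLO and isolates make the comment appear outside the string.
const TROJAN_SAMPLE =
  'function check(accessLevel) {\n' +
  '  if (accessLevel != "user\u202E \u2066// Check if admin\u2069 \u2066") {\n' +
  '    return;\n' +
  '  }\n' +
  '}\n';

// Constructed sample: a Hangul filler splitting what looks like one token.
const FILLER_SAMPLE = 'const\u3164hidden = 1;\n';

// Constructed sample: ordinary non-ASCII text plus a leading BOM; must be clean.
const CLEAN_SAMPLE = '\uFEFFconst greeting = "h\u00E9llo, w\u00F6rld"; // r\u00E9sum\u00E9\n';

for (const [label, text] of [['trojan', TROJAN_SAMPLE], ['filler', FILLER_SAMPLE], ['clean', CLEAN_SAMPLE]]) {
  const hits = scanSource(text);
  console.log(`${label}: ${hits.length} finding(s)`);
  for (const f of hits) console.log('  ' + formatFinding(f));
}
```

Wiring this to a directory is a `fs.readFileSync` over your file list away. The important design choice is to flag categories (Cf, variation selectors, fillers) rather than a fixed denylist of code points, so a new variant that picks a different invisible character still trips the check; the price is that legitimate soft hyphens or zero-width joiners in string data need an explicit allowlist rather than being waved through silently.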
Reposted by naugtur
An under-discussed topic: how the hottest software engineering job of the early 2010s is seeing a steady but ongoing decline the last few years.

I'm talking about the native iOS and Android positions. Outside of Big Tech, few startups/scaleups hire for this. Since ~2022?
November 3, 2025 at 3:29 PM
Reposted by naugtur
Top neglected topics in software rn

Security
Ethics

November 1, 2025 at 2:31 PM
Reposted by naugtur
Did not see this coming: #Canva made #Affinity free and is investing to revamp it.

Smart growth move and a win for creators... pro-grade tools for free.

First look: www.youtube.com/watch?v=CzPz...

#Design #AffinitySuite
Meet the new Affinity
YouTube video by Canva
www.youtube.com
November 1, 2025 at 11:20 AM
Reposted by naugtur
We survived the removal of Flash, how bad can the removal of XSLT be?
November 1, 2025 at 11:32 AM
Reposted by naugtur
October 31, 2025 at 10:59 PM
Reposted by naugtur
I don't agree with all the points being made here, but this opening sentence really hits home. 👇

blog.pabloecortez.com/its-insultin...
October 31, 2025 at 1:03 PM
Reposted by naugtur
From this day in 2016.
#Halloween
October 31, 2025 at 8:01 AM