Scott Cooper
scooper.bsky.social
San Francisco, typescript, xmplaylist.com
Doing frontend stuff at @sentry.io
Would've rather seen bun fix their shit tbh
October 28, 2025 at 4:23 PM
@pi0.io thanks for releasing 1.5. Excited for 2.0. Donated!
October 28, 2025 at 4:21 PM
I won’t go back. I won’t use generators like effectjs wants either. Next we’ll reinvent zone.js
October 14, 2025 at 7:32 PM
Would love to somehow say my package will never have a postinstall script
October 8, 2025 at 1:38 AM
I live in constant fear
October 6, 2025 at 4:14 PM
dm's are open i think
September 23, 2025 at 12:53 AM
A lot of the related security blogs recommended switching to pnpm to avoid running unapproved postinstall scripts.

Mostly mention it because that is already what I am doing.
September 17, 2025 at 4:16 PM
they force pushed a branch directly because they were a repo admin. Not a pr.
September 17, 2025 at 3:48 AM
no in this case it was a "shai-hulud" branch pushed to a shared repo where multiple people have admin access.

This shai-hulud branch contains a github action that runs on push.
This shared repo had my npm token as a secret for github action publishing.
September 17, 2025 at 12:16 AM
i believe i figured it out. A project i collaborated on got a "bad" github branch by a collaborator. This project had an npm token of mine.
September 16, 2025 at 8:25 PM
bsky.app/profile/scoo... not 100% certain, but not seeing the bad branches on my own repos
September 16, 2025 at 7:21 AM
i believe i figured it out. A project i collaborated on got a "bad" github branch by a collaborator. This project had an npm token of mine.
September 16, 2025 at 6:35 AM
no not for certain yet, currently it seems like a publish token was public or leaked

Not seeing the weird github branch names or repos from some of the newer hacks
September 16, 2025 at 5:14 AM