Joachim Viide
@jviide.iki.fi
250 followers 26 following 81 posts
https://jviide.iki.fi • A cruel and incompetent charlatan.
jviide.iki.fi
Also doubles as a visualization of how Preact Signals work!
carlquintanilla.bsky.social
NVIDIA and OpenAi:

Concerns that their “increasingly complex and interconnected web of business transactions is artificially propping up the trillion-dollar AI boom.”

@bloomberg.com $NVDA 👀
www.bloomberg.com/news/feature...
Reposted by Joachim Viide
filippo.abyssdomain.expert
I am doing a survey of supply chain attacks, and it's annoying how 95% of the analysis is on payloads vs. compromise vectors.

Yes, you are a very smart reverser and that's a very clever payload. Yes, rolling out phishing-resistant auth is a slog. No, this is not how we make progress.

</rant>
jviide.iki.fi
"Nobody saw this coming," said the person who actively refused to see it coming.
jviide.iki.fi
...or set up Trusted Publishing and delete all your NPM tokens 🙂

bsky.app/profile/sxzz...
sxzz.dev
Kevin Deng @sxzz.dev · Aug 15
We encourage everyone to migrate from using npm publish tokens to trusted publisher!

github.com/e18e/ecosyst...
jviide.iki.fi
Pay special attention to "Automation" and "Publish" token types, as they aren't scoped and allow writes. They also never expire.

"Granular" ones are trickier. They MAY be read-only or tightly scoped. It's hard to tell, as the token page doesn't show this info. Their lifetimes can also be very long.
The npmjs.com Access Token page showing one granular token that expires in the year 123456.
jviide.iki.fi
This was a very good read. It's also a good reminder to check our own NPM access token pages and maybe delete old lingering tokens.
The npmjs.com Access Token page. The user dropdown menu is open, with the "Access Tokens" link highlighted.
jviide.iki.fi
The year is 2225. Third Quarter of the Fiscal.

Once more, Coders assemble to present The NPM with their finest work. They celebrate as The NPM flags it all as malware.

No one knows who built The NPM, or why the Takedowning must be observed.

Yet all agree: to neglect it would invite disaster.
jviide.iki.fi
pnpm v10.16.0 adds "minimumReleaseAge", a setting for defining how long a version has to have been published before pnpm will install it.

A nice countermeasure against accidental installs of short-lived compromised packages before they get taken down. Not a 100% fix, but a great additional step!
Release pnpm 10.16 · pnpm/pnpm
Minor Changes There have been several incidents recently where popular packages were successfully attacked. To reduce the risk of installing a compromised version, we are introducing a new settin...
github.com
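As an added illustration of what a minimum-release-age rule does (this is not pnpm's code, only a small model of the idea), the script below takes an npm-style packument with its "time" map, discards every version published less than N minutes before "now", and resolves to the newest remaining version. The registry document and timestamps are constructed for the example; the 1440-minute (24 h) value and the pnpm setting name come from the post above, while the exact config-file placement in pnpm is an assumption to check against the release notes.

```python
from datetime import datetime, timedelta, timezone

# Constructed packument fragment in the shape npm's registry returns:
# the "time" map holds one ISO-8601 publish timestamp per version.
PACKUMENT = {
    "name": "example-pkg",
    "time": {
        "created": "2025-08-10T09:00:00.000Z",
        "modified": "2025-09-12T11:40:00.000Z",
        "1.2.0": "2025-08-10T09:00:00.000Z",   # a month old
        "1.2.1": "2025-09-10T08:30:00.000Z",   # about two days old
        "1.2.2": "2025-09-12T11:40:00.000Z",   # published 20 minutes ago
    },
}

# Fixed "now" so the example is deterministic.
NOW = datetime(2025, 9, 12, 12, 0, 0, tzinfo=timezone.utc)


def parse_npm_time(value: str) -> datetime:
    """Parse the registry's millisecond-precision UTC timestamps."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def version_key(version: str) -> tuple:
    """Numeric sort key for plain MAJOR.MINOR.PATCH versions (no prerelease tags)."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(packument: dict, min_age_minutes: int, now: datetime) -> list:
    """Versions that have been public for at least min_age_minutes, oldest first."""
    cutoff = now - timedelta(minutes=min_age_minutes)
    eligible = []
    for version, published in packument["time"].items():
        if version in ("created", "modified"):   # metadata keys, not versions
            continue
        if parse_npm_time(published) <= cutoff:
            eligible.append(version)
    return sorted(eligible, key=version_key)


def resolve_latest(packument: dict, min_age_minutes: int, now: datetime = NOW):
    """Newest version that satisfies the age rule, or None if nothing is old enough."""
    eligible = eligible_versions(packument, min_age_minutes, now)
    return eligible[-1] if eligible else None


if __name__ == "__main__":
    # With a 24 h minimum age the 20-minute-old 1.2.2 is skipped in favour of 1.2.1.
    print(resolve_latest(PACKUMENT, 1440))
    print(resolve_latest(PACKUMENT, 0))
```

A short-lived malicious version that gets taken down within the waiting period is never selected, which is exactly the window the post describes. The trade-off is that a legitimate security fix also waits the same N minutes, so the age is a policy choice per project.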
Reposted by Joachim Viide
pixelatedboat.bsky.social
Thank god AI has finally solved the problem of there not being enough podcasts
jviide.iki.fi
FWIW, reported this to them via HackerOne yesterday. Got a prompt response back that this is a known low risk issue and that they don't consider this to present a significant security risk.
jviide.iki.fi
Seems that NPM too allows TOTP reuse within the time-step window. Seen a similar issue in multiple services over the years.

Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
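To make the "single-use" point concrete, here is an added example (mine, not code from any of the services mentioned) of an RFC 6238 verifier that remembers the highest time-step counter it has already accepted and refuses any code at or below it, so a code captured by shoulder surfing cannot be replayed inside the same 30-second step. The secret is the RFC 6238 test-vector key; the skew window size and the per-user storage of the counter are design assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), used here
# only so the example has a known-good vector: counter 1 -> "287082".
SECRET = b"12345678901234567890"


def totp_code(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226) with HMAC-SHA1 over the time-step counter, i.e. TOTP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** DIGITS:0{DIGITS}d}"


class TotpVerifier:
    """Verifier that accepts each time-step counter at most once."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # accepted clock skew in steps, each direction
        self.last_counter = -1        # highest counter already consumed (persist per user)

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // STEP_SECONDS)
        for skew in range(-self.window, self.window + 1):
            candidate = counter + skew
            if candidate <= self.last_counter:
                continue              # already used: this is the replay check
            if hmac.compare_digest(totp_code(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(SECRET)
    code = totp_code(SECRET, 1)              # the code valid during step 1 (t = 30..59)
    print(verifier.verify(code, 59.0))       # True: first use
    print(verifier.verify(code, 45.0))       # False: same step, already consumed
    print(verifier.verify(totp_code(SECRET, 2), 75.0))   # True: next step, fresh code
```

Storing only the last accepted counter is enough for replay protection; it also means a code from an earlier step is rejected once a later one has been used, which is the behaviour RFC 6238 section 5.2 asks for.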
jviide.iki.fi
NPM supports switching from Authenticator App (TOTP) based 2FA to more phishing resistant WebAuthn based 2FA.

Adding a WebAuthn security key and disabling the Authenticator App is a pretty quick process.

For example Apple Touch ID & Windows Hello work! Physical keys work too, but aren't required.
jviide.iki.fi
Malicious versions of the nx package + some packages under the @nx/* scope were published to npm.

The compromised versions scan the file system, search for credentials, and post them publicly to GitHub.

www.aikido.dev/blog/popular...
Popular nx packages compromised on npm
The popular nx package on npm was compromised, and stolen data was published on GitHub publicly
www.aikido.dev
jviide.iki.fi
Every line of code is a liability, and now with the power of AI, I can create 8000 new liabilities per day!
jviide.iki.fi
1. make it work
2. [object Object]
3. make it fas
jviide.iki.fi
Update one @types/* package, introduce 80 new indirect dependencies + 16 new maintainers into our supply chain.
The "Tonnin Seteli" meme. A man staring into the void with a blank expression.
Reposted by Joachim Viide
filippo.abyssdomain.expert
I edited my Cross-Site Request Forgery countermeasures research into a stand-alone article, including recommendations reusable by other projects.

tl;dr: no need for tokens or keys, modern browsers tell you if a request is cross-origin!

words.filippo.io/csrf
Cross-Site Request Forgery
Cross-Site Request Forgery countermeasures can be greatly simplified using request metadata provided by modern browsers.
words.filippo.io
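As an added example of the "let the browser tell you" approach (my own rendering of the idea, not Filippo's code or any framework's API), the function below classifies a request using the Sec-Fetch-Site header and falls back to comparing Origin against the server's Host when that header is absent; requests carrying neither were not sent by a modern browser and cannot be forged through a victim's cookies. The sample requests are constructed, and treating only same-origin and "none" (user-typed navigations) as trusted is the policy choice being demonstrated.

```python
from urllib.parse import urlparse

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must not change state, so they are exempt


def is_cross_origin(method: str, headers: dict, host: str) -> bool:
    """True when a state-changing request should be rejected as cross-origin."""
    if method.upper() in SAFE_METHODS:
        return False
    lowered = {name.lower(): value for name, value in headers.items()}

    # Modern browsers set Sec-Fetch-Site on every request; it cannot be forged by a page.
    site = lowered.get("sec-fetch-site")
    if site is not None:
        return site not in ("same-origin", "none")

    # Older browsers: Origin is sent on POST and friends; compare its host to ours.
    origin = lowered.get("origin")
    if origin is None:
        return False   # no browser metadata at all: not a browser-initiated cross-site request
    return urlparse(origin).netloc.lower() != host.lower()


# Constructed requests for the example.
SAMPLES = [
    ("POST", {"Sec-Fetch-Site": "same-origin"}, "app.example"),
    ("POST", {"Sec-Fetch-Site": "cross-site"}, "app.example"),
    ("POST", {"Sec-Fetch-Site": "same-site"}, "app.example"),      # other subdomain: reject
    ("POST", {"Origin": "https://app.example"}, "app.example"),
    ("POST", {"Origin": "https://other.example"}, "app.example"),
    ("POST", {"Origin": "null"}, "app.example"),                    # opaque origin: reject
    ("GET", {"Sec-Fetch-Site": "cross-site"}, "app.example"),       # safe method: allow
    ("POST", {}, "app.example"),                                    # curl-style client
]


def classify_samples() -> list:
    """Label each constructed request as 'allow' or 'reject'."""
    return ["reject" if is_cross_origin(*sample) else "allow" for sample in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, classify_samples()):
        print(verdict, sample)
```

Note that the Host comparison only matters on the fallback path; on current browsers the Sec-Fetch-Site branch decides, which is why no per-session token is needed.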
Reposted by Joachim Viide
pierremortel.bsky.social
How to prevent a bunch of bullshit
Reposted by Joachim Viide
aplante.com
tell me about it, tiny aloe plant on the counter at the cafe near my house
a tiny aloe plant with a post it note that says LEAVE ME ALONE! TRYING TO LIVE >:(