naugtur
@naugtur.pl
Working on supply chain security for JS. LavaMoat and Endo contributor. meet.js Poland organizer. Node.js user since v0.8.
Addicted to teaching.

https://naugtur.pl
Pinned
naugtur @naugtur.pl · Jan 29
A Phish on a Fork, no Chips.

One more thing to beware in the world of software supply chain risks.

Read if you care about your GitHub actions or dependencies.

Or read it for the fish puns. 🫣

dev.to/naugtur/a-ph...
A Phish on a Fork, no Chips
So you were told that this is the safest way to install a package from github with npm: "test262":...
dev.to
@profanity.accountant I'm expecting a score of 1
November 30, 2025 at 10:02 PM
Reposted by naugtur
The amount of time saved by using Typescript and the amount of time spent getting Typescript to compile is EXACTLY the same.
November 29, 2025 at 10:40 PM
Reposted by naugtur
And it's up! All together now...

🎶 Somebody told me
the user provider
should use an adaptor
to proxy the query
factory builder... 🎶

www.youtube.com/watch?v=p03o...
November 28, 2025 at 3:15 PM
Reposted by naugtur
oh my god it's incredible
November 28, 2025 at 10:09 PM
That headline is 100% written by a human!
What a great headline
November 28, 2025 at 9:50 PM
Reposted by naugtur
That's cool!
November 28, 2025 at 12:22 PM
Reposted by naugtur
The Second Wave of Shai Hulud Supply Chain Attack is a dress up party for selling useless SAST software.
November 28, 2025 at 8:46 AM
Reposted by naugtur
I know most of the focus is on RFK Jr.'s weird horny texts, but the news that he used to spam Bill Nye with anti-vax weirdness and Bill was like, "Dude, you're confusing correlation for causation" is the only RFK text-message news I will ever need.
November 27, 2025 at 1:15 AM
Reposted by naugtur
An indirect prompt injection in an implementation blog can manipulate Antigravity to invoke a malicious browser subagent in order to steal credentials and sensitive code from a user’s IDE. www.promptarmor.com/resources/go...
Google Antigravity Exfiltrates Data
www.promptarmor.com
November 27, 2025 at 11:27 AM
Reposted by naugtur
The war will end when Russia stops fighting. Therefore, pressure has to be put on Russia, so that they stop believing that they will win. Why is that so hard to understand?
November 27, 2025 at 1:49 AM
Reposted by naugtur
Good morning to Brazilian reporter Manuela Borges, who’s been waiting eleven years for this petty moment. ❤️ 🇧🇷
November 26, 2025 at 1:04 PM
Reposted by naugtur
Another week, another CI compromise leading to malware. This time it might even delete your home directory if it can't find any secrets to steal.

What was that again about trusted publishing? You need to trust your CI for its threat model to apply? Guess maybe that's a bad place to put our trust.
November 24, 2025 at 6:06 PM
Reposted by naugtur
😂 it's funny 'cause it's true
November 26, 2025 at 6:56 PM
Reposted by naugtur
this is pretty solid spiritual advice tbh

“Be prudent, be wise, be careful that your use of AI does not limit your true human growth. Use it in such a way that if it disappeared tomorrow, you would still know how to think, how to create, how to act on your own, how to form authentic friendships.”
Pope Leo XIV told students not to use artificial intelligence for homework, saying that AI ‘won’t stand in authentic wonder before the beauty of God’s creation.’
Even God Is Worried About ChatGPT
www.vulture.com
November 26, 2025 at 4:45 PM
Reposted by naugtur
This stuff is getting more important every day...
Along with everything else, let's get all secrets out of plaintext!
November 25, 2025 at 5:41 PM
Reposted by naugtur
your brain on corporate law
Additionally, OpenAI argues it's not liable because Raine, by using ChatGPT for self-harm, broke its terms of service
November 26, 2025 at 9:14 AM
It's not code beautifiers, it's people working in those orgs who exposed that data.

Is it worse than using packages from jsdelivr on your login page directly?

Is it worse than not disabling postinstall scripts and installing random packages?

The stakes are high and the fruit are hanging low.
November 26, 2025 at 10:31 AM
I just got explanations of the jokes in the "Rubber Biscuit" old blues tune from an LLM and I wish they were hallucinations.
November 26, 2025 at 9:58 AM
Reposted by naugtur
Look, Nvidia thought it was a gaming company and OpenAI thought it was a charity so if you're expecting either of those companies to have some master plan to avoid the bubble popping you need to look elsewhere.
November 26, 2025 at 2:19 AM
Reposted by naugtur
I am looking for anecdotes from anyone/a company who may have benefitted from support landing for Ed25519 in Chrome in August of this year, resulting in the feature having cross-browser support for Chrome/Safari/Firefox.
November 18, 2025 at 4:07 PM
Reposted by naugtur
TIL People are afraid of GOTOs because of a 1968 paper with no research attached to it.

www.cs.utexas.edu/~EWD/ewd02xx...
November 25, 2025 at 11:44 AM
Reposted by naugtur
TIL that

`${date.getUTCFullYear()}-${`${date.getUTCMonth() + 1}`.padStart(2, "0")}-${`${date.getUTCDate()}`.padStart(2, "0")}`

is 40*-150** times faster than

date.toISOString().slice(0, 10)

* - Chrome
** - Safari
November 25, 2025 at 8:43 AM