Matteo Collina
@nodeland.dev
4.1K followers 350 following 970 posts
Platformatic.dev Co-Founder & CTO, Node.js TSC member, Lead maintainer Fastify, Board OpenJS, Conference Speaker, Ph.D. Views are my own.
Pinned
nodeland.dev
Node.js doesn't have a predictive way to manage traffic spikes, so over-provisioning for peak loads isn't optimized for the stable periods that follow.

We've all faced this issue.

This is why Platformatic is simplifying multithreading in our Node.js app server. 🧵

https://buff.ly/48yJoHD
Addressing Overprovisioning & Performance Issues in Node.js via Multiple Workers
We know scaling Node.js efficiently can be challenging—especially with the infrastructure costs that come from handling unpredictable traffic spikes. With Pl...
youtu.be
Reposted by Matteo Collina
feross.bsky.social
🚨 Another major npm supply-chain attack just hit — and it’s a wake-up call for anyone building on open source.

I join @nodeland.dev — creator of Fastify, Node.js core maintainer, and an open-source legend — and Luca Maraschi to break down how attackers are infiltrating npm.
Inside the Latest npm Attack (with Feross Aboukhadijeh)
YouTube video by Platformatic
youtube.com
nodeland.dev
Go build something incredible. Mix PyTorch with Next.js. Run Django inside Fastify. The barriers are gone. If you have any questions, join our community on discord: discord.com/invite/platf...
Join the Platformatic Discord Server!
Check out the Platformatic community on Discord - hang out with 948 other members and enjoy free voice and text chat.
discord.com
nodeland.dev
🚀 What's next:

- WebSocket support coming
- Deeper streaming capabilities
- Enhanced observability between runtimes
- Even more performance optimizations

This is just v1. The future is polyglot applications running at native speed.
nodeland.dev
🛠️ The secret sauce:

- Rust-powered http-handler crate for zero-copy bridging
- WebAssembly-based binary patcher for Python library loading
- Thread pool management for Python workers
- Full ASGI protocol support

This isn't a hack. It's production-ready engineering.
nodeland.dev
🔥 Or use Watt for the full experience:

npx wattpm@latest create --module=@platformatic/python

This gives you routing, config management, hot reload, and everything else Platformatic offers - now with Python superpowers.
nodeland.dev
💻 Getting started is simple. Drop your Python app in your public docroot and then:
nodeland.dev
🎯 Use cases that are now possible:

- Real-time fraud detection with PyTorch models
- AI chatbots with truly instant responses
- Image processing without API calls
- Pandas data analysis in your Next.js app
- LangChain + Node.js in one process

The latency barrier is gone.
nodeland.dev
⚡ Real benchmarks:

- 5,200 req/sec with @platformatic/python
- Beats fastapi run, daphne, and hypercorn
- Sub-2ms latency
- Zero network overhead

Your ML inference just got 10x faster. Your data pipeline? Same story.
nodeland.dev
🏗️ How it works:

- Embedded Python interpreter runs in your Node process
- Rust bridge handles the translation (zero network overhead!)
- Direct memory sharing between JavaScript and Python threads
- Your FastAPI/Django app runs unchanged

No sockets. No serialization. Just speed.
nodeland.dev
❓ "Wait, Python... inside Node.js? Why?"

Here's the thing: Every time your Node.js frontend calls your Python ML service, you're paying the network tax.

What if that call took microseconds instead of milliseconds? What if it couldn't fail due to network issues?
nodeland.dev
Your npm dependencies are only as secure as your weakest link.

Don't wait for the next attack to hit your production systems.
🗓️ Join us October 8th for this critical conversation with @feross

Register now: streamyard.com/watch/Wwawp4...

RT to help secure the ecosystem 🔄
nodeland.dev
The conversation will also cover:

🤝 How enterprises & OSS maintainers can work together
📊 Real data on npm attack trends
🔮 What's coming next in supply chain attacks
💡 Innovative defenses being developed right now
nodeland.dev
For open source maintainers watching: You're on the front lines of this battle.

We'll discuss:
- How to spot suspicious contributions
- Tools to automate security checks
- Building a security-first culture in your project
- Getting support without burning out
nodeland.dev
But here's what you'll learn to do:

✅ Audit your dependency update process
✅ Implement runtime protection (not just static analysis)
✅ Set up proper supply chain monitoring
✅ Create an incident response plan BEFORE you need it

@feross will share his exact playbook.
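The checklist above names the practices the episode covers (audit the update process, monitor the supply chain) without showing one. As an added example, not code from Platformatic, Socket or the speakers, here is a small lockfile audit a reviewer can run over a package-lock.json (lockfile v2/v3 layout) before merging a dependency update: it flags packages resolved from outside the registry, entries with no integrity hash, and packages that run an install script, and it can restrict the report to what the update actually touched. The two lockfiles, the package names and the integrity strings are constructed placeholders, and the trusted-host list is an assumption (a private mirror would be added to it).

```javascript
// Added example: audit a package-lock.json for supply-chain review signals.
// Not Platformatic or Socket code; the lockfiles below are constructed.

// Assumption: only the public registry is trusted. Add your mirror here.
const TRUSTED_HOSTS = new Set(["registry.npmjs.org"]);

// Derive the package name from a lockfile path such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Walk every installed package and report the three signals that matter most:
//  untrusted-source  resolved from somewhere other than a trusted registry host
//  missing-integrity no hash pins the tarball bytes that npm will install
//  install-script    the package runs code at install time (common malware foothold)
function auditLockfile(lock, trustedHosts = TRUSTED_HOSTS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "" || entry.link) continue; // root project or workspace symlink
    const base = { path, name: entry.name ?? nameFromPath(path), version: entry.version };
    let host = null;
    if (entry.resolved) {
      try { host = new URL(entry.resolved).hostname; } catch { host = null; }
    }
    if (!host || !trustedHosts.has(host)) {
      findings.push({ ...base, issue: "untrusted-source", detail: entry.resolved ?? "(no resolved URL)" });
    }
    if (!entry.integrity) findings.push({ ...base, issue: "missing-integrity" });
    if (entry.hasInstallScript) findings.push({ ...base, issue: "install-script" });
  }
  return findings;
}

// Compare two lockfiles: which install paths appeared, vanished, or changed
// version or source. A changed "resolved" with the same version is itself a signal.
function diffLockfiles(before, after) {
  const a = before.packages ?? {};
  const b = after.packages ?? {};
  const out = { added: [], removed: [], changed: [] };
  for (const path of Object.keys(b)) {
    if (path === "") continue;
    if (!(path in a)) out.added.push(path);
    else if (a[path].version !== b[path].version || a[path].resolved !== b[path].resolved) {
      out.changed.push({ path, from: a[path].version, to: b[path].version });
    }
  }
  for (const path of Object.keys(a)) {
    if (path !== "" && !(path in b)) out.removed.push(path);
  }
  return out;
}

// Review helper for a dependency update: only report findings on packages the
// update added or changed, so pre-existing noise does not bury the new risk.
function auditUpdate(before, after, trustedHosts = TRUSTED_HOSTS) {
  const diff = diffLockfiles(before, after);
  const touched = new Set([...diff.added, ...diff.changed.map((c) => c.path)]);
  const findings = auditLockfile(after, trustedHosts).filter((f) => touched.has(f.path));
  return { diff, findings };
}

// Constructed sample lockfiles (placeholder integrity values, fictional packages).
const PREVIOUS_LOCK = {
  name: "demo-app", lockfileVersion: 3, requires: true,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/fastify": { version: "5.2.0", resolved: "https://registry.npmjs.org/fastify/-/fastify-5.2.0.tgz", integrity: "sha512-PLACEHOLDER1" },
    "node_modules/left-util": { version: "2.1.0", resolved: "https://registry.npmjs.org/left-util/-/left-util-2.1.0.tgz", integrity: "sha512-PLACEHOLDER2" },
    "node_modules/shiny-colors": { version: "1.4.0", resolved: "https://registry.npmjs.org/shiny-colors/-/shiny-colors-1.4.0.tgz", integrity: "sha512-PLACEHOLDER3" },
    "node_modules/old-dep": { version: "0.9.0", resolved: "https://registry.npmjs.org/old-dep/-/old-dep-0.9.0.tgz", integrity: "sha512-PLACEHOLDER4" },
  },
};

const UPDATED_LOCK = {
  name: "demo-app", lockfileVersion: 3, requires: true,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/fastify": { version: "5.2.0", resolved: "https://registry.npmjs.org/fastify/-/fastify-5.2.0.tgz", integrity: "sha512-PLACEHOLDER1" },
    // same version, but now pulled from a git URL with no integrity hash
    "node_modules/left-util": { version: "2.1.0", resolved: "git+ssh://git@github.com/example/left-util.git#abc123" },
    // patch bump that quietly gained an install script
    "node_modules/shiny-colors": { version: "1.4.1", resolved: "https://registry.npmjs.org/shiny-colors/-/shiny-colors-1.4.1.tgz", integrity: "sha512-PLACEHOLDER5", hasInstallScript: true },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditUpdate(PREVIOUS_LOCK, UPDATED_LOCK), null, 2));
}
```

Run it on the two real lockfiles from a pull request (git show for the base revision, the working tree for the head) and treat any untrusted-source or missing-integrity finding as a blocker; an install-script finding is a prompt to read the package's scripts before approving, not an automatic rejection, since legitimate native modules use them too.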
nodeland.dev
The most chilling part?

Traditional security scanners often miss these attacks entirely.

They're looking for known vulnerabilities, not malicious code cleverly hidden in legitimate-looking packages.

@feross explains exactly why our current tools aren't enough.
nodeland.dev
In this episode, @feross will break down:

🔍 How attackers actually infiltrate npm packages
🎯 Why they targeted THIS specific package
💣 The ripple effects are hitting teams RIGHT NOW
🛡️ What made this attack particularly clever

The details will surprise you.
nodeland.dev
Here's the scary truth:

Your app might have hundreds or thousands of npm dependencies.

Each one is a potential attack vector.

And traditional security tools? They're playing catch-up in a game where attackers keep changing the rules.
nodeland.dev
🚨 The npm ecosystem just got hit with another major supply chain attack.

If your app uses npm packages (spoiler: it does), you must hear this.

We're sitting down with @feross from @SocketSecurity to dissect what happened and how to protect yourself.

Thread 👇
nodeland.dev
🤝 The Open Source Pledge = $2,000/year per developer to OSS maintainers.

For enterprises using open source, supporting these projects isn't optional—it's essential for mitigating risks and ensuring sustainability.

Join us → opensourcepledge.com
Open Source Pledge
Open Source software powers the world, but who supports the maintainers? We do.
opensourcepledge.com
nodeland.dev
💭 As maintainers, we understand the challenges of sustaining open source projects.

Our commitment isn't just about giving back—it's about ensuring the foundation we all build upon remains strong and vibrant.

The health of OSS directly impacts everyone building on Node.js.
nodeland.dev
👷 Our team doesn't just fund—we build:

I maintain Fastify & Undici (v7 just shipped!)
@p_insogna created @platformatic/kafka
@stephenbelanger developed php-node & react-pprof

We all contribute weekly to Node.js Core