@AikidoSecurity Heh, well, this is a nice bit of justification that I was right to be worried when a Rust WASM binary showed up in Cloudflare's wrangler last week. Luckily, that turned out to be legitimate, though!
Grateful to the folks at Cloudflare who’ve been working to reduce this risk the last few days.
- Package moved to the Astro org, no single-author control
- Binary replaced with lightweight native TS version
- Bundled into the wrangler build to avoid the install-time dependency
👀 Cloudflare's wrangler CLI (~20m installs/week) has a new dependency... a ~600kb WASM binary used by no other package on npm: `rosie-skills`. I've been told that it is a legitimate package published by an employee, but it really looks like the start of a supply chain attack...
@ryanmr @HenkPoley Matthew is one of Astro's founders, I believe? But either way, at least it is in an org now where multiple folks have control instead of a single person. And yeh, agree, don't understand why this needs to be installed every time rather than being optional for just that feature.
@sdrth @Cloudflare Or pin the version they install (which I’ve been told they’re now going to do), or make the dependency entirely optional because does everyone really need a large binary to manage agent skills when they’re using wrangler to deploy stuff?
@tomaszs2 Not great. We were ignored on Discord the day before when raising concerns. So, filed the issue and tweeted the next day. Was surprised to see them dismiss the concerns in the issue and immediately lock it. Had to reach out on Discord again where they finally realised the risk.
@leilavclark Good news is that Cloudflare confirmed it is https://t.co/Wu5NBRuvM3, and the binary is legit. Haven’t yet got clarification on why a large binary to manage agent skills is required for every install of wrangler though.
@martindonadieu @paxaral Who the author is doesn’t really change the risk, any employee with sole access to a package that ships a compiled binary could go rogue if they wanted to ship an update with malicious code hidden in it. Luckily, they’ve now moved the package into the Astro org to prevent that.
@yuvadm @aethernet_port @BenjaminEHowe They confirmed that it is https://t.co/Wu5NBRuvM3, something for managing agent skills, but they have not explained why it is a required dependency for every wrangler install.
@aethernet_port @BenjaminEHowe > they unlocked it when I replied
The issue has been locked since I posted it, and they initially replied. They haven't unlocked it (hence I had to contact them via Discord for further discussion).
@alkimiadev @ryanmr Agree with your thinking on this. I have asked if this dependency actually needs to be a required dependency -- I can't see why everyone using wrangler to deploy their stuff needs to manage agent skills -- or whether this can be an optional dependency for just that feature.
@aethernet_port @BenjaminEHowe I wouldn't say they were unfriendly, but they were rather dismissive and immediately locked the issue. I had to then reach out to them via Discord to explain the issue further before they understood and acknowledged how this could become a supply chain attack.
@dok2001 @loadingalias @danielhayesmith Thank you! Hopefully it can be made an optional dependency as well, I can’t imagine most folks using wrangler to deploy things need a tool for managing agent skills.
@loadingalias @danielhayesmith @dok2001 The update I got on Discord is that they’re planning to pin it, but I haven’t heard concrete plans beyond that yet, though from the GitHub issue it sounds like they’re exploring reducing the size by replacing the WASM binary with a JS implementation, so we’ll see.
@danielhayesmith @dok2001 Cloudflare have confirmed in the GitHub issue that it is a legitimate dependency. However, not sure they’ve fully understood the risk is still there as this employee could later use this as a backdoor by publishing a new version, say if they were to be laid off…
@ryanmr Yeh, it is indeed a WASM version of that embedded into wrangler. Even knowing the author, still seems like such a risk to rely on a large binary shipped by a single employee. If they get laid off and aren’t happy, they have a direct backdoor into every wrangler install…