🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.
The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.
Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
@rauchg Handling loads of customer tracking / analytics scripts; especially heavy-handed stuff like hotjar
Since most ecom parts of the biz will ask for those to be added
I spent the last 2 weeks using and learning everything I could about @coollabsio 's Coolify, a self-hosted PaaS being built in public by @heyandras
I documented everything in my latest video in the Self Host 101 series over on @syntaxfm
Watch: https://t.co/rYd01qgaii
@kevinpaxton82 MSW handles GQL quite well - good shout. Their upcoming API change makes composition a little neater too https://t.co/BLHfdY1rit
Parrot is pretty decent too if you need a standalone server rather than in-process - https://t.co/3IoYbp5oAR
@jecfish @addyosmani @ChromeDevTools Any restrictions on where this feature is available (e.g. localhost only)? Thinking quite a few client-side apps will need to accommodate more users being in unexpected states if not
@hostedby20i @dibiconf For pure usability Excalidraw is top of the list for me. Open-source, local data storage and powerful export options. https://t.co/2ApckbHPMQ