Dev By RayRay -👨‍💻

⚠️ New "IronWorm" supply-chain attack: 30+ npm packages from @ asteroiddao shipped a malicious Rust binary firing on preinstall. It sweeps 86 env vars + 20 credential files (AWS, GCP, Vault, npm, plus AI keys like Anthropic & OpenAI), hits Exodus wallets, hides behind an eBPF rootkit, and beacons over Tor. Self-propagates via npm Trusted Publishing OIDC, with backdated commits faked as claude/dependabot/renovate.

⚠️ Multiple @ redhat-cloud-services npm packages were found carrying malicious payloads that fire via a preinstall hook on every npm install. All packages were published via GitHub Actions OIDC, indicating the CI/CD pipeline was compromised. The payload targets GitHub Actions secrets, AWS, GCP, Azure, Kubernetes, HashiCorp Vault, npm and CircleCI tokens. It reads /proc/mem to bypass log masking, self-propagates via harvested npm tokens bypassing 2FA, and persists on developer devices via Claude Code and VS Code injection.

🚨 NPM Malware-slop Alert!🚨 We detected and reported a malware-slop package to npm - the malware uses it's OWN PRIVATE GitHub token, which is EMBEDDED INSIDE the malware itself - to read sensitive information and upload it to the threat actor's GitHub repository. The malware is still live on npm - https://t.co/uH8mU1a4dw The threat actor's GitHub page was opened 5h ago - https://t.co/WhqZ6BaLRM Detailed report will be published tomorrow.

🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.​io. Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems. TrapDoor targets #crypto, #DeFi, AI, and security developers, stealing wallets, SSH keys, cloud credentials, GitHub tokens, browser data, env vars, and API keys. Socket detected releases with a median detection time of 5 minutes, 27 seconds. The fastest detection occurred 58 seconds after publication.

🚨 Ongoing supply chain attack on Composer packages! We just found multiple laravel-lang/* packages compromised on Packagist (lang, http-statuses, attributes). Payload runs at autoload time. At least 50 package versions were compromised. If you installed a compromised version, the malware already executed. Pin to a clean COMMIT (not version) and rotate secrets immediately. If your lockfile already had an older commit from before today, you are safe. But you should not update at the moment.

200 yıllık biyoloji kitabı bir hafta sonunda öldü. birisi oturmuş, hücreleri 3d gezdiğin bir app yapmış. video oyunu gibi. nöronu döndürüyorsun, aksonun içine giriyorsun, organeli tek tek ayıklıyorsun. > arayüz: gpt image 2 > kod: gemini 3.5 flash iki model. bir hafta sonu. matbaanın 1450'den beri yapamadığı şey. birkaç yıla okullarda standart bu olacak. bizimkiler hala "tablet mi defter mi" tartışıyor. oğlum çocuk hücreyi elinde çeviriyor artık. sen neredesin?

Fork your dependencies, trim them to only your use case, never update unless it breaks for your users. I’ve been vocal about this for 10+ years. I’ve always said that updating is way riskier than latent bugs (which can be tracked and CVEs monitored). If you are updating a dependency, it’s on you to analyze every single commit in the full transitive set of dependencies. If you dont see anything compelling, dont update! I remember at HashiCorp once in awhile an engineer would try to update a dep or replace a DIY lib with an external one and id always ask “show me the commit we need.” Dont update for the sake of it. Feeling pretty swell about this mentality with all the supply chain attacks happening.

Si estás usando npm install, estás en peligro. ¡Así de crudo te lo cuento para que reacciones! Ayer se comprometieron paquetes de TanStack en npm. De las bibliotecas más usadas en el mundo JavaScript. Y de ahí saltó a Mistral, OpenSearch, UiPath, PyPI... Porque muchos ataques no necesitan que importes nada. Basta con una instalación para infectarte. ¿Cómo? Colando scripts como preinstall o postinstall que se ejecutan durante la instalación. Lo importante es que tiene solución: ① Usa pnpm 11 Viene con defensas por defecto contra este tipo de ataques. ② Si sigues usando pnpm 10, npm, yarn o bun Activa minimumReleaseAge y ponle 1440. Evita instalar versiones publicadas el mismo día. ③ Bloquea scripts de instalación por defecto pnpm evita que cualquier dependencia ejecute código en tu máquina solo por instalarla. Por favor, comparte esto para que le llegue al máximo número de personas y paremos la cadena de ataques.

🚨 How the TanStack npm attack actually happened: 1. Attacker opened a normal-looking pull request (#7378) on the TanStack repo. 2. GitHub automatically ran CI tests on that PR. 3. Code inside the PR stole the workflow's GitHub Actions Cache write token during the test run. 4. The attacker used that token to plant poisoned files in the shared build cache. The PR could be closed afterwards. The poisoned cache stays. 5. The official release workflow later pulled from the cache, baked the malicious files into the build, and signed and published 84 malicious package versions to npm.