Aikido's malware feed is now built into Composer 2.10, the latest release of https://t.co/Q20jobCH09. 🐘 Malware will be blocked at install time automatically, keeping PHP developers safe.
Supply chain attacks on PHP packages are rising. Just weeks ago, attackers hijacked laravel-lang and intercom/intercom-php through stolen credentials to push malicious releases. The new update prevents users from installing malicious or compromised packages like these.
Make sure to update your Composer to get built-in supply chain security!
Attention Filament users: we’ve identified and resolved a few security vulnerabilities.
To address these vulnerabilities in your applications, please update to the following versions:
v3.3.52
v4.11.5
v5.6.5
After a very thorough 3-day full security sweep and hardening process, we'd like to issue an official all clear ✅ on TanStack repo and package security. Full details have been updated in our post-mortem and security followup blog (linked below).
TL;DR:
- Only the Router/Start repo was affected. 42 monorepo packages, 2 versions per package. These were promptly deprecated within the hour and removed by npm shortly after
- All other repos and packages were unaffected and remain secure including: Query, DB, Store, AI, Table, Form, HotKeys, Virtual, Pacer, Config, Devtools, CLI, Intent, etc.
- All available and published versions of every TanStack package are safe to download, including TanStack Router/Start.
https://t.co/KQSXhUM4XM
https://t.co/mtN9hF5Ioy
Just released the best websocket tester / playground 🤩
- 100% free, web-based
- Relay server lets you set custom HTTP headers
- Echo server built-in
- Save workspaces, custom messages, reconnect & heartbeat settings
Need to test websockets? Do it here: https://t.co/B0XsrYWleG
SECURITY ADVISORY — TanStack npm packages
A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile
Detection — the malicious manifest contains:
"optionalDependencies": {
"@tanstack/setup": "github:tanstack/router#79ac49ee..."
}
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
Full technical breakdown, complete package and version list, and rolling status updates:
https://t.co/Zy8qG7PA9f
Credit to the security researcher for responsible disclosure.