johnterickson.bsky.social

Microsoft has uncovered a supply chain attack involving malicious npm packages registered under organizational scopes that mirror real internal corporate namespaces, employing dependency confusion technique to deploy a reconnaissance payload. https://t.co/z2GjRIAyYS A threat actor operating under three maintainer aliases, mr.4nd3r50n, ce-rwb, and t-in-one, published malicious packages that impersonate internal corporate packages, with several spoofing internal enterprise infrastructure URLs in their package.json to appear legitimate. Once installed, the packages download and execute an obfuscated payload from an attacker-controlled command-and-control (C2) server to collect system information, hostnames, environment variables, and developer context. Read the blog for in-depth analysis and mitigation, detection, and hunting details.

My students asked me if it was true that the entire Internet was really coded by hand. All those kernels, protocols, router firmware, browsers, databases, etc. Somebody coded these and debugged them by hand?!?!? They used BBEdit?!?!??! The idea that this was even possible seems amazing to them. I can imagine some future Moon Landing like conspiracy theory that says it never happened.

When simulation becomes the norm, it weakens the human capacity for discernment. As a result, our social bonds close in upon themselves, forming self-referential circuits that no longer expose us to reality. We thus come to live within bubbles, impermeable to one another. Feeling threatened by anyone who is different, we grow unaccustomed to encounter and dialogue. In this way, polarization, conflict, fear and violence spread. What is at stake is not merely the risk of error, but a transformation in our very relationship with truth.