400M users worldwide have had their TVs and phones hijacked by a company selling the private bandwidth to corporate customers who want to appear as normal users on the internet.
You know, like being infected with a botnet, but this is "legal" because page 354 on your telly said so.
Microsoft has identified an npm supply chain compromise impacting 90+ redhat-cloud-services/* packages, including patch-client 4.0.4, insights-client 4.0.4, rbac-client 9.0.3, host-inventory-client 5.0.3, frontend-components 7.7.2, and others. The payload is a self-propagating worm that infects other npm packages and self-publishes.
Each compromised package adds a malicious preinstall hook, embedding an index.js script in the package.json that silently executes “node index.js” during installation, downloads Bun, and runs a payload that steals secrets from npm, GitHub, Amazon Web Services (AWS), and Secure Shell (SSH). The added code bloats index.js from ~8KB to ~4.3MB, acting as a heavily obfuscated ROT-9 eval loader.
If any of the compromised packages are installed, users and organizations should assume compromise, rotate credentials, revert to a previously trusted version, and block compromised packages. Identified compromised npm packages have been taken down, and we continue to work with the npm team. Microsoft continues to investigate this attack and will publish updates as more information is available.
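As an added example (not part of the original post and not Microsoft's tooling): a Node.js audit that walks a node_modules tree, lists packages declaring install-time lifecycle hooks, and rates as high those matching the pattern described above, a hook that runs node index.js beside an oversized index.js. The 1 MB cut-off, the package names and the sample tree are constructed assumptions.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");
const HOOKS = ["preinstall", "install", "postinstall"]; // scripts npm runs at install time
const RUNS_INDEX_JS = /\bnode\s+(\.\/)?index\.js\b/;    // hook command described in the post
const SIZE_LIMIT = 1024 * 1024; // assumed cut-off: post cites ~8KB clean vs ~4.3MB infected

// Inspect one package directory; returns a finding object or null.
function auditPackage(dir) {
  let manifest;
  try { manifest = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8")); }
  catch { return null; } // missing or unparsable manifest: not a package
  const scripts = (manifest && manifest.scripts) || {};
  const hooks = HOOKS.filter((h) => typeof scripts[h] === "string");
  if (hooks.length === 0) return null;
  const runsIndex = hooks.some((h) => RUNS_INDEX_JS.test(scripts[h]));
  let indexSize = 0;
  try { indexSize = fs.statSync(path.join(dir, "index.js")).size; } catch {}
  const severity = runsIndex && indexSize > SIZE_LIMIT ? "high" : "review";
  return { name: manifest.name, version: manifest.version, hooks, indexSize, severity };
}

// Walk node_modules, descending into @scope directories and nested node_modules.
function scanNodeModules(root) {
  const findings = [];
  if (!fs.existsSync(root)) return findings;
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    if (!entry.isDirectory()) continue;
    const full = path.join(root, entry.name);
    if (entry.name.startsWith("@")) { findings.push(...scanNodeModules(full)); continue; }
    const f = auditPackage(full); if (f) findings.push(f);
    findings.push(...scanNodeModules(path.join(full, "node_modules")));
  }
  return findings;
}

// Constructed sample tree (hypothetical package names); index.js is filler, never executed.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "hook-audit-"));
  const mk = (name, scripts, indexBytes) => {
    const dir = path.join(root, "node_modules", name);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify({ name, version: "1.0.0", scripts }));
    fs.writeFileSync(path.join(dir, "index.js"), "/".repeat(indexBytes));
  };
  mk("@example-scope/bloated-client", { preinstall: "node index.js" }, 2 * 1024 * 1024);
  mk("example-native-addon", { install: "node-gyp rebuild" }, 8 * 1024);
  mk("example-plain-lib", { test: "node test.js" }, 8 * 1024);
  return path.join(root, "node_modules");
}
```

Directory symlinks (as created by pnpm or workspaces) are not followed, so point scanNodeModules at the real store path when using those layouts.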
@GergelyOrosz True, how do we translate this for the current youth, who will break in as vibe coders, and likely not have the skills to review code? The current rhetoric, true or not, is that software engineering as we know it is dead, this has immediate impact on study choices. Views?
Last week, I wrote about the gap between what a regulation says and what an engineer can implement.
Here's the one I think about most: the gap doesn't just live inside an organisation. It lives between organisations, every time one system calls another's API to a given endpoint. A caller has to satisfy those requirements with signed credentials before the call goes through. Same handshake the web already does for auth, extended to the obligations that auth alone never covered.
I submitted it to the IETF as draft-nyakiso-hcap-00. Standards-track. Not a vendor protocol with my company's name on it. The protocol has to be open, or the ecosystem doesn't form, and the value of the ecosystem is exactly what makes the protocol worth building.
RuleMesh fits into this as a registry, one of what I hope will be several, that maintains the structured rulesets HCAP references. Like Let's Encrypt for TLS certificates, or the certificate authorities before it: the protocol doesn't care which registry you use, it just cares that the rulesets are signed and verifiable. The registry layer and the protocol layer are deliberately separate in the spec. That separation is what makes either one credible.
Why submit it as a draft now, before the registry side is fully built? Because protocols take years to standardise, and the regulations driving the need are landing this year and next. DORA went live in January. NIS2 transposition is rolling through member states. The EU AI Act phases in obligations through 2026 and 2027. The systems that have to comply with those regulations are being built right now. A protocol arriving in 2029 is a protocol that arrived too late.
If you implement APIs in regulated industries, or you've thought about how compliance verification ought to work between systems rather than between humans, I'd genuinely like your feedback on the draft. It's at the IETF datatracker under draft-nyakiso-hcap-00, and the engineering perspective is the one underrepresented in standards work. Reach me at https://t.co/4OXBo3mhWK or on this thread.
One of the main questions that I encounter with founders and engineers outside is whether GDPR applies outside the EU. 🇪🇺 A while back, I wrote in detail what is expected and a barely cited requirement founders will want to know about in detail.
https://t.co/krxz4nnxOY
@GergelyOrosz It would seem a terrible idea not to have a backup plan. When creating data, backup outside your ecosystem. It takes the same coding agent a couple of minutes to design you a backup plan. When your backups handle regulated data such as personal data, know your obligations.
Regulatory compliance should be easy. It isn't, and I think I know why.
I'm not a compliance professional. Outside of bike touring, my two passions are creating software and cybersecurity. That's the perspective I've been meeting compliance from for the past 11 years — at the execution layer, or supporting the people who have to make the execution layer match what an internal policy or a regulator says.
It's always the same issue. There are no clear rules on what needs to be done, what the best way to do it is, and what evidence you're expected to hold, in the language the execution layer understands. The auditor knows. The auditor has read the law and has a defensible interpretation of how it translates into an IT system. The organisation has a legal team or a compliance function that mostly isn't equipped to translate obligations into technical requirements, so the translation gets left to internal teams to interpret.
That gap is where companies fail compliance. Not in the policy document. In the silence between the policy and the engineer.
Here's what doesn't make sense to me. We already use computers for all our work. Even when the task is driven manually by a human in a spreadsheet, the spreadsheet is still on a computer. So why have we not pushed compliance down to the computer? It can enforce and verify controls from one data plane to another. The whole point of compliance is safeguarding information and ensuring appropriate handling. That's a thing computers are good at. The argument used to be that it was expensive. With coding agents, that cost has dropped through the floor.
Payment systems already get this right. PCI is a specific ruleset, and any integration that touches payments has to enforce those controls or it doesn't ship. Regulations should work the same way. Specific rule sets, consumable at every layer where the obligation actually has to take effect.
That's what I'm building with RuleMesh. The rule graph between regulation and running software. Each obligation expressed as a structured, citation-backed rule that an engineer can implement, a coding agent can act on, and an auditor can verify against. We had to design for coding-agent implementation first, then engineer implementation, because the new ways of working are now the old ways of working. Regulations still call for accountability — a human verifies and attests — but the implementation layer has changed and compliance hasn't caught up.
GDPR is the first one we've fully packaged. It's the one any startup operating in the EU eventually has to deal with. DORA, NIS2, the EU AI Act, Reg SCI, NYDFS, CRA. About thirty regulations on the roadmap, EU and US. There's a stringent quality process behind each one, including expert verification, because the rules only work if they're right.
We're a small team, pre-seed, building this mostly evenings and weekends until the round closes. Design partner cohort is open. If your team is dealing with one of the regulations on the roadmap, get on the list at https://t.co/4OXBo3lK7c.
Peter, the “immune system” issue you identified and the now zero cost of building new tooling, solves the governance problem, because automation just got cheaper, it will be easier to remove blind spots in governance processes but as you have identified, it creates new problems where multiple teams try to tackle similar issues or the same issue. In my view, this is no different to shadow IT, existing IT asset management solutions are still variable.
🚨 Emergency DevSec Station drop.
There's an active npm supply chain attack happening right now. Compromised packages are stealing SSH keys, AWS credentials, GitHub tokens, browser passwords, and crypto wallets on install. Then using your publish token to infect every package you maintain.
One command can protect you immediately: npm config set ignore-scripts true
Do it today, please. Tell your team. Watch the full 60 seconds.
#AppSec #SupplyChainSecurity #DevSecOps #SecureCoding #npm