🚨 Breaking: 31 npm packages from @RedHat have been compromised.
100,000+ weekly downloads affected. The upstream CI/CD pipeline was compromised, with all packages published via GitHub Actions OIDC.
The payload:
⚠️ Reads GitHub Actions runner process memory to extract masked secrets
⚠️ Sweeps credentials across AWS, GCP, Azure, K8s, Vault, and npm
⚠️ Self-propagating worm that republishes backdoored packages using stolen npm tokens, bypassing 2FA
⚠️ Persists on dev machines via Claude Code settings hijack and VS Code task injection
⚠️ Exfiltrates data through GitHub API commits, blending in with normal git operations
We have responsibly disclosed the incident to the maintainers.
Full technical analysis: https://t.co/63nZYH1cMO
@forestmars I haven't gotten big into TUIs yet. I'm not sure I get it. My white whale right now is plastron - I just googled my repo and several other, better plastrons came up, hence the late tweet response. Still coping https://t.co/0o4RoT0U5y
It isn't unexpected that the focus of the Bun Rust rewrite is on the anti-Zig side more than anything, since the internet loves to hate. What is unexpected and unfortunate is that leadership within Bun hasn't tried to steer the conversation away from that at all.
There are so many positive and interesting takeaways from this and I'm not really seeing any of them pushed as the primary message.
A positive thing that hasn't been talked about at all is how far Bun came thanks to Zig. And even if you dump it now, it's meaningful for how good Zig was to even build a product to this point and impact by any metric. I would've loved to see anyone in leadership say this.
On the interesting side is how fungible programming languages are nowadays. Programming languages used to be LOCK IN, and they're increasingly not so. You think the Bun rewrite in Rust is good for Rust? Bun has shown they can be in probably any language they want in roughly a week or two. Rust is expendable. It's useful until it's not, and then it can be thrown out. That's interesting!
There's been a lot of talk about memory safety, and no doubt Rust provides more guarantees than Zig. But I'd love to see a better analysis of why Bun in particular suffered so much rather than take the language-blame path. How could engineering as a practice have been more rigorous to prevent this? What were the largest sources of crashes other programs should watch out for? How does Rust prevent them? How could Zig theoretically prevent them? That's interesting.
I know the official blog post hasn't come out yet from Bun. But they're smart enough to know that that PR would stir up controversy the moment it opened, or they should've been. And plenty in the company have been tweeting and writing about it. It's somewhat telling to me in various dimensions what they chose to talk about first.
I tend to think I'm pretty good at corporate PR/comms (especially when it comes to developer audiences) and I think appealing to the negative is never the right long term strategy; it does work to get short term eyes though.
Update: Socket has found 121 more compromised npm package artifacts across 84 package names, including 64 UiPath artifacts.
Combined with TanStack, the current known total is 205 affected npm package artifacts across enterprise automation, AI/MCP, auth, workflow, and dev tooling.
SECURITY ADVISORY: TanStack npm packages
A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
Status: ACTIVE. Packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH. Payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile
Detection: the malicious manifest contains:
"optionalDependencies": {
"@tanstack/setup": "github:tanstack/router#79ac49ee..."
}
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
Full technical breakdown, complete package and version list, and rolling status updates:
https://t.co/Zy8qG7PA9f
Credit to the security researcher for responsible disclosure.
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.
The latest [email protected] now pulls in [email protected], a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.
Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
⚡️ Vite 8.0 is here!
The most significant architectural change since Vite 2.
• Powered by Rolldown, bringing faster production builds and more consistency
• New features such as tsconfig paths and emitDecoratorMetadata support
@bunjavascript If you don't fix node:worker_threads in v1.3.10, you might be.
Hard to put you in the prod supply chain if we can't even run standard logging.