@naval Unless you let an AI be the inspector and judge, cameras everywhere would flood justice systems and police departments.
And it would be a step up to predictive crime prevention as was portrayed in Minority Report.
@levelsio Check out https://t.co/KHdHI8Wqdr for ad blocking and private DNS.
You can even add profiles per device for fine-grained blocking (Apple TV, IoT devices, etc…).
New supply chain attack this time for npm axios, the most popular HTTP client library with 300M weekly downloads.
Scanning my system I found a use imported from googleworkspace/cli from a few days ago when I was experimenting with gmail/gcal cli. The installed version (luckily) resolved to an unaffected 1.13.5, but the project dependency is not pinned, meaning that if I did this earlier today the code would have resolved to latest and I'd be pwned.
It's possible to personally defend against these to some extent with local settings e.g. release-age constraints, or containers or etc, but I think ultimately the defaults of package management projects (pip, npm etc) have to change so that a single infection (usually luckily fairly temporary in nature due to security scanning) does not spread through users at random and at scale via unpinned dependencies.
More comprehensive article:
https://t.co/EJAZbqAPIQ
(Device) security should be layered, like onions 🧅.
What would have stopped this easily on any network was a DNS-level block for NRDs (Newly Registered Domains, age <30 days).
We use https://t.co/RnEli81mIx which offers NRD blocking.
However this would not work if it was posting to an IP address or if the domain age was older.
That is why you need multiple layers of defence:
Network level:
- DNS blocking for newly registered domains (NextDNS, Pi-hole with NRD lists)
- Outbound firewall rules: block unexpected egress from dev environments
- Network monitoring/alerting on unusual data uploads
Dependency hygiene:
- Pin exact versions in your lockfile (no >=1.64.0, use ==1.64.0)
- Never auto-update: wait 48-72h before pulling a new release. Most poisoned packages get caught within hours
- Use pip install --no-deps and manage the tree yourself when possible
- Audit your transitive dependencies. You may depend on 5 packages but actually install 200
- Run pip-audit or safety check in CI before deploying
Environment isolation:
- Install and test package updates in disposable VMs/containers with only your project dir mounted, never straight on your main machine
- Use separate credentials per environment. Your dev box should not hold production keys
- Avoid storing long-lived secrets in env vars or dotfiles where any process can read them
Process:
- Subscribe to security advisories for your key dependencies (Snyk, GitHub Dependabot alerts)
- Periodically review if you still need every dependency. The best defence against a poisoned package is not depending on it at all
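
The pinning and wait-before-updating rules from the dependency hygiene list above, as an added example that is not part of the original post: a check that flags requirement lines that are not exact `==` pins or whose pinned release is younger than 72 hours. The package names, versions, upload times and the `audit` helper are constructed for illustration; a real check would read upload times from the package index.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: a requirements file and the upload time of each
# pinned release (hypothetical package names, versions and timestamps).
REQUIREMENTS = """\
examplehttp==2.4.1
examplellm>=1.64.0
exampleyaml
exampleauth==0.9.3  # pinned, but released an hour ago
"""
UPLOADED = {
    ("examplehttp", "2.4.1"): "2025-01-02T10:00:00+00:00",
    ("exampleauth", "0.9.3"): "2025-03-10T11:00:00+00:00",
}
NOW = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)

# Anything other than a bare name==version (ranges, wildcards, no version) is unpinned.
PIN = re.compile(r"^([A-Za-z0-9._-]+)==([A-Za-z0-9.!+_-]+)$")

def audit(requirements, uploaded, now, min_age=timedelta(hours=72)):
    """Return (line, reason) findings for entries that break the policy."""
    findings = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = PIN.match(line)
        if not m:
            findings.append((line, "not pinned to an exact version"))
            continue
        name, version = m.group(1).lower(), m.group(2)
        stamp = uploaded.get((name, version))
        if stamp is None:  # fail closed when the release age is unknown
            findings.append((line, "no upload time known, cannot verify age"))
            continue
        age = now - datetime.fromisoformat(stamp)
        if age < min_age:  # still inside the wait-before-updating window
            findings.append((line, f"released {age} ago, under cooldown"))
    return findings

if __name__ == "__main__":
    for line, reason in audit(REQUIREMENTS, UPLOADED, NOW):
        print(f"{line}: {reason}")
```

Run as a CI step, a non-empty result would fail the build before the install happens.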
Still managing visitors with paper logs? 📋
It might seem cheap, but the hidden costs add up fast:
in time, errors, compliance risk, and a less-than-professional first impression.
We created a practical guide to help you build a business case for digital visitor management, complete with ROI formulas, KPIs, and an internal approval checklist.
👉 https://t.co/ry6OjorNVu
Your receptionist's smile is the first impression! 😊
Role in 2026: warm welcomes, security, admin and digital kiosks.
Read our new blog on duties & evolution 👉 https://t.co/cddjTDhjLo
What's your front desk's best "wow" moment?
Hospitality's always been about that human touch: the smile at check-in.
But let's be real: running a physical front desk can eat up time and budget like nothing else.
Curious how it stacks up for your operation?
Read on: https://t.co/OQOmsty6oc
Is your reception leaving a bad first impression 👎?
Discover common mistakes organizations make when welcoming guests and how to fix them!
From poor security to paper logbooks, our latest blog breaks it down with practical solutions.
🪛 Learn how to fix these mistakes:
https://t.co/Th3q36Yw0l
Are you overlooking these hidden risks in your manufacturing processes?
From security breaches to compliance issues, these can pose serious threats ⚠️⚠️⚠️ to your operations!
Discover key insights and actionable solutions in our latest post: https://t.co/GBLh6Ddwr3.
Learn how to safeguard your facility, streamline processes, and ensure compliance.
We would love to hear about your experience and suggestions.
🚨 In emergencies, knowing who's on-site can save lives.
Our new guide explores how Visitor Management Systems boost preparedness with real-time tracking, instant evacuations, and seamless integrations.
Read it here: https://t.co/xqwlGnH4Il
Stay ahead of cyber threats!
🛡️ Check out our 7 actionable tips to protect your business from attacks in 2025.
From employee awareness to strong security policies - discover how you can keep your organization safe.
Read more:
https://t.co/gfNZeHzU05
Vizito has renewed its ISO 27001 certification!
We’re committed to keeping your visitor data secure with top information security standards, all backed by regular audits and robust processes. Trust Vizito for compliant, reliable visitor management.
https://t.co/UPc1Xhjurm
Ensuring the safety of students and staff is paramount in today’s educational landscape. Discover how implementing advanced security systems can create a safer learning environment.
Learn more: https://t.co/5droX4CXRL
As the year comes to a close, we want to thank you for being part of our journey. Here’s to making 2025 even better—together!
Wishing you a joyous holiday season filled with happiness and good cheer.
#seasonsgreetings #merrychristmas #happynewyear #2025
Is your company GDPR-proof? 💻✨
Test your knowledge with our quiz and discover whether you're a GDPR expert or if there's still room for improvement 👉 https://t.co/8T8FQZl9ia
#GDPR #dataprotection #businesstips #quiz