#npm
SSH keys stolen by stream of malicious PyPI and NPM packages
https://www.bleepingcomputer.com/news/security/ssh-keys-stolen-by-stream-of-malicious-pypi-and-npm-packages/
#ycombinator #computers #windows #linux #mac #support #tech_support #spyware #malware #virus #security #Coding #Information_Stealer #Information_stealing_malware #npm #Package_Manager #Packages #PyPI #Repository #virus_removal #malware_removal #computer_help #technical_support
Is anyone else having issues with installing #NPM packages inside the official node:18 #Docker container?
Every install fails with "network request to https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-4.0.2.tgz failed, reason: socket hang up", and it's always another package. 😓
NPM status is all green?!
In today's #NixOS live coding video I demonstrate:
* How to use naersk and crane to build #Rust projects
* How to use #Nix to build artifacts on #GitHub Actions (no more hunting for low-quality #Javascript actions on the market place - CI shouldn't be like #npm!)
https://www.youtube.com/watch?v=js49nhqLLyk
#youtube #programming #liveprogramming #livecoding #devops #tutorial
Red teams and adversaries alike are using software supply chain attacks as a way to gain access to even the most prepared organizations. Today, we discuss several #malicious #npm packages successfully targeting a large financial institution. Is this an adversarial simulation or a legitimate threat? Read on to find out.
https://blog.phylum.io/encrypted-npm-packages-found-targeting-major-financial-institution/
#malware #opensource #javascript #nodejs #software #hacking #infosec #security #cybersecurity
Is it actually known that there are #gutenɓerg plugins for #wordpress? I had a look around on #npm, and there are interesting things there. I'm not really a fan of Gutenberg, but the #plugins still sound interesting 😄
Has anything improved in the #npm and #nodejs ecosystem since this funny video came out?
https://www.youtube.com/watch?v=PI5wz2pwXIg
Does anyone still prefer to use one-liner packages like is-odd or is-number? Or do you copy-paste one-liners into your codebase?
Wrote a quite lengthy article on building an event-based, cross-platform context/state management system with #vanillajs, utilizing what the platform already provides.
I really think this pattern could make things easier for a lot of developers: https://matsu.fi/blog/event-based-state/
#protestware found in #Snyk
snyk/sweater-comb #npm package calls out wars in Ukraine, Gaza:
https://www.reversinglabs.com/blog/protestware-taps-npm-to-call-out-wars-in-ukraine-gaza
The video for my #PackagingCon2023 talk is now up on youtube!
I blurted out a bunch of stuff about the kind of work I've done speeding up #NPM and #Orogene, in hopes that it would help some poor soul out there. It's kind of a high-level overview, but it talks about a lot of different things. It's also the first talk I've given in YEARS.
Check it out if you're interested! https://www.youtube.com/watch?v=eh3VME3opnE&list=PLl386dCR5QGTElF3MbltCJupNG1lHK4Nr
Hoping to spare others a headache. If your project...
(a.) uses pnpm
and
(b.) uses `npm-run-all`
and
(c.) has a `package.json` with a `config` object and a `name` item
... you’ll have bugs with any scripts using `npm-run-all`. (https://github.com/mysticatea/npm-run-all/issues/249)
Until this bug is fixed:
(1.) Remove the `name` item.
...or...
(2.) Remove the `config` object.
...or...
(3.) Use `concurrently` for parallel stuff **or** the old `&&` thingy for sequential stuff. (My recommendation.)
@MiaWinter @duponin this reinforces my notion that the #npm ecosystem is a capitalist bargefire
What constitutes "malicious use" is drifting WAY into the normal use operating envelope.
To save money (hiding behind safety)?
Most tools written in the #Javascript / #Node / #npm sphere seem to assume they'll be used exclusively in that context. That means installation instructions often describe adding a dependency to a package.json file, etc. But... I just want to lint some CSS over here. You've built a perfectly capable standalone tool, so provide a binary, will you?
You might not need #NPM (#NodeJS) if you just need to bundle #TypeScript modules into plain #JavaScript. Also #Sass to #CSS works as a standalone solution.
All you need is `entr` (file observer) and `bun` (TS compiler) and `sass` (Dart Sass).
Watch mode works too. And it's hyper fast. I will hopefully write a short article about it soon. NPM is such a bloated and complex environment, I really don't like it.
#opensource #gnu_linux #webdevelopment #KISS
https://eradman.com/entrproject/
You can use systemd-nspawn to create a container that uses your own root filesystem by specifying --directory=/ --volatile=yes. This mounts a tmpfs into the container's root, and then mounts your /usr into the container's /usr in read-only mode. This allows the container to run all the software installed on your machine, while redirecting writes to the tmpfs.
Alternatively, instead of --directory=/ you could specify some other directory that contains an OS image (such as --directory=/var/lib/machines/debian-bookworm or --directory=/var/lib/machines/fedora-38). Multiple containers can transparently share the same image, since all the writes go to a per-container tmpfs.
When it is volatile, it really only mounts the /usr inside the specified directory, rather than the directory itself. In particular, /dev and /etc will be empty.
Statically linking your application, then distributing that application, such as via Docker Hub to others, will then require your application to be #GPL licensed in many, many cases within the Linux ecosystem. This may not be desired.
https://news.ycombinator.com/item?id=36488356
https://news.ycombinator.com/item?id=36491392
#python #docker #nix #npm
I'm just reading about JSPM now and I'm wondering if this is going to help fix performance issues with using NPM and loading too much unused JS upfront?
Does this mean JS will be easier to not bundle wholesale upfront?
Why doesn't #npm resolve package versions that are compatible with current node version?
I'm trying to copy this module and make a small Astro npm module. But I'm realizing that there's no type safety for modules created this way. There's also no way to build a d.ts file because of the astro import. Does anyone have a way to generate types for an Astro module?
https://github.com/delucis/astro-embed/tree/main/packages/astro-embed-twitter
Also posted on the Astro discord:
https://discord.com/channels/830184174198718474/1177710409080385546/1177710409080385546
cc @astro
This guide is designed to demonstrate the process of setting up NPM, Node Package Manager, on a Fedora Linux 39 #npm #linux #nodejs #javascript #opensource #programming #server #fedora
https://www.linuxcapable.com/how-to-install-npm-on-fedora-linux/

so wireit-visualizer may actually be becoming a thing. Initial POC was pretty simple. Need some cleanup and testing and then I may release it as a package while investigating if it can be integrated directly into wireit.
Are we all really using NPM, the Node.js package manager, the right way? This article may make some people realize that certain things can sometimes be done a bit differently.
https://blog.bitsrc.io/stop-using-npm-install-in-your-ci-cd-pipeline-ba0378bbebfb
After spending a good part of the last 4 months trying to keep up a simplistic npm-based project (a static site generator using Eleventy), I am this close to declaring the npm ecosystem a strict NO-GO ecosystem for myself. I think I would sleep more peacefully with less npm-based software in the list of software I use. But it's getting increasingly difficult to find non-npm-based software solutions nowadays.
On one side, ~500 packages, and not everyone wants to or can move forward fast, and such complex dependency trees make me nervous about using such software in any capacity.
On the other side, packages which are over-eager to share features with users and do a new release every week make me nervous in a different way.
Yes NPM, I actually want zero factor authentication… the account was made by mistake (accidentally logged into the wrong NPM instance)… get rid of it! Stop hassling me about it!
> Hi, stuartl!
>
> It looks like you still do not have two-factor authentication (2FA) enabled on your npm account.
Protestware taps npm to call out wars in Ukraine, Gaza
Newly discovered open source software packages on the npm platform contain scripts that broadcast peace messages related to ongoing conflicts in Ukraine and on the Gaza Strip when they are deployed.
Pulse ID: 65577343e96a6fbc131bc152
Pulse Link: https://otx.alienvault.com/pulse/65577343e96a6fbc131bc152
Pulse Author: AlienVault
Created: 2023-11-17 14:05:54
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#OTX #OpenThreatExchange #InfoSec #bot #CyberSecurity #Ukraine #Rce #NPM #AlienVault
#vscode does not report any errors and '#npm run start' also has 0 errors. #reasonml #emacs
https://reasonml.chat/t/trying-to-get-emacs-and-merlin-working-using-just-reason-cli-no-opam/281/7
New Protestware Uses npm Packages to Call for Peace in Gaza and Ukraine https://www.hackread.com/protestware-npm-packages-peace-gaza-ukraine/ #Protestware #HACKTIVISM #Palestine #Security #Ukraine #Gaza #NPM
🚩 Keep up to date with @nodejs #releases by watching the #Nodejs Release Working Group's last meeting on YouTube!
Topics:
👉 proposal for new release schedule / users are not interested in releases that will not become #LTS
👉 doc: add codenames through to Node.js 34 (2030)
👉 Plans for #npm 10
👉 Release plan - v20.x Active #LTS
👉 Release plan - v18.x #Maintenance #LTS
Interesting: SkyPack - Load optimised npm packages with no install and no build tools.
How to Install Node.js v21 on Linux: A Step-by-Step Guide
#NodeJS #Linux #NPM #SnapPackage #ProgrammingTips #DeveloperGuide #OpenSource #LinuxCommands #TechTutorials
https://linuxtldr.com/installing-node-js/

🐙📦 ljdhar, an NPM package to fetch articles from the Journal du Hacker
https://dev.to/benoitpetit/ljdhar-un-package-npm-pour-recuperer-les-derniers-articles-du-journal-du-hacker-pck
It's been a minute since I wrote a #visualDiff test with #playwright; what's the cool #npm package to use these days?
I think I've used #pixelmatch in the past, but there's a #jest package that #copilot is suggesting.
https://www.npmjs.com/package/jest-image-snapshot
#e2e #testing #headless #browser #snapshot #test #functionalTests #cypress #tests #nodejs #webDev #javaScript
clearly, putting node and non-node packages in #npm was a huge mistake
we really need an npm without n
My chat with #npm today:
- You have 8 vulnerabilities
- Ok, then npm audit fix --force !
- I'm done. You now have 131 vulnerabilities.
- Hmmm... okay... npm audit fix --force again, maybe?
- I'm done. You now have 8 vulnerabilities.
Guys!
If you want to make a #crossplatform #app and you don't know which framework you should use,
just use #Tauri and don't waste your time on #electronjs, #flatten or other stuff.
Tauri is light and too easy.
Check out the Tauri site:
#rust #rustlang #javascript #typescript #npmjs #npm #cargo #programming #program #code #hacker #hack #gui #uidesign #ui #uxdesign #ux
https://tauri.app/
📦 Discover this little npm package that lets you fetch the latest articles from @journalduhacker. Make your tech watch easier with #ljdhar. Check it out on GitHub/NPM:
- https://github.com/ethicalhcb/ljdhar
- https://www.npmjs.com/package/ljdhar
#Malware is so pervasive in open source, we're able to write nearly daily reports 😬 Today we're covering a fairly complicated attack chain targeting #crypto developers.
https://blog.phylum.io/crypto-themed-npm-packages-found-delivering-stealthy-malware/
I'm looking for a simple (hosted) #service or #npm package that would provide some simple #game and upon completion reveal some hidden message to the player. Need this for a birthday #treasureHunt. All suggestions welcome 🤓
Posted this on @astro #discord but maybe someone here can help?
I can't install a new #astro project by running "npm create astro@latest". Using #pnpm and #yarn works just fine.
#node version: 20.9.0 & #npm is 10.1.0. Tried installing #svelte with npm for comparison & got a similar error, so it's a local issue? When using "npm install" to install #11ty it works with no issues.
Could anyone point me in a direction for how to fix this? I'm not very familiar with debugging these kinds of things...
How about some #npm #malware to start your day? Along with the #pypi campaign we have been reporting on, we have also identified a large number of #javascript packages deploying a reverse shell.
https://blog.phylum.io/dozens-of-npm-packages-caught-attempting-to-deploy-reverse-shell/
#opensource #cybersecurity #infosec #npmjs #nodejs #supplychain
@mattwilcox #npm, like #nwjs is a lazy way to do things at the cost of extreme amounts of #bloat...
If you've got failing `npm install` (or yarn) commands, you are not alone 🙁
I'm not quite ready to remove the CommonJS builds from my JavaScript libraries yet, but ... I think saying "CommonJS builds support only Node.js" would be safe? ES Module builds would still support Web + Node.js + Deno.
Just wasted a fair bit of time on an issue this would have avoided, bundlers and browsers all support ES Modules these days, and I would very much like to take small steps toward making CommonJS go away.
💥 New episode of The Changelog!
ANTHOLOGY from @allthingsopen 2023! Featuring:
🌟 @sudomateo (former Engineer at #HashiCorp working on #Terraform Enterprise)
🌟 Nithya Ruff (Head of the #OSPO at #Amazon)
🌟 @ljharb (#opensource #maintainer at-large with dependencies in most #JavaScript apps out there)
#allthingsopen #licensing #opentofu #npm #funding #maintainers
#npm, this:
“ […] what we’re trying to do here is kind of crazy. We want to:
* Download code
* from the internet
* written by unknown individuals
* that we haven’t read
* that we execute
* with full permissions
* on our laptops and servers
* where we keep our most important data
This is what we’re doing every day when we use npm install. It’s a miracle that this system works—and that it’s continued to mostly work for this long!”
Advertisish but interesting:
Just put together a rant on JS modularity here
A fun weekend project - simplifying my #TypeScript #NPM library build process down to the bare minimum. https://tedspence.com/improving-on-typescript-package-build-processes-cc0af64849e0
> You can't get faster than No Build
"The state of the art is no longer in finding more sophisticated ways to build JavaScript or CSS. It's not to build at all. To lean on HTTP/2 and the now universal support for import maps to avoid bundling."
https://world.hey.com/dhh/you-can-t-get-faster-than-no-build-7a44131c
#webDev #javaScript #css #html #http #http2 #useThePlatform #struggleStack #react #vue #svelte #rails #rubyOnRails #ruby #typescript #web #webpack #bun #vite #npm #nodejs
Arguably optimizing for 0-dependencies packages is kinda wrong in some cases, because if you use 100 packages, each with 0 dependencies, then most likely there is going to be a decent amount of code duplication in there, and the packages won't necessarily work well together.
is it malware if the #npm package name tells you it’s stealing /etc/passwd?
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #39/2023 is out! It includes the following and much more:
➝ 🔓 #GitHub repos bombarded by info-stealing commits masked as #Dependabot
➝ 🇯🇵 💸 #Sony Investigating After Hackers Offer to Sell Stolen Data
➝ 🔓 #BORN Ontario child registry #databreach affects 3.4 million people
➝ 🇭🇰 🔓 Personal data of 25,000 Hongkongers at risk after #cyberattack against consumer watchdog, up from earlier estimate of 8,000
➝ 🇺🇸 🔓 National Student Clearinghouse data breach impacts 890 #schools
➝ 🇨🇦 ✈️ #AirCanada discloses data breach of employee and 'certain records'
➝ 🇰🇵 🇪🇸 North Korean hackers posed as #Meta recruiter on #LinkedIn
➝ 👥 ShadowSyndicate: A New #Cybercrime Group Linked to 7 #Ransomware Families
➝ 🇷🇺 ✈️ Russian flight booking system suffers ‘massive’ cyberattack
➝ 🇨🇳 🇺🇸 Chinese hackers stole emails from US State Dept in #Microsoft breach, Senate staffer says
➝ 🇨🇳 Chinese Hackers TAG-74 Targets South Korean Organizations in a Multi-Year Campaign
➝ 🇺🇦 🚀 Ukrainian Military Targeted in Phishing Campaign Leveraging #Drone Manuals
➝ 🥷🏻 💰 Hackers steal $200M from #crypto company #Mixin
➝ 🇳🇬 ⚖️ Nigerian man pleads guilty to attempted $6 million BEC email heist
➝ 🇺🇸 ⚖️ ShinyHunters member pleads guilty to $6 million in data theft damages
➝ 🇨🇳 #China-Linked Budworm Targeting Middle Eastern #Telco and Asian Government Agencies
➝ 🇨🇳 🚪 Backdoored firmware lets China state hackers control #routers with “magic packets”
➝ 🇺🇸 👮🏻♂️ Security researcher warns of chilling effect after feds search phone at #airport
➝ 🦠 ❗️FBI Warns Organizations of Dual Ransomware, Wiper Attacks
➝ 🤖 🦠 #Bing Chat responses infiltrated by ads pushing #malware
➝ 🏥 🎣 Red Cross-Themed #Phishing Attacks Distributing DangerAds and AtlasAgent Backdoors
➝ 🥷🏻 🐍 #SSH keys stolen by stream of malicious #PyPI and #npm packages
➝ 🏦 🎠 New Variant of #Banking #Trojan BBTok Targets Over 40 Latin American Banks
➝ 🦠 🚪 #Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics
➝ 🚀 #Sysdig Launches Realtime Attack Graph for Cloud Environments
➝ 🐛 📨 Critical vulnerabilities in #Exim threaten over 250k #email servers worldwide
➝ 🔓 Progress warns of maximum severity WS_FTP Server vulnerability
➝ 🩹 🔥 #Google fixes fifth actively exploited Chrome zero-day of 2023
➝ 🩹 🍏 #macOS 14 #Sonoma Patches 60 #Vulnerabilities
➝ 🩹 🦊 #Firefox 118 Patches High-Severity Vulnerabilities
➝ 🤫 ✅ Google quietly corrects previously submitted disclosure for critical #webp 0-day
➝ 👀 🇪🇬 0-days exploited by commercial surveillance vendor in #Egypt
📚 This week's recommended reading is: "Philosophy of Cybersecurity" by @LukaszOlejnik and Artur Kurasinski
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
https://infosec-mashup.santolaria.net/p/infosec-mashup-week-392023
FYI – I’m available for #coaching / #teaching / conference talks / shorter #freelancing gigs (1-2 days at a time)
I’m right now primarily focusing on my own projects but happy to share my experience with others + never wrong to refill the wallet a bit.
Topics I’m extra thrilled about: #TypesInJS #vanillaJS #nodejs #fastify #opensource #npm #eslint #linting #maintainership #restAPI
Does anybody know how to stop npm from using "git+ssh://git@github.com/org/repo" URLs in package-lock.json files even when the dependency is using "https://github.com/org/repo"?
LOL, another supply chain attack in #NPM using postinstall scripts - an issue I REPORTED TO NPM OVER 6 YEARS AGO BUT THEY CLOSED AS WONTFIX
https://www.cyber-oracle.com/p/malicious-npm-packages-strike-again
(The POC I wrote to prove it - https://github.com/tanepiper/steal-ur-stuff)
#Development #Explorations
Speeding up the JavaScript ecosystem: Polyfills gone rogue · You wanted a banana and got a jungle https://ilo.im/1599o9
_____
#WebDev #Polyfills #Npm #Dependencies #Eslint #Frontend #JavaScript
JavaScript package maintainers – what are you using to track and display package bundle size?
Bundlephobia has been great, but (1) the maintainer has been asking for support for a while without success, and (2) the service has unfortunately become unreliable, probably as a result.
This is actually a pretty awesome (but lengthy) post about Bun and why you probably shouldn't jump on the train just yet.
Bun hype. How we learned nothing from Yarn
https://dev.to/thejaredwilcurt/bun-hype-how-we-learned-nothing-from-yarn-2n3j
#Coding #WebDev #JavaScript #NPM #Bun #BunJS #Yarn #ESBuild #Node #NodeJS
#Development #Overviews
The state of web frameworks on Deno · Web frameworks you can already host near your users https://ilo.im/158qvn
_____
#WebDev #Deno #NodeJS #Npm #Frontend #Backend #Frameworks #JavaScript #TypeScript
What kind of fairy-tale reality is #EbbaBusch talking about when she says #society has seen a shift in right and wrong and they are now setting it right again?
Ebba, no, society has not shifted its #morals. What has happened is #NewPublicManagement #NPM
#WTF now she's pitching the #angiverilagen (the informer law) by saying "it would have been good if someone had reported that Akilov was still in the country. Then the terror attack wouldn't have happened".
@deno_land I tried Deno real quick. I think it’s actually much better than I thought. 👍
BUILD WIREIT INTO #NPM!
There are too many package managers, so I'm going to make one to rule them all.
And thus #Ni was born, to manage #yarn, #pnpm, #npm, and #bun.
#xkcd would be proud of this.
#shrawberry #nightswhosayni
Hey @astro, I tried running a brand new Astro project with #npm but there seems to be an issue when installing the dependencies?
When running "npm run dev" it cannot find the "astro" command. When installing it with #yarn everything works fine and as expected (no error during dependency install). 🤷♂️
#Development #Releases
Astro 3.0 · The modern web framework now supports the View Transitions API https://ilo.im/15190t
_____
#WebDev #Frontend #Framework #OpenSource #JavaScript #ViewTransitionsAPI #Npm