Social Software Distribution. #activityPub #ATproto #NPM
Posted into THE FEDIVERSE VS. CORPORATE SOCIAL MEDIA @the-fediverse-vs-corporate-social-media-mobileatom
About 18 years ago, I wrote an implementation of the VIC cipher for Flash. Someone emailed me out of the blue yesterday asking if I'd ported it to #JavaScript. Well, here it is. I published it on the #npm registry. It should work with #deno as well, if you prefer that.
A prompt-injected GitHub issue tricked Cline’s AI triage bot into running attacker code, leading to a compromised npm token and a malicious cline@2.3.0 release. 🧩
Around 4,000 developers unknowingly got OpenClaw installed with broad system access, showing how “AI installs AI” can quietly escalate supply-chain risk. 🛡️
🔗 https://grith.ai/blog/clinejection-when-your-ai-tool-installs-another
#TechNews #Security #SupplyChain #AI #Developers #GitHub #npm #PromptInjection #OpenClaw #Cline #DevOps #DevSecOps #Automation #Privacy #Cybersecurity
Congratulations are in order for npmx, which has today entered into alpha!
It may still be early days, but it’s a masterclass in community-first building. One of the most impressive open-source projects I’ve seen in terms of ethos.
npmx is how open-source should be done. I’ve written about it here: https://vale.rocks/micros/20260303-1200
the joys of #npm: you'll have fewer vulnerabilities, but they will be more critical!
```
7 vulnerabilities (5 low, 2 high)
npm audit fix --force
5 vulnerabilities (1 low, 1 moderate, 2 high, 1 critical)
```
Seeing the recent events going on with #npm I removed node from my computer for now.
I think whoever is doing those attacks really doesn't care a bit about the maintainers behind the packages.
What do you think about this?
Anyone who lived through the Cold War may know the feeling: a situation where you realise in hindsight that you came within a hair's breadth of a catastrophe.
There was such a situation yesterday. An attacker compromised 20 packages belonging to one developer on the JavaScript package manager #npm and used them to roll out malware. With two billion (sic!) weekly downloads, this could have had devastating consequences. It ended with a scare and a black eye, because the attacker "only" deployed a cryptominer instead of abusing the access for an unprecedented ransomware attack.