HN Reader

Ask HN: Why isn't capability-based security more common?

6 points by killerstorm 3h ago 8 comments

Paid $2400 to Cloudflare, support refuses to help

129 points by thekonqueror 1d ago 23 comments

How WASM DB and worker messaging helped me handle 500MB in 2s in browser

6 points by vinserello 1d ago 2 comments

Ask HN: What Single File Web Apps do you know of?

9 points by calebm 18h ago 12 comments

Ask HN: What's a good 3D Printer for sub $1000?

8 points by lucideng 23h ago 5 comments

Know Your Rights: A Legal Survival Guide for Indian College Students (2024 Laws)

7 points by Chakrabarti 12h ago 0 comments

What problems are worth solving?

6 points by KopyWasTaken 19h ago 4 comments

Ask HN: Costs for US sales tax compliance for a two-sided marketplace

4 points by throway-9998888 1d ago 2 comments

Ask HN: Generalists, when do you say "I know enough" about any particular topic?

16 points by AbstractH24 4h ago 55 comments

C++ ranges/views vs. Rust iterator

2 points by bijan7 20h ago 1 comments

Mirai Variant "Gayfemboy" Infecting 15K+ Devices Daily – Mitigation Ideas?

7 points by garduno_AA 21h ago 3 comments

GitHub Attack – branches sending secrets to webhook

7 points by danieldspx 22h ago 3 comments

Ask HN: Beer income ideas for a laid-off Nepali Jr.IT support?

2 points by shivajikobardan 11h ago 2 comments

Ask HN: Does anyone have any screenshots of fucked company?

4 points by iamflimflam1 1d ago 4 comments

Cloudflare Security Mistriages on Account Takeover

4 points by matured_kazama 1d ago 0 comments

Lost $300 due to an API key leak from "vibe coding" – Learn from my mistake

7 points by liulanggoukk 1d ago 13 comments

Google Ends Support for Lynx Browser

102 points by zhenyi 5d ago 43 comments

Git Without Stash/Tags

5 points by birb07 1d ago 5 comments

Ask HN: Getting over Burnout with Imposter Syndrome

21 points by chrsig 3d ago 5 comments

Ask HN: Who wants to be hired? (September 2025)

124 points by whoishiring 15d ago 390 comments

Ongoing Supply Chain Attack Targets CrowdStrike NPM Packages

2 talboren 1 9/16/2025, 1:15:28 PM socket.dev ↗

Comments (1)

feross · 1h ago
This is the fourth supply chain compromise on npm in just over a week.

If you don't follow this space closely, here's the bigger picture: these are part of an organized campaign that's hitting popular packages and slipping in malware.

What makes this campaign different is how aggressive it is: the payload doesn’t just run locally -- it actively hunts for developer and CI/CD credentials, spins up rogue GitHub Actions, and uses those to keep propagating. That’s a step beyond the usual crypto miner or info stealer.

npm and other package registries have become the weakest link in modern software. Every developer depends on them, yet a single compromised dependency can cascade into thousands of downstream apps and companies.