Self Propagating NPM Malware Compromises over 40 Packages (stepsecurity.io)

33 points by jamesberthoty 28m ago 12 comments

Hosting a website on a disposable vape (bogdanthegeek.github.io)

1168 points by BogdanTheGeek 17h ago 421 comments

60 years after Gemini, newly processed images reveal details (arstechnica.com)

80 points by sohkamyung 2d ago 20 comments

"Your" vs. "My" in user interfaces (adamsilver.io)

237 points by Twixes 8h ago 103 comments

Learn x86-64 assembly by writing a GUI from scratch (2023) (gaultier.github.io)

140 points by ibobev 3d ago 15 comments

Migrating to React Native's New Architecture (shopify.engineering)

8 points by vidyesh 3d ago 0 comments

IBM Technology Atlas (ibm.com)

49 points by taubek 4h ago 37 comments

The Mythical Creatures of London (londonist.com)

16 points by zeristor 3d ago 3 comments

React is winning by default and slowing innovation (lorenstew.art)

548 points by dbushell 18h ago 612 comments

William Gibson Reads Neuromancer (2004) (bearcave.com)

250 points by exvi 14h ago 68 comments

macOS Tahoe (apple.com)

490 points by Wingy 18h ago 666 comments

Wanted to spy on my dog, ended up spying on TP-Link (kennedn.com)

460 points by kennedn 19h ago 150 comments

Automating Distro Updates in CI (paretosecurity.com)

14 points by zupo 3h ago 4 comments

I feel Apple has lost its alignment with me and other long-time customers (morrick.me)

373 points by mgrayson 11h ago 354 comments

PayPal to support Ethereum and Bitcoin (newsroom.paypal-corp.com)

445 points by DocFeind 21h ago 344 comments

How big a solar battery do I need to store all my home's electricity? (shkspr.mobi)

346 points by FromTheArchives 23h ago 431 comments

Addendum to GPT-5 system card: GPT-5-Codex (openai.com)

234 points by wertyk 17h ago 135 comments

GPT-5-Codex (openai.com)

324 points by meetpateltech 18h ago 105 comments

People Who Hunt Down Old TVs (bbc.com)

91 points by tmendez 3d ago 52 comments

Why do we keep gravitating toward complexity? (kyrylo.org)

104 points by PaulHoule 12h ago 131 comments

Linux phones are more important now than ever (feddit.org)

551 points by wicket 11h ago 333 comments

Launch HN: Trigger.dev (YC W23) – Open-source platform to build reliable AI apps

143 points by eallam 20h ago 58 comments

Basics of Equality Saturation (egglog-python.readthedocs.io)

8 points by todsacerdoti 3d ago 1 comments

Show HN: Pyproc – Call Python from Go Without CGO or Microservices (github.com)

26 points by acc_10000 7h ago 7 comments

I wish my web server were in the corner of my room (2022) (interconnected.org)

87 points by jonassaid 3d ago 61 comments

CubeSats are fascinating learning tools for space (jeffgeerling.com)

194 points by warrenm 21h ago 78 comments

How People Use ChatGPT [pdf] (cdn.openai.com)

137 points by nycdatasci 16h ago 67 comments

Removing newlines in FASTA file increases ZSTD compression ratio by 10x (log.bede.im)

265 points by bede 3d ago 103 comments

Massive Attack turns concert into facial recognition surveillance experiment (gadgetreview.com)

293 points by loteck 13h ago 134 comments

How to self-host a web font from Google Fonts (blog.velocifyer.com)

163 points by Velocifyer 21h ago 121 comments

Assassination Sparks Social Media Crackdown (kenklippenstein.com)

20 points by kgdiem 7h ago 4 comments

When Your Father Is a Magician, What Do You Believe? (thereader.mitpress.mit.edu)

79 points by pseudolus 4d ago 17 comments

RustGPT: A pure-Rust transformer LLM built from scratch (github.com)

359 points by amazonhut 1d ago 170 comments

Boring work needs tension (iaziz786.com)

123 points by iaziz786 20h ago 65 comments

A qualitative analysis of pig-butchering scams (arxiv.org)

211 points by stmw 1d ago 132 comments

Debian Upgrade Marathon: 3.1 Sarge (wrongthink.link)

48 points by zdw 3d ago 7 comments

Death to type classes (jappie.me)

121 points by zeepthee 4d ago 73 comments

Which NPM package has the largest version number? (adamhl.dev)

162 points by genshii 1d ago 72 comments

Experimental browser MMO with bots, boss fights and power-ups (blobeer.com)

11 points by daniellax 3d ago 10 comments

From unit tests to whole universe tests (with will wilson of antithesis) [video] (youtube.com)

26 points by zdw 2d ago 15 comments

The Artistry of Avril Harrison (2024) (scanlineartifacts.co.uk)

22 points by rbanffy 2d ago 3 comments

California reached a union deal with tech giants (politico.com)

53 points by markerz 16h ago 42 comments

Programming Deflation (tidyfirst.substack.com)

106 points by dvcoolarun 21h ago 84 comments

GuitarPie: Electric Guitar Fretboard Pie Menus (andreasfender.com)

40 points by DonHopkins 21h ago 4 comments

GPT‑5-Codex and upgrades to Codex (simonwillison.net)

52 points by amrrs 16h ago 7 comments

How Tim Cook sold out Steve Jobs (anildash.com)

29 points by pjmlp 5h ago 8 comments

Human writers have always used the em dash (theringer.com)

111 points by FromTheArchives 3d ago 130 comments

ERP Therapy Sucks (taylor.town)

50 points by surprisetalk 2d ago 42 comments

The Revised Report on Scheme or An UnCommon Lisp (1985) [pdf] (dspace.mit.edu)

42 points by swatson741 14h ago 7 comments

Turgot Map of Paris (en.wikipedia.org)

62 points by Michelangelo11 2d ago 16 comments

Self Propagating NPM Malware Compromises over 40 Packages

33 jamesberthoty 12 9/16/2025, 11:22:03 AM stepsecurity.io ↗

Comments (12)

madeofpalk · 40s ago

My main takeaway from all of these is to stop using tokens, and rely on mechanisms like OIDC to reduce the blast radius of a compromise.

How many tokens do you have lying around in your home directory in plain text, able to be read by anything on your computer running as your user?

l___l · 1m ago

Is there a theoretical framework that can prevent this from happening? Proof-carrying code?

dist-epoch · 17s ago

There are, but they have huge performance penalties.

Stuff like intents "this math library is not allowed to access the network".

gchamonlive · 14m ago

We've seen many reports of supply chain attacks affecting NPM. Are these symptoms of operational complexity, which can affect any such service, or is there something fundamentally wrong with NPM?

liveoneggs · 6m ago

It's the entire blase nature of js development in general.

koakuma-chan · 6m ago

> is there something fundamentally wrong with NPM?

Its users don't check who the email is from

dist-epoch · 7m ago

It's just where the users and the juicy targets are.

NPM packages are used by huge Electron apps like Discord, Slack, VS Code, the holy grail would be to somehow slip something inside them.

guidedlight · 42s ago

We don't see these attacks nearly as severe or frequent on Maven, which is a much older package management solution. Maven users would be far more attractive targets given corporates extensively run Java.

anthk · 5m ago

Every NPM turd should be run with bubblewrap or a similar sandbox toolkit at least.

freakynit · 12m ago

New day, new npm malware. Sigh..

motorest · 6m ago

> New day, new npm malware. Sigh..

This. But the problem seems to go way deeper than npm or whatever package manager is used. I mean, why is anyone consuming a package like colors or tinycolors? Do projects really need to drag in a random dependency to handle these usecases?

diggan · 2m ago

So rather than focusing on how Microsoft/npm et al can prevent similar situations in the future, you chose to think about what relevance/importance each individual package has?

There will always be packages that for some people are "but why?" but for others are "thank god I don't have to deal with that myself". Sure, colors and whatnot are tiny packages we probably could do without, but what are you really suggesting here? Someone sits and reviews every published package and rejects it if the package doesn't fit your ideal?