Axios Compromised on npm—Malicious Versions Drop Remote Access Trojan, by (not on Mastodon or Bluesky):

https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

#npm #dependencies #axios #security

axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity

Hijacked maintainer account used to publish poisoned axios releases including 1.14.1 and 0.30.4. The attacker injected a hidden dependency that drops a cross-platform RAT. We are actively investigating and will update this post with a full technical analysis.

mogenius/renovate-operator: Operator to streamline renovate executions in Kubernetes

"Run Renovate on your own infrastructure with CRD-based scheduling, parallel execution, auto-discovery, and a built-in UI."

Link: https://github.com/mogenius/renovate-operator

#linkdump #dependencies #development #kubernetes #renovate #tool

We should all be using dependency cooldowns

"A “cooldown” is exactly what it sounds like: a window of time between when a dependency is published and when it’s considered suitable for use. The dependency is public during this window, meaning that “supply chain security” vendors can work their magic while the rest of us wait any problems out."

Link: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

#linkdump #dependencies #development #security

We should all be using dependency cooldowns

No One Owes You Supply-Chain Security, by @purplesyringa.bsky.social:

https://purplesyringa.moe/blog/no-one-owes-you-supply-chain-security/

#security #dependencies #rust

No one owes you supply-chain security

In case you’re unaware, I’m not a developer. I’m actually an autistic catgirl annoyed by suboptimal use of computing power, and fixing that happens to involve programming. Crucially, it also includes discussing foundational technology with people behind the scenes, and apparently that makes me more aware of social aspects of this sphere. So, I have opinions about criticism of crates.io for supply-chain attacks. After a dozen similar articles, I have some select words to voice about why it’s off the mark.

purplesyringa's blog

For many Java beginners, Maven is one of the first tools they encounter in day-to-day project work. And at first it often seems abstract: a `pom.xml`, many unfamiliar elements, a foreign directory structure, automatic downloads - what is actually happening here? As a trainer, I see...

https://magicmarcy.de/maven-was-ist-das-ueberhaupt

#Maven #pom.xml #POM #Abhängigkeiten #Dependencies #dependency #Convention_over_Configuration #groupId #artifactId #version #Bibliothek #compile #test #package #jar

Maven - what is it, actually? | magicmarcy.de

For many Java beginners, Maven is one of the first tools they encounter in day-to-day project work. And at first it often seems abstract: a pom.xml, many unfamiliar elements, a foreign directory structure, automatic downloads - what is actually happening here? As a trainer, I see again and again how much Maven can ease getting started once you have understood what it does: it organizes your project, manages dependencies, builds your program, and ensures that it is built the same way on every machine. In this post I walk you through the basics step by step.

magicmarcy.de

Minimum Release Age Is an Underrated Supply Chain Defense, by @daniakash.com:

https://daniakash.com/posts/simplest-supply-chain-defense/

#security #dependencies #npm #bun #pnpm #yarn #deno #renovate #dependabot #axios

Minimum Release Age is an Underrated Supply Chain Defense | Dani Akash

A 7-day package delay would have blocked installs in most short-lived malicious publish attacks from the last 8 years

📣 New Package: Django Dependency Map
📄 Understanding the interaction between Django apps as you build
🔗 https://softwarecrafts.co.uk/100-words/day-302
#100_words,#django,#packages,#dependencies,#architecture
New Package: Django Dependency Map - Software Crafts

Understanding the interaction between Django apps as you build

The Hidden Blast Radius of the Axios Compromise - Socket

The Axios compromise shows how time-dependent dependency resolution makes exposure harder to detect and contain.

Socket

Ubuntu 26 apt install

I am having a problem installing apt on Ubuntu 26, won't solve deficiencies. sudo apt install asn [sudo: authenticate] Password: Solving dependencies... Error! Some packages could not be inst...

Ask Ubuntu

Every dependency you add is a supply chain attack waiting to happen

Dependencies are a huge supply chain security risk; the more of them you have, and the more often you update, the bigger the attack surface.