Naty21h ago

Re: Axios remote access trojan (RAT)

https://github.com/axios/axios/issues/10636

Luckily I don't use npm much (only #Indiekit) and it wasn't the malicious v1.14.1 or v0.30.4, it was v1.13.2.

Check with `npm list axios` in your /node_modules folder. I also ran `find ~ -type d -path "*/node_modules/plain-crypto-js" 2>/dev/null` to see if the RAT is found any where on my Mac. 🤞Luckily nothing. Scary! Read the full post mortem report above!

@paulrobertlloyd

#RemoteAccessTrojan #trojan #hack #virus #npm #axios

Post Mortem: axios npm supply chain compromise · Issue #10636 · axios/axios

Post Mortem: axios npm supply chain compromise Date: March 31, 2026 Author: Jason Saayman Status: Remediation in progress On March 31, 2026, two malicious versions of axios (1.14.1 and 0.30.4) were...

GitHub
NatyMar 25

After discovering #TiddlyWiki from @jbaty, I went ahead to give #FeatherWiki (lightweight TW fork) a spin as a personal #braindump bin. I really like how it’s just a HTML file at 58kb!

Using #Android, it failed due to Android Storage Access Framework (#SAF) limitations. I ended using the amazing #Termux once again to run #Busybox #httpd, automate the whole process of opening, serving & saving back to my…

Full note: https://burgeonlab.com/notes/2026/0325-165827
Syndicated by #Indiekit

#syncthing #bash #wiki #FOSS

NatyMar 23

WOOT! #Bunnynet finally has #S3 early access! (I missed this notification was one month ago) Really looking forward to using it for my #Indiekit storage needs. Being a big fan of their CDN and #statichosting, I have high hopes.

If you're going to try https://bunny.net for your next web project, consider using my affiliate link:

https://bunny.net?ref=k4vc3x5108

Thank you! Read my experience with Bunny here:

https://burgeonlab.com/support/#bunnynet

#s3bucket #aws #s3storage #cloudstorage #bunnyCDN #bunnyStorage

RicardoMar 15

If you see this post, please interact with it with a reply or like, I will then be able to retrieve your interaction to my blog/AP fedify instance and then I will test replying to your reply to demo threaded reply backfilled to my site
You can also comment using IndieAuth/indieweb if your site support it !

đź”— https://rmendes.net/notes/2026/03/15/fbb7d

A Node on the Web

✎ Note 15 March 2026 Test Fedify Indiekit If you see this post, please interact with it with a reply or like, I will then be able to retrieve your interaction to my blog/AP fedify instance and t...

A Node on the Web
RicardoMar 12

Funny how building an ActivityPub plugin for #indiekit fully based on Fedify, migrating my Mastodon account to my own server @[email protected] and building my own UI to consume AP content from the #Fediverse made me use even more than before.

This post is simultaneously a blog post, an #ActivityPub object in the inbox of my followers and a syndicated post to Bluesky.

Next in line? getting inspired by #Wafrn and turn this indiekit/AP instance into my own #Bluesky Pds.

đź”— https://rmendes.net/notes/2026/03/12/a67cd

A Node on the Web

✎ Note 12 March 2026 Indiekit ActivityPub ATproto Funny how building an ActivityPub plugin for #indiekit fully based on Fedify, migrating my Mastodon account to my own server @[email protected] a...

A Node on the Web
RicardoMar 11

Two Microsub reader updates this week:

Feed type indicators — each feed now shows its type (RSS, Atom, JSON Feed, h-feed) as a badge, and subscribing to a feed that already exists in another channel returns a clear error instead of silently creating a duplicate. URL normalization catches trailing slash and http/https variants.

Mark source as read — the mark-as-read button is now a split button. The main action marks a single item, but a dropdown caret reveals “Mark {source name} as read” — which bulk-marks all items from that feed in one click. Cards animate out smoothly. Handy when a noisy feed floods a channel and you want to clear it without losing items from other sources.

Both features work in the channel view and the unified timeline view. https://github.com/rmdes/indiekit-endpoint-microsub

đź”— https://rmendes.net/notes/2026/03/11/2e639

GitHub - rmdes/indiekit-endpoint-microsub: Microsub endpoint for Indiekit

Microsub endpoint for Indiekit. Contribute to rmdes/indiekit-endpoint-microsub development by creating an account on GitHub.

GitHub
RicardoMar 10

Dev Log: Hunting OOM kills, fixing CLS, and making Eleventy builds 10x faster

https://rmendes.net/articles/2026/03/10/dev-log-hunting-oom-kills

Dev Log: Hunting OOM kills, fixing CLS, and making Eleventy builds 10x faster

Dev Log: Hunting OOM kills, fixing CLS, and making Eleventy builds 10x faster 10 March 2026 indieweb indiekit performance coding eleventy devops Three days of performance work on the Indiekit stack —...

A Node on the Web
RicardoMar 10

Just updated indiekit-deploy (indiekit docker/compose based deployment)

Changes Summary

  • Plugin versions aligned (package.core.json + package.full.json)
    • Plugin Old New syndicator-bluesky 1.0.14 1.0.19 endpoint-syndicate beta.34 beta.36 endpoint-microsub 1.0.41 1.0.43 endpoint-homepage 1.0.19 1.0.22 endpoint-activitypub 2.2.0 2.8.0 endpoint-github 1.0.7 1.2.3
  • indieauth.js patch added
    • Copied from Cloudron — fixes redirect URI validation that rejected hyphens/dots in paths
    • Added COPY line to docker/indiekit/Dockerfile
  • routes.js patch synced
    • Two-tier rate limiting (session 50/15min, API 1000/15min) instead of single 250/15min
    • Added content negotiation routes for ActivityPub
  • Eleventy submodule updated
    • From f5f77cb to 48160a5 — 131+ commits of fixes including OG batch spawning, a11y audit, PageSpeed optimization, design system compliance
  • –expose-gc added to watcher
    • Enables post-build GC hook in eleventy.config.js and OG batch spawning GC
  • Atomic release swap implemented
    • Builds to /data/site/releases/TIMESTAMP/, atomically swaps symlink at /data/site/current
    • All 3 Caddyfiles updated: root * /data/site → root * /data/site/current
    • First-run migration handles existing flat /data/site volumes
    • Keeps 2 releases for rollback
  • Watcher heap increased to 2048 MB
    • Was 1536 MB, now matches Cloudron’s production setting
    • Needed for OG batch spawning during incremental rebuilds

    đź”— https://rmendes.net/notes/2026/03/10/ab5e2

    NatyMar 8

    Indiekit beta 27 is out! Thanks @paulrobertlloyd!
    https://github.com/getindiekit/indiekit/releases/tag/v1.0.0-beta.27

    #Indieweb #indiekit #nodejs

    Release v1.0.0 Beta 27 · getindiekit/indiekit

    đź’ź Indiekit is supported by its community. This release was sponsored by @sentience and @abhas. Features endpoint-image: add option to specify remote domains for image resizing. Thanks to @eclecti...

    GitHub
    RicardoMar 7

    My blog is WCAG 2.1 Level AA compliant… in theory.
    Excuse my ignorance but how do I test it to make sure it works for impaired people?

    đź”— https://rmendes.net/notes/2026/03/07/8e610

    Ricardo Mendes

    ✎ Note 7 March 2026 indiekit My blog is WCAG 2.1 Level AA compliant… in theory. Excuse my ignorance but how do I test it to make sure it works for impaired people? My blog is WCAG 2.1 Level AA c...

    Ricardo Mendes