You know what the ultimate evolution of Zero Dependency Development is?
No fucking code at all.
A raw HTML and CSS website.
FTP'd to a server.
No frameworks, no libraries, no LeftPad, no CI/CD pipeline, nothing.
No dependencies to worry about, no CVEs to patch, no obscure bugs to fix, no mandatory updates, no Major version bump rewrites, no URI rewrite caching headaches, no JavaScript transplantation problems, none of that shit.
https://contenttechtodon.org/@deane/114763610470071162
#ZDD
Deane Barker (@deane@contenttechtodon.org)

I agree with every word of this. Scream it from the rooftops. https://www.jonoalderson.com/conjecture/javascript-broke-the-web-and-called-it-progress/

And this is why we have Zero Dependency Development #ZDD
https://neuromatch.social/@jonny/113321423162878939
jonny (good kind) (@jonny@neuromatch.social)

Hot off the press of #ExtremelyGoodIdeas : now presenting my newest package `no-more-imports` : https://git.jon-e.net/jonny/no-more-imports importing code is simply beneath you, you are a sacred energy being who does not need to be bothered with typing the word `import` at the top of your module. Well now with `no-more-imports`, you've got a companion that will dynamically modify the AST of your code and bust across interpreter frames to make sure you never have to touch any of that fuck shit package infrastructure ever again. Available now at a pypi near you: https://pypi.org/project/no-more-imports/ #InfrastructuralShitposts #BadIdeas #ActuallyGoodIdeas #IdeasWeAreNotReadyFor

ZDD - Zero Dependency Development

A case study in how to do vanilla web development, with zero dependencies in 2023.
#ZDD #ZeroDependencyDevelopment
https://github.com/morris/vanilla-todo
GitHub - morris/vanilla-todo: A case study on viable techniques for vanilla web development.

There is no single solution to this threat, but part of the solution is to change the way we develop.
We have operated in a default 'trust everything' mode, where we embrace dependencies as a zero-cost way of moving fast.
Now we must pivot to reduce, and ideally eliminate dependencies, not only in order to reduce threats, but also ease the maintenance burden.
Embrace #ZeroDependencyDevelopment #ZDD
https://infosec.exchange/@cyberlibrarian/110407491756470483
The Cybersecurity Librarian :donor: (@cyberlibrarian@infosec.exchange)

This weekend PyPI, the Python software repository, suspended new accounts: the level of malicious activity has become unmanageable. But this story is not just about Python: the level of risk from software dependencies has risen unimaginably: not a little, not a lot, this is big enough that it is hard to communicate and comprehend. Python (pypi), JavaScript (npm), Java (maven), Ruby, and even VS Code extensions are all under constant unrelenting attack. When a single package is trojanized, that threat is inherited by every application that includes the compromised package. The number of methods being used for these attacks is growing, and developers are now a "target of choice" for many criminal groups. For example, in 2022 there was a sudden increase in the number and effectiveness of "Phishing as a Service" (PhaaS) offerings in criminal markets. These services are effective at bypassing MFA. However, you may not know that these services are being used to target developer accounts, including repositories of private and open-source software. They want to trojanize the code and create the next big software-supply-chain compromise. PhaaS is just one method. This weekend's announcement from PyPI was the result of criminals creating a large number of developer accounts so that they can publish malicious clones of existing packages. Typosquatting of packages is not a new phenomenon, the constant stream of attacks is new. You might assume that the repository hosts or managers must have a solution. They do not. The problems are diverse and many: from the management of repository hosting, to the security/trust verification features of packaging systems, to the security of repositories and the developers themselves. There is no one solution, but solutions are needed. My action item for you is this. Do not read cybersecurity about software repository compromises in isolation. Look at the forest and not the trees.
Big risks are harder to understand than little ones but need the most urgent action. Below are a small selection of stories in the comments to get you started. This is just a tiny fraction of the stories I have read and analyzed in the past year. The "hits just keep on coming". #SoftwareDeveloper #GitHub #PyPi #NPM #Java #Python #CyberSecurity #PhishingAsAService #ThreatIntelligence #CTI #PhaaS #TypoSquatting #VSCode #Malware #SoftwareSupplyChain https://www.bleepingcomputer.com/news/security/pypi-temporarily-pauses-new-users-projects-amid-high-volume-of-malware/ https://www.zdnet.com/article/security-warning-for-software-developers-you-are-now-prime-targets-for-phishing-attacks/ https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/ https://therecord.media/malware-found-in-npm-package-with-millions-of-weekly-downloads https://blog.phylum.io/a-pypi-typosquatting-campaign-post-mortem/ https://www.zdnet.com/article/android-warning-these-malicious-apps-had-over-a-million-downloads-from-google-play/ https://www.bleepingcomputer.com/news/security/malicious-microsoft-vscode-extensions-steal-passwords-open-remote-shells/ https://www.bleepingcomputer.com/news/microsoft/vscode-marketplace-can-be-abused-to-host-malicious-extensions/

@wilsondanielross @cyberlibrarian One answer to this problem is to work in a sandbox, so that when your environment gets compromised you can just ditch it.
I use Docker for this.
The next part is to embrace minimal, or preferably zero, dependency development.
#ZDD #ZeroDependencyDevelopment

The #ZDD introduces itself - Part 6, 27.01.2023, 14:00 - 16:00!

Prof. Dr. Alina Huldtgren (Digital Health and User Experience)
&
Jun.-Prof. Dr. Martin Doll (Societal, Ethical and Social Aspects of Digitality)

@twitter@hsduesseldorf or online: http://zdd.hs-duesseldorf.de/zddenkanstoesse

#Digitalisierung #Digitalität

ZDDenkanstöße

The #ZDD introduces itself - Part 5, 20.01.2023, 16:00 - 18:00!

Prof. Dr. Dorothea Schwung
(AI and Data Science in Automation Engineering)
&
Prof. Dr. Christian Voigt
(Digital Literacy)

@twitter@hsduesseldorf or via teams --> http://zdd.hs-duesseldorf.de/zddenkanstoesse

#Digitalisierung #Digitalität

ZDDenkanstöße

The #ZDD introduces itself - today: Part 4, 16:00 - 18:00!

Prof. Moritz Fleischmann
(Data Driven Design)
&
Prof. Dr. André Stuhlsatz
(Smart Systems in Energy Engineering)

@hsduesseldorf or teams --> http://zdd.hs-duesseldorf.de/zddenkanstoesse

#Digitalisierung #Digitalität

ZDDenkanstöße

We are looking for candidates for the professorship "Societal, Ethical and Social Aspects of Digitality" at the #ZDD and the Faculty of Social Sciences and Cultural Studies @twitter@hsduesseldorf.

We look forward to exciting applications!
https://karriere.hs-duesseldorf.de/Professur-Gesellschaftliche-ethische-und-soziale-Aspekte-v-de-j134.html

#Digitalisierung #Digitalität

Job posting: Professorship "Societal, Ethical and Social Aspects of Digitality" at Hochschule Düsseldorf

We are looking for you as professor of "Societal, Ethical and Social Aspects of Digitality" in the Faculty of Social Sciences and Cultural Studies.