Another day, another supply chain attack, this time Axios: https://github.com/axios/axios/issues/10604

Makes me glad I'm lazy and intentional about dependency updates. But it's a worrying trend. Soon we'll be tracking these things by the hour.

[email protected] and [email protected] are compromised · Issue #10604 · axios/axios (GitHub)
more details: https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan Most likely, a maintainer's GitHub and npm accounts are compromised as these iss...
@geerlingguy While the Node ecosystem being as popular as it is makes it a big target, it also means these issues have a lot of visibility leading to real change.

@geerlingguy I'm getting the feeling automation is dangerous, and all our authentication tokens should be on physical hardware that requires human interaction to approve a request.

@geerlingguy Who could have foreseen that <script> as a service would go horribly, horribly wrong?
@geerlingguy it's gotten really bad. That's why for a while now I've only been developing in a DevContainer. For my side projects, I'm relying more and more on #Deno, as I hope its security architecture will prevent exactly these kinds of threats.
@benny Went to check what Deno is... Found https://dbushell.com/2026/03/20/denos-decline-and-layoffs/ looks like it might not be worth learning anymore.. 😅
404 Deno CEO not found (dbushell.com)
The one where I mourn the best runtime and speculate idly
@geerlingguy soon better just not use a computer of any kind, it's either loads of backdoors or advertisements
@geerlingguy This is business as usual for javascript (npm).
@geerlingguy 300 million downloads for an npm package really is the xkcd Dependency we all love referring to
@geerlingguy I never understood why people still used this library after fetch() became available across everything a few years ago.