jpoesen | 🇪🇺 | 🏳️‍🌈

218 Followers
93 Following
1.5K Posts

🔥 FOR HIRE: Your Personal Drupal Coach 🔥

--------------------
I teach #PHP, #Drupal, #SQL, and #Linux foundations.

I talk less about Drupal over at https://social.jpoesen.com/@jpoesen

Your Personal Drupal Coach: https://jpoesen.com/drupal-training
Pixelfed: https://pixelfed.social/jpoesen
Drupal: https://drupal.org/u/jpoesen
Linkedin: https://linkedin.com/in/jpoesen
I’ve had so many conversations now with long-time very serious open source contributors and advocates from a bunch of different projects that all are basically versions of, “Are we still doing something worth doing? Have we become evil corporate drones but just poor and tired? Am I alone in caring about this?”
For the fourth time, nominations for this year's Tiny Awards celebrating the "best of the small, poetic, creative, handmade web" are open. https://waxy.org/2026/06/tiny-awards-2026-nominees-are-open/

The new ECA Workflow Modeler: built from scratch in 6 weeks, 87,000 lines, 2.1x more test code than production code.

React 18 + TypeScript, infinite canvas, execution replay, live testing, WCAG AA accessibility tested in CI. Every commit runs through 15 gates.

Quality standards that match commercial SaaS. Open source reference architecture for Drupal + React.

Try it: https://www.drupal.org/project/modeler
Read about it: https://go.lakedrops.com/eca-next-chapter-post-4

#Drupal #ECA #React #QualityEngineering #OpenSource

The packages published by the user "spruko" are all executing arbitrary, obfuscated or malicious code… via "autoload.files" entry in composer.json

It reads an embedded payload from a fake `index.jpg` file, decodes it through multiple de-obfuscation functions, and executes it via `eval()` in almost every PHP file.

I have no interest in investigating further, but somebody should look into it and take action.

https://packagist.org/users/spruko
https://github.com/spruko
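A defender-side check for the Composer loader pattern described in this post, added here as an example and not code from the post, from Packagist or from Composer: it walks a vendor tree, reads each package's `autoload.files` entries and flags loader files that combine `eval()` with a decoder or read a non-PHP file such as `index.jpg`. The vendor tree, package names and regexes are constructed for the example.

```python
"""Flag Composer packages whose autoload.files entries look like loaders for obfuscated code."""
import json, re, tempfile
from pathlib import Path

# Traits of the loader pattern described above: eval over a decoded blob,
# and PHP that reads a non-PHP "resource" file such as index.jpg.
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\("),
    "decoder": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "non-php read": re.compile(r"file_get_contents\s*\([^)]*\.(jpg|jpeg|png|gif|txt|dat)\b", re.I),
}

def scan_package(pkg_dir: Path):
    """Return (package name, autoload file, reasons) for each suspicious autoload.files entry."""
    manifest = pkg_dir / "composer.json"
    if not manifest.is_file():
        return []
    data = json.loads(manifest.read_text())
    name = data.get("name", pkg_dir.name)
    findings = []
    for rel in data.get("autoload", {}).get("files", []):
        target = pkg_dir / rel
        reasons = []
        if not target.resolve().is_relative_to(pkg_dir.resolve()):
            reasons.append("path escapes package")   # e.g. ../../something.php
        elif target.is_file():
            src = target.read_text(errors="replace")
            reasons += [label for label, rx in SUSPICIOUS.items() if rx.search(src)]
        if reasons:
            findings.append((name, rel, reasons))
    return findings

def scan_vendor(vendor: Path):
    """Walk vendor/<vendor>/<package> and collect findings across every installed package."""
    return [f for pkg in sorted(vendor.glob("*/*")) if pkg.is_dir() for f in scan_package(pkg)]

def build_fixture() -> Path:
    """Constructed sample tree: one clean package and one shipping a decode-and-eval loader."""
    root = Path(tempfile.mkdtemp()) / "vendor"
    clean = root / "acme" / "helpers"
    clean.mkdir(parents=True)
    (clean / "composer.json").write_text(json.dumps({"name": "acme/helpers", "autoload": {"files": ["helpers.php"]}}))
    (clean / "helpers.php").write_text("<?php function acme_hello() { return 'hi'; }\n")
    bad = root / "example" / "theme"
    bad.mkdir(parents=True)
    (bad / "composer.json").write_text(json.dumps({"name": "example/theme", "autoload": {"files": ["loader.php"]}}))
    (bad / "loader.php").write_text("<?php eval(gzinflate(base64_decode(file_get_contents(__DIR__ . '/index.jpg'))));\n")
    return root
```

Run `scan_vendor(Path("vendor"))` against a real install to list the packages whose autoloaded files deserve a manual read.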

Next week is the time: together with @developer we are organising the govtrack at FOST Amsterdam.

And the good news is, we have free tickets for you:
🎟️ https://portal.joinfost.io/event/future-of-software-technologies-amsterdam-2026/cf522e15-399f-4c1f-8365-3a72346f16f0/dutch-government?coupon=OPENSOURCE


Conferences: steal this idea from Laravel Live Japan 🙏
no lunch buffet, lunch is outside with optional "lunch pairing" (groups of 4 ppl)

- solo attendees meet people instead of eating alone
- simpler org and cheaper tickets
- eat better food (and local food when traveling)

RE: https://mastodon.social/@seldaek/116651920344034250

I am very excited about this update!

The #PHP ecosystem cannot thank @seldaek, @naderman, and everyone at #Packagist and everybody contributing to #Composer enough for the amazing work they are doing.

The PHP Foundation just published its 2025 Impact and Transparency Report.

Clearly laid out, and a great way to share information and inspire confidence in the community they support.

If only more open source tech-related support organisations were so open and communicative.

https://thephp.foundation/blog/2026/05/27/impact-and-transparency-report-2025/


Here is the uncomfortable truth: every developer I know has side projects gathering dust on a server somewhere. Those are exactly what automated vulnerability scanners are looking for.

I learned this the hard way when a forgotten project with outdated #Laravel dependencies became an attacker's entry point. They stole my env, sent 50k spam emails, and I spent the night panicking.

Full story here:
https://danielpetrica.com/50-000-spam-emails-and-a-3-am-panic-what-happened-when-i-forgot-about-a-side-project/

#Laravel #PHP #programming

Iztok Smolic (Agiledrop) explains how his team almost got #phished.

Turns out a "potential client" with a #TypoSquatted email address sent a demo #git repository that had a post-checkout hook ready to run code with full permissions.

Another attack vector I wasn't aware of 😬

https://www.linkedin.com/posts/iztok-agiledrop_we-almost-got-phished-this-week-not-by-share-7464980887990935552-tmru


We almost got "phished" this week. Not by some sloppy "Nigerian prince" email but by a fake client. Here's what happened...

Someone filled out the contact form on our website. They said they needed help with a software project. The email looked normal. The spec looked normal (a bit AI-generated, but who isn't using AI these days?). They sent a Dropbox link with a TAR file. Inside was a git repo and a note: "please check out the NDA branch first".

During a weekly sales sync meeting, Ales noticed something was off. The sender's domain was off by one letter from a real website. We looked closer at the repo. There was a hidden "post-checkout" hook in the codebase. A binary file. If any developer had run "git checkout NDA" on their machine, that binary would have executed with their full user permissions.

We pulled it apart in a container with Claude's help. It had scripts for Linux, macOS, and Windows. It was built to grab system data and ship it off to an API hosted on Vercel. We work with clients like Deutsche Telekom and University of Ljubljana. One "git checkout" away from a very bad day.

Phishing isn't just bad emails anymore. It's full fake projects, with specs and repos and personas. People are reporting the same trick disguised as job offers. A "recruiter" reaches out, sends a coding test or a take-home repo, and asks the candidate to run it locally. Same playbook, different wrapper. If your developers run that on a work machine, you have the same problem we almost had.

If you lead a dev team, talk to your people this week. Show them this story. The next attack won't look like an attack. It will look like a client or a job opportunity. Has anyone else had these experiences?

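The pre-flight check this story calls for, added here as an example and not Agiledrop's or the post author's tooling: before running any `git checkout` inside an unpacked repository, list the hooks it ships in `.git/hooks` and any `core.hooksPath` redirection in `.git/config`, since either can run code with the developer's permissions. The repository layout, hook names and config contents are constructed for the example.

```python
"""Pre-flight audit of an unpacked git repository, run before any checkout in it."""
import stat, tempfile
from pathlib import Path

def parse_git_config(text: str):
    """Minimal .git/config parser: {section: {key: value}} with lowercased names."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            cfg.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            cfg[section][key.strip().lower()] = value.strip()
    return cfg

def audit_repo(repo: Path):
    """Return (kind, detail) findings; an empty list means no hook or hook redirection was found."""
    git, findings = repo / ".git", []
    config = git / "config"
    cfg = parse_git_config(config.read_text()) if config.is_file() else {}
    core = cfg.get("core", {})
    if "hookspath" in core:          # hooks moved into a directory shipped with the tarball
        findings.append(("core.hooksPath", core["hookspath"]))
    hook_dirs = [git / "hooks"] + ([repo / core["hookspath"]] if "hookspath" in core else [])
    for d in hook_dirs:
        for f in (sorted(d.iterdir()) if d.is_dir() else []):
            if f.is_file() and f.suffix != ".sample":   # git ignores *.sample, so do we
                executable = bool(f.stat().st_mode & stat.S_IXUSR)
                findings.append(("hook", f"{f.relative_to(repo)} executable={executable}"))
    return findings

def build_fixture() -> Path:
    """Constructed sample: a repo shipping a post-checkout hook plus a redirected hooksPath."""
    repo = Path(tempfile.mkdtemp()) / "demo-project"
    (repo / ".git" / "hooks").mkdir(parents=True)
    (repo / ".git" / "config").write_text("[core]\n\trepositoryformatversion = 0\n\thooksPath = .githooks\n")
    hook = repo / ".git" / "hooks" / "post-checkout"
    hook.write_text("#!/bin/sh\n# stand-in for the binary described in the post\n")
    hook.chmod(0o755)
    (repo / ".git" / "hooks" / "pre-commit.sample").write_text("# shipped by git itself, ignored\n")
    (repo / ".githooks").mkdir()
    (repo / ".githooks" / "post-checkout").write_text("#!/bin/sh\n")  # not executable yet
    return repo
```

A non-executable hook is still reported, because a later `chmod` or build step can turn it on; anything listed should be read in a throwaway container before the repository is used on a workstation.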