Pelle Wessman

@voxpelli
646 Followers
835 Following
4.2K Posts
Web developer, +10 years of web dev, creator, non-influencer, open source contributor, #nodejs user, #IndieWeb participant, #TypesInJs advocate. Lives in southernmost Sweden 🇸🇪
GitHub: https://github.com/voxpelli
Bluesky: https://bsky.app/profile/voxpelli.com
Blog: https://voxpelli.com
Profile: https://kodfabrik.se

🚨 New Investigation: Attackers are hunting the maintainers behind Lodash, Fastify, buffer, Pino, mocha, Express, and #Nodejs core, because compromising one of them means write access to packages downloaded billions of times a week.

Multiple high-impact maintainers have all confirmed they were targeted in the same coordinated social engineering campaign that compromised Axios.

https://socket.dev/blog/attackers-hunting-high-impact-nodejs-maintainers

Attackers Are Hunting High-Impact Node.js Maintainers in a C...

Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.

Socket
And this is what that app contained. (Thankfully I never ran it)
If it’s anything like what they attempted with me, then a new modus operandi is to create social credibility and even group pressure, then have a planned video call on a faked version of a real streaming service, then show credible errors and urge you to download a native app. This is what I got:

RE: https://bsky.app/profile/did:plc:n6f3j47vjucu5ijwdmow7n2w/post/3mijss2fl2k2j

#NPM #axios maintainer has lost control of their account. Malicious versions 1.14.1 and 0.30.4 have been published which include a RAT.

NPM has pulled the affected versions and the payload. Time to clean up and see if you were affected.

StepSecurity has an awesome write-up on this issue with #iocs

Link follows this toot.

#CTI #infosec #node #cybersecurity #security #nodejs #js #malware

lol. black hats actually discovered they could just use the front door with #NPM — https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
axios Compromised on npm - Malicious Versions Drop Remote Access Trojan - StepSecurity

Hijacked maintainer account used to publish poisoned axios releases including 1.14.1 and 0.30.4. The attacker injected a hidden dependency that drops a cross-platform RAT. We are actively investigating and will update this post with a full technical analysis.

Ivory v2.5 is now available in the App Store!

What's new:
- Audio Playback (including support for posting audio files)
- Configure 4 Swipe Gestures for Posts
- Support for Viewing Rich Text Posts
- Various bug fixes.

Download the update here:
https://apps.apple.com/us/app/ivory-for-mastodon-by-tapbots/id6444602274

RE: https://mastodon.social/@stroughtonsmith/116255419547147086

This is why I find https://setapp.com/ to be a great thing – on macOS and iOS alike.

It lowers the threshold to get started with a subscription.

@stroughtonsmith Any thoughts on adding Pastel to Setapp?

Here to say that Eurosky.social seems to have issues. Good to have an account here as well then 🥳

Vulnerabilities with high to critical severity ratings affecting popular Visual Studio Code (VSCode) extensions collectively downloaded more than 128 million times could be exploited to steal local files and execute code remotely.

https://www.bleepingcomputer.com/news/security/flaws-in-popular-vscode-extensions-expose-developers-to-attacks/

Flaws in popular VSCode extensions expose developers to attacks

BleepingComputer