HackerTrans
TopNewTrendsCommentsPastAskShowJobs

cddotdotslash

no profile record

comments

cddotdotslash
·6 miesięcy temu·discuss
They exist in a few forms:

- The company is smaller and/or already geo-distributed and doesn't have the ability (or awareness) to monitor employee locations or deal with the tax/compliance obligations and so turns a blind eye, intentionally or not. The employees are generally operating in a grey area - either on tourist visas or for a company that isn't registered to employee people in their locale.

- The company actively creates a remote-first environment, working with their employees to employ them (compliantly) in their locale, usually through a third-party employer of record. These are very few and far between, but they exist.

- Companies, like Airbnb, that allow for a certain amount of time outside of a "home locale" per year (IIRC, it's 90 days). This isn't truly "global remote" but employees can move around more freely than in-office or locale-only employers.
cddotdotslash
·9 miesięcy temu·discuss
It’s incredibly annoying to read. So many super short sentences with the “not just X. Also Y” format. Little hooks like “The attack vector?”

“Not fancy security tools. Not expensive antivirus software. Just asking my coding assistant…”

I actually feel like AI articles are becoming easier to spot. Maybe we’re all just collectively noticing the patterns.
cddotdotslash
·10 miesięcy temu·discuss
I wonder who actually discovered this attack? Can we credit them? The phrasing in these posts is interesting, with some taking direct credit and others just acknowledging the incident.

Aikido says: > We were alerted to a large-scale attack against npm...

Socket says: > Socket.dev found compromised various CrowdStrike npm packages...

Ox says: > Attackers slipped malicious code into new releases...

Safety says: > The Safety research team has identified an attack on the NPM ecosystem...

Phoenix says: > Another supply chain and NPM maintainer compromised...

Semgrep says: > We are aware of a number of compromised npm packages
cddotdotslash
·10 miesięcy temu·discuss
Nathan, do you work for Socket? I think you should at least disclose that when sharing posts here.
cddotdotslash
·10 miesięcy temu·discuss
NPM deserves some blame here, IMO. Countless third party intel feeds and security startups can apparently detect this malicious activity, yet NPM, the single source of truth for these packages, with access to literally every data event and security signal, can't seem to stop falling victim to this type of attack? It's practically willful ignorance at this point.
cddotdotslash
·2 lata temu·discuss
Another article[1] cites AT&T's Snowflake deployment as the source of the breach:

> It’s not clear for what reason AT&T was storing customer data in Snowflake, and the spokesperson would not say.

[1] https://techcrunch.com/2024/07/12/att-phone-records-stolen-d...