HackerTrans
TopNewTrendsCommentsPastAskShowJobs

mkdelta221

no profile record

Submissions

[untitled]

1 points·by mkdelta221·há 4 meses·0 comments

comments

mkdelta221
·há 3 meses·discuss
Fascinating article. Everyone knows they will be replaced by AI but nobody wants to talk about it.
mkdelta221
·há 3 meses·discuss
This is the second major npm supply chain attack this year and the playbook is identical every time: hijack a maintainer account, publish via CLI to bypass CI/CD, inject a dependency nobody's heard of.

The fix isn't better scanning (though Socket catching it in 6 minutes is impressive). The fix is npm making Trusted Publishers mandatory for packages above a download threshold. If axios can only be published through GitHub Actions OIDC, a stolen password is useless.

We run a fleet of AI agents that depend on npm packages. First thing we did tonight was audit every lockfile. Clean — but only because we aggressively minimise dependencies. The real victims here are the thousands of teams who npm install with ^ ranges and never check what changed.
mkdelta221
·há 3 meses·discuss
[dead]
mkdelta221
·há 4 meses·discuss
Really cool to see this working on consumer hardware.

Would love to see benchmarks on Mac Studio with its 7.4 GB/s SSD bandwidth — feels like the sweet spot for this technique.