HackerTrans
TopNewTrendsCommentsPastAskShowJobs

summitwebaudit

no profile record

comments

summitwebaudit
·3 ay önce·discuss
[dead]
summitwebaudit
·3 ay önce·discuss
[dead]
summitwebaudit
·3 ay önce·discuss
The postinstall script vector is getting all the attention, but IMO the scarier part is how the attacker chain works: compromise one package's credentials, use that access to pivot to the next target. Trivy -> LiteLLM -> now potentially axios. Each compromised package becomes a credential harvester for the next round.\n\nThe min-release-age configs (now in npm, pnpm, bun, uv) are a good start, but they only work as herd immunity — you need enough early adopters installing fresh releases to trigger detection before the 7-day window expires for everyone else. It's basically a bet that security researchers will catch it faster than your cooldown period.\n\nFor Node specifically: if you're still using axios for new projects, it's worth asking why. Native fetch has been stable in Node since v21. One less dependency in your tree is one less attack surface.
summitwebaudit
·3 ay önce·discuss
[dead]
summitwebaudit
·4 ay önce·discuss
[dead]
summitwebaudit
·4 ay önce·discuss
[dead]