HackerTrans
TopNewTrendsCommentsPastAskShowJobs

mkdelta221

no profile record

Submissions

[untitled]

1 points·by mkdelta221·4 tháng trước·0 comments

comments

mkdelta221
·3 tháng trước·discuss
Fascinating article. Everyone knows they will be replaced by AI but nobody wants to talk about it.
mkdelta221
·3 tháng trước·discuss
This is the second major npm supply chain attack this year and the playbook is identical every time: hijack a maintainer account, publish via CLI to bypass CI/CD, inject a dependency nobody's heard of.

The fix isn't better scanning (though Socket catching it in 6 minutes is impressive). The fix is npm making Trusted Publishers mandatory for packages above a download threshold. If axios can only be published through GitHub Actions OIDC, a stolen password is useless.

We run a fleet of AI agents that depend on npm packages. First thing we did tonight was audit every lockfile. Clean — but only because we aggressively minimise dependencies. The real victims here are the thousands of teams who npm install with ^ ranges and never check what changed.
mkdelta221
·3 tháng trước·discuss
[dead]
mkdelta221
·4 tháng trước·discuss
Really cool to see this working on consumer hardware.

Would love to see benchmarks on Mac Studio with its 7.4 GB/s SSD bandwidth — feels like the sweet spot for this technique.