How malicious code rewrote my Git commit and infected dozens of projects and several work machines
A story about how one strange git push turned out to be the start of an investigation that led me not to a single compromised account, but to a chain of infected …
npm Scripts and package.json: The Complete Guide (2026) Most developers only use npm start and npm install. Here's everything else you're missing. Un…
On April 29th, Aikido researchers detected multiple compromised Node.js packages in SAP's namespace today. The malware adapts to CI environments, stea…
Socket Security flagged a campaign yesterday: roughly 700 GitHub repositories carrying a poisoned package.json that drops /tmp/.sshd, pipes curl -skL…
One day I had the idea of building a mobile app on top of Telegram. I went to npm and immediately found react-native-telegram, but it turned out to be a wrapper over B…
Originally posted on getcommit.dev . In October 2021, ua-parser-js was used by Facebook, Microsoft, Amazon, and Google. It had 7 million weekly downlo…
Let me be honest with you. Every time I start a new Node.js project, I copy-paste this from my last one: const limiter = rateLimit ({ windowMs : 15 * …
Two npm supply chain attacks hit the same week. One was predictable. One wasn't. That's the point. May 2026 gave us two back-to-back supply chain atta…
Part I: The root cause - the Mini Shai-Hulud attack on the TanStack ecosystem. The supply chain as an attack vector. On May 11, 2026, between 19:20 and 19:26…
From Frustration to Automation BarbWire May 18 # npm # cli # vite # javascript…
In May 2026, a worm called Shai-Hulud compromised 42 TanStack packages — including @tanstack/react-router, a library sitting in millions of JavaScrip…
npm is on fire again, and this time the attackers didn't even have to break the code. We break down the fresh supply chain attack on node-ipc, where access to the popular npm …
When npm install becomes a security event Look, I love npm. I've been shipping JavaScript for years and the ecosystem is genuinely incredible. But eve…
Several recent supply-chain incidents have hit widely used npm packages. The TanStack compromise , for example, affected 42 packages and 84 published …
Hey developers! 👋 I'm Vinnu ( @vinnugollakoti ), Software Engineer from India. Over the years, I’ve worked on Web2, Web3, and multiple AI projects. On…
I Published My First npm Package — Here's Everything I Wish I Knew Publishing to npm isn't hard. But the details trip everyone up. Here's the complete…
In this article, we review attw script in CopilotKit codebase. You will learn: What is attw? attw script in CopilotKit What is attw? attw is a CLI for…
I used Sonner for almost everything before robot-toast existed. Genuinely liked it. Clean, premium, gets out of the way. You fire a toast, user gets t…
Quick story, then the practical part. We scanned five official MCP reference servers from the @modelcontextprotocol npm namespace. Standard tooling ag…
166 packages are looking for funding run `npm fund` for details I remember when I first saw this message in my terminal, I completely misunderstood it…
The problem with dotenv that nobody talks about, and how I fixed it with kq-config. The Problem Every Node.js project I've worked on has the same setu…
Supply chain npm vs PyPI: I compared both simulations and the most dangerous vector isn't what everyone thinks I'd just finished the PyPI post, closed…
You open yet another React project in 2026 and stare at the blank screen of package.json. Which router? Vite or Next.js? shadcn/ui or Mantine? Zustand …
It started with an SSO project. I was building an IDP server — the kind that handles authentication across connected domains. I wanted a Google-like w…
npm audit isn't enough: I simulated a supply chain attack on my Node dependencies and found what the scanner can't see The right answer for protecting…
Generate a CycloneDX SBOM and deterministic, audit-ready risk report from your package-lock.json. You run npm audit. It says “47 vulnerabilities.” Coo…
Hey everyone, I shared this earlier as a CLI to analyse npm packages before installing. Since then, I’ve added something I think is even more useful: …
Seven articles ago I shipped a serialization layer that recovered 1M+ messages losslessly. Today the package is on npm and the compression numbers are…