Scarab Field Test #021 — pnpm Self-Upgrade No-Manifest Boundary
Target: pnpm/pnpm Issue: pnpm/pnpm#12240 PR: pnpm/pnpm#12301 Public branch: https://github.com/scarab-systems/pnpm/tree/fix/deps-status-no-manifest La…
Latest DevOps news from Tech News
73 cryptographically signed npm packages from Microsoft were compromised last week with advanced credential-stealing malware that fires the moment a d…
🚨 What Would I Do If I Accidentally Installed a Malicious npm Package? Recently, I came across reports of a supply chain attack involving npm packages…
Writing code has become cheaper: large teams and AI agents create new files, patterns and, sometimes, duplicates faster. If copy-paste search runs slowly,…
This is a submission for the GitHub Finish-Up-A-Thon Challenge What I Built Delay Mirror is a supply chain security gateway for package managers (npm,…
Socket Security just published research on TrapDoor malware: 34 malicious packages targeting developers building on Solana, Aptos, and Sui. If you've …
npm Scripts and package.json: The Complete Guide (2026) Most developers only use npm start and npm install. Here's everything else you're missing. Un…
On April 29th, Aikido researchers detected multiple compromised Node.js packages in SAP's namespace today. The malware adapts to CI environments, stea…
Socket Security flagged a campaign yesterday: roughly 700 GitHub repositories carrying a poisoned package.json that drops /tmp/.sshd, pipes curl -skL…
Originally posted on getcommit.dev. In October 2021, ua-parser-js was used by Facebook, Microsoft, Amazon, and Google. It had 7 million weekly downlo…
Let me be honest with you. Every time I start a new Node.js project, I copy-paste this from my last one: const limiter = rateLimit({ windowMs: 15 * …
Two npm supply chain attacks hit the same week. One was predictable. One wasn't. That's the point. May 2026 gave us two back-to-back supply chain atta…
Part I: The Root Cause - the Mini Shai-Hulud attack on the TanStack ecosystem. The supply chain as an attack vector. On May 11, 2026, between 19:20 and 19:26…
In May 2026, a worm called Shai-Hulud compromised 42 TanStack packages — including @tanstack/react-router, a library sitting in millions of JavaScrip…
npm is on fire again, and this time the attackers didn't even have to break any code. We break down the recent supply chain attack on node-ipc, where access to a popular npm…
When npm install becomes a security event Look, I love npm. I've been shipping JavaScript for years and the ecosystem is genuinely incredible. But eve…
Hey developers! 👋 I'm Vinnu (@vinnugollakoti), Software Engineer from India. Over the years, I've worked on Web2, Web3, and multiple AI projects. On…
I Published My First npm Package — Here's Everything I Wish I Knew Publishing to npm isn't hard. But the details trip everyone up. Here's the complete…
I used Sonner for almost everything before robot-toast existed. Genuinely liked it. Clean, premium, gets out of the way. You fire a toast, user gets t…
166 packages are looking for funding run `npm fund` for details I remember when I first saw this message in my terminal, I completely misunderstood it…
Supply chain npm vs PyPI: I compared both simulations and the most dangerous vector isn't what everyone thinks I'd just finished the PyPI post, closed…
npm audit isn't enough: I simulated a supply chain attack on my Node dependencies and found what the scanner can't see The right answer for protecting…
Generate a CycloneDX SBOM and deterministic, audit-ready risk report from your package-lock.json. You run npm audit. It says “47 vulnerabilities.” Coo…
Seven articles ago I shipped a serialization layer that recovered 1M+ messages losslessly. Today the package is on npm and the compression numbers are…