Scarab Field Test #021 — pnpm Self-Upgrade No-Manifest Boundary
Target: pnpm/pnpm Issue: pnpm/pnpm#12240 PR: pnpm/pnpm#12301 Public branch: https://github.com/scarab-systems/pnpm/tree/fix/deps-status-no-manifest La…
73 cryptographically signed npm packages from Microsoft were compromised last week with advanced credential-stealing malware that fires the moment a d…
🚨 What Would I Do If I Accidentally Installed a Malicious npm Package? Recently, I came across reports of a supply chain attack involving npm packages…
I break down why the native EventSource is often not enough for production SSE: authorization via headers, controlled reconnect, backoff, race condi…
Most apps eventually need keyboard shortcuts - a command palette on Cmd/Ctrl+K, Esc to close a modal, mod+S to save. I kept rewriting the same keydown…
This is a submission for the GitHub Finish-Up-A-Thon Challenge What I Built Delay Mirror is a supply chain security gateway for package managers (npm,…
When an attacker gains access to a maintainer's account or takes over an abandoned package, a malicious version can spread to thousands of proj…
I Replaced dotenv With My Own Package — Here's Why You Should Too Every week, the same story. Friday deploy. CI passed. App went up. Then a message in…
I was building Parallel — an Electron app for local network screen sharing on Linux. No server, no account, just WebRTC and mDNS between two machines …
We’ve all stared at a schema or a complex function (especially when it's written in TypeScript) and thought... "What the heck type am I actually suppo…
Socket Security just published research on TrapDoor malware: 34 malicious packages targeting developers building on Solana, Aptos, and Sui. If you've …
The story of how one strange git push turned out to be the start of an investigation that led me not to a single compromised account but to a chain of infected r…
npm Scripts and package.json: The Complete Guide (2026) Most developers only use npm start and npm install. Here's everything else you're missing. Un…
On April 29th, Aikido researchers detected multiple compromised Node.js packages in SAP's namespace today. The malware adapts to CI environments, stea…
Socket Security flagged a campaign yesterday: roughly 700 GitHub repositories carrying a poisoned package.json that drops /tmp/.sshd, pipes curl -skL…
One day I got the idea to build a mobile app on top of Telegram. I went to npm and immediately found react-native-telegram, but it turned out to be a wrapper around B…
Originally posted on getcommit.dev. In October 2021, ua-parser-js was used by Facebook, Microsoft, Amazon, and Google. It had 7 million weekly downlo…
Let me be honest with you. Every time I start a new Node.js project, I copy-paste this from my last one: const limiter = rateLimit({ windowMs: 15 * …
Two npm supply chain attacks hit the same week. One was predictable. One wasn't. That's the point. May 2026 gave us two back-to-back supply chain atta…
In May 2026, a worm called Shai-Hulud compromised 42 TanStack packages — including @tanstack/react-router, a library sitting in millions of JavaScrip…
npm is on fire again, and this time the attackers didn't even have to break any code. We break down the fresh supply chain attack on node-ipc, where access to a popular npm…
When npm install becomes a security event Look, I love npm. I've been shipping JavaScript for years and the ecosystem is genuinely incredible. But eve…
Several recent supply-chain incidents have hit widely used npm packages. The TanStack compromise, for example, affected 42 packages and 84 published…
Hey developers! 👋 I'm Vinnu (@vinnugollakoti), Software Engineer from India. Over the years, I've worked on Web2, Web3, and multiple AI projects. On…
I Published My First npm Package — Here's Everything I Wish I Knew Publishing to npm isn't hard. But the details trip everyone up. Here's the complete…
In this article, we review attw script in CopilotKit codebase. You will learn: What is attw? attw script in CopilotKit What is attw? attw is a CLI for…
I used Sonner for almost everything before robot-toast existed. Genuinely liked it. Clean, premium, gets out of the way. You fire a toast, user gets t…
Quick story, then the practical part. We scanned five official MCP reference servers from the @modelcontextprotocol npm namespace. Standard tooling ag…
166 packages are looking for funding run `npm fund` for details I remember when I first saw this message in my terminal, I completely misunderstood it…
The problem with dotenv that nobody talks about, and how I fixed it with kq-config. The Problem Every Node.js project I've worked on has the same setu…