Don't miss today's Metacurity for the most critical infosec developments you should know, including
--A bona fide self-replicating worm has infected 187 npm packages,
--BreachForums founder hit with new three-year sentence,
--Coinbase breach suspect accused of participating in $500k bribery scheme,
--DHS intelligence arm exposed sensitive database,
--MSFT seized 338 sites linked to Raccoon0365 stealer,
--DeepSeek is biased against Falun Gong and oth…
»Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack:
Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort.«
How do you check if the JavaScript libraries and the libraries on which they are based are now safe?!??
🧑💻
Are you interested in how dependency-heavy your (or another) package is and why? #rstats
From <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290344#c5>:
"Without force: deleting all packages may cause removal of the one and only kernel …"
In other words, if I'm not mistaken, flagging FreeBSD-base meta packages as vital does not necessa…
now _this_ is a good docker container (it has two files inside) https://codeberg.org/git-pages/-/packages/container/git-pages-cli/latest
from my link log —
A new experimental Golang API for JSON.
https://go.dev/blog/jsonv2-exp
saved 2025-09-09 https://dotat.at/:/85JM1…
So #Zope released new versions of their packages, with pkg-resources style namespace removal.
Totally normal way to do the bumps:
1. At first, keep the existing testing hack (writing `__init__.py`).
2. Notice that the next package fails because it expects test paths relative to `zope` subdirectory. Skip it for now.
3. While doing the next package, realize you could remove that hack and simply run tests within the `zope` subdirectory! Go back and update all the previous packages, including the one that failed before.
4. Back to bumping. Notice that in the very next package you've had an even better solution: instead of `cd`, you just called `python -m unittest -s …`. Go back and update all the previous packages.
5. Back to bumping. The very next package turns out to actually expect test paths relative to the top-level site-packages directory. Well, you can use a hybrid of the `__init__.py` hack with `python -m unittest -s …`.
#Gentoo #Python
{annotater}: Annotate package load calls, so we can have an idea of the overall purpose of the libraries we’re loading: #rstats
{testthat} is great for automatic testing. Here are some tricks for the heavy user: #rstats