Tootfinder

Opt-in global Mastodon full text search.

@kubikpixel@chaos.social
2025-11-29 20:40:53

Legacy Python Bootstrap Scripts Create Domain-Takeover Risk in Multiple PyPI Packages
Cybersecurity researchers have discovered vulnerable code in legacy Python packages that could potentially pave the way for a supply chain compromise on the Python Package Index (PyPI) via a domain takeover attack.

@cyrevolt@mastodon.social
2025-11-28 09:25:00

Since everyone is just outraged, screaming and shouting, here is an actual pro tip for #security:
echo "ignore-scripts=true" >> ~/.npmrc

@aral@mastodon.ar.al
2025-12-30 12:01:53

Caught a bug over the holidays so I’m mostly resting, feeling sorry for myself, and taking the time to at least carry out some mindless housekeeping tasks (updating dependencies, etc.) on some of my Node modules.
Released updates to the following packages yesterday:
Tape-based Node.js testing:
• Tap monkey (

@timbray@cosocial.ca
2025-10-29 17:46:48

Dear LazyWeb: I need to get my blog search off Google, it’s becoming unusable. Sometime in the last year I saw talk (Fedi posts I think?) about two different local-search packages (both JavaScript I think?). Thought I bookmarked ’em but can’t find ’em. Does this ring bells for anyone?

@simon_brooke@mastodon.scot
2025-10-30 08:23:58

Is there any way, yet, to send small packages to friends in #Gaza? I know that sending money through systems like chuffed.org is probably more useful, but being able to send a personal gift would, I think, do more to raise spirits.

@arXiv_csSE_bot@mastoxiv.page
2025-09-30 09:58:21

HFuzzer: Testing Large Language Models for Package Hallucinations via Phrase-based Fuzzing
Yukai Zhao, Menghan Wu, Xing Hu, Xin Xia
arxiv.org/abs/2509.23835

@fortune@social.linux.pizza
2025-11-29 22:00:02

Debian Hint #22: Wondering which Debian mirror is best for you? Check out
the apt-spy and netselect-apt packages, which can give you information
about how various mirror sites perform.

@datascience@genomic.social
2025-12-29 11:00:00

I have a habit of making (too) many (small) packages for functionality that might be reused in different context. {box} might be an alternative by making scripts into modules that can be loaded: #RStats <…

Barring any last minute hesitations by Linus Torvalds,
Linux 6.18 stable is expected for release in a little more than 24 hours from now...
Linux 6.18 is also anticipated to become this year's Long Term Support (LTS) kernel version
in being the last major kernel release of 2025.
masto.ai/@phoro…

@fortune@social.linux.pizza
2025-10-29 15:00:02

Real software engineers don't like the idea of some inexplicable and
greasy hardware several aisles away that may stop working at any
moment. They have a great distrust of hardware people, and wish that
systems could be virtual at *___all* levels. They would like personal
computers (you know no one's going to trip over something and kill your
DFA in mid-transit), except that they need 8 megabytes to run their
Correctness Verification Aid packages.…