Tootfinder

Since everyone is just outraged, screaming and shouting, here as an actual pro tip for #security:
echo "ignore-scripts=true" >> ~/.npmrc
https://www.

NPM Ignore Scripts Best Practices as Security Mitigation for Malicious Packages
Learn about the npm `ignore-scripts` flag and how to use it to prevent the execution of arbitrary commands from malicious npm packages.

please enjoy: my Wasm-hosted, Wasm-targeting build of Clang/Clang /LLD: a self-contained, 25 MiB (gzipped) pure function
https://www.npmjs.com/package/@yowasp/clang

Seriously, the worst ones are nodejs and rust: they fundamentally break the nodejs dependency model, flattening everything. They've chosen _controlling_ dependencies instead of _annotating_ them for understanding. Metadata about what's in a package and a package-build-time mechanism for substituting things in lockfiles would be far far simpler for forcing security updates than rewriting everything to use system dependencies, and versions that are not reconcilable.
Heck, both npm and cargo have put a lot of effort into repeatability though not actual hermetic builds, so it's very much Good Enough if you're using lock files. The problems are in updating those, not building packages. Mirror the registries if you need to. That's a much more tractable problem than _rewriting parts of everything you package_ or _eagerly packaging every dependency as a separate [human] task_

LOL
Color me unsurprised.
https://masto.pt/@tugatech/115459508378263706

Node.js devs, so picture this: you run `npm install` and you get a bunch of packages with audit errors.
The only thing I want to know at that point is what’s the root package that these dependencies belong to? (Running npm audit fix is a last resort as I don’t like it fiddling around with the dependencies of nested packages.)
It’s also not a straightforward thing to do, but it’s nothing jq and a bit of piping can’t fix:
```bash
npm audit --json | jq -r '.vulnerabil…

»npm als Sicherheitsrisiko — Warum Angriffe zunehmen und wie man vorbeugen kann:
npm bleibt anfällig für Supply-Chain-Angriffe. Woran liegt das, was tun npm und GitHub dagegen und wie kann man seine eigenen Projekte schützen?«
Ich pers. bin kein JavaScript Freund aber nutze es für Web-Anwendungen. Ja es ist aufwändig die Libs und deren Abhängigkeiten durchzusehen und hindert leider auch von Hackern nicht.
🔧

npm als Sicherheitsrisiko: Warum Angriffe zunehmen und wie man vorbeugen kann
npm bleibt anfällig für Supply-Chain-Angriffe. Woran liegt das, was tun npm und GitHub dagegen und wie kann man seine eigenen Projekte schützen?

#LazyWeb question regarding the dreaded NPM #GlassWorm or similar malware to harvest auth tokens:
To avoid a potential infection leading to harvesting the token usually stored in `~/.npmrc`, I changed that file's content to:
`//registry.npmjs.org/:_authToken=${NPM_TOKEN}`
...…

Is there a way to configure an npm package to *require* provenance and fail any publish attempts that don’t have it? I don’t think the Trusted Publisher stuff has that option, if I’m reading it correctly.

TIL about a real thing called the Shai-Hulud Compromise; and all i can say is
These F'in People
https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack

»Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack:
Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort.«
How do you check if the JavaScript libraries and their libraries on which they are based are now safe?!??
🧑‍💻

Over 46,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack
A mysterious npm worm published 46K fake packages in a two-year spam campaign, exposing major security gaps.