Dolboeb-driven Development
My personal ebanoe.it. Stories from first (usually crooked) hands.

Your examples of DDD implementations => drop them in the chat

*all texts in this channel are fiction and are not connected to real people or companies unless stated otherwise 😉
Forwarded from Derp Learning
axios@1.14.1, or Russian roulette in npm install

axios is the most popular HTTP client on npm, 100M+ downloads a week. Today it turned out that version 1.14.1 pulls in plain-crypto-js@4.2.1, a package that did not exist yesterday. A classic supply chain attack.

axios@0.30.4 was hit as well (for those on legacy who thought they were safe: no).

What the malware does:
- deobfuscates the payload at runtime
- dynamically loads fs, os, execSync to evade static analysis
- executes shell commands
- copies files into temp and ProgramData
- removes its traces afterwards

All by the book: an obfuscated dropper that cleans up after itself.

If you use axios: pin the version, check the lockfile, do not update. npm audit will not help you, it has long been decorative.

100 million downloads a week. One npm install and your Cisco is in the risk zone.
They shoot up with their agents and vibe-code each other

Thread

@derplearning
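The post's advice (pin the version, check the lockfile) as an added example, not code from the forwarded post: a small Node script that flags direct dependencies in package.json that are not pinned to an exact version and walks a lockfileVersion 2/3 package-lock.json for any package on a denylist. The manifest and lockfile below are constructed samples; only the package names and versions come from the post.

```javascript
// Constructed sample manifest: axios uses a caret range, express is pinned exactly.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { axios: "^1.14.1", express: "4.18.2" },
};

// Constructed sample lockfile in the lockfileVersion 2/3 shape: a flat "packages"
// map keyed by the install path under node_modules ("" is the root project).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.14.1", express: "4.18.2" } },
    "node_modules/axios": { version: "1.14.1", dependencies: { "plain-crypto-js": "4.2.1" } },
    "node_modules/plain-crypto-js": { version: "4.2.1" },
    "node_modules/express": { version: "4.18.2" },
  },
};

// An exact pin is a bare semver (optionally with a prerelease tag) and no range
// operator such as ^, ~, >, <, x or *.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Names of direct dependencies (prod and dev) whose spec is not an exact pin.
function unpinnedDeps(manifest) {
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!isExactPin(spec)) out.push(name);
    }
  }
  return out;
}

// Every installed path in the lockfile whose package name is on the denylist,
// with its resolved version. Taking the text after the last "node_modules/"
// also catches nested copies and keeps scoped names (@scope/name) intact.
function findDenylisted(lockfile, denylist) {
  const hits = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue;
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (denylist.has(name)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Usage: a non-empty result from either check means the install should not proceed.
console.log(unpinnedDeps(SAMPLE_PACKAGE_JSON));
console.log(findDenylisted(SAMPLE_LOCKFILE, new Set(["plain-crypto-js"])));
```

In a real pipeline, replace the two constants with `JSON.parse(fs.readFileSync(...))` of the project's package.json and package-lock.json and fail the build on any hit.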
Forwarded from HN Best Comments
Re: Decisions that eroded trust in Azure – by a former Azure Core engineer

A business man at a prior employer sympathetic with my younger, naive "Microsoft sucks" attitude told me something I remember to this day:

Microsoft is not a software company, they have never been experts at software. They are experts at contracts. They lead because their business machine exceeds at understanding how to tick the boxes necessary to win contract bids. The people who make purchasing decisions at companies aren't technical and possibly don't even know a world outside Microsoft, Office, and Windows, after all.

This is how the sausage is made in the business world, and it changed how I perceived the tech industry. Good software (sadly) doesn't matter. Sales does.

This is why most of Norway currently runs on Azure, even though it is garbage, and even though every engineer I know who uses it says it is garbage. Because the people in the know don't get to make the decision.

petterroea, 2 days ago
At some point I came to a similar conclusion, and I am still curious what percentage of these deals have some kind of kickback under the rug. I would not even be surprised if they have a standardized way of giving bribes, something like gift cards or some Certified Microsoft Partner status and fake (and not so fake) lectures.
Forwarded from HN Best Comments
Re: Employers use your personal data to figure out the lowest salary you'll accept

I worked for Equifax many moons ago. They had a problem with people taking jobs there that no one else wanted, solely to gain access to their systems and reset their own credit scores. And, for some reason, they couldn’t roll it back once found out. Great company.

xvxvx, 13 hours ago
I am waiting for someone to think of running LLM benchmarks on humans. I want to see the average depth of thinking.
Forwarded from HN Best Comments
Re: Show HN: Brutalist Concrete Laptop Stand (2024)

This man poured concrete around a power strip, chemically aged copper with ammonia, rusted rebar with peroxide, faked a damaged cable for vibes, and vibrated out the air bubbles with a dildo. This is the most unhinged and delightful Show HN I've ever seen.

atlgator, 2 hours ago
Forwarded from Датаборд
Half of the new data centers for 2026 have been cancelled 🛡

Bloomberg reports that almost 50% of all data centers planned for this year will be postponed or cancelled outright:
• To power thousands of Nvidia GPUs you need giant transformers, generators and cooling systems, and they physically cannot be manufactured in time.

• The lion's share of this specialized electrical equipment for the US is made abroad (mostly in China), and the supply chains simply cannot handle that volume of orders.

• Companies bought up chips and promised investors mountains of gold, and now they literally have nowhere to plug these servers in.

Should have bought up even more RAM for AI needs 👍
Forwarded from Tech Crimes (Tailen)
https://en.wikipedia.org/wiki/2026_Kimberly-Clark_Distribution_Center_fire

>The warehouse building was estimated to be worth $156 million.[8] and $500M in inventory. According to a Bloomberg Intelligence analyst, loss of the warehouse could impact 3% of sales in the West Coast region.[9]

>Abdulkarim had shared a video of him starting the fire, repeatedly saying "All you had to do was pay us enough to live" while lighting pallets on fire,[7] and ending his statements with, "there goes your inventory".
Forwarded from HN Best Comments
Re: YouTube locked my accounts and I can't cancel my subscription

I had a strange and similar interaction with Google recently. I was asked to do the Android developer verification, but then I missed a deadline at some point. Support said that I would need to create a new Google account for all of this. I said this was unacceptable as this was a Google account I had for nearly 25 years and I didn't want to create another. They said tough luck, go make the new account. Luckily, I had recently married and was making a new account for the name change. I tried to use that account, but it wanted a different phone number to use for verification, but I only have one number and you can't use Google voice numbers. I went back and told Google I cannot use the same phone number to verify and I'm not buying a burner phone to do this with. Then they just said "Ah, ok, we'll fix your original account then" and fixed the original account. This was literally a week of back and forth. Pointless waste of time.

ddtaylor, 2 days ago
Forwarded from HN Best Comments
Re: How We Broke Top AI Agent Benchmarks: And What Comes Next

This is a phenomenal paper on exploits and hopefully changes the way benchmarking is done.

From the paper: We achieved near-perfect scores on all of them without solving a single task. The exploits range from the embarrassingly simple (sending {} to FieldWorkArena) to the technically involved (trojanizing binary wrappers in Terminal-Bench), but they all share a common thread: the evaluation was not designed to resist a system that optimizes for the score rather than the task.

ggillas, 18 hours ago