Latest Tech News


Filtered by: package

Tinycolor supply chain attack post-mortem

A malicious GitHub Actions workflow was pushed to a shared repo and exfiltrated an npm token with broad publish rights. The attacker then used that token to publish malicious versions of 20 packages, including @ctrl/tinycolor. My GitHub account and the @ctrl/tinycolor repository were not directly compromised. There was no phishing involved, and no malicious packages were installed on my machine; I already use pnpm to avoid unapproved postinstall scripts. There was no pull request involved becau

CrowdStrike Infested With "Self-Replicating Worms"

A year after a glitch at cybersecurity company CrowdStrike triggered a global computer outage affecting millions of computers, the software vendor is being forced to contain a new threat: a swarm of self-replicating worms. As first reported by investigative cybersecurity journalist Brian Krebs, CrowdStrike once again became the launchpad for a potentially debilitating security hazard when some 25 code packages were compromised by a novel strain of malware. Dubbed "Shai-Hulud," the malicious so

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

Executive Summary The NPM ecosystem is facing another critical supply chain attack. The popular @ctrl/tinycolor package, which receives over 2 million weekly downloads, has been compromised along with more than 40 other packages across multiple maintainers. This attack demonstrates a concerning evolution in supply chain threats - the malware includes a self-propagating mechanism that automatically infects downstream packages, creating a cascading compromise across the ecosystem. The compromised

Live Updates: Shai-Hulud, the Most Dangerous NPM Breach in History

We are tracking the largest and most dangerous npm supply-chain compromise in history, known as the Shai-Hulud malware campaign, which has now impacted hundreds of packages across multiple maintainers. This includes popular libraries such as @ctrl/tinycolor as well as packages maintained by CrowdStrike. Malicious versions embed a trojanized script (bundle.js) designed to steal developer credentials, exfiltrate secrets, and persist in repositories and endpoints through automated workflows. The ta

Self-propagating supply chain attack hits 187 npm packages

Security researchers have identified at least 187 npm packages compromised in an ongoing supply chain attack, with a malicious self-propagating payload to infect other packages. The coordinated worm-style campaign dubbed 'Shai-Hulud' started yesterday with the compromise of the @ctrl/tinycolor npm package, which receives over 2 million weekly downloads. Since then, the campaign has expanded significantly and now includes packages published under CrowdStrike's npm namespace. From tinycolor to

Self-Replicating Worm Hits 180+ Software Packages

At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is installed. The novel malware strain is being dubbed Shai-Hulud — after the name for the giant sandworms

Which NPM package has the largest version number?

Which npm package has the largest version number? I spent way too much time on this. I was recently working on a project that uses the AWS SDK for JavaScript. When updating the dependencies in said project, I noticed that the version of that dependency was v3.888.0. Eight hundred eighty-eight. That’s a big number as far as versions go. That got me thinking: I wonder what package in the npm registry has the largest number in its version. It could be a major, minor, or patch version, and it doe

Tesla board chair calls debate over Elon Musk’s $1T pay package ‘a little bit weird’

In Brief With Tesla shareholders set to vote on a proposed 10-year, $1 trillion compensation package for CEO Elon Musk in November, board chair Robyn Denholm spoke to The New York Times to defend what would be the largest pay package in corporate history. Denholm, who was also on the special committee that put the compensation proposal together, argued that Musk needs to be motivated by extraordinary challenges tied to extraordinary compensation. At the same time, she suggested he’s less inter

Behind the scenes of Bun Install

Running bun install is fast, very fast. On average, it runs ~7× faster than npm, ~4× faster than pnpm, and ~17× faster than yarn. The difference is especially noticeable in large codebases. What used to take minutes now takes (milli)seconds. These aren't just cherry-picked benchmarks. Bun is fast because it treats package installation as a systems programming problem, not a JavaScript problem. In this post we’ll explore what that means: from minimizing syscalls and caching manifests as binary,

Hackers left empty-handed after massive NPM supply-chain attack

The largest supply-chain compromise in the history of the NPM ecosystem has impacted roughly 10% of all cloud environments, but the attacker made little profit off it. The attack occurred earlier this week after maintainer Josh Junon (qix) fell for a password reset phishing lure and compromised multiple highly popular NPM packages, among them chalk and debug-js, that cumulatively have more than 2.6 billion weekly downloads. After gaining access to Junon’s account, the attackers pushed maliciou

This 2FA phishing scam pwned a developer - and endangered billions of npm downloads

ZDNET's key takeaways: A phishing email was at the heart of the attack. NPM team quickly removed backdoored versions. 18 packages hit, with 2B+ downloads every week. A new digital supply chain attack has targeted popular open-source npm packages with at least two billion downloads per week. 'I've been pwned' On Sept. 8, Josh Junon, a package maintainer whose account was at the center of the attack, revealed

Massive Supply Chain Attack Targets Cryptocurrencies Through NPM

A phishing attack aimed at a particular software maintainer’s account has managed to compromise software packages that have over 2.6 billion weekly downloads. BleepingComputer notes that the infection is being called the “largest supply chain attack in history.” The developer behind the software packages, identified as Josh Junon, was compromised via a phishing scheme targeting several blockchains, including Ethereum, Bitcoin, Solana, and Tron, The Register reports. Junon has been posting abo

Software packages with more than 2 billion weekly downloads hit in supply-chain attack

Hackers planted malicious code in open source software packages with more than 2 billion weekly updates in what is likely to be the world’s biggest supply-chain attack ever. The attack, which compromised nearly two dozen packages hosted on the npm repository, came to public notice on Monday in social media posts. Around the same time, Josh Junon, a maintainer or co-maintainer of the affected packages, said he had been “pwned” after falling for an email that claimed his account on the platform w

A critique of package managers

Package Managers are Evil. N.b. This is a written version of a dialogue from a YouTube video: 2 Language Creators vs 2 Idiots | The Standup. Package managers (for programming languages) are evil. To start, I need to make a few distinctions between concepts a lot of programmers mix up: a package, package repositories, build systems, and package managers. These are all separate and can have no relation to one another. I have nothing against packages; in fact Odin has packages built into the langu

Tesla's board to Elon Musk: Hit these milestones, and we'll make you a trillionaire

It's September 2025, and things are looking peachy keen. Sure, the US job market has taken a nosedive. And yeah, only one in four Americans believes they have a good chance of improving their standard of living. But hey, Tesla's board has proposed a pay package that could make Elon Musk the world's first trillionaire. What really matters is that someone is having a good time, right? Tesla's board laid out what's by far the biggest CEO compensation package in history on Friday. It reads like the

Nuclear: Desktop music player focused on streaming from free sources

Desktop music player focused on streaming from free sources. Support channel (Matrix): #nuclear:matrix.org. Discord chat: https://discord.gg/JqPjKxE. Suggest and vote on new features here: https://nuclear.featureupvote.com/ What is this? nuclear is a free music streaming program that pulls content from free sources all over the internet. If you know mps-youtube, this is a similar music player but with

Removing Guix from Debian

Removing Guix from Debian. As a rule, if a package is shipped with a Debian release, users can count on it being available, and updated, for the entire life of the release. If package foo is included in the stable release—currently Debian 13 ("trixie")—a user can reasonably expect that it will continue to be available with security backports as long as that release is supported, though it may not be included in Debian 14 ("forky"). However, it is likely that the Gui

Show HN: Simple modernized .NET NuGet server reached RC

Simple modernized NuGet server implementation. (Japanese version here) What is this? A simple NuGet server implementation built on Node.js that provides the essential NuGet v3 API endpoints. Compatible with dotnet restore and standard NuGet clients for package publishing, querying, and manual downloading. A modern browser-based UI is also provided: you can browse registered packages, check various package attributes, download packages by version, and also publish (upload) packages.

Much of the World Stops Sending Mail to U.S.

Do you have a package coming your way from overseas? (I do, it’s a gift, and I’m very annoyed.) Hopefully it’s not urgent, because it’s going to be a minute before that thing gets to our shores. Questions surrounding the Trump administration’s ongoing tariff regime, including a policy to end an exemption from taxing small packages, have resulted in postal services across the world simply choosing not to ship to the United States until things get sorted out, according to Bloomberg. Central to th

Kimbal Musk on Elon's Tesla pay package: 'My brother deserves to be paid'

Kimbal Musk, the younger brother of the world's wealthiest person, said Elon Musk "deserves to be paid," as Tesla remains locked in a legal saga over its CEO's pay package. "I think my brother deserves to be paid," Kimbal Musk said on CNBC's "Squawk Box" on Friday. "He has zero pay for the past six to eight years. I don't think that's right. I'll let Tesla shareholders make that decision, but I believe that it does need to be. He needs to be paid." Elon Musk isn't paid a salary or any cash bon

AGENTS.md – Open format for guiding coding agents

# Sample AGENTS.md file

## Dev environment tips

- Use `pnpm dlx turbo run where <project_name>` to jump to a package instead of scanning with `ls`.
- Run `pnpm install --filter <project_name>` to add the package to your workspace so Vite, ESLint, and TypeScript can see it.
- Use `pnpm create vite@latest <project_name> -- --template react-ts` to spin up a new React + Vite package with TypeScript checks ready.
- Check the name field inside each package's package.json to confirm the right nam

Will AI replace all software? Why GPT-5 emboldens the doomsayers

ZDNET's key takeaways: Wall Street fears AI models will replace all packaged software. AI models' coding ability is still very mixed. Software executives are positioning their firms to be survivors. The modern software industry has existed for 50 years, since the founding of Microsoft in 1975. "Bill built the first software company in the industry," said late Apple co-founder and CEO Steve Jobs in 2007, referring to Microsoft co-founder Bill Gates. "Bill was really fo

Go 1.25 Release Notes

Introduction to Go 1.25. The latest Go release, version 1.25, arrives in August 2025, six months after Go 1.24. Most of its changes are in the implementation of the toolchain, runtime, and libraries. As always, the release maintains the Go 1 promise of compatibility. We expect almost all Go programs to continue to compile and run as before. Changes to the language: There are no language changes that affect Go programs in Go 1.25. However, in the language specification the notion of core types

This new Arch Linux tool takes the hassle out of keeping packages up to date - here's how

ZDNET's key takeaways: New Arch tool alerts maintainers when packages are outdated. Bumpbuddy automates GitLab issue creation for updates. Web dashboard and API planned for future Bumpbuddy versions. Bumpbuddy is a new Arch Linux tool that aims to improve how maintainers are informed about packages within the primary repositories. This new app uses a background service (daemon) to monitor package versions and even automatically opens issues on GitLab if it detect

StarDict sends X11 clipboard to remote servers

StarDict sends X11 clipboard to remote servers. StarDict is a GPLv3-licensed cross-platform dictionary application. It includes dictionaries for a number of languages, and has a rich plugin ecosystem. It also has a glaring security problem: while running on X11, using Debian's default configuration, it will send a user's text selections over unencrypted HTTP to two remote servers. On August 4, Vincent Lefevre reported the problem to the oss-security mailing list an

Debian 13 "Trixie"

Debian 13 trixie released August 9th, 2025 After 2 years, 1 month, and 30 days of development, the Debian project is proud to present its new stable version 13 (code name trixie ). trixie will be supported for the next 5 years thanks to the combined work of the Debian Security team and the Debian Long Term Support team. Debian 13 trixie ships with several desktop environments, such as: GNOME 48, KDE Plasma 6.3, LXDE 13, LXQt 2.1.0, Xfce 4.20 This release contains over 14,100 new packag

Fake WhatsApp developer libraries hide destructive data-wiping code

Two malicious NPM packages posing as WhatsApp development tools have been discovered deploying destructive data-wiping code that recursively deletes files on a developer's computer. Two malicious NPM packages currently available in the registry target WhatsApp developers with destructive data-wiping code. The packages, discovered by researchers at Socket, masquerade as WhatsApp socket libraries and were downloaded over 1,100 times since their publication last month. Despite Socket having fil

Tesla awards Musk $29 billion in shares with prior pay package in limbo

Tesla CEO Elon Musk was awarded an interim pay package of 96 million shares of the company over the weekend. The shares would be worth about $29 billion. Tesla stock climbed about 2% Monday. The company said in a filing Sunday that the pay package would vest in two years as long as Musk continued as CEO or in another key executive position. The new award would be forfeited if the legal battle over his 2018 compensation ends with Musk being able to exercise the larger pay package, which was va