Latest Tech News

Stay updated with the latest in technology, AI, cybersecurity, and more

Filtered by: packages

Tinycolor supply chain attack post-mortem

A malicious GitHub Actions workflow was pushed to a shared repo and exfiltrated an npm token with broad publish rights. The attacker then used that token to publish malicious versions of 20 packages, including @ctrl/tinycolor. Neither my GitHub account nor the @ctrl/tinycolor repository was directly compromised. There was no phishing involved, no malicious packages were installed on my machine, and I already use pnpm to avoid unapproved postinstall scripts. There was no pull request involved becau

CrowdStrike Infested With "Self-Replicating Worms"

A year after a glitch at cybersecurity company CrowdStrike triggered a global computer outage affecting millions of computers, the software vendor is being forced to contain a new threat: a swarm of self-replicating worms. As first reported by investigative cybersecurity journalist Brian Krebs, CrowdStrike once again became the launchpad for a potentially debilitating security hazard when some 25 code packages were compromised by a novel strain of malware. Dubbed "Shai-Hulud," the malicious so

Shai-Hulud malware attack: Tinycolor and over 40 NPM packages compromised

Executive Summary The NPM ecosystem is facing another critical supply chain attack. The popular @ctrl/tinycolor package, which receives over 2 million weekly downloads, has been compromised along with more than 40 other packages across multiple maintainers. This attack demonstrates a concerning evolution in supply chain threats - the malware includes a self-propagating mechanism that automatically infects downstream packages, creating a cascading compromise across the ecosystem. The compromised

Live Updates: Shai-Hulud, the Most Dangerous NPM Breach in History

We are tracking the largest and most dangerous npm supply-chain compromise in history, known as the Shai-Hulud malware campaign, which has now impacted hundreds of packages across multiple maintainers. This includes popular libraries such as @ctrl/tinycolor as well as packages maintained by CrowdStrike. Malicious versions embed a trojanized script (bundle.js) designed to steal developer credentials, exfiltrate secrets, and persist in repositories and endpoints through automated workflows. The ta

Self-propagating supply chain attack hits 187 npm packages

Security researchers have identified at least 187 npm packages compromised in an ongoing supply chain attack, with a malicious self-propagating payload to infect other packages. The coordinated worm-style campaign dubbed 'Shai-Hulud' started yesterday with the compromise of the @ctrl/tinycolor npm package, which receives over 2 million weekly downloads. Since then, the campaign has expanded significantly and now includes packages published under CrowdStrike's npm namespace. From tinycolor to

Self-Replicating Worm Hits 180+ Software Packages

At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is installed. The novel malware strain is being dubbed Shai-Hulud — after the name for the giant sandworms

Which NPM package has the largest version number?

Which npm package has the largest version number? I spent way too much time on this. I was recently working on a project that uses the AWS SDK for JavaScript. When updating the dependencies in said project, I noticed that the version of that dependency was v3.888.0. Eight hundred eighty eight. That’s a big number as far as versions go. That got me thinking: I wonder what package in the npm registry has the largest number in its version. It could be a major, minor, or patch version, and it doe

Hackers left empty-handed after massive NPM supply-chain attack

The largest supply-chain compromise in the history of the NPM ecosystem has impacted roughly 10% of all cloud environments, but the attacker made little profit off it. The attack occurred earlier this week after maintainer Josh Junon (qix) fell for a password reset phishing lure and compromised multiple highly popular NPM packages, among them chalk and debug-js, that cumulatively have more than 2.6 billion weekly downloads. After gaining access to Junon’s account, the attackers pushed maliciou

This 2FA phishing scam pwned a developer - and endangered billions of npm downloads

ZDNET's key takeaways: A phishing email was at the heart of the attack. The NPM team quickly removed backdoored versions. 18 packages hit, with 2B+ downloads every week. A new digital supply chain attack has targeted popular open-source npm packages with at least two billion downloads per week. 'I've been pwned' On Sept. 8, Josh Junon, a package maintainer whose account was at the center of the attack, revealed

Massive Supply Chain Attack Targets Cryptocurrencies Through NPM

A phishing attack aimed at a particular software maintainer’s account has managed to compromise software packages that have over 2.6 billion weekly downloads, BleepingComputer reports, noting that the infection is being called the “largest supply chain attack in history.” The developer behind the software packages, identified as Josh Junon, was compromised via a phishing scheme; the malicious code then targeted transactions on several blockchains, including Ethereum, Bitcoin, Solana, and Tron, The Register reports. Junon has been posting abo

Software packages with more than 2 billion weekly downloads hit in supply-chain attack

Hackers planted malicious code in open source software packages with more than 2 billion weekly downloads in what is likely to be the world’s biggest supply-chain attack ever. The attack, which compromised nearly two dozen packages hosted on the npm repository, came to public notice on Monday in social media posts. Around the same time, Josh Junon, a maintainer or co-maintainer of the affected packages, said he had been “pwned” after falling for an email that claimed his account on the platform w

Nuclear: Desktop music player focused on streaming from free sources

Desktop music player focused on streaming from free sources Links Official website Downloads Documentation Mastodon Twitter Support channel (Matrix): #nuclear:matrix.org Discord chat: https://discord.gg/JqPjKxE Suggest and vote on new features here: https://nuclear.featureupvote.com/ Readme translations: What is this? nuclear is a free music streaming program that pulls content from free sources all over the internet. If you know mps-youtube, this is a similar music player but with

Show HN: Simple modernized .NET NuGet server reached RC

Simple modernized NuGet server implementation. (Japanese version here) What is this? A simple NuGet server implementation built on Node.js that provides essential NuGet v3 API endpoints. Compatible with dotnet restore and standard NuGet clients for package publishing, querying, and manually downloading. A modern browser-based UI is also provided: You can browse registered packages. You can check various package attributes. You can download packages by version. You can also publish (upload) packages.

Much of the World Stops Sending Mail to U.S.

Do you have a package coming your way from overseas? (I do, it’s a gift, and I’m very annoyed.) Hopefully it’s not urgent, because it’s going to be a minute before that thing gets to our shores. Questions surrounding the Trump administration’s ongoing tariff regime, including a policy to end an exemption from taxing small packages, have resulted in postal services across the world simply choosing not to ship to the United States until things get sorted out, according to Bloomberg. Central to th

This new Arch Linux tool takes the hassle out of keeping packages up to date - here's how

ZDNET's key takeaways: New Arch tool alerts maintainers when packages are outdated. Bumpbuddy automates GitLab issue creation for updates. Web dashboard and API planned for future Bumpbuddy versions. Bumpbuddy is a new Arch Linux tool that aims to improve how maintainers are informed about packages within the primary repositories. This new app uses a background service (daemon) to monitor package versions and even automatically opens issues on GitLab if it detect

Debian 13 "Trixie"

Debian 13 trixie released August 9th, 2025 After 2 years, 1 month, and 30 days of development, the Debian project is proud to present its new stable version 13 (code name trixie ). trixie will be supported for the next 5 years thanks to the combined work of the Debian Security team and the Debian Long Term Support team. Debian 13 trixie ships with several desktop environments, such as: GNOME 48, KDE Plasma 6.3, LXDE 13, LXQt 2.1.0, Xfce 4.20 This release contains over 14,100 new packag

Fake WhatsApp developer libraries hide destructive data-wiping code

Two malicious NPM packages posing as WhatsApp development tools have been discovered deploying destructive data-wiping code that recursively deletes files on a developer's computer. Two malicious NPM packages currently available in the registry target WhatsApp developers with destructive data-wiping code. The packages, discovered by researchers at Socket, masquerade as WhatsApp socket libraries and were downloaded over 1,100 times since their publication last month. Despite Socket having fil

Trump Ends Tariff Exemption for Small Packages

US President Donald Trump just dealt another blow to the embattled ecommerce industry, which is still reeling from sweeping tariffs Trump announced in the spring. On Wednesday, Trump signed an executive order widening the impact of those tariffs and making it more expensive for Americans to buy foreign products on sites like eBay, Etsy, and Amazon. The order eliminates the so-called “de minimis” provision, a long-standing policy that allowed people in the US to import packages valued at less th

Supply-chain attacks on open source software are getting out of hand

It has been a busy week for supply-chain attacks targeting open source software available in public repositories, with successful breaches of multiple developer accounts that resulted in malicious packages being pushed to unsuspecting users. The latest target, according to security firm Socket, is JavaScript code available on repository npm. A total of 10 packages available from the npm page belonging to global talent agency Toptal contained malware and were downloaded by roughly 5,000 users be

Hackers breach Toptal GitHub account, publish malicious npm packages

Hackers compromised Toptal's GitHub organization account and used their access to publish ten malicious packages on the Node Package Manager (NPM) index. The packages included data-stealing code that collected GitHub authentication tokens and then wiped the victims' systems. Toptal is a freelance talent marketplace that connects companies with software developers, designers, and finance experts. The company also maintains internal developer tools and design systems, most notably Picasso, which

npm 'accidentally' removes Stylus package, breaks builds and pipelines

npm has taken down all versions of the real Stylus library and replaced them with a "security holding" page, breaking pipelines and builds worldwide that rely on the package. A security placeholder webpage is typically displayed when malicious packages and libraries are removed by the admins of npmjs.com, the world's largest software registry primarily used for JavaScript and Node.js development. But that isn't quite the case for Stylus: a legitimate "revolutionary" library receiving 3 million

OSS Rebuild: open-source, rebuilt to last

Today we're excited to announce OSS Rebuild, a new project to strengthen trust in open source package ecosystems by reproducing upstream artifacts. As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers. The project comprises: Automation to derive declarative build definitions for existing PyPI (Python), npm (JS/TS), and Crates.io (Rust) packages. SLSA Provenance for thousan

Arch Linux pulls AUR packages that installed Chaos RAT malware

Arch Linux has pulled three malicious packages uploaded to the Arch User Repository (AUR) that were used to install the CHAOS remote access trojan (RAT) on Linux devices. The packages were named "librewolf-fix-bin", "firefox-patch-bin", and "zen-browser-patched-bin," and were uploaded by the same user, "danikpapas," on July 16. The packages were removed two days later by the Arch Linux team after being flagged as malicious by the community. "On the 16th of July, at around 8pm UTC+2, a malicious AU

Firefox-patch-bin, librewolf-fix-bin AUR packages contain malware

On the 16th of July, at around 8pm UTC+2, a malicious AUR package was uploaded to the AUR. Two other malicious packages were uploaded by the same user a few hours later. These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT). The affected malicious packages are: - librewolf-fix-bin - firefox-patch-bin - zen-browser-patched-bin The Arch Linux team addressed the issue as soon as they became aware of the situation. As of to

North Korean XORIndex malware hidden in 67 malicious npm packages

North Korean threat actors planted 67 malicious packages in the Node Package Manager (npm) online repository to deliver a new malware loader called XORIndex to developer systems. The packages collectively count more than 17,000 downloads and were discovered by researchers at package security platform Socket, who assess them to be part of the continued Contagious Interview operation. Socket researchers say that the campaign follows threat activity detected since April. Last month, the same acto

Solving Wordle with uv's dependency resolver

Introduction In a previous life, I wrote a Sudoku solver that relied on Poetry's dependency resolver. We ended up selling that startup to EDB (not because of the Poetry hack), which means that they now own this IP. And, since then, Python packaging has advanced, with uv taking the world by storm. This means that it's time for a refresh. Can we use uv instead of Poetry? And can we solve a Wordle instead of a Sudoku? For the impatient: you can get the solver from my GitHub. Run uv run main.py r

Ubuntu: Introducing Debcrafters

Earlier this year, Canonical’s Ubuntu Engineering organisation gained a new team, seeded with some of our most prolific contributors to Ubuntu. Debcrafters is a new team dedicated to the maintenance of the Ubuntu Archive. The team’s primary goal is to maintain the health of the Ubuntu Archive, but its unique construction aims to attract a broad range of Linux distribution expertise; contributors to distributions like Debian, Arch Linux, NixOS and others are encouraged to join the team, and will