Published on: 2025-06-24 04:37:41
60 packages have been discovered in the NPM index that attempt to collect sensitive host and network data and send it to a Discord webhook controlled by the threat actor. According to Socket’s Threat Research team, the packages were uploaded to the NPM repository starting May 12 from three publisher accounts. Each of the malicious packages contains a post-install script that automatically executes during ‘npm install’ and collects the following information: Hostname Internal IP address User
Keywords: data npm packages socket threat
Find related items on AmazonPublished on: 2025-06-26 04:15:27
Researchers have found malicious software that received more than 6,000 downloads from the NPM repository over a two-year span, in yet another discovery showing the hidden threats users of such open source archives face. Eight packages using names that closely mimicked those of widely used legitimate packages contained destructive payloads designed to corrupt or delete important data and crash systems, Kush Pandya, a researcher at security firm Socket, reported Thursday. The packages have been
Keywords: attack data diversity downloads packages
Find related items on AmazonPublished on: 2025-06-27 17:50:28
When I wrote Why is Debian the way it is?, a year and a half ago, I was asked to also cover why Debian changes the software it packages. Here’s a brief list of examples of why that happens: Software in Debian needs to follow certain policies as set by Debian over the years, and documented in the Debian Policy Manual. These are mostly mundane things like system wide configuration being in /etc , documentation in /usr/share/doc , and so on. Some of this is more intricate, like when names of execu
Keywords: debian free manual packages software
Find related items on AmazonPublished on: 2025-06-28 15:20:30
When we talk about LlamaIndex, we’re actually referring to an ecosystem consisting of more than 650 Python packages, mostly Integrations and Packs. All these packages share a single GitHub repository, what engineers fondly call a “monorepo”. In this article, we’re going to introduce LlamaDev , our new tool for managing monorepos at scale, and explain the challenges we ran into with existing tooling to get us to this point. The challenge: 650+ dependency trees Each Python package in the monorep
Keywords: package packages pants python uv
Find related items on AmazonPublished on: 2025-07-06 15:42:31
Published May 13, 2025 Last week, the CPython developers rolled out CPython 3.14.0b1. This week, PyCon 2025 kicks off in Pittsburgh, PA. Both events mark a significant milestone for the effort to ship and stabilize free-threaded Python. This is the story of the first year of that effort and how our team at Quansight played a key role in enabling experimental use of the free-threaded build with real production workflows that depend on a complex set of dependencies. Introduction: Why are we wor
Keywords: build free packages python threaded
Find related items on AmazonPublished on: 2025-07-25 08:05:32
For most of the 20th century, U.S. mailboxes looked like this: They hewed to the principle of good design and form follows function. As with the USPS' blue mail deposit boxes, the top is rounded to shed water. The classic mailbox is made of galvanized steel, which was once inexpensive to produce. The carrier signal flag is a nice touch; if the postal delivery driver has no mail to deliver to you that day and the flag is down, they know there's no need for them to stop. That design dates back
Keywords: day mail mailbox packages usps
Find related items on AmazonPublished on: 2025-07-29 09:06:21
Shein and Temu prices rise as Trump closes postage loophole 8 hours ago Share Save Peter Hoskins Business reporter Share Save Getty Images A duty-free loophole for low-value packages has been closed by President Donald Trump, pushing up prices for US customers of firms like Shein and Temu. The Chinese online retail giants relied on the so-called "de minimis" exemption to sell and ship low-value items directly to the US without having to pay duties or import taxes. Supporters of the loophole,
Keywords: exemption loophole packages said trump
Find related items on AmazonPublished on: 2025-07-30 12:04:58
A tool to manage versioning and changelogs with a focus on multi-package repositories The changesets workflow is designed to help when people are making changes, all the way through to publishing. It lets contributors declare how their changes should be released, then we automate updating package versions, and changelogs, and publishing new versions of packages based on the provided information. Changesets has a focus on solving these problems for multi-package repositories, and keeps package
Keywords: changes changeset changesets package packages
Find related items on AmazonPublished on: 2025-07-30 16:25:36
Seven malicious PyPi packages were found using Gmail's SMTP servers and WebSockets for data exfiltration and remote command execution. The packages were discovered by Socket's threat research team, who reported their findings to the PyPI, resulting in the removal of the packages. However, some of these packages were on PyPI for over four years, and based on third-party download counters, one was downloaded over 18,000 times. Here's the complete list shared by Socket: Coffin-Codes-Pro (9,000
Keywords: coffin downloads gmail package packages
Find related items on AmazonPublished on: 2025-08-06 00:50:19
is a news writer fond of the electric vehicle lifestyle and things that plug in via USB-C. He spent over 15 years in IT support before joining The Verge. DHL Express is resuming shipments of packages valued over $800 that are bound for consumers in the US, Reuters reports. The international shipping company had suspended the shipments last week due to “a surge in formal customs clearances” amidst the Trump administration’s sweeping tariffs on international goods. Effective today, business-to-c
Keywords: 800 company dhl packages shipments
Find related items on AmazonPublished on: 2025-08-18 16:58:17
This post will describe how I design my programs in Go. I needed this for work, and while I searched for a link, nothing quite fits my coding practices out there. The word “Layered” can pull up some fairly close descriptions, but I want to lay out what I do. Deriving Some Requirements Go has a rule that I believe is underappreciated in its utility and whose implications are often not fully grasped, which is: Packages may not circularly reference each other. It is strictly forbidden. A compile
Keywords: circular code just package packages
Find related items on AmazonPublished on: 2025-08-29 23:19:29
A new class of supply chain attacks named 'slopsquatting' has emerged from the increased use of generative AI tools for coding and the model's tendency to "hallucinate" non-existent package names. The term slopsquatting was coined by security researcher Seth Larson as a spin on typosquatting, an attack method that tricks developers into installing malicious packages by using names that closely resemble popular libraries. Unlike typosquatting, slopsquatting doesn't rely on misspellings. Instead
Keywords: ai hallucinated names package packages
Find related items on AmazonPublished on: 2025-08-29 21:22:35
The rise of AI-powered code generation tools is reshaping how developers write software - and introducing new risks to the software supply chain in the process. AI coding assistants, like large language models in general, have a habit of hallucinating. They suggest code that incorporates software packages that don't exist. As we noted in March and September last year, security and academic researchers have found that AI code assistants invent package names. In a recent study, researchers found
Keywords: ai code hallucinated package packages
Find related items on AmazonPublished on: 2025-08-31 15:40:26
Fedora change aims for 99% package reproducibility Ready to give LWN a try? With a subscription to LWN, you can stay current with what is happening in the Linux and free-software community and take advantage of subscriber-only site features. We are pleased to offer you a free trial subscription, no credit card required, so that you can see for yourself. Please, join us! The effort to ensure that open-source software is reproducible has been gathering steam over the years, and gaining traction
Keywords: build fedora package packages reproducible
Find related items on AmazonPublished on: 2025-09-05 08:20:27
is platforms and communities reporter with five years of experience covering the companies that shape technology and the people who use their tools. Donald Trump is making it even more expensive for US consumers to shop online from Chinese retailers like Temu and Shein. In an executive order amendment published Tuesday night, Trump raised the tariff rate for packages valued under $800 entering the US from China and Hong Kong that previously were exempt. The increase essentially triples what sho
Keywords: china packages percent tariffs trump
Find related items on AmazonPublished on: 2025-09-09 04:22:27
I rebuilt (the top-50 popcon) Debian and Ubuntu packages, on amd and arm64, and compared the results a couple of months ago. Since then the Reproduce.Debian.net effort has been launched. Unlike my small experiment, that effort is a full-scale rebuild with more architectures. Their goal is to reproduce what is published in the Debian archive. One differences between these two approaches are the build inputs: The Reproduce Debian effort use the same build inputs which were used to build the publi
Keywords: build debian packages rebuild stage
Find related items on AmazonPublished on: 2025-09-13 09:38:58
With President Donald Trump’s new tariff plan, your online shopping packages coming directly from China are about to get much more expensive. In February, the Trump administration moved to get rid of a little-known rule that allows US consumers to avoid tariffs on low-value packages. The de minimis exemption meant that packages valued under $800 could enter the US duty-free, and shoppers — as well as retailers — relied on the exemption regularly, even if they didn’t realize it. Nearly 1.4 billi
Keywords: china coming exemption minimis packages
Find related items on AmazonPublished on: 2025-09-14 00:38:58
With President Donald Trump’s new tariff plan, your online shopping packages coming directly from China are about to get much more expensive. In February, the Trump administration moved to get rid of a little-known rule that allows US consumers to avoid tariffs on low-value packages. The de minimis exemption meant that packages valued under $800 could enter the US duty-free, and shoppers — as well as retailers — relied on the exemption regularly, even if they didn’t realize it. Nearly 1.4 billi
Keywords: china coming exemption minimis packages
Find related items on AmazonPublished on: 2025-09-15 02:43:16
A driver for an independent contractor to FedEx delivers packages on Cyber Monday in New York, U.S, on Monday, Nov. 27, 2023. President Donald Trump on Wednesday signed an executive order shutting the de minimis trade loophole, effective May 2. Trump in February abruptly ended the de minimis trade exemption, which allows shipments worth less than $800 to enter the U.S. duty-free. The order overwhelmed U.S. Customs and Border Protection employees and caused the U.S. Postal Service to temporaril
Keywords: customs minimis packages shipments trump
Find related items on AmazonPublished on: 2025-09-24 16:22:41
Ten npm packages were suddenly updated with malicious code yesterday to steal environment variables and other sensitive data from developers' systems. The campaign targeted multiple cryptocurrency-related packages, and the popular 'country-currency-map' package was downloaded thousands of times a week. The malicious code was discovered by Sonatype researcher Ali ElShakankiry and is found in two heavily obfuscated scripts, "/scripts/launch.js" and "/scripts/diagnostic-report.js," which execute
Keywords: downloads malicious npm packages version
Find related items on AmazonPublished on: 2025-09-28 08:00:00
Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. This way, even if the victim removes the malicious packages, the backdoor remains on their system. The new tactic was discovered by researchers at Reversing Labs, who warned about the risk it entails, even if the packages weren't downloaded in large numbers. "It's not unusual to encounter downloaders on npm; they are may
Keywords: ethers legitimate npm package packages
Find related items on AmazonPublished on: 2025-10-21 14:42:19
Six malicious packages have been identified on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus. The packages, which have been downloaded 330 times, are designed to steal account credentials, deploy backdoors on compromised systems, and extract sensitive cryptocurrency information. The Socket Research Team discovered the campaign, which linked it to previously known Lazarus supply chain operations. The threat group is known for pushing malicious packages i
Keywords: code malicious malware package packages
Find related items on AmazonPublished on: 2025-11-07 11:00:00
The software supply chain is notoriously porous: a reported 81% of codebases contain high- or critical-risk open source vulnerabilities. A single vulnerability can have a far-reaching impact on the wider software supply chain, as evidenced by the likes of the Log4Shell exploit that saw millions of applications exposed to potential remote code execution hacks via the Log4j logging library. Northern Irish startup Cloudsmith is setting out to solve this exact problem with its cloud-native “artifac
Keywords: cloudsmith package packages software source
Find related items on AmazonGo K’awiil is a project by nerdhub.co that curates technology news from a variety of trusted sources. We built this site because, although news aggregation is incredibly useful, many platforms are cluttered with intrusive ads and heavy JavaScript that can make mobile browsing a hassle. By hand-selecting our favorite tech news outlets, we’ve created a cleaner, more mobile-friendly experience.
Your privacy is important to us. Go K’awiil does not use analytics tools such as Facebook Pixel or Google Analytics. The only tracking occurs through affiliate links to amazon.com, which are tagged with our Amazon affiliate code, helping us earn a small commission.
We are not currently offering ad space. However, if you’re interested in advertising with us, please get in touch at [email protected] and we’ll be happy to review your submission.