Dev By RayRay -👨‍💻

10.7K posts


@devbyrayray

Tech Lead of Amazing teams 💪 Conference Speaker & AI Solution Architect. Building https://t.co/sgNwJDepbX 🎥 Build https://t.co/MImqYIpy7I

The Netherlands · Joined February 2016
1.3K Following · 2.1K Followers
Dev By RayRay -👨‍💻 retweeted
Aikido Security @AikidoSecurity
npm v12 will stop running dependency install scripts by default. Postinstall scripts have powered many recent npm supply chain attacks, from Nx s1ngularity to Shai-Hulud. It won’t solve everything, and it should not have taken this long, but it closes a very real attack path.
1
7
37
5.6K
Dev By RayRay -👨‍💻 retweeted
Min Choi @minchoi
Less than 24 hours ago, Anthropic dropped Claude Fable 5. Minds are blown. And people are already coming up with wild use cases. 10 examples:
116
225
2.9K
1.7M
Dev By RayRay -👨‍💻 retweeted
Aikido Security @AikidoSecurity
npm recently introduced staged publishing, and it directly targets the attack pattern behind most of the supply chain compromises we tracked this year. Instead of npm publish pushing packages live instantly, npm stage publish puts them in a queue. A human with 2FA has to approve, preventing attackers from pushing malicious package versions with stolen tokens. We open-sourced a SAST rule that catches "npm publish" in your GitHub Actions workflows and flags it for migration.
1
10
36
2.5K
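A check in the spirit of the rule the tweet describes, written here as an added example (not Aikido's open-sourced rule): it walks a GitHub Actions workflow file line by line, flags steps that run plain `npm publish`, skips commented-out commands and the `npm stage publish` form the tweet names as the replacement, and reports the enclosing job and step so the finding is actionable. The workflow text is constructed for the demo.

```python
import re

# Constructed sample workflow for the demo (not from any real repository).
SAMPLE_WORKFLOW = """\
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Publish to npm
        run: |
          npm run build
          npm publish --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  staged:
    steps:
      - run: npm stage publish   # already migrated: must not be flagged
"""

# Plain "npm publish" as a command word pair; "npm stage publish" does not match.
PUBLISH_CMD = re.compile(r"(?<![\w-])npm\s+publish(?![\w-])")
JOB_LINE = re.compile(r"^  ([\w-]+):\s*$")            # a job key directly under jobs:
STEP_NAME = re.compile(r"^\s*-\s*name:\s*(.+?)\s*$")  # first line of a named step
STEP_START = re.compile(r"^\s*-\s*\w")                # first line of any step

def strip_yaml_comment(line: str) -> str:
    """Drop a trailing '# ...' comment so commented-out commands are not flagged."""
    idx = line.find("#")
    return line if idx == -1 else line[:idx]

def find_direct_publishes(workflow_text: str) -> list:
    """Return one finding per line that runs plain `npm publish`, with job/step context."""
    findings, job, step, in_jobs = [], None, None, False
    for lineno, raw in enumerate(workflow_text.splitlines(), start=1):
        line = strip_yaml_comment(raw)
        if line.startswith("jobs:"):
            in_jobs = True
            continue
        m = JOB_LINE.match(line)
        if in_jobs and m:
            job, step = m.group(1), None
            continue
        if STEP_START.match(line):                    # new step: reset its name
            m = STEP_NAME.match(line)
            step = m.group(1) if m else None
        if PUBLISH_CMD.search(line):
            findings.append({"line": lineno, "job": job, "step": step, "command": line.strip()})
    return findings
```

On the sample, `find_direct_publishes(SAMPLE_WORKFLOW)` reports only line 8 (job `publish`, step `Publish to npm`); the already-staged job produces no finding.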
Dev By RayRay -👨‍💻 retweeted
Vaibhav Sisinty @VaibhavSisinty
Okay this is genuinely insane. SpaceX just unveiled a satellite whose only job is to run AI. Not internet. Not GPS. Just compute, floating in orbit. It's called AI1, and the reason behind it breaks your brain. AI data centers on Earth are hitting a wall, not a chip wall, a physics wall. They need staggering amounts of power and water just to stay cool, and we're running out of grid and land to build them. So Musk's answer is: stop building them on Earth. In orbit, the sun never sets. Free power, 24/7. No water for cooling, you just radiate heat into the vacuum of space. The two things choking AI on the ground barely exist up there. And here's the wild part: Musk says it's easier to build than a Starlink satellite. Strip out the complex antennas and it's "a lot of solar cells, a radiator, and some laser links." One AI1 carries the compute of an Nvidia GB300 rack, the same hardware data centers fight over down here. AI1 is just the first one. The plan is a constellation of up to a million of them. And the timing isn't an accident, SpaceX goes public this week at a ~$1.75 trillion target. This isn't a rocket company anymore. It's positioning itself as the power grid for AI, in space. The race for AI compute just left the planet. Literally. @SpaceX
1.1K
2.9K
17.7K
4.7M
Dev By RayRay -👨‍💻 retweeted
Aikido Security @AikidoSecurity
Traditional malware sneaks onto a machine. Supply chain malware gets invited. The developer runs npm install and the malicious code lands with full permission to execute. That inversion breaks both EDR and proxies at the design level. EDR has no way to tell the difference between malicious code and legitimate code doing the exact same thing. And proxies only work when developers are actually on them, which they often aren't. The scan never runs. Both tools solve real problems for the threats they were designed for. Supply chain attacks just aren't one of them.
2
5
26
2.5K
Dev By RayRay -👨‍💻 retweeted
Cloudflare @Cloudflare
VoidZero, the team behind Vite, Vitest, Rolldown, Oxc, and Vite+, is joining Cloudflare. Vite stays open source, vendor-agnostic, and built for everyone. cfl.re/3Q1XYSX
98
374
3.2K
642.2K
Dev By RayRay -👨‍💻 retweeted
International Cyber Digest @IntCyberDigest
โ€ผ๏ธ๐Ÿšจ A new npm supply-chain attack compromised 57 packages across over 286 malicious versions in under 2 hours. The attackers used self-replicating malware, a new version of the Miasma worm, which also used evasion techniques to stay under the radar. The payload targets CI/CD and developer credentials, including GitHub Actions secrets, cloud credentials, Vault tokens, SSH keys, npm and GitHub tokens, and password-manager stores. This variant also injects AI coding assistant config files at `.claude`, `.cursor`, `.gemini`, and `.vscode` paths, a separate persistence and repo-poisoning angle.
73
314
1.7K
224K
Dev By RayRay -👨‍💻 retweeted
Aikido Security @AikidoSecurity
โš ๏ธ New "IronWorm" supply-chain attack: 30+ npm packages from @ asteroiddao shipped a malicious Rust binary firing on preinstall. It sweeps 86 env vars + 20 credential files (AWS, GCP, Vault, npm, plus AI keys like Anthropic & OpenAI), hits Exodus wallets, hides behind an eBPF rootkit, and beacons over Tor. Self-propagates via npm Trusted Publishing OIDC, with backdated commits faked as claude/dependabot/renovate.
48
185
812
611.5K
Dev By RayRay -👨‍💻 retweeted
Aikido Security @AikidoSecurity
โš ๏ธ Multiple @ redhat-cloud-services npm packages were found carrying malicious payloads that fire via a preinstall hook on every npm install. All packages were published via GitHub Actions OIDC, indicating the CI/CD pipeline was compromised. The payload targets GitHub Actions secrets, AWS, GCP, Azure, Kubernetes, HashiCorp Vault, npm and CircleCI tokens. It reads /proc/mem to bypass log masking, self-propagates via harvested npm tokens bypassing 2FA, and persists on developer devices via Claude Code and VS Code injection.
11
82
251
68.6K
Dev By RayRay -👨‍💻 retweeted
Rijwind @rijwind
Mapbox is expensive and runs on US infrastructure. Today we're launching Rijwind: the European alternative. Map tiles, geocoding and routing, hosted in 🇳🇱 The Netherlands. Privacy-friendly by default. More features coming soon!
6
8
61
22.4K
Dovydas Vitkauskas @Dovydas44444
🇳🇱 The Netherlands has never blocked a 🇺🇸 US deal. Kyndryl's €100M was first. Kyndryl is a US company spun out of IBM. It tried to buy a Dutch firm called Solvinity. Solvinity runs DigiD, the login millions of Dutch people use. They use it for taxes, healthcare, and pensions. A US law lets American agencies demand data from US companies. If you log in with DigiD, your most private data was at stake. So the Netherlands decided that the system was not for sale for a US bidder. Is the growing mistrust of US tech companies going to become a more structural obstacle for US investment in 🇪🇺 EU: A) Yes; B) No?
191
316
1.4K
96.6K
Dev By RayRay -👨‍💻 retweeted
Moshe Siman Tov Bustan @MosheTov
🚨 NPM Malware-slop Alert! 🚨 We detected and reported a malware-slop package to npm - the malware uses its OWN PRIVATE GitHub token, which is EMBEDDED INSIDE the malware itself - to read sensitive information and upload it to the threat actor's GitHub repository. The malware is still live on npm - npmjs.com/package/mouse5… The threat actor's GitHub page was opened 5h ago - github.com/unplowed3584 Detailed report will be published tomorrow.
13
31
203
34K