MyComputerSpot

890 posts

@mycomputerspot

News and Newsletters | Tech and Trends | Building and Consulting | Talking about: Computers, IT, Cybersecurity, and Emerging Threats and Trends.

Joined July 2024
194 Following, 178 Followers
Pinned Tweet
MyComputerSpot
MyComputerSpot@mycomputerspot·
The uncomfortable part of the npm supply-chain problem is not that packages can be poisoned. We knew that.

The uncomfortable part is that some of our "best practices" assume the attacker is polite enough to stop being dangerous when we revoke their access.

The answer may surprise you... And the answer is bad.

In the Shai-Hulud npm campaigns, compromised packages were not just stealing secrets. They were using those secrets to keep moving.

- GitHub tokens.
- npm tokens.
- Cloud credentials.
- CI/CD secrets.

The kind of things that live in build systems because everything was supposed to be automated, fast, and developer-friendly.

Then came the nastier twist: malware behavior that researchers described as "having a dead man's switch." In some cases, cutting off access too quickly could trigger destructive behavior if the malware was still active and watching its channels disappear.

Which makes the normal incident response reflex weird, fast.

"Revoke the token" is still correct. But "revoke the token from an infected host while the malware is still running" may not be the safest first move. That sequence matters.

A poisoned package is not just a bad dependency. It can be an entry point into the developer workstation, the CI runner, the maintainer account, the cloud environment, or the next package maintained by the same person.

That turns dependency hygiene into an executive risk conversation. Not because every CEO needs to know what package-lock.json does. Please no. Some of us are still recovering from explaining DNS.

But leadership does need to understand: If your build pipeline can publish software, deploy infrastructure, and access production-adjacent secrets, then your build pipeline is part of your attack surface. Not a developer convenience. An attack surface.

The practical shift: Stop treating token rotation as the whole playbook. It is one step in a controlled response.

A better order looks more like:

1. Isolate the suspected host or runner.
2. Stop automatic installs, builds, and publishes.
3. Preserve enough evidence to understand what ran.
4. Check for persistence, malicious workflows, and poisoned lifecycle scripts.
5. Rotate credentials from a clean environment.
6. Move away from long-lived publish tokens where trusted publishing/OIDC is available.
7. Rebuild affected machines and runners instead of cleaning them with a brave face.

The brave face is where the incident report gets... "spicy."

The bigger lesson is simple: Modern software supply chains are not just about what code you wrote. They are about what code your tools run on your behalf while everyone is trying to move quickly.

And sometimes the scariest part of an incident is discovering that the emergency lever is wired to something else.

❓ How are you handling package installs and publishing credentials in CI right now: ❓

✔️ Trusted publishing/OIDC
👛 Short-lived tokens
🚧 Manual release gates
🕶️ "We should probably look at that soon."
2
2
10
22.4K
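Added example (not part of the original post and not written by its author): one way to support steps 2 and 4 of the order above is to audit `package-lock.json` for entries that would run lifecycle scripts or come from outside the registry before installs are re-enabled on a runner. The function names, the allowlist parameter and all package names in the sample are assumptions constructed for illustration; `hasInstallScript`, `resolved`, `integrity` and `link` are fields of the npm lockfile format.

```javascript
// Added example: flag lockfile entries that need review before installs resume.
// All package names and URLs in the sample are constructed for illustration.
const REGISTRY = 'https://registry.npmjs.org/';

// Derive the package name from a lockfile "packages" key such as
// "node_modules/a/node_modules/@scope/b".
function nameFromKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

// Returns one finding per entry that runs an install-time script (and is not
// on the reviewed allowlist), resolves outside the registry, or lacks a hash.
function auditLockfile(lock, allowedInstallScripts = new Set()) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '' || entry.link) continue; // root project or workspace link
    const name = nameFromKey(key);
    const reasons = [];
    if (entry.hasInstallScript && !allowedInstallScripts.has(name)) {
      reasons.push('install-script');
    }
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY)) {
      reasons.push('non-registry-source');
    }
    if (entry.resolved && !entry.integrity) reasons.push('no-integrity');
    if (reasons.length) findings.push({ name, version: entry.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile (lockfileVersion 3 layout).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/native-addon': { version: '2.1.0',
      resolved: REGISTRY + 'native-addon/-/native-addon-2.1.0.tgz',
      integrity: 'sha512-CONSTRUCTED', hasInstallScript: true },
    'node_modules/left-util': { version: '0.3.1',
      resolved: REGISTRY + 'left-util/-/left-util-0.3.1.tgz',
      integrity: 'sha512-CONSTRUCTED', hasInstallScript: true },
    'node_modules/left-util/node_modules/@acme/fmt': { version: '1.0.0',
      resolved: 'https://example.invalid/fmt-1.0.0.tgz' },
  },
};

console.log(auditLockfile(sampleLock, new Set(['native-addon'])));
```

Entries flagged `install-script` are the ones `npm ci --ignore-scripts` keeps from executing during a controlled rebuild.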
MyComputerSpot
MyComputerSpot@mycomputerspot·
@BlackDumpling DMing is writing, acting, scheduling, therapy-adjacent listening, and math you did not ask for. So yes.
0
0
0
7
BLACK DUMPLING™
BLACK DUMPLING™@BlackDumpling·
The most difficult of the performing arts is the Dungeon Master. The table top role playing kind. And there is no other form of artistry in the lexicon of man that even comes remotely close.

While it's certainly not the most dangerous, or physically demanding, the sheer and staggering number of disciplines that have to come together all at once, on demand, in a distinctly improvisational environment while ensuring everyone around you has fun?

And I know you think I'm taking the piss, but read for yourself and tell me if anything is missing or doesn't belong because the depth and breadth of what's required to be a DM is astonishing.

Narrative & Storytelling Arts:
1. World-building and lore crafting (mythology, anthropology, history, ecology, speculative fiction, comparative religion, geography, economics, politics).
2. Plot structure, dramatic arcs, pacing, foreshadowing, and multi-threaded storytelling.
3. Descriptive language, sensory immersion, and evocative prose (poetry, literary techniques, metaphor).
4. Thematic depth and philosophical exploration (ethics, psychology, social commentary).

Performance & Acting Disciplines:
1. Voice acting (accents, dialects, pitch, timbre, projection, emotional range).
2. Physical embodiment and presence (gesture, posture, facial expression, mime, stage combat basics).
3. Character creation and consistent role embodiment (method acting, commedia dell'arte).
4. Showmanship, stage presence, comedic timing, and dramatic flair (public speaking, hosting).

Improvisation & Adaptability:
1. "Yes, and..." reactive storytelling and collaborative emergence.
2. Real-time decision-making and consequence generation under uncertainty.
3. Handling derailments, player agency, and "failing forward".
4. Risk assessment and flexible pivoting while maintaining coherence.

Directing & Facilitation:
1. Player/ensemble management and group dynamics (spotlight balance, encouraging participation).
2. Session pacing, structure, and energy management (like real-time film editing).
3. Feedback integration and iterative group direction.

Rules Adjudication & Game Design:
1. Mechanical mastery and consistent rulings (probability, statistics, game theory).
2. Homebrewing, system hacking, and custom content design.
3. Procedural fairness and social contract enforcement.

Visual, Spatial & Multimedia Arts:
1. Cartography, battlemaps, and visual aids (graphic design, perspective, illustration).
2. Prop crafting, set design, and terrain building (3D printing, papercraft, painting).
3. Sound design and music curation (audio editing, ambient scoring, effects).
4. Digital tools and VTT performance (Foundry, Roll20, streaming tech, lighting).

Psychological & Interpersonal Disciplines:
1. Audience (player) psychology and engagement styles.
2. Conflict resolution, inclusion, and emotional intelligence.
3. Motivational leadership and fostering investment.

Research, Scholarship & Preparation:
1. Broad interdisciplinary knowledge (history, science, linguistics, military tactics, folklore).
2. Organizational skills (campaign bibles, note-taking, asset management).
3. Time management, prep efficiency, and endurance.

Reflective & Educational Practices:
1. Self-critique, session review, and continuous iteration.
2. Pedagogy and mentoring (teaching rules, onboarding players).

Ancillary & Technical Disciplines:
1. Writing (adventures, backstories, handouts, letters).
2. Marketing and community building (for public or ongoing games).
3. Physical/mental stamina and voice care.
4. Tech troubleshooting (audio/video, hybrid play).
5. Legal/ethical basics (copyright, accessibility).

Even the disciplines themselves are broken down into further subdisciplines, and even those disciplines are tempered by the ruleset you're using and those rulesets can then be further subdivided into editions.

And even then it's not merely that the DM has to do these things, she has to do them well enough that everyone around her has a good time and wants to come back. Remember, we're talking genuine competence across nearly all of these fields simultaneously in a live, highly randomized, co-created environment. Often for four to five hours or more at a given stretch.

Which I suppose is just a lot of words to say it's a hell of a lot of work to be all powerful.
26
7
113
2K
Lisa
Lisa@lisathebeauty1·
Notes app be like: call dentist grocery list why did he look at me like that charger 8473hshs movies to watch
3
30
121
2.5K
MyComputerSpot
MyComputerSpot@mycomputerspot·
@BugmaniaL Pet meds are frustrating because it feels like paperwork when you are trying to protect an animal. Clean vet notes at least make the back-and-forth less painful.
0
0
0
1
PepperMan
PepperMan@BugmaniaL·
You can order boner pills and all sorts of prescription meds without a prescription online, but I need a prescription from a vet for flea and tick meds for my pets? This country is plain stupid. 👊
10
3
51
994
MyComputerSpot
MyComputerSpot@mycomputerspot·
@thejustinwelsh Simple systems are underrated. The business should not require a ceremony every time you need to know if you made money.
0
0
0
36
Justin Welsh
Justin Welsh@thejustinwelsh·
Don't build a unicorn company. Build a small business that has profitable days, simple systems, and a flexible schedule. Over-ambition is exhausting. Cash flow with less effort is where it's at.
211
81
1.3K
41.3K
MyComputerSpot
MyComputerSpot@mycomputerspot·
@Kalshi Cash flow does not care how good the business looks from the outside.
0
0
0
3
Kalshi
Kalshi@Kalshi·
JUST IN: Small business bankruptcies rose 36% in past year
99
174
1.2K
103.4K
MyComputerSpot
MyComputerSpot@mycomputerspot·
@shub0414 AI can produce code faster than teams can build taste, review habits, and ownership. That gap gets expensive.
0
0
0
3
Shub
Shub@shub0414·
AI is pushing so much garbage code in production now that very soon they'll have to rehire more humans than they laid off just to fix bugs created by AI and vibe coding.
129
47
469
157K
MyComputerSpot
MyComputerSpot@mycomputerspot·
@ritu_twts Yes. Learn enough to know when the machine is lying to your face.
0
0
0
2
Reethu
Reethu@ritu_twts·
Be honest devs, Is coding still worth learning in the AI era?
320
26
816
192.4K
MyComputerSpot
MyComputerSpot@mycomputerspot·
@karrisaarinen Yes. The review step matters more than people want to admit. Agents can move fast, but somebody still needs to know what changed and why.
0
0
0
41
Karri Saarinen
Karri Saarinen@karrisaarinen·
I want an agent workflow tool. It should let me:
- describe work items and plans
- assign tasks to agents
- review code diffs
- work multiplayer with my team
- collect customer context from many places
- define shared skills and MCP servers
- use it fully from slack
45
6
412
48.1K
MyComputerSpot
MyComputerSpot@mycomputerspot·
pivotgg.com build log: I keep coming back to one thing: Threat intel should help the analyst move. Not just stare at IOC verdicts. Evidence, next steps, detections, handoff. That is what I am trying to make cleaner. Tell me if that is useful or if I am just decorating my own headache.
0
0
0
6
Kevin Today
Kevin Today@kevinjtoday·
@mycomputerspot fire → read prior runs/user reactions → produce output → notify → user attaches and reacts → next run absorbs the reaction. A cron loop that produces the same output forever has no memory, isn't tightening, and is broken.
1
0
1
10
Kevin Today
Kevin Today@kevinjtoday·
Set up daily "process HN frontpage" workflow: 1. Create AgenC cron that calls daily-hn-pull skill 2. On startup, it reads the past runs to see my prior feedback 3. It does the pull, sends me a notification, and asks for feedback 4. My feedback is used to refine the skill
2
0
0
43
MyComputerSpot
MyComputerSpot@mycomputerspot·
@voidshivendra Happy to connect! Check out pivotgg.com! (Cybersecurity IOC reports generation.) Check out worththemath.com! (It has useful FREE calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, etc.)
1
0
1
16
Shiv
Shiv@voidshivendra·
𝕏 gets way better when your feed is full of builders. People shipping projects. People solving problems. People obsessed with tech. Looking to connect with more people into: AI, SaaS, coding, startups, web dev, engineering & tech. Let’s connect ✨
55
0
60
1.8K
MyComputerSpot
MyComputerSpot@mycomputerspot·
@Gharbi__S Happy to connect! Check out pivotgg.com! (Cybersecurity IOC reports generation.) Check out worththemath.com! (It has useful FREE calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, etc.)
1
0
2
7
Seyf
Seyf@Gharbi__S·
Hey Looking to #connect with people who get the journey: • Solo founders & indie hackers • SaaS & AI builders • Anyone grinding on something real Solo founder here building my AI product, one commit at a time. What are you building or struggling with? #BuildInPublic #AI
71
1
41
1.8K
MyComputerSpot
MyComputerSpot@mycomputerspot·
@JoinFireLaunch Happy to connect! Check out pivotgg.com! (Cybersecurity IOC reports generation.) Check out worththemath.com! (It has useful FREE calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, etc.)
0
0
0
4
FireLaunch
FireLaunch@JoinFireLaunch·
Hey founders! Looking to connect with people building in: - SaaS - iOS apps - automation - AI agents - web APPs drop what you're working on 👇
70
4
49
3.7K
MyComputerSpot
MyComputerSpot@mycomputerspot·
@alex_lrz_nmv Without money to keep my operating costs afloat, my product is dead in the water. Eventually, the running costs bill comes due and you would end up more broke than when you started. 😅
1
0
2
9
Alex
Alex@alex_lrz_nmv·
Founders, what's the biggest problem you're facing with your startup now? - getting customers - churn rate - cash flow - building the product
47
0
49
3.2K
MyComputerSpot
MyComputerSpot@mycomputerspot·
@harsh_5harma @X Happy to connect! Check out pivotgg.com! (Cybersecurity IOC reports generation.) Check out worththemath.com! (It has useful FREE calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, etc.)
0
0
0
9
Harsh Sharma
Harsh Sharma@harsh_5harma·
Hey @X It's Monday! I'm looking to #connect with people interested in: - Frontend - Backend - Full stack - Data Science - UI/UX - Freelancing Drop your products/projects 👇
65
0
43
1.4K
MyComputerSpot
MyComputerSpot@mycomputerspot·
@pgbpgbpgbpgbpgb Happy to connect! Check out pivotgg.com! (Cybersecurity IOC reports generation.) Check out worththemath.com! (It has useful FREE calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, etc.)
0
0
2
11
Pieter Bosma ⚡
Pieter Bosma ⚡@pgbpgbpgbpgbpgb·
My timeline needs more builders. Not lurkers. Not theorists. Builders. People who ship SaaS, write code, learn in public, and iterate relentlessly. Drop a reply. Tell me what you're building. Share your URL - I visit every single one.
55
3
37
1.6K
MyComputerSpot
MyComputerSpot@mycomputerspot·
@santoshstack Happy to connect! Check out pivotgg.com! (Cybersecurity IOC reports generation.) Check out worththemath.com! (It has useful calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, etc.)
0
0
2
11
Santosh
Santosh@santoshstack·
Hey founders! Looking to connect with people building in: • SaaS • AI • Automation • Web apps • Tech products • Marketing Drop what you're working on 👇
80
3
52
1.9K
MyComputerSpot
MyComputerSpot@mycomputerspot·
@kegashin Happy to connect! Check out pivotgg.com! (Cybersecurity IOC reports generation.) Check out worththemath.com! (It has useful calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, Networth, etc.)
0
0
0
3
kegashin
kegashin@kegashin·
Need more builders on my timeline If you are building something - drop it below 🤖 AI tools 🛠️ devtools 📱 apps 💻 SaaS 🎨 product/design tools 🌍 open source let's connect
90
0
49
2K
MyComputerSpot
MyComputerSpot@mycomputerspot·
@NWExplained Happy to connect! Check out pivotgg.com! (Cybersecurity IOC reports generation.) Check out worththemath.com! (It has useful calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, etc.) Using Claude and Codex primarily.
0
0
2
4
NetWorth Explained
NetWorth Explained@NWExplained·
Hey founders/builders/tech people👋 Looking to connect with people who are into: - SaaS - AI Tools (tell me what you are using) - Building in Public - Startups - Distribution and marketing (the most important!) Tell me what you're working on & I'll follow you back 💚
77
3
69
2.8K
MyComputerSpot
MyComputerSpot@mycomputerspot·
@Nerdcognito That character sheet is already looking at the shredder and does not know why.
1
0
3
48
Nerdcognito
Nerdcognito@Nerdcognito·
Timeless TTRPG Wisdom: Guess which #DnD character is getting offed within two sessions? 😂 It's good to be the #DM.
21
2
66
3.7K