Meon Valley Web

@retlehs @TheSEOFramework Watch how it flies when Yoast is removed and @TheSEOFramework added!

Inherited a site that uses Yoast SEO which I hadn't seen the UX for in ages — incredible how bloated and slow it is, plus console.log errors spamming in the block editor The meta box takes up 1250px of height... @TheSEOFramework is still the GOAT

@kunchenguid 😉 github.com/MeonValleyWeb/…

i just hardened most of the npm packages I own against the ongoing supply chain attack using this thread to share what i did in case it's helpful for others the core idea is simple: don't use any third-party package versions that are just published. enforce this with tools 🧵

@DeRonin_ 😉 github.com/MeonValleyWeb/…

🚨USE THIS GUIDE TO PROTECT YOUR COMPUTER FROM NPM HACKS THAT STEAL EVERYTHING IN ONE INSTALL TanStack, a code library used in millions of web apps, got hacked on Monday one install steal every password, key, and credential on your computer this is far not the first hack this month and definitely just the beginning Here's how to protect your machine: [ 1. lock down npm with a 7-day cooldown ]: open ~/.npmrc. keep all existing lines (auth tokens, registry config). append: """ min-release-age=7 minimum-release-age=10080 save-exact=true """ this makes npm refuse any package version published in the last 7 days. attack windows are usually under 24 hours, you skip them entirely [ 2. same cooldown for bun ]: open ~/.bunfig.toml (create if missing). append: """ [install] minimumReleaseAge = 604800 """ 7 days in seconds, same protection in bun's config format [ 3. pin every npm dependency in your projects ]: open package.json. strip every ^ and ~ from versions under: - dependencies - devDependencies - peerDependencies exact versions only. commit your lockfile (bun.lock / package-lock.json / pnpm-lock.yaml) to git so the resolved tree is frozen [ 4. same discipline for python ]: if you use uv (the modern default): commit uv.lock, run `uv sync` to restore if you use pip: requirements.txt with pinned versions, run `pip install --require-hashes -r requirements.txt` if you use poetry: commit poetry.lock, use `poetry install --no-update` never trust `>=` or `~=` ranges in production projects [ 5. pin GitHub Actions to commit SHAs ]: stop using `actions/checkout@v4`. switch to: ```yaml uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 ``` every third-party action runs in your CI with access to repo secrets. pinning the SHA means a compromised maintainer cannot push malicious code into your pipeline [ 6. audit your IDE extensions ]: Cursor, VSCode, Windsurf, every extension is code running with full access to your filesystem, clipboard, and open files - review installed extensions monthly - remove anything you haven't actively used in 30 days - check the publisher, install count, last update, GitHub source before installing - never install extensions that ask for permissions they shouldn't need [ 7. lock down API tokens and credentials ]: - never commit .env to git (add to .gitignore on every project, no exceptions) - use minimum-scope tokens: one repo, one bucket, one workspace - rotate API keys every 90 days, force expiry on critical ones - separate tokens by environment (dev / staging / prod) - enable 2FA on every developer account: GitHub, npm, PyPI, Cloudflare, AWS, OpenAI, Anthropic - never paste secrets into Claude / ChatGPT / any AI chat, they're logged [ 8. set up continuous monitoring ]: - enable Dependabot alerts on every repo (free, takes 2 minutes) - install Socket.dev or Snyk for live vulnerability scanning - subscribe to the npm and PyPI security advisory feeds - follow @snyksec, @socketsecurity, @stepsecurity for early warnings [ 9. how to detect if you got the TanStack payload ]: if you installed any @tanstack/* package between 19:20 and 19:30 UTC on Monday, May 11, treat the host as compromised the detection signature: a malicious manifest contains "optionalDependencies": { "@tanstack/setup": "github:tanstack/router#79ac49ee..." } any version with this entry is compromised. the payload is delivered via the git-resolved optionalDependency, whose prepare script runs router_init.js (~2.3 MB, smuggled into the tarball root) how to check fast: - search your lockfile for `@tanstack/setup` references - search node_modules for any `router_init.js` file - if either shows up, jump to section 10 immediately future attacks will use the same trick: malicious code hidden in optionalDependencies or postinstall/prepare scripts. add `grep -r "postinstall\|prepare" node_modules/*/package.json | grep -iE "curl|wget|eval|base64"` to your weekly audit routine [ 10. emergency response if you're already compromised ]: ran an install during a suspected attack window? do this in this exact order: - rotate every cloud credential: AWS, GCP, Kubernetes service accounts, Vault tokens - rotate GitHub personal access tokens, OAuth tokens, SSH keys - revoke active sessions on GitHub, npm, PyPI, all cloud providers - audit AWS / GCP / Kubernetes / Vault audit logs for the last several hours, look for unauthorized API calls - pin to the last known-good version of every @tanstack package and reinstall from a clean lockfile - check ~/.npm, ~/.config, browser cookie stores for tampered files - wipe ~/.bash_history, ~/.zsh_history, local AI chat logs that might have secrets - if you ran the install as root or with sudo: nuke the machine, reinstall from scratch, restore code from git only [ why this matters right now ]: attack chains in supply chain hacks usually only last a few hours before the malicious package gets caught and yanked. during those hours, every developer running `npm install` becomes a victim worse: npm couldn't even UNPUBLISH most of the TanStack malicious versions because of third-party dependencies. the registry's own safeguards are part of the problem. you can't rely on the platform, you have to protect yourself the patterns from the last 18 months: - npm: TanStack on May 11 (42 packages, AWS/GCP/Vault credentials), Shai-Hulud worm hit Nx packages, chalk/debug/ansi-styles worm hit qix maintainer - GitHub Actions: tj-actions/changed-files compromise exposed thousands of repos' secrets - PyPI: ongoing typosquatting campaigns targeting AI/ML packages - IDE extensions: VSCode marketplace caught hosting credential stealers the frequency is rising because the payoff is massive one compromised package lands on millions of machines in hours if you don't lock this down tonight, you're exposed to the next one. and there will be one 30 minutes tonight, or wait for the next attack to clean out your machine Full TanStack breakdown: github.com/TanStack/route…

Protect those packages.. #npm github.com/MeonValleyWeb/…

@ryancarson github.com/MeonValleyWeb/…

Add a minimum package age to help protect you from attacks like this

@Teknium I’m doing something wrong, mine just grinds to a halt and sits there! Keep going back to @opencode to get things finished!

🫡🫡🫡

@ClaudeDevs @claudeai Stream ended without a final message Wassuppppp??

@steipete @eastdakota @Cloudflare I paid them because I felt guilty as to how good it was!

@eastdakota @Cloudflare I still haven’t paid you folks a singe cent! 😅

Built on @Cloudflare Workers. Peter is so cool!

@lucaronin might help managing those PR’s 😬

@BlackboxAIhost The offline-first architecture is brilliant. When your kid needs medical care during a power outage or network failure, having truly resilient systems isn't just convenience - it's survival. Building for the edge cases that actually matter.

The desktop app that manages markdown knowledge bases

@ryancarson Tough day?

Please, pretty please, *actually* test restoring from your db backup (which, for the love of god, should be from an offsite location).

@MelkoXMR @turshija Explain?

@turshija Why the fuck would you use the same machine for your work and to store your cryptos ?

I got completely owned by the most sophisticated hack I've ever encountered. I'm a developer. I know what scams look like. This didn't look like one. 🧵

@AlexFinn You don’t need Opus 4.7 to run basic everyday tasks - they run fine with Qwen, Kimi2.5 and GPT! Use Codex when needed.. You keep spending $1000 a month and ranting on here if it makes you feel good - you have great ideas but you’re losing us with rants like that!

Here's the truth people are afraid to admit: Even if using Opus 4.7 with OpenClaw costs you $1,000 a month through the API, you still need to be paying for it When it comes to OpenClaw there's simply no second best model ChatGPT is completely useless for OpenClaw. Doesn't complete tasks, actively deletes and messes up files, has no idea how to use tools Every night before I go to bed I pray ChatGPT 5.5 matches Claude at OpenClaw usage. OpenAI has been a lot more consumer friendly when it comes to limits and oauth use But at the moment there is no dodging the truth. Claude is the only way to go for OpenClaw I look at it like this: OpenClaw with Opus 4.7 is a super intelligent employee that works 24/7 without complaint Even if I pay $1,000 a month for API usage ($12,000 a year) that's still a steal compared to hiring humans I'd be paying over $100,000 a year if I hired an actual person. And they wouldn't be working 24 hours a day and they wouldn't be immediately responding to my telegram chats and they'd file HR complaints if I talked to them the way I talked to my Claw I'm confident OpenAI is training their new models for OpenClaw usage, but in the meantime, there's simply no 2nd best. Pay for the API.

@tonysimons_ Have to 💯 agree with you!

This is a wild take -- and I'm a big Alex Finn fan, let me just preface this rant with that. Suggesting people pay $1,000 a month in this economy is ludicrous. I pay for: > ChatGPT Plus ($20) > Claude Pro ($20) > MiniMax Highspeed Token Plan ($40) I'm seriously considering throwing in another $10 for a @NousResearch portal subscription for the immense value it brings to Hermes users. This is more than enough inference for 99% of the people using AI agents right now. Unless you're doing some really deep shit, spending $1,000 a month on API fees is just insane. Remember, this is coming from an influencer with almost half a million followers here and a thriving YouTube channel. $1k a month likely isn't hurting Alex's wallet a bit. But for many of you reading this, it's just flat out not necessary. Especially for smaller businesses who don't have or don't want to spend an extra 1k a month. On a side note, I'm really surprised to see Alex still riding the OpenClaw wave as hard as he is. Hermes is a superior product. He uses it, so he can't deny that fact. Kinda feels a bit irresponsible to be still plugging OpenClaw so hard when there's no argument as to which is a better option for 99.9% of the people watching his videos. Alex, I doubt you'll see this (or even care if you do)... I'll still keep watching your videos, but I'd really love to see you start covering Hermes more, brother. Do your subscribers that favor. The views will still keep rollin' in. (Spoiler alert: building a mission control dashboard doesn't count as doing really deep shit either, by the way. Save those premium tokens and build something useful, folks.) /EndRant 🙃

@flomeindl @eliana_jordan Constantly fighting with @OpenClaw I mean it’s a great battle but constantly crawling for fixes etc or getting codex to dive in and fix it! Have been looking at @NousResearch to see if it will solve an issue - not done with #OpenClaw yet!

I’ve been using Clawdbot since December, and while a lot has improved, the huge ecosystem has also made it feel bloated. For my use case, too much now feels inefficient or unnecessary. Hermes feels lighter, more flexible, faster, and better on token consumption. Obviously it depends on the workflow, but for our marketing and outbound sales pipeline on our own VPS, Hermes is currently unbeatable.

openclaw or hermes for marketing?

@codenprose @petergyang @NotionHQ or @obsdmd that is the question?

@petergyang I'm still waiting for someone to put all of these into the same app so I don't lose my mind.

Went from having multiple terminals open to just two apps open :)

Tower 16 for Mac introduces AI Commits — generate commit messages and customize prompts to match your team's conventions! git-tower.com/blog/tower-mac…

@retlehs Brilliant- using it now!

🔎 quien — a better WHOIS. Domain lookups with a clean TUI instead of parsing raw 𝚠𝚑𝚘𝚒𝚜 output. DNS records, mail config, SSL certs, HTTP headers, and tech stack detection all in one tool. github.com/retlehs/quien

Superwhisper's next update might be too powerful to release publicly. The new voice model is so fast at transcription it started finishing sentences users hadn't thought of yet... We even put it in a sandbox and it dictated its way out. It also identified a flaw in the English language that had gone unnoticed for 600 years. Linguists have been informed. Out of an abundance of caution, we are withholding the update until further notice. Sincerely, The Superwhisper Team