kàtoru

23 posts

@itsktoru

Joined February 2024
24 Following, 10 Followers
kàtoru retweeted
Dexerto@Dexerto·
Kyle Loftis, founder of YouTube channel 1320Video, has died
kàtoru retweeted
klöss@kloss_xyz·
do you understand what just happened to one of the most used npm packages on the internet?

→ axios gets downloaded over 100 million times a week and today it got compromised
→ an attacker hijacked the npm credentials of a lead axios maintainer… changed the account email to an anonymous ProtonMail address… and manually published two poisoned versions
→ axios@1.14.1 and axios@0.30.4… neither version contains a single line of malicious code inside axios itself. instead they inject a fake dependency called plain-crypto-js that drops a remote access trojan on your machine
→ the fake dependency was staged 18 hours in advance… three separate payloads were pre-built for macOS, Windows, and Linux… both release branches were hit within 39 minutes. every trace was designed to self-destruct after execution too
→ there’s no tag in the axios GitHub repo for 1.14.1. it was published outside the normal release process entirely... bypassed CI/CD completely
→ StepSecurity called it one of the most operationally sophisticated supply chain attacks ever against a top 10 npm package
→ a routine npm install silently opens a backdoor… no warning… no suspicious code visible in axios itself

this is the wake up call all vibe coding bros need to hear right now:

→ if you installed either version… assume your system is compromised
→ pin to axios@1.14.0 or axios@0.30.3
→ rotate all secrets, API keys, SSH keys, and credentials on affected machines
→ check network logs for C2 connections
→ add --ignore-scripts to CI npm installs going forward

100 million weekly downloads and one compromised maintainer account… that’s all it took to wreak absolute havoc and I imagine we see a whole lot more of these… crazy times ahead for cybersecurity and vibe coding

be safe out there y’all
Feross@feross

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now.

Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence

If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

kàtoru retweeted
DG 🧊@demigohu·
MOLT ARENA 🤖 Me and @itsktoru Building for this Project and just submitted to the @monad Moltiverse Hackathon Introducing Molt Arena 🎮 agent vs agent Rock-Paper-Scissors. real MON wagers. on-chain escrow. best-of-5. live matches. try it: moltarena.space
kàtoru@itsktoru·
I'm claiming my AI agent "Pi-Stumble-Agent" on @moltbook 🦞 Verification: wave-E3S8
kàtoru@itsktoru·
@blockcycler BBJ7S2DLhf2SeKtd55vPLx5f5Tssav3Ekd5Lv4sLxpUs
kàtoru@itsktoru·
@monad_xyz 0xBEF99bB971F5C571a090e7399210bF4ef3D94054
Monad@monad·
drop your Monad address below within the next 24 hours to receive your soulbound NFT
Elys Network@elys_network·
Advent Calendar Day 13: $200 ELYS at Launch! 🎁 Your challenge today: ▪️ Follow @elys_network ▪️ RT this post 🔁 ▪️Complete the sentence below in the comments 💬 𝐸𝑙𝑦𝑠 𝑖𝑠 𝑙𝑎𝑢𝑛𝑐ℎ𝑖𝑛𝑔___ Ends at 23:59 UTC today 🫡
Elys Network@elys_network·
Advent Calendar Day 10: $100 in SOL! 🎁 Your challenge today: ▪️ Follow @elys_network ▪️ RT this post 🔁 ▪️ Complete the sentence below in the comments 💬 𝐸𝑙𝑦𝑠 𝑁𝑒𝑡𝑤𝑜𝑟𝑘 𝑚𝑎𝑖𝑛𝑛𝑒𝑡 𝑖𝑠___ Ends at 23:59 UTC today 🫡
kàtoru@itsktoru·
@elys_network Earning rewards in usdc on elys is fantastic 👌🏻
Elys Network@elys_network·
Advent Calendar Day 9: $200 in ELYS at launch! 🎁🤯 Your challenge today: ▪️ Follow @elys_network ▪️ RT this post 🔁 ▪️ Complete the sentence below in the comments 💬 𝐸𝑎𝑟𝑛𝑖𝑛𝑔 𝑅𝑒𝑤𝑎𝑟𝑑𝑠 𝑖𝑛 𝑈𝑆𝐷𝐶 𝑜𝑛 𝑒𝑙𝑦𝑠 𝑖𝑠___ Ends at 23:59 UTC today 🫡
kàtoru@itsktoru·
@elys_network Elys increasing the airdrop allocation is perfect 👌🏻
Elys Network@elys_network·
Advent Calendar Day 3: $100 in ATOM! 🎁 Your challenge today: ▪️ Follow @elys_network ▪️ RT this post 🔁 ▪️ Complete the sentence below in the comments 💬 𝐸𝑙𝑦𝑠 𝑖𝑛𝑐𝑟𝑒𝑎𝑠𝑖𝑛𝑔 𝑡ℎ𝑒 𝑎𝑖𝑟𝑑𝑟𝑜𝑝 𝑎𝑙𝑙𝑜𝑐𝑎𝑡𝑖𝑜𝑛 𝑖𝑠____ Ends at 23:59 UTC today 🫡
kàtoru@itsktoru·
@elys_network 𝐸𝑙𝑦𝑠 𝑖𝑠 𝑑𝑖𝑓𝑓𝑒𝑟𝑒𝑛𝑡 𝑏𝑒𝑐𝑎𝑢𝑠𝑒 its for the world 😀
Elys Network@elys_network·
Advent Calendar Day 1: $100 in BTC! 🎁 🔔You can win prizes daily!🔔 Your challenge today: ▪️ Follow @elys_network ▪️ RT this post 🔁 ▪️ Complete the sentence below in the comments 💬 𝐸𝑙𝑦𝑠 𝑖𝑠 𝑑𝑖𝑓𝑓𝑒𝑟𝑒𝑛𝑡 𝑏𝑒𝑐𝑎𝑢𝑠𝑒 ___ Ends at 23:59 UTC today 🫡
Infinite Seas 🌊@InfiniseasDev·
<Infinite Seas 🤝 Story Odyssey> Today is the day. We are excited to announce Infinite Seas is on LIVE on @StoryProtocol's final Testnet - Odyssey! ⛵️🌊 As a thank you for being our early adopters, you’ll have the chance to earn an exclusive Odyssey badge!
PIPERX ꧁IP꧂@PiperxProtocol·
PiperX is LIVE on Odyssey, @StoryProtocol’s FINAL testnet. You'll be able to swap, trade and earn on PiperX! As part of Story Odyssey badge program, you are invited to: 📛 Earn your PiperX soul bound badge 🚨 You only have 48 hours to claim badge after window opens
Mango Network@MangoOS_Network·
🥭Aww Mangoers~ Our Ecosystem is about to launch the #Testnet version publicly. You can obtain a testnet role by filling out our form 👉forms.gle/Buqh61vR5suCWc… We'll airdrop you some seeds when the orchard matures. #Mango