j0hnh

360 posts

j0hnh banner
j0hnh

j0hnh

@johthn

Posts are my own and not that of my Org

Dublin Katılım Şubat 2010
534 Takip Edilen102 Takipçiler
j0hnh retweetledi
Andrej Karpathy
Andrej Karpathy@karpathy·
New supply chain attack this time for npm axios, the most popular HTTP client library with 300M weekly downloads. Scanning my system I found a use imported from googleworkspace/cli from a few days ago when I was experimenting with gmail/gcal cli. The installed version (luckily) resolved to an unaffected 1.13.5, but the project dependency is not pinned, meaning that if I did this earlier today the code would have resolved to latest and I'd be pwned. It's possible to personally defend against these to some extent with local settings e.g. release-age constraints, or containers or etc, but I think ultimately the defaults of package management projects (pip, npm etc) have to change so that a single infection (usually luckily fairly temporary in nature due to security scanning) does not spread through users at random and at scale via unpinned dependencies. More comprehensive article: stepsecurity.io/blog/axios-com…
Feross@feross

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

English
558
1.1K
10.5K
1.5M
j0hnh retweetledi
Andrej Karpathy
Andrej Karpathy@karpathy·
Software horror: litellm PyPI supply chain attack. Simple `pip install litellm` was enough to exfiltrate SSH keys, AWS/GCP/Azure creds, Kubernetes configs, git credentials, env vars (all your API keys), shell history, crypto wallets, SSL private keys, CI/CD secrets, database passwords. LiteLLM itself has 97 million downloads per month which is already terrible, but much worse, the contagion spreads to any project that depends on litellm. For example, if you did `pip install dspy` (which depended on litellm>=1.64.0), you'd also be pwnd. Same for any other large project that depended on litellm. Afaict the poisoned version was up for only less than ~1 hour. The attack had a bug which led to its discovery - Callum McMahon was using an MCP plugin inside Cursor that pulled in litellm as a transitive dependency. When litellm 1.82.8 installed, their machine ran out of RAM and crashed. So if the attacker didn't vibe code this attack it could have been undetected for many days or weeks. Supply chain attacks like this are basically the scariest thing imaginable in modern software. Every time you install any depedency you could be pulling in a poisoned package anywhere deep inside its entire depedency tree. This is especially risky with large projects that might have lots and lots of dependencies. The credentials that do get stolen in each attack can then be used to take over more accounts and compromise more packages. Classical software engineering would have you believe that dependencies are good (we're building pyramids from bricks), but imo this has to be re-evaluated, and it's why I've been so growingly averse to them, preferring to use LLMs to "yoink" functionality when it's simple enough and possible.
Daniel Hnyk@hnykda

LiteLLM HAS BEEN COMPROMISED, DO NOT UPDATE. We just discovered that LiteLLM pypi release 1.82.8. It has been compromised, it contains litellm_init.pth with base64 encoded instructions to send all the credentials it can find to remote server + self-replicate. link below

English
1.4K
5.4K
28K
66.4M
j0hnh retweetledi
whoisli.am
whoisli.am@LiamPTFarrelly·
Proud of the team today as we announce our Series B. We’re hiring across GTM & Engineering. If you want to be part of a team that’s rethinking the problem, not just the solution, join us 👉 evervault.com/careers
Shane Curran@arcurn

Today, we’re excited to announce @Evervault's $25M Series B, led by Ribbit Capital with continued support from @sequoia, @IndexVentures, @kleinerperkins, and @nextplayVC. This round comes at a time when sensitive data exchange on the web is going parabolic. Since 2019, we’ve been focused on building durable infrastructure for engineering teams to collect, process, share, and enrich sensitive data -- while keeping it encrypted at all times. We thought we were making good progress in encrypting the web, helping customers like @tryramp, @Rippling, @finix, @TheOverwolf, @Uniswap, @CarTrawler, and hundreds of others secure more than $5bn/year in payment flows and 100m+ unique tokens per month. But the past year has shown that our enemy -- plaintext data -- is getting stronger and more pervasive. Our vision is to build the clearinghouse for sensitive data, helping companies exchange sensitive data in a secure and encrypted way. This round helps us encrypt more of the web by further refining our developer experience, building deeper integrations with trusted third-parties, and increasing the value we can offer our customers for more data types. First and foremost, thank you to our customers. You trusted Evervault to sit directly in the flow of your most sensitive data (payments, identity, financial information, and more) and that trust is not something we take lightly. Your feedback, your requirements, and the problems you bring to us every day are what shape the product and push us forward. Thank you to the Evervault team. What you’ve built is genuinely special: infrastructure that lets developers process sensitive data without ever having to see it in plaintext. The pace, craft, care, and ambition you bring to work every day are what makes this company what it is. And thank you to our new investors for believing in the vision of making security architectural rather than procedural. We’re grateful to have partners who understand both the scale of the problem and the opportunity ahead. The internet still assumes that sensitive data must exist in plaintext somewhere. We’re building the infrastructure to change that. Onwards! More here 👉 evervault.com/blog/series-b?…

English
0
2
10
355
j0hnh retweetledi
Shane Curran
Shane Curran@arcurn·
Today, we’re excited to announce @Evervault's $25M Series B, led by Ribbit Capital with continued support from @sequoia, @IndexVentures, @kleinerperkins, and @nextplayVC. This round comes at a time when sensitive data exchange on the web is going parabolic. Since 2019, we’ve been focused on building durable infrastructure for engineering teams to collect, process, share, and enrich sensitive data -- while keeping it encrypted at all times. We thought we were making good progress in encrypting the web, helping customers like @tryramp, @Rippling, @finix, @TheOverwolf, @Uniswap, @CarTrawler, and hundreds of others secure more than $5bn/year in payment flows and 100m+ unique tokens per month. But the past year has shown that our enemy -- plaintext data -- is getting stronger and more pervasive. Our vision is to build the clearinghouse for sensitive data, helping companies exchange sensitive data in a secure and encrypted way. This round helps us encrypt more of the web by further refining our developer experience, building deeper integrations with trusted third-parties, and increasing the value we can offer our customers for more data types. First and foremost, thank you to our customers. You trusted Evervault to sit directly in the flow of your most sensitive data (payments, identity, financial information, and more) and that trust is not something we take lightly. Your feedback, your requirements, and the problems you bring to us every day are what shape the product and push us forward. Thank you to the Evervault team. What you’ve built is genuinely special: infrastructure that lets developers process sensitive data without ever having to see it in plaintext. The pace, craft, care, and ambition you bring to work every day are what makes this company what it is. And thank you to our new investors for believing in the vision of making security architectural rather than procedural. We’re grateful to have partners who understand both the scale of the problem and the opportunity ahead. The internet still assumes that sensitive data must exist in plaintext somewhere. We’re building the infrastructure to change that. Onwards! More here 👉 evervault.com/blog/series-b?…
Shane Curran tweet media
English
40
30
279
73.3K
j0hnh retweetledi
Evervault
Evervault@evervault·
Skimmers are evolving. So should your defenses. Evervault Page Protection prevents card data breaches at the source—right in your checkout. + It covers PCI DSS 4.0 requirements 6.4.3 and 11.6.1. So you can sleep—and audit—better. Sign up for free today. bit.ly/go-page-protec…
Evervault tweet media
English
0
2
13
3.8K
Iarnród Éireann
Iarnród Éireann@IrishRail·
Services between Malahide and Donabate are currently suspended due to a vehicle hitting a bridge. Update to follow. @TFIupdates -AB
English
12
0
1
19.3K
j0hnh retweetledi
Shane Curran
Shane Curran@arcurn·
In the past few months, we've hosted a few dinners & table talks on network tokens. The common theme is that they're interesting, but the value and implementation details are 𝘷𝘦𝘳𝘺 unclear. Join our webinar on December 4 to hear some practical tips! evervault.com/webinars/netwo…
English
1
1
6
1.1K
j0hnh retweetledi
Evervault
Evervault@evervault·
🥁🥁🥁🥁 Introducing Evervault 3D-Secure, refreshingly modular and performant
English
1
3
14
3K
j0hnh
j0hnh@johthn·
@GRtweets7 @IrishRail Which in turn screws up all the darts southbound during peak rush hour... I hope someone is analysing the knock on effects of the changes. E.g. Darts are inaccessible by the time they get to Raheny.
English
1
0
0
132
j0hnh retweetledi
Shane Curran
Shane Curran@arcurn·
Excited to announce @Evervault's new payments security platform! We're letting companies control their own payment data without the security and compliance headaches, so they're not locked in and can avail of the huge range of processing choices. evervault.com/blog/launching…
English
1
9
65
4.5K
j0hnh
j0hnh@johthn·
@markofu @evervault We're two for two :D (don't mind those little grey lads, burn off in no time )
j0hnh tweet media
English
0
0
0
39
Nev Flynn
Nev Flynn@NevFlynn·
Life update: I’ve joined @elevenlabs as a Design Engineer! Pumped to work with this incredible team and technology. Here’s a teaser from my first ship: a landing page for an upcoming product, ElevenStudios. Expect more waveform shaders 🫡
English
27
12
302
28.1K
j0hnh
j0hnh@johthn·
Great insights if you are managing risk in the payments security, PCI DSS space - and relatively unbiased - Visa bi-annual threat report - H2 2023 usa.visa.com/content/dam/VC…
English
0
0
2
66

Keşfet

@Evervault @sequoia @IndexVentures @kleinerperkins @nextplayVC @tryramp @Rippling @finix