Joseph Werle

4.4K posts

Joseph Werle

@josephwerle

Staff Engineer @SocketSecurity | Maintainer @OroComputer, clib, bpkg | ex @RadNFTV, @Spotify, @AppNexus

NYC Katılım Eylül 2009

788 Takip Edilen648 Takipçiler

Joseph Werle retweetledi

Feross@feross·31 Mar

@SocketSecurity Reminder to install Socket for GitHub (it's free!) to protect your PRs from bad dependencies: socket.dev/features/github Also don't forget Socket Firewall to protect your laptop: socket.dev/blog/introduci…

English

542

235.9K

Joseph Werle retweetledi

Andrej Karpathy@karpathy·31 Mar

New supply chain attack this time for npm axios, the most popular HTTP client library with 300M weekly downloads. Scanning my system I found a use imported from googleworkspace/cli from a few days ago when I was experimenting with gmail/gcal cli. The installed version (luckily) resolved to an unaffected 1.13.5, but the project dependency is not pinned, meaning that if I did this earlier today the code would have resolved to latest and I'd be pwned. It's possible to personally defend against these to some extent with local settings e.g. release-age constraints, or containers or etc, but I think ultimately the defaults of package management projects (pip, npm etc) have to change so that a single infection (usually luckily fairly temporary in nature due to security scanning) does not spread through users at random and at scale via unpinned dependencies. More comprehensive article: stepsecurity.io/blog/axios-com…

Feross@feross

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios @1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

English

555

1.1K

10.5K

1.5M

Joseph Werle retweetledi

Feross@feross·31 Mar

@karpathy More information here: socket.dev/blog/axios-npm… Two things that can help: Socket for GitHub (it's free!) to protect your PRs from bad dependencies: socket.dev/features/github Socket Firewall (also free!) to protect your laptop: socket.dev/blog/introduci…

English

105

16.7K

Joseph Werle@josephwerle·23 Mar

daily messages from my agent Sven to my printer is a new kind of feeling

English

Joseph Werle retweetledi

Socket@SocketSecurity·24 Şub

Join us on Feb 25 at 10am PST for a fireside chat with Log4j maintainer @grobmeier and Socket CEO @feross on Log4Shell and the realities of maintaining critical OSS infrastructure. Watch live & get notified: LinkedIn → linkedin.com/events/7431822… YouTube → youtube.com/watch?v=9-uVuh…

YouTube

English

1.8K

Joseph Werle retweetledi

FFmpeg@FFmpeg·15 Ara

@typememetics ffmpeg-rs comes with a free side order of delusion about speed improvements

English

1.5K

32.3K

Joseph Werle retweetledi

Feross@feross·30 Eyl

🚨 Open source supply chain attacks are exploding. Starting today, that ends. We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI. Just run: npm i -g sfw sfw npm install lodash Works for: npm, yarn, pnpm, pip, uv, and cargo.

English

405

43.6K

Joseph Werle retweetledi

Socket@SocketSecurity·30 Eyl

Maintainer compromises used to be rare. Now they’re happening at an alarming rate, as seen in recent attacks. Today we’re giving developers a new layer of defense with Socket Firewall, a free tool that blocks malicious dependencies at install time.

English

9.7K

Joseph Werle retweetledi

Socket@SocketSecurity·8 Eyl

🚀 We’re kicking off another Launch Week at Socket, with a new feature launching every day! First up: Pull Request Stories, a dashboard view that helps security teams track supply chain risks by showing the real impact of every PR.

English

3.8K

Joseph Werle retweetledi

Feross@feross·4 Ağu

🚨 New critical vuln discovered in NestJS Devtools → Full RCE via the browser 😱 All you have to do is… visit a website. 🧵 Here’s how we went from “harmless dev tool” to “pop calc on your Mac”: @nestjs/devtools-integration ships with a local HTTP server that accepts POST requests to /inspector/graph/interact That endpoint? It executes arbitrary JS using a “sandbox” 🤡 built on safe-eval — which is hilariously named. The sandbox uses vm.runInNewContext() — even though NodeJS explicitly says this is not a security mechanism. This means you can break out of it. And we did. Just needed a tiny payload to escape and run shell commands. But the real magic? You can trigger this from any website, thanks to a CSRF bypass trick using text/plain form posts. The result? Remote Code Execution just by visiting a webpage. No clicking required. We responsibly disclosed this to the NestJS team — they fixed it fast and with grace. Props to them 👏 🎯 CVE-2025-54782 📎 GHSA-85cg-cmq5-qjm7 🔍 Found via @SocketSecurity's AI-driven malware detection Full write-up (including POC): socket.dev/blog/nestjs-rc… This is why you don’t run “devtools” that parse and exec random JSON from localhost. Especially not using safe-eval.

Socket@SocketSecurity

🚨 Critical RCE in @nestjs/devtools-integration: A broken sandbox + CSRF lets any website trigger code execution on your dev machine if the dev server is running. Full disclosure: socket.dev/blog/nestjs-rc…

English

7.4K

Joseph Werle@josephwerle·1 Ağu

FAL is the infra you don't hear about, and that's good

@levelsio@levelsio

All my AI startups are powered by @FAL so I invested in them They're one of the nicest people to work with, extremely fast inference times but also extremely fast support The founders are Turkish and now I have a special thing for 🇹🇷 Turkey and wanna visit Istanbul, hard working people that don't tolerate bullshit, I like it The business case for FAL seems real, I tried setting up my own GPU server on @LambdaAPI, it's fun and I got quite far installing Claude Code and letting it do everything But you still get stuck pretty fast, it's a lot of work to manage the layer between GPU and actually getting an AI model to output something fast while being able to scale up on demand (remember other startups with their "Queued" problems when you try run a job) So FAL has its role, it backs a lot of the AI apps you use because the founders want to focus on building useful apps, not mess around with GPU servers

English

208

Joseph Werle@josephwerle·31 Tem

a peak into the zeitgeist - we are cooked

Massimo@Rainmaker1973

Thoughts?

English

176

Joseph Werle retweetledi

MJ@mjackson·31 Tem

I know you think you like React hooks. useState, useEffect, useMemo, useEffectEvent. You like the way they compose. The way they're "just functions". I will destroy them.

English

1.1K

171.8K

Joseph Werle@josephwerle·30 Tem

web devs going to glitch and cry

Тsфdiиg@tsoding

We have JSON at home

English

Joseph Werle retweetledi

Evan You@youyuxi·29 Tem

This just happened 👀

English

162

256

3.5K

338.2K

Joseph Werle@josephwerle·19 Tem

GIF

ZXX

176

Joseph Werle@josephwerle·18 Tem

this is a dopamine hit for some, more tragedy for others

Pontus Abrahamsson — oss/acc@pontusab

Monorepo wins every time.

English

201

Joseph Werle@josephwerle·15 Tem

GIF

Shayan@ImSh4yy

I love React.

ZXX

130

Joseph Werle@josephwerle·10 Tem

this is the best approach to TS. there is too much complexity expressed for no reason in too many projects where you spend more brain space thinking about types than the problem you set out to address

MJ@mjackson

The majority of my TypeScript code is just annotating method signatures, that's it. (Almost) everything else is inferred. Nowadays I find myself hovering over symbols in my editor, waiting for Intellisense to kick in and teach me about my code. So good.

English

117

Joseph Werle@josephwerle·4 Tem

Someone finally said it

SoupyTwist@SoupyTwist

@warmwind_OS Isn’t a warm wind just a fart?

English

113

Keşfet

@SocketSecurity @karpathy @grobmeier @feross @typememetics @elonmusk @BarackObama @taylorswift13