Philipp Burckhardt

GraphMaker for easy graph building: describe in English what nodes and edges you want, and it handles the rest via OpenAI's help. Support for trees, DAGs, styling, saving in multiple formats etc. Work in progress, please send @CRGenovese and me feedback! github.com/isle-project/g…

We identified 72 malicious Open VSX extensions linked to the GlassWorm campaign, including many cases where the malware is distributed transitively by being delilvered via covert extension packs. See below for link to our full coverage.

We are starting a research internship program at @SocketSecurity We are particularly interested in PhD students who want to apply their research ideas in the broad space of software supply chain security and simultaneously gain industry experience and real-world impact.⬇️

And the malicious Rust crates here socket.dev/blog/two-malic…

Stay vigilant and keep those dependencies scanned! Read more about the QR code attack here: socket.dev/blog/malicious…

While we haven't seen major supply chain attacks hitting any of the major open-source ecosystems, the Socket Threat Research Team uncovered some fascinating and creative attack techniques worth sharing:

Hey, you! Want to protect your dev machine from npm malware without changing your workflow? Try a new tool that transparently isolates npm cli in a docker container. No need to remember to do anything! Early access: github.com/lavamoat/kipuka RT for reach 😉 and help me improve

Direct link to post: blog.stdlib.io/reflection-on-…

On the @stdlibjs blog, we just published my take on @METR_Evals's surprising study: AI tools made experienced developers 19% slower (expectation: 40% faster!)🤯 I dive into the why, where AI coding tools actually help, and how I've shifted from handholding AI to async delegation.

Read more: socket.dev/blog/protestwa…

Undocumented Protestware We found hidden functionality in 28+ npm packages that disables UI for Russian-language users visiting .ru or .by domains. No CVEs. No advisories. No documentation. Just behavior-based disruption quietly copied into packages and shipped to production.

Two major npm supply chain discoveries this week from the Socket Research Team highlight a critical gap in traditional security approaches. Both threats would slip past security tools that rely on vulnerability databases or metadata alone.

@typesfast "The Wealth and Poverty of Nations" by David Landes.

What’s the best history book you’ve read?

These packages, disguised as "the cheapest Cursor API," install backdoors that steal credentials and modify crucial files. In total, sw-cur, sw-cur1, and aiide-cur have been downloaded 3,200+ times before discovery. Read more on the Socket blog: socket.dev/blog/malicious…

🚨 With vibe coding being on everyone's minds and AI code generations seemingly becoming ubiquitous, it is not surprising that this attracts also malicious actors. Kirill Boychenko just uncovered three malicious npm packages targeting Cursor users on macOS.

Over the last few months, I have been picking up Cursor again after finding it not substantially improving my productivity when I tried it last year. It, and the LLMs powering AI code completions, have gotten so much better that I now really enjoy its agent workflow.