@CoderUday Agreed, I feel the same
It's annoying and idiotic, these should be permabanned
...Show more
English
DevDiary
1.9K posts
DevDiary
@devdiary0x
25, Ex-SWE | Vibing until I get my next hustle | Relearning stuff in Public | AI & Tech Navigator | Building @Minmailist
Terminal 加入时间 Ekim 2025
269 关注281 粉丝
npm = neatly packaged malware
Feross@feross
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
English
"GSOC ka package" - how brutally has the spirit of open-source been decimated in this nation's student community man!
These 3 words beautifully encapsulate the way engineering colleges and the whole method of educating students about CSE have FAILED.
And for the clueless - GSOC is NOT a fucking internship, it is NOT a get-rick-quick method, it is NOT anything that you've been told about by your favorite bhaiyya-didis on YouTube.
Shreyaaaa✨@shreyadoesstuff
WHY DID I JUST HEAR THE WORDS "GSOC ka package dekha hai? Tum logon ko nahi chahiye kya wo?" SHUT THE FUCK UP SENIORS.
English
Can’t believe I spent years learning all the Tailwind class names just to have AI write them for me
English
Ai is killing every fking field!
Is Game development and App development still safe ?
English
@GeekyVaishnavi Popular opinion:
One algo change and your reach might die. OR you might run out of ideas.
In Google, even if you are kicked out, the name tag is enough to get another job elsewhere. And if you survive layoffs, you can make more money
It's not X OR Google
It's X AND Google
English
the big secret in software engineering is that nobody audits anything, in small or big companies it doesn’t matter, you can have processes and rules and CI tooling to catch specific cases, package analysis, binary analysis, even cybersec on payroll - som1 will just npm i virus
Feross@feross
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
English
Should I stay the 6 months countdown again?
We are month 1 into 6 months from AGI
Hadley Harris@Hadley
I’ve heard from 2 people in the last 2 days that internally Anthropic expects to have AGI in 6-12 months. That’s faster than Dario has stated publicly. Plan your business and personal finances appropriately.
English
@georgehanu @wesbos I'm just a solopreneur dude, even I got scared 😂
English
@wesbos Nothing unites JavaScript developers like a random package turning into a national emergency 😬
How many teams are about to learn what is buried in their dependency tree today?
English
DevDiary 已转推
‼️Do not npm install or deploy anything right now
Supply chain attack on axios 1.14.1 - even if you don’t use axios it may be a nested dep.
Pin versions or wait until this is resolved
Maxwell@mvxvvll
@npmjs @GHSecurityLab there is an active supply chain attack on axios@1.14.1 which pulls in a malicious package published today - plain-crypto-js@4.2.1 - someone took over a maintainer account for Axios
English
DevDiary 已转推
✅ Quick actionable checklist right now:
1. Check immediately:
npm ls axios
npm ls plain-crypto-js
2. If you see 1.14.1 → Pin safe version:
In package.json: "axios": "1.14.0" ←
exact version, no ^ or \~
3. Then:
rm -rf node_modules
package-lock.json
npm install
(same for yarn/pnpm)
Malicious versions (1.14.1 & 0.30.4) are already being taken down from npm, but any install in the last few hours may be affected.
Already ran npm install today? Rotate secrets + check temp folders.
Who else found it in transitive deps? Share below 👇
#npm #SupplyChainAttack #JavaScript
English
