Finally got around to fixing up my moment-javaformat plugin so it publishes to npmjs with provenance. Not too much trouble to set up! I also updated my github signing key while I was at it so the UI shows "verified”.

Here's the latest: https://www.npmjs.com/package/@rangerrick/moment-javaformat

But it's terrible and you shouldn't follow that link unless you want psychic damage.

strike one: moment, don’t use it!
strike two: dates! not even once!
strike three: wait, what the fuck, java format strings?

alepm - Advanced Package Manager

https://blog.manalejandro.com/~/Artículos/alepm%20-%20Advanced%20Package%20Manager/

Malicious PyPI and npm Packages Exploits Dependencies in Supply Chain Attacks

A malicious PyPI package named termncolor was discovered which introduces
persistence and remote code execution via its dependency colorinal.

Pulse ID: 68a39c3e7cf73961aaebaaa8
Pulse Link: https://otx.alienvault.com/pulse/68a39c3e7cf73961aaebaaa8
Pulse Author: cryptocti
Created: 2025-08-18 21:33:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

Malicious PyPI and npm Packages Exploits Dependencies in Supply Chain Attacks

A malicious PyPI package named termncolor was discovered which introduces
persistence and remote code execution via its dependency colorinal. Termncolor had
355 downloads, while colorinal saw 529 before both were removed.

Pulse ID: 68a375790eb016d8cb794209
Pulse Link: https://otx.alienvault.com/pulse/68a375790eb016d8cb794209
Pulse Author: cryptocti
Created: 2025-08-18 18:48:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

*sigh*

Even with #nix, building #npm/#yarn packages still sucks...

New supply-chain attacks hit open-source repos:
#PyPI: termncolor & colorinal delivered multi-stage malware with Windows & Linux backdoors.

#npm: packages redux-ace,rtk-logger posed as dev tools & job tests, stealing iCloud Keychain, browser data, wallets:
https://thehackernews.com/2025/08/malicious-pypi-and-npm-packages.html

“eslint-config-prettier” npm package Compromised by a Phishing Attack

Pulse ID: 68a0d1af45d25006ff26f70d
Pulse Link: https://otx.alienvault.com/pulse/68a0d1af45d25006ff26f70d
Pulse Author: cryptocti
Created: 2025-08-16 18:45:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#NPM package tar-fs Link Directory Traversal #Vulnerability

https://github.com/google/security-research/security/advisories/GHSA-xrg4-qp5w-2c3w

Uncovering a Web3 Interview Scam

A Ukrainian Web3 team's interview process involved cloning a GitHub repository containing malicious components. Analysis revealed the project replaced a legitimate dependency with a malicious NPM package, rtk-logger@1.11.5. This package collected sensitive data, including cryptocurrency wallet information, from popular browsers and uploaded it to an attacker-controlled server. The malware also implemented keylogging, screen capture, and clipboard monitoring. Two other GitHub accounts were found using a similar malicious package. The scam aimed to trick interviewees into executing malicious code, potentially leading to data leaks and asset theft. Developers are advised to exercise caution when handling unknown GitHub projects and to use isolated environments for execution.

Pulse ID: 689c7d9c70e5cba54257d1a9
Pulse Link: https://otx.alienvault.com/pulse/689c7d9c70e5cba54257d1a9
Pulse Author: AlienVault
Created: 2025-08-13 11:57:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

In light of the ongoing enshittification of #GitHub and the inevitable expansion to #npm, I'm delighted to see that although founded by the commercial entity behind #Deno, https://jsr.io/ shifted to an open governance model earlier this year and is working on "establish[ing] a legal home for JSR, either by joining an existing foundation (e.g., Linux Foundation, OpenJS) or forming its own 501(c)(3) or similar entity."

https://deno.com/blog/jsr-open-governance-board

I hope everyone currently fleeing #GitHub is also aware that #npm belongs to GitHub since 2020

Three facts about Microsoft:

Microsoft recently had it's A.I. division take over Github.

Microsoft also owns npm.

Microsoft also hosts over 11 thousand terabytes of Israeli military data on it's Azure servers collected from the mass surveillance of Palestinians, which the Israeli military uses to blackmail people, hold them in captivity, and justify killing them after the fact.

Så trist å miste Inger Johanne og hennar kompetanse!
https://sirdalmedia.no/2025/08/gir-seg-etter-27-ar-i-sirdal-kompetanse-som-ikke-blir-brukt-mister-man/

Målet med omorganisering, initiert av kommunedirektør Fuhr var....? Og når skal den vera ferdig?

Folk sluttar jo over ein låg sko i kommunen.

Как собрать npm-пакет в 2025 и не облажаться

Думаю, многие из вас публиковали npm-пакеты в опенсорс или для работы (или хотя бы подумывали об этом). Но сборка библиотек сильно отличается от сборки приложений, а советы по публикации npm-пакетов в интернете часто противоречат друг другу или оказываются устаревшими. За свою карьеру я портатил недели, публикуя пакеты с кривой сборкой, разбирая жалобы пользователей и читая срачи известных деятелей опенсорса. И я готов поделиться с вами самыми свежими советами: Минификация: помогает или мешает? Транспиляция: как не перестараться? Полифиллы: да, но нет. Сорсмапы: кому они вообще нужны? Бандлить или не бандлить?

https://habr.com/ru/articles/936010/

Malicious npm Packages Target WhatsApp Integrations For Remote Data Destruction

Pulse ID: 68974c7d3af4a64a31f19a8a
Pulse Link: https://otx.alienvault.com/pulse/68974c7d3af4a64a31f19a8a
Pulse Author: cryptocti
Created: 2025-08-09 13:26:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.