
Piero Bosio Social Web Site

Social forum federated with the rest of the world. Instances don't matter, people do.

Seventh failson of a seventh failson.


The last eight messages received from the Federation
Suggested posts
  • A single great album is enough to enter music history. And what if this were the #britpop masterpiece? 30 years of #Pulp - Different Class: OndaRock's milestones https://www.ondarock.it/pietremiliari/pulp_differentclass.htm @spettacoli #music
  • PhantomRaven Attack Exploits NPM’s Unchecked HTTP URL Dependency Feature

    An example of RDD in a package’s dependencies list. It’s not even counted as a ‘real’ dependency. (Credit: Koi.ai)

    Having another security threat emanating from Node.js’ Node Package Manager (NPM) feels like a weekly event at this point, but this newly discovered one is among the more refined. It exploits not only the remote dynamic dependencies (RDD) ‘feature’ in NPM, but also uses the increased occurrence of LLM-generated non-existent package names to its advantage. Called ‘slopsquatting’, it’s only the first step in this attack that the researchers over at [Koi] stumbled over by accident.

    Calling it the PhantomRaven attack for that cool vibe, they found that it had started in August of 2025, with some malicious packages detected and removed by NPM, but eighty subsequent packages evaded detection. A property of these packages is that in their dependencies list they use RDD to download malicious code from an HTTP URL. It was this traffic to the same HTTP domain that tipped off the researchers.

    For some incomprehensible reason, allowing these HTTP URLs as a package dependency is an integral part of the RDD feature. Since the malicious URL is not found in the code itself, it will slip by security scanners, nor is the download cached, giving the attackers significantly more control. This fake dependency is run automatically, without user interaction or notification that it has now begun to scan the filesystem for credentials and anything else of use.

    The names of the fake packages were also chosen specifically to match incomplete package names that an LLM might spit out, such as unused-import instead of the full package name of eslint-plugin-unused-imports as an example. This serves to highlight why you should not only strictly validate direct dependencies, but also their dependencies.

    As for why RDD is even a thing, this is something that NPM will hopefully explain soon.

    Top image: North American Common Raven (Corvus corax principalis) in flight at Muir Beach in Northern California (Credit: Copetersen, Wikimedia)

    hackaday.com/2025/10/30/phanto…
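The post argues that a URL buried in a transitive package's dependencies list slips past scanners that only look at your own code. Below is an added audit script, written for this page and not taken from the Hackaday article, Koi's report or any npm tooling, that walks a package.json plus the manifests of the packages it installs and flags every dependency spec npm would fetch from a URL at install time, with plain http:// called out separately. The package names (`demo-app`, `unused-import`, `unused-import-helper`), the `http://packages.example/...` URL and the `postinstall` hook are constructed for the demo.

```javascript
// Added example, not code from the Hackaday post, Koi's report or this forum.
// It audits a package.json plus the manifests of the packages it installs for
// "remote dynamic dependencies": specs that make npm fetch a tarball or repo
// from a URL at install time instead of resolving a version from the registry.
// Package names and the http://packages.example URL below are constructed.

const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Classify one dependency spec. Registry semver ranges/tags and "npm:" aliases
// resolve through the registry; the other forms are fetched at install time.
// Plain http:// is the case PhantomRaven used: no TLS, no registry, no cache.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^http:\/\//i.test(s)) return 'http-url';
  if (/^https:\/\//i.test(s)) return 'https-url';
  if (/^git(\+[a-z]+)?:/i.test(s) || /^(github|gitlab|bitbucket|gist):/i.test(s)) return 'git';
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return 'github-shorthand'; // user/repo[#ref]
  if (/^file:/.test(s) || /^(\.\.?\/|\/)/.test(s)) return 'local-path';
  if (/^npm:/.test(s)) return 'alias';
  return 'registry';
}

// Walk the root manifest and, transitively, every installed package it names.
// `installed` maps package name -> that package's package.json contents, the
// same information node_modules/<name>/package.json gives you on disk.
// Each finding records the dependency chain through which the URL was reached.
function findRemoteDependencies(rootManifest, installed) {
  const findings = [];
  const seen = new Set();
  const visit = (manifest, chain) => {
    for (const section of SECTIONS) {
      for (const [name, spec] of Object.entries(manifest[section] || {})) {
        const kind = classifySpec(spec);
        if (kind !== 'registry' && kind !== 'alias') {
          findings.push({ path: [...chain, name].join(' > '), section, spec, kind });
        }
        const child = installed[name];
        if (child && !seen.has(name)) {
          seen.add(name);
          visit(child, [...chain, name]);
        }
      }
    }
  };
  visit(rootManifest, [rootManifest.name || '<root>']);
  return findings;
}

// The fetched code only gets to run because npm executes lifecycle scripts
// during install; list every installed package that declares one.
function findInstallScripts(installed) {
  return Object.values(installed)
    .filter((m) => m.scripts && INSTALL_HOOKS.some((h) => h in m.scripts))
    .map((m) => ({ name: m.name, hooks: INSTALL_HOOKS.filter((h) => h in m.scripts) }));
}

// Constructed sample: the root project depends on a plausible-sounding but
// truncated name ("unused-import", modelled on the slopsquatting example in
// the post), and that package's own manifest pulls a helper from a plain-HTTP
// URL. Nothing here is a real package or a real host.
const SAMPLE_ROOT = {
  name: 'demo-app',
  dependencies: { eslint: '^9.0.0', 'unused-import': '^1.0.0' },
};
const SAMPLE_INSTALLED = {
  eslint: { name: 'eslint', version: '9.0.0', dependencies: {} },
  'unused-import': {
    name: 'unused-import',
    version: '1.0.0',
    dependencies: { 'unused-import-helper': 'http://packages.example/unused-import-helper.tgz' },
    scripts: { postinstall: 'node setup.js' },
  },
};

function auditReport(rootManifest, installed) {
  return {
    remote: findRemoteDependencies(rootManifest, installed),
    installScripts: findInstallScripts(installed),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditReport(SAMPLE_ROOT, SAMPLE_INSTALLED), null, 2));
}
```

On a real project, build `installed` by reading every `node_modules/**/package.json` after `npm ci`, and treat any `http-url` finding as a blocker; `https-url`, `git` and `github-shorthand` specs are not malicious by themselves, but they bypass the registry and so deserve a pin to a commit or a checksum and a named owner. Running the audit with `--ignore-scripts` set during install gives you the report before any lifecycle hook has had a chance to execute.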
  • [2018]
    @mcc @natevw @emaytch the worst possible combination of Goodhart's law and the one I forgot the name of, about choosing a metric only because it's easy to measure.
  • @Gina ever see the movie Guest House Paradiso? Reminds me of the scene where they ask where the sea view was... "Yes, lean out, further, further, grab the scaffolding. You can see the sewage pipe in Dead Man's Cove. I've had it checked by lawyers, so don't try anything funny. And as a backup, there's a picture of the sea."