As the victim of the one from last year, it wasn't particularly fun to read.

The implication that I don't know what I'm looking at, or that I don't know what security is (despite having a clean track record for about 15 years now) was a bit aggravating.

In fact, even months later, the lasting effects have been panicking over anything that is remotely suspicious. The most recent example was just a few days ago. Had just gotten on the plane to go on vacation when someone Liked the original "I've been pwned" post on Bluesky. I misread the notification as being a new message to me saying "You've been pwned" and started to panic. I'd have had no way to address it and it would have ruined the small chance per year I get to have a break.

The attack last year wasn't me misunderstanding security. It was the sum of many, many small things (my history with and perception of npm especially w.r.t. their security posture and poor outreach over the years, being stressed out overall, and being in a rush at that particular moment, and a few other personal things) coming together in a perfect storm that resulted in the attack.

reply
I couldn't tell at first, tbh. It had this vibe: https://github.com/bitcoin/bips/blob/master/bip-0042.mediawi...
reply
Yeah. Me too. It looked like a spoof when I started reading, but as I went on it didn't seem to be increasing in its implausibility.
reply
Well, the one I linked to is real. BIP-42 made bitcoin's monetary policy fixed, by fixing a bug in the client which would have resulted in the initial subsidy code being reset every ~250 years or so. It's just the official writeup documenting it that is silly.
reply
"left-justify" absolutely slayed me :)
reply
Would explain why most of the download traffic comes from the Middle East :)
reply
I should have known when the first package was left-justify, but I read until karen before I realized it must be fiction
reply
I got halfway through before I realized
reply
Contributing factors are entirely serious

edit: actually more and more things I'm recognizing as being entirely serious (ie benevolent worms :D); satire indistinguishable from reality

reply
Searching for CVE-2024-YIKES also provides a gallery of AI slop blogs that AI-rewrite the content of this post while being absolutely stone cold serious about it.
reply
Currently a Google search for vulpine-lz4 gives a very serious AI overview.
reply
Googling is no longer a reliable way to figure out if something is real or not (since, in this case, it just regurgitates the original article, including a couple slop blogs about it)
reply
Just because it's not important to pay attention to CVEs, why not waste the readers' time by creating "fictional" CVEs without a disclaimer in the first line? Just because it's not already difficult to scrape through the information and noise on this internet... especially if it appears on the front page of hackernews
reply
Could one mistake this

> Status: Resolved (accidentally)

> Severity: Critical → Catastrophic → Somehow Fine

for a real CVE report?

reply
The tag list at the top of the page includes “satire”.
reply
'nmp'
reply
Node's Malicious Packages.
reply
I only noticed at goat farming. But anyway, what would a left-justify package do?
reply
> I only noticed at goat farming

Heh. I didn't even blink at that. I know a couple of open-source folks who actually packed up to buy off-grid farms in Portugal

reply
Pull left-pad as dependency presumably.
reply
Which then, inexplicably, pulls left-justify as a recursive dependency.
reply
The dependency cycle is actually the functional mechanism of the code, because they subvert the dedup mechanism in the package manager using a random generation trick. Each recursive copy of the dependencies takes up a little bit more space, which ultimately gets converted to the spaces inserted into the original datum; the caller is expected to adjust the cache settings to signal the desired amount. That's also why if you're using left-justify to process strings, Yarn is recommended for best compatibility. /joke
reply