"CrowdStrike Falcon Prevents Supply Chain Attack Involving Compromised NPM Packages" (crowdstrike.com/en-us/blog/cro…) vs. "Multiple CrowdStrike npm packages published by the crowdstrike-publisher npm account were compromised." (socket.dev/blog/ongoing-s…) 😅😅😅

Submitted to VDP to NVIDIA on Intigriti . Submit, make a marked PoC without stealth, maintainer fixes it partially) as a result. Triager later closes it as N/A 🙃. 0 reason to submit to a VDP if it's a for-profit company. Full Disclosure on X is far less frustrating.

🚨Here is my latest research at EclecticIQ: ShinyHunters teamed up with Scattered Spider to conduct vishing attacks targeting cloud application users, bribing employees for insider access and targeting CI/CD tools for supply chain attacks. 🔗blog.eclecticiq.com/shinyhunters-c…

If there’s one thing I’ve learned from this NPM supply chain fiasco, it’s that Lupin has insane foresight and built Depi long before any of us were thinking about this problem seriously. The Oracle of Grenoble 😆 but seriously, check out Depi!

Excited for this post!! I think we’ll learn that as bad as Shai-Hulud was, an even worse eldritch horror awaits the JavaScript ecosystem when a payload that isn’t #shittymalware goes around.

Definitely an interesting bug class! Almost every single agentic dev product has had a variant of this bug class at one point or the other.

Amazing post showing how the threat actor(s) iterated on and manually spread their worm as the attack progressed.

So here’s the story behind why yesterdays live #metaconnect demo failed - when the chef said “Hey Meta start Live AI” it activated everyone’s Meta AI in the room at once and effectively DDOS’d our servers 🤣 That’s what we get for doing it live!

Finally upgraded my iPhone 13 Mini to a 17 Pro. For the hell of it I upgraded the 13 Mini to iOS 26 (battery replaced few months ago). It’s nearly unusable with normal interactions lagging / stuttering.

I wish someone with a larger megaphone would blast this RFC. I’ve seen tweets by influencers calling out Shai-Hulud - but GitHub can solve this with far less than pain than Shai-Hulud caused companies. Power in numbers….