1 day ago · Tech · 0 comments

Just a short one. It's been several months since I last posted and I always get a weird anxiety about my writing being a bit shit when it's been ages, so best not to overthink it. Yesterday the Nx Console extension for VSCode was compromised. It just so happens that I'd turned off auto updates in VSCode, as had I left them on I could have very well gotten pwned like 6000+ others. It's getting exhausting working with NPM. Literally every single week it feels like a new vulnerability or supply chain attack happens. The Tanstack one was huge, and I suspect the true size is yet to reveal itself, since that used verified pipelines and publishing to spread malware. To give the Tanstack team credit, it's not like they were particularly loose with their security, but they got caught out by one of the many dark patterns of GitHub Actions.

I could be doing literally everything right and still get pwned. Rotate secrets every quarter, use SSO where possible, pin dependencies, limit third party packages…
