Peter van der Zee
@pvdz.ee
π€ 435
π₯ 92
π 972
tafka @kuvos eng
@socket.dev
- 15yr js/ts - rust - ex vercel - ex fb - js1k-guy
pinned post!
Today is my first day at
@socket.dev
! π± Perfectly aligns with what I want. Stoked to get started π§
over 1 year ago
3
28
1
This is a big deal. It kills like 99% of all npm malware we see today. Give or take. It won't go away. Of course. But it helps.
add a skeleton here at some point
8 days ago
0
8
2
"great win!" - hung my queen in move 6 - opponent timed out at move 10 pfff. never give up and all that but
10 days ago
0
1
0
not sure about kimi's output there but close enough. I think gpt's output also refers to me but not entirely sure. if not, that would be a bit of a curious coincidence.
23 days ago
0
0
0
ok, gartner. great ... "journalism" you got going there π
24 days ago
0
0
0
Hey AI make this thing go faster. It takes 15min for this case and that's just slow. I set 10min as goal to keep it going. AI: it's too tough, can't do it * cuts off 90s AI: now it's really too tough, can't do it * cuts off 80s AI: that's really it * cuts to under 10min AI: ok, all done Me: wtf?
27 days ago
1
0
0
Asserted dominance by defeating both my kids at chess. Despite hanging my queen in both occasions π. One even tricked me in doing so! They'll get me eventually. Just let me have this.
30 days ago
0
1
0
It's fine to be skeptical against AI generated code. It's fine to block it from your repo because it's too noisy or commonly has quality problems or whatever. It's probably true. But to state that it's "invariably garbage" just _destroys_ your credibility. Why would you do that. Who hurt you?
about 2 months ago
0
0
0
Me: why does my wishlist seem to be growing all the time... Also me: 80% discount? Hmmm, nah. Not yet.
about 2 months ago
0
0
0
"Perfect randomness". Some years ago they would probably call that "Pure magic". In some years they'll call it "Primary school education" or "duh". I don't believe in factual randomness. We just don't know how it works, yet.
about 2 months ago
0
0
0
@baggerspion.bsky.social
open up your dms you doodoo
about 2 months ago
0
0
0
An aspect I like about current code assists is the freeform that still just works. You can dump large debug blobs and say "fix this" before it or after it and it can distinct the mechanical output from the user request. And it works in various contexts, very efficiently. Almost flawlessly so.
about 2 months ago
0
0
0
I want a `git lock` which locks the git status to a read-only state under a pincode. Goal is to allow an AI to read the state but not to make changes to it. They're too snap happy to just checkout or commit or whatever and I don't have an easy way of allowing read-only only. Any tips?
about 2 months ago
1
0
0
Rest of my Sunday is cooking
about 2 months ago
0
2
0
More like breaking my Sunday afternoon. So what I don't get having done this research is: why would an actor go through all this trouble only to put their malware research and code PUBLIC together WITH the actual c2 infra. Like, wtf? You can't be stupid to have come this far. But at the same time...
add a skeleton here at some point
about 2 months ago
1
1
0
Weee are night and day π΅
about 2 months ago
0
0
0
I'm not sure how we're not going to have a mass forced credential roll at this point tbh. github, aws, gcp, ai vendors, and anything in between should just force a roll event of credentials on their customers, sooner than later. disruptive? yes. but so is getting hacked. so...
about 2 months ago
1
1
0
Socket raised a C round! (Maybe we should be SoCket now! ok eeew no) All I can see on my part is that I've been having an awesome time working on AI and with AI, detection, and what not. Lucky to be part in the right place at the right time :D
bsky.app/profile/fero...
add a skeleton here at some point
about 2 months ago
0
9
2
'using' is probably the biggest change in a while that will be visible in code bases very quickly. It's just sugar but I like it, slightly awkward keyword notwithstanding
add a skeleton here at some point
about 2 months ago
2
13
2
I wish these llm benchmarks would include a chess elo :D
about 2 months ago
0
0
0
Works or b0rks? ``` console.log(delete undefined); console.log(delete null); ```
2 months ago
0
0
0
reposted by
Peter van der Zee
Wes
2 months ago
Was a good morning to roll out our
@socket.dev
firewall integration which had these packages blocked in ~6min from publish.
add a skeleton here at some point
2
22
7
This phrasing makes sense to me tbh
add a skeleton here at some point
2 months ago
0
0
0
Works or B0rks? ``` const a = {[-NaN]:1}; console.log('a:', a[-NaN], a["-NaN"]); const b = {"-NaN":1}; console.log('b:', b[-NaN], b["-NaN"]); const c = {-NaN:1}; console.log('c:',c[-NaN], c["-NaN"]); ``` Will it hit (1) or is -NaN the same as NaN and so it fails? What if it were a map or a set?
2 months ago
0
0
0
The google maps moment will be when some vendor offers free gpt/claude level AI (yeah, with all the same pro's and cons)
3 months ago
0
0
0
Damn, what a day. What a week. How am I supposed to get any work done this way.
3 months ago
0
1
0
I wonder if an AI assistant actually "understands" it when I say there's a "mikado effect" when you have to start to untangle a mess top to bottom in a particular order. Like, it's obvious for us, even looking at a picture of the game if you've somehow never played it. But for an AI?
3 months ago
0
0
0
dangit, school system not writing with proper punctuation caps and syntax actually proves you're human! the bots could never lower themselves to write invalid sentences!
3 months ago
0
1
0
try { } catch (x) rethrow A,B { } "but not A,B", "ignoring A,B", "dont catch A,B", "catch (x) if A,B", I dunno... Seems like an AbortError is a viable real world common candidate to get this treatment (arguably, that's "abusing" the throw mechanic as a side channel, but that ship has sailed)
3 months ago
0
0
0
Anyone know of a chess book that teaches you an opening by like puzzles and steps you through lines for a particular opening and explains most of them into the middle game, but also the ideas behind it, why certain moves are bad, etc? Maybe a bit modern? I'm not finding books that hit the spot :/
3 months ago
0
0
0
The axios compromise blast radius is much much much bigger than people seem to suspect. The secret: transitive dependencies with open ranges making it extremely obscure and difficult to detect whether you were affected, after the fact.
add a skeleton here at some point
4 months ago
0
6
4
Dog ate my homework -> Claude rimraffed me, sir.
4 months ago
0
0
0
Arguably, it's okay to reduce your phantom opaque rate limits down to borderline useless when your users still won't hit these new limits (either) anyways, right? Because you can't reach rate limits WHEN THE PRODUCT HAS AN INCIDENT/OUTAGE ALL THE TIME :smart: oof.
4 months ago
0
0
0
Yikes.
socket.dev/blog/axios-n...
loading . . .
Supply Chain Attack on Axios Pulls Malicious Dependency from...
A supply chain attack on Axios introduced a malicious dependency,
[email protected]
, published minutes earlier and absent from the projectβs GitHu...
https://socket.dev/blog/axios-npm-package-compromised
4 months ago
0
1
1
Wtf? Just sitting in a semi public book case. For like, casual reading?
4 months ago
1
0
0
45min was more like uhhh 10h Terraria board game. Game was ok, price way too high for the low replay value. No unlocks or anything and little variation is kind of disappointing for 2026? We only spawned one (unavoidable) boss, missed the others due to rng. Focused on the wrong game components imo.
4 months ago
0
0
0
Oldschool JS, is that code from like two years ago?
4 months ago
0
1
0
Ok good think we didn't reassign tab to AI auto-complete. In five years nobody gonna be auto-completing anything anymore. Waste of effort.
4 months ago
0
0
0
New rule: public github repos cannot have any secrets. Must use private or public-proxy read-only repos (where only owners/contribs can make PRs) for releases and CI stuff. It's obvious github can't get on top of the github actions exfil stuff. Seems like a plausible way to squash that vector?
4 months ago
1
1
1
- Create this random html canvas game - Now create a down sampled terminal renderer for it I love vibe coding.
4 months ago
1
1
0
Hey, it's spring time! Oops.
4 months ago
0
0
0
Impressive. Claude was able to deobfuscate
socket.dev/npm/package/...
completely! Preval tripped over the use of `with()` (I never bothered to support that) so I was hand decoding it. But I figured, why not let Claude try and it delivered. I think it's just another contagious interview tho.
loading . . .
https://socket.dev/npm/package/es-lint-builders/files/1.0.5/test.js
4 months ago
0
1
0
I spent a day perusing the last few months of openvsx packages and digging up worms π Glassworm actually seems to be the only active campaign right now on openvsx (or whatever else is going on is hiding it reaaaal good. Though these are 10mb+ packages so who knows right) The rest are just one offs.
add a skeleton here at some point
4 months ago
0
3
0
So you published their name, basically doxxing them? :slow-clap: Why would you consider that news worthy other than the news event itself? Did the world need to know the artist name? Really? I think you destroyed something under the guise of investigative journalism. Hope you're proud. Pathetic.
4 months ago
0
1
0
Hmmm, Tenko is passing test262 again. All tests except one "staging/sm" where I think spidermonkey is just wrong for backwards compat reasons so I'm ignoring that. It's even prepared for "using", later on. Good maintenance cycle.
4 months ago
0
0
0
You catch more bugs in dark mode. Because it's an edge case, apparently most people develop in light by default, and it's easy to miss contrast issues.
4 months ago
0
0
0
So, you have an AI that writes up a message body that injects my profile, making it look real, but then forget to scrub the emoji clearly designed to catch automation π€¦
4 months ago
0
2
0
One of these days github is going to ban me for putting all that deobfuscated malware into my gists just to share them with the team π
4 months ago
0
0
0
Why is the KLM website always broken? Holy shit and they wonder why business is bad. OOF.
4 months ago
0
0
0
I think we observed hacker-claw do this thing where it compromised a package, post a repo level GHSA for that version, then post another version of the package a little later. They were baiting people to upgrade beyond the bad version. Can't prove whether that was the strat but sure looks like it...
4 months ago
0
1
0
reposted by
Peter van der Zee
Socket
5 months ago
minimatch patched 3 high-severity ReDoS vulnerabilities that can stall the Node.js event loop. Because it's pulled into nearly every corner of the
#NodeJS
ecosystem (~472M weekly downloads), we're releasing free Certified Patches for all three.
socket.dev/blog/minimat...
#JavaScript
loading . . .
minimatch Patches 3 High-Severity ReDoS Vulnerabilities - So...
minimatch patched three high-severity ReDoS vulnerabilities that can stall the Node.js event loop, and Socket has released free certified patches.
https://socket.dev/blog/minimatch-patches-3-high-severity-redos-vulnerabilities
0
5
4
Load more
feeds!
log in