Peter van der Zee
@pvdz.ee
428
92
961
tafka @kuvos eng
@socket.dev
- 15yr js/ts - rust - ex vercel - ex fb - js1k-guy
pinned post!
Today is my first day at @socket.dev! Perfectly aligns with what I want. Stoked to get started
over 1 year ago
3
28
1
"Perfect randomness". Some years ago they would probably call that "Pure magic". In some years they'll call it "Primary school education" or "duh". I don't believe in factual randomness. We just don't know how it works, yet.
about 14 hours ago
0
0
0
@baggerspion.bsky.social
open up your dms you doodoo
3 days ago
0
0
0
An aspect I like about current code assists is the freeform that still just works. You can dump large debug blobs and say "fix this" before it or after it and it can distinct the mechanical output from the user request. And it works in various contexts, very efficiently. Almost flawlessly so.
3 days ago
0
0
0
I want a `git lock` which locks the git status to a read-only state under a pincode. Goal is to allow an AI to read the state but not to make changes to it. They're too snap happy to just checkout or commit or whatever and I don't have an easy way of allowing read-only only. Any tips?
4 days ago
1
0
0
Rest of my Sunday is cooking
4 days ago
0
2
0
More like breaking my Sunday afternoon. So what I don't get having done this research is: why would an actor go through all this trouble only to put their malware research and code PUBLIC together WITH the actual c2 infra. Like, wtf? You can't be stupid to have come this far. But at the same time...
4 days ago
1
1
0
Weee are night and day
6 days ago
0
0
0
I'm not sure how we're not going to have a mass forced credential roll at this point tbh. github, aws, gcp, ai vendors, and anything in between should just force a roll event of credentials on their customers, sooner than later. disruptive? yes. but so is getting hacked. so...
7 days ago
1
1
0
Socket raised a C round! (Maybe we should be SoCket now! ok eeew no) All I can see on my part is that I've been having an awesome time working on AI and with AI, detection, and what not. Lucky to be part in the right place at the right time :D
bsky.app/profile/fero...
8 days ago
0
9
2
'using' is probably the biggest change in a while that will be visible in code bases very quickly. It's just sugar but I like it, slightly awkward keyword notwithstanding
8 days ago
2
13
2
I wish these llm benchmarks would include a chess elo :D
9 days ago
0
0
0
Works or b0rks?
```
console.log(delete undefined);
console.log(delete null);
```
16 days ago
0
0
0
reposted by
Peter van der Zee
Wes
17 days ago
Was a good morning to roll out our @socket.dev firewall integration which had these packages blocked in ~6min from publish.
2
22
7
This phrasing makes sense to me tbh
19 days ago
0
0
0
Works or B0rks?
```
const a = {[-NaN]:1};
console.log('a:', a[-NaN], a["-NaN"]);
const b = {"-NaN":1};
console.log('b:', b[-NaN], b["-NaN"]);
const c = {-NaN:1};
console.log('c:',c[-NaN], c["-NaN"]);
```
Will it hit (1) or is -NaN the same as NaN and so it fails? What if it were a map or a set?
25 days ago
0
0
0
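Added example, not from either post above: it works through both "Works or b0rks?" quizzes (the `delete undefined` / `delete null` one and the `-NaN` property-key one, including the Map/Set variant the post asks about). Snippets are evaluated through the Function constructor so that the strict-mode SyntaxError can be observed as a value instead of aborting the file.

```javascript
// Evaluate a snippet in sloppy or strict mode via the Function constructor, so that a
// strict-mode early SyntaxError (e.g. `delete undefined`) is captured as a result
// instead of aborting this whole file.
function run(src, strict = false) {
  try {
    return { ok: true, value: new Function((strict ? '"use strict";' : "") + src)() };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Quiz 1: `delete` applied to something that is not a property reference.
function deleteQuiz() {
  return {
    sloppyUndefined: run("return delete undefined").value,       // false: globalThis.undefined is non-configurable
    sloppyNull: run("return delete null").value,                 // true: delete on a non-reference succeeds
    strictUndefined: run("return delete undefined", true).error, // "SyntaxError": delete of an unqualified identifier
    strictNull: run("return delete null", true).value,           // true: a literal is not a reference, so no error
  };
}

// Quiz 2: -NaN as a property key. Object keys go through ToString, and String(-NaN) is
// "NaN", so the key is "NaN", never "-NaN". Map and Set compare keys with SameValueZero,
// under which NaN equals NaN, so a NaN key is found again.
function nanKeyQuiz() {
  const a = { [-NaN]: 1 };
  const b = { "-NaN": 1 };
  const m = new Map([[-NaN, 1]]);
  const s = new Set([NaN]);
  return {
    aKeys: Object.keys(a),                              // ["NaN"]
    aLookup: [a[-NaN], a["-NaN"]],                      // [1, undefined]
    bLookup: [b[-NaN], b["-NaN"]],                      // [undefined, 1]
    cParses: run("const c = {-NaN: 1}; return c").ok,   // false: `-NaN` is not a valid literal property name
    mapHit: m.get(NaN),                                 // 1
    setHit: s.has(-NaN),                                // true
  };
}
```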
The google maps moment will be when some vendor offers free gpt/claude level AI (yeah, with all the same pro's and cons)
about 1 month ago
0
0
0
Damn, what a day. What a week. How am I supposed to get any work done this way.
about 1 month ago
0
1
0
I wonder if an AI assistant actually "understands" it when I say there's a "mikado effect" when you have to start to untangle a mess top to bottom in a particular order. Like, it's obvious for us, even looking at a picture of the game if you've somehow never played it. But for an AI?
about 1 month ago
0
0
0
dangit, school system not writing with proper punctuation caps and syntax actually proves you're human! the bots could never lower themselves to write invalid sentences!
about 2 months ago
0
1
0
`try { } catch (x) rethrow A,B { }` "but not A,B", "ignoring A,B", "dont catch A,B", "catch (x) if A,B", I dunno... Seems like an AbortError is a viable real world common candidate to get this treatment (arguably, that's "abusing" the throw mechanic as a side channel, but that ship has sailed)
about 2 months ago
0
0
0
Anyone know of a chess book that teaches you an opening by like puzzles and steps you through lines for a particular opening and explains most of them into the middle game, but also the ideas behind it, why certain moves are bad, etc? Maybe a bit modern? I'm not finding books that hit the spot :/
about 2 months ago
0
0
0
The axios compromise blast radius is much much much bigger than people seem to suspect. The secret: transitive dependencies with open ranges making it extremely obscure and difficult to detect whether you were affected, after the fact.
about 2 months ago
0
7
5
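Added example, not code from the post or from Socket: it shows why open ranges make the "was I affected?" question hard by walking an npm lockfile and listing every dependency chain whose declared range on axios would admit a given version, regardless of what the lockfile currently pins. The lockfile and the packages other than axios are constructed and hypothetical, and BAD_VERSION is a placeholder because the post does not give the compromised version.

```javascript
// Constructed sample in npm lockfileVersion 3 shape (flat/hoisted layout assumed).
// "app-helper" and "strict-lib" are hypothetical packages; BAD_VERSION is a placeholder,
// not the real compromised axios version.
const BAD_VERSION = "1.99.99";
const sampleLock = {
  packages: {
    "": { dependencies: { "app-helper": "^2.0.0", "strict-lib": "1.0.0" } },
    "node_modules/app-helper": { version: "2.1.0", dependencies: { axios: "^1.6.0" } },
    "node_modules/strict-lib": { version: "1.0.0", dependencies: { axios: "1.7.0" } },
    "node_modules/axios": { version: "1.7.0" },
  },
};

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Minimal semver check covering exact, "^" and "~" ranges only (what `npm install`
// writes by default); no `||`, `>=` or prerelease handling.
function satisfies(range, version) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const base = parse(op ? range.slice(1) : range);
  const v = parse(version);
  if (!op) return cmp(v, base) === 0;
  if (cmp(v, base) < 0) return false;
  if (op === "^" && base[0] > 0) return v[0] === base[0];
  if (op === "^" && base[1] === 0) return v[0] === 0 && v[1] === 0 && v[2] === base[2];
  return v[0] === base[0] && v[1] === base[1];
}

// Every dependency chain from the root whose declared range on `target` admits
// `badVersion`, regardless of the version the lockfile currently pins. A clean pinned
// version today does not prove the range never resolved to the bad one in the past.
function exposurePaths(lock, target, badVersion) {
  const pkgs = lock.packages, hits = [];
  const walk = (key, chain) => {
    for (const [name, range] of Object.entries(pkgs[key]?.dependencies ?? {})) {
      if (name === target) {
        if (satisfies(range, badVersion)) hits.push([...chain, `${name}@${range}`]);
      } else if (!chain.includes(name)) walk(`node_modules/${name}`, [...chain, name]);
    }
  };
  walk("", ["(root)"]);
  return hits;
}

// The pinned version is the only thing most "am I affected?" checks look at.
const pinnedVersion = (lock, target) => lock.packages[`node_modules/${target}`]?.version;
```

With the sample, the lockfile pins a clean axios, yet the chain through app-helper's `^1.6.0` range would have accepted the placeholder bad version, while strict-lib's exact pin would not.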
Dog ate my homework -> Claude rimraffed me, sir.
about 2 months ago
0
0
0
Arguably, it's okay to reduce your phantom opaque rate limits down to borderline useless when your users still won't hit these new limits (either) anyways, right? Because you can't reach rate limits WHEN THE PRODUCT HAS AN INCIDENT/OUTAGE ALL THE TIME :smart: oof.
about 2 months ago
0
0
0
Yikes.
socket.dev/blog/axios-n...
Supply Chain Attack on Axios Pulls Malicious Dependency from...
A supply chain attack on Axios introduced a malicious dependency,
[email protected]
, published minutes earlier and absent from the project's GitHu...
https://socket.dev/blog/axios-npm-package-compromised
about 2 months ago
0
1
1
Wtf? Just sitting in a semi public book case. For like, casual reading?
about 2 months ago
1
0
0
45min was more like uhhh 10h Terraria board game. Game was ok, price way too high for the low replay value. No unlocks or anything and little variation is kind of disappointing for 2026? We only spawned one (unavoidable) boss, missed the others due to rng. Focused on the wrong game components imo.
2 months ago
0
0
0
Oldschool JS, is that code from like two years ago?
2 months ago
0
1
0
Ok good thing we didn't reassign tab to AI auto-complete. In five years nobody gonna be auto-completing anything anymore. Waste of effort.
2 months ago
0
0
0
New rule: public github repos cannot have any secrets. Must use private or public-proxy read-only repos (where only owners/contribs can make PRs) for releases and CI stuff. It's obvious github can't get on top of the github actions exfil stuff. Seems like a plausible way to squash that vector?
2 months ago
1
1
1
- Create this random html canvas game
- Now create a down sampled terminal renderer for it
I love vibe coding.
2 months ago
1
1
0
Hey, it's spring time! Oops.
2 months ago
0
0
0
Impressive. Claude was able to deobfuscate socket.dev/npm/package/... completely! Preval tripped over the use of `with()` (I never bothered to support that) so I was hand decoding it. But I figured, why not let Claude try and it delivered. I think it's just another Contagious Interview tho.
https://socket.dev/npm/package/es-lint-builders/files/1.0.5/test.js
2 months ago
0
1
0
I spent a day perusing the last few months of openvsx packages and digging up worms. Glassworm actually seems to be the only active campaign right now on openvsx (or whatever else is going on is hiding it reaaaal good. Though these are 10mb+ packages so who knows right) The rest are just one offs.
2 months ago
0
3
0
So you published their name, basically doxxing them? :slow-clap: Why would you consider that news worthy other than the news event itself? Did the world need to know the artist name? Really? I think you destroyed something under the guise of investigative journalism. Hope you're proud. Pathetic.
2 months ago
0
1
0
Hmmm, Tenko is passing test262 again. All tests except one "staging/sm" where I think spidermonkey is just wrong for backwards compat reasons so I'm ignoring that. It's even prepared for "using", later on. Good maintenance cycle.
3 months ago
0
0
0
You catch more bugs in dark mode. Because it's an edge case, apparently most people develop in light by default, and it's easy to miss contrast issues.
3 months ago
0
0
0
So, you have an AI that writes up a message body that injects my profile, making it look real, but then forget to scrub the emoji clearly designed to catch automation
3 months ago
0
2
0
One of these days github is going to ban me for putting all that deobfuscated malware into my gists just to share them with the team
3 months ago
0
0
0
Why is the KLM website always broken? Holy shit and they wonder why business is bad. OOF.
3 months ago
0
0
0
I think we observed hacker-claw do this thing where it compromised a package, post a repo level GHSA for that version, then post another version of the package a little later. They were baiting people to upgrade beyond the bad version. Can't prove whether that was the strat but sure looks like it...
3 months ago
0
1
0
reposted by
Peter van der Zee
Socket
3 months ago
minimatch patched 3 high-severity ReDoS vulnerabilities that can stall the Node.js event loop. Because it's pulled into nearly every corner of the #NodeJS ecosystem (~472M weekly downloads), we're releasing free Certified Patches for all three.
socket.dev/blog/minimat...
#JavaScript
minimatch Patches 3 High-Severity ReDoS Vulnerabilities - So...
minimatch patched three high-severity ReDoS vulnerabilities that can stall the Node.js event loop, and Socket has released free certified patches.
https://socket.dev/blog/minimatch-patches-3-high-severity-redos-vulnerabilities
0
6
4
Oh, is "await using" not actually part of the spec yet because it was promoted to stage 4 too late and has to wait for the ES2026 release? I think I've been chasing my own tail here :/
3 months ago
1
1
0
reposted by
Peter van der Zee
Socket
3 months ago
We detected 26 malicious npm packages using Pastebin steganography and Vercel staging to deploy a multi-stage credential stealer targeting developers. We're tracking this campaign as "StegaBin." Full research:
socket.dev/blog/stegabi...
#NodeJS
#JavaScript
StegaBin: 26 Malicious npm Packages Use Pastebin Steganograp...
Socket uncovered 26 malicious npm packages tied to North Korea's Contagious Interview campaign, retrieving a live 9-module infostealer and RAT from th...
https://socket.dev/blog/stegabin-26-malicious-npm-packages-use-pastebin-steganography
0
6
3
test262 is great. in the era of AI that test suite is all you need to make a pixel perfect parser with AI without worrying too much about introducing regressions. Which, apparently, I have quite a few of in the private fields implementation. Oops.
3 months ago
0
1
0
If you ship obfuscated code in packages you're just hurting the security of your package, your users, the ecosystem at large, and making your package look more suspicious by default. And to what end? We CAN deobfuscate it regardless. Leave obfuscation to malware so we can more easily identify them.
3 months ago
0
2
0
Ah shucks. this is the thing I found too.
kmsec.uk/blog/dprk-te...
:clap: I mean, I went a bit deeper than that but the steganography was the cool part about this whole thing. the rest is "boring" (okay, well there's some interesting stuff still...)
Novel DPRK stager using Pastebin and text steganography | kmsec.uk
Seventeen npm packages released in 2 days use a mischievous stager mechanism
https://kmsec.uk/blog/dprk-text-steganography/
3 months ago
0
0
0
Meanwhile, back in the lab: huh, what?? Again??
3 months ago
1
0
0
Okay. Resolved all outstanding issues, squashed bunch of bugs (actually kind of sad that there were that many), brought compliance up to ES2025, and um I guess that's it. Going to cut a new release for Tenko soon. Not expecting anyone to really care. I just had enough of parse failures in preval (:
3 months ago
1
1
0
Okay. I think Tenko now supports everything up to ES2025, bugs notwithstanding. There were some outstanding reported bugs that I'll squash too. Probably release a new version later this week. Maybe. But it's all on git. And nobody but me uses it anyways so who cares :D
3 months ago
0
2
0