Today is a big day for @socket.dev. We raised a $60M Series C at a $1B valuation, led by Thrive Capital. 20,000+ orgs, 1.5M repos protected, 1,000+ supply chain attacks blocked per week. 3/5 FAANG companies are customers. We're just getting started.

🚨 node-ipc is compromised again. Three malicious versions (9.1.6, 9.2.3, 12.0.1) published via expired-domain account takeover. Payload steals credentials, SSH keys, cloud tokens, .env files and exfils over DNS. Socket flagged them as malware within 3 min. Details: socket.dev/blog/node-ip...

. @socket.dev just acquired @secureannex.com, the extension security company built by @johntuckner.me. John is joining Socket. John built Secure Annex as a solo founder into a product that security teams at Reddit, Brave, Torq, and Movable Ink depend on.

I tried this out again recently. It’s a cool feature but it requires EVERY dep to be exceeding well behaved and defined. It also relies on NODE_PATH and has weird issues with esm. Unfortunately something like this needs a runtime solution to work generally.

Anyone publishing rel-alternate type-text/markdown link tags to their sites? `<link rel=”alternate” type=”text/markdown” href=”foo.md” />` Would enable discovery of a #markdown representation of the same content. /cc @bret.io

@pnpm.io's experimental global virtual store is brilliant. The install performance gains are a game-changer for git flows. You get near-zero per-worktree overhead and instant installs for new worktrees as packages are already in the global store. @kochan.io can't stop making pnpm better 🤌

And this is what that app contained. (Thankfully I never ran it)

Axios maintainer confirms the npm compromise was caused by a targeted social engineering attack that led to full access to his GitHub and npm accounts. Open source maintainers continue to be high-value targets in supply chain attacks. socket.dev/blog/axios-m...

If it’s anything like what they attempted with me then a new modus operandi is to create social credibility and even group pressure, then have a planned video call on a faked version of a real streaming service, then show credible errors and urge to download a native app. This is what I got:

Buy my graphics card! www.ebay.com/itm/29816448...

Whats your favorite SaaS subscriptions/billing/invoicing reference implementation?

Good thing I posted this because a 1st party preact adapter released 3 days later lol

Small tutorial post on using @tanstack.com with @preactjs.com bret.io/blog/2026/si...

+1 to all this. More-or-less the same experience even. Very open to things. If anyone is hiring.

Pulled it off

Good reference. Thanks for sorting that out in one place.

I mini-racked my network. Next step is to fit the orange case into 1U somehow.

Why doesn’t anyone sell a charging cubby optimized for horizontal slots. They are all vertical.

Anyone have old Mac minis they have sitting around and want to sell me?

We’re system architects at core. We built a decentralized network so you could run your own moderation, but beyond that our upcoming healthy discourse project is taking some swings at the interaction model that drives these dynamics on Bluesky. Excited to start seeing it in action.

Recognition for Sarah! So deserved! @sarahgooding.bsky.social

Maintainer compromises used to be rare. Now they’re happening at an alarming rate, as seen in recent attacks. Today we’re giving developers a new layer of defense with Socket Firewall, a free tool that blocks malicious dependencies at install time.

🚨 Open source supply chain attacks are exploding. Starting today, that ends. We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI. Just run: npm i -g sfw sfw npm install lodash Works for: npm, yarn, pnpm, pip, uv, and cargo.

Anyone know a good leader election library that either uses pg or redis on the backed? Basically, in a horizontally deployed service, I need one instance to do something unique, and something else to take over when it disappears.

Gigantic OOOOOF on this one.

Reminder that the major thing that made GitHub succeed over Google Code, Sourceforge etc is to be found in its initial tagline: “Social coding” GitHub added a social network on top of the code – highlighting the people rather than just the lines Any successor to it needs to solve the social layer

Didn't know @pfrazee.com was moonlighting at openai

You can now view and edit your auth tokens in your account page. More auth token features like a CRUID ui and old token cleanup coming soon. Sorry for the slow pace of development lately, just trying to get core features implemented correctly.

Y'all don't sleep on ls-mcp It's a quick access CLI to detect and list all MCP servers across your AI tools stack

I ported the Tron Legacy theme to @zed.dev

Is there such a thing as a userQueryState hook? Basically use state but reactive in and out of the query string.

One million sites 🎉

deploy-to-neocities helping deploy 1k personal websites! Glad to see it!

Is there any good domain registrar left? (Independently run, well made, decent prices?) seems iwantmyname sold out recently.

I think it may finally be time to drop .io domains. These stupid things cost $100/yr!

This is just going to get worse with AI, when people finally realize the only things these create are derivative ripoffs of original work. Goes for code too!

Looking for prior art: dissecting GitHub repos into sub-projects, specifically in monorepos.

I finally posted my writeup on my Steam Machine project bret.io/blog/2025/yo...

Technology is a fractal for which we are stuck in an ever narrowing corridor

Why we built a new Kafka client for Node.js The Node.js world needs better tools. Here’s what you need to know: Apache Kafka is vital for real-time data. It powers many businesses, especially in Fintech and Media. These fields see heavy data usage and need reliable solutions.

Anyone recommend a good image viewer component? Doesn't need to be react

goversion/v2 is out. Turns out maybe people were right: major versioning in go is a super big headache. Not only do you have to update the go.mod file, but also every self reference in every .go file. AND pkg.go.dev and docs. goversion updates go.mod and .go now too github.com/bcomnes/gove...

Me subscribing to one more RSS feed

Is there a DockKit gimbal that works with the Apple TV FaceTime?

We just bought a company. Why? Because vulnerability scanning is fundamentally broken. And I’m tired of pretending it’s fine. We acquired Coana, the best reachability analysis engine on the planet.

Funny enough, the LLMs I consulted around go project layout weighed heavily the golang-standards/project-layout reference. However I guess the training data didn't parse out rsc's comment regarding that effort: github.com/golang-stand...

I wrote another new go tool called goversion. It's like npm version for go, and it works with the new go tool directive. github.com/bcomnes/gove...

I wrote another new go tool called goversion. It's like npm version for go, and it works with the new go tool directive. github.com/bcomnes/gove...

FINALLLLYYYY!!! YUSSS