Hacker News: dudeinjapan's comments

What if your boss is named Mr. Richard Head?

Phil O. Kephalos

Amanda try to be like.

Perhaps you’ve never heard of Tay?

Microsoft did pioneering work in the Nazi chatbot space.


Fwiw Tay was unintentional and was shut down immediately upon realization… very good case study for safety folks!

TLDR; Bill Gates has blood on his hands.

Are you affected? Run the affected program. OK, now you are definitely affected.

Says the malware is in a post-install script - that will not be called by nx, but i.e. after an npm install

Consider anything pre or post attached to the package as tainting the package.
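The lifecycle-script point above, as an added example that is not code from the thread or from any npm package: a small Ruby audit that lists every package in a node_modules tree declaring an install-time script. The package names, versions and script contents are constructed for the example, and the hook list is an assumed practical minimum rather than npm's full lifecycle specification.

```ruby
# Added example, not from the thread: audit a node_modules tree for packages that
# declare install-time lifecycle scripts, which npm runs on every `npm install`.
require "json"
require "fileutils"
require "tmpdir"

# Hooks npm runs while installing a dependency. Assumption: a practical minimum,
# not an exhaustive list of every npm lifecycle event.
INSTALL_HOOKS = %w[preinstall install postinstall].freeze

# Subset of a parsed package.json "scripts" table that runs at install time.
def install_scripts(pkg)
  scripts = pkg["scripts"]
  return {} unless scripts.is_a?(Hash)
  scripts.select { |name, _| INSTALL_HOOKS.include?(name) }
end

# Walk a node_modules tree; one finding per package that declares install hooks.
def audit_node_modules(root)
  Dir.glob(File.join(root, "**", "package.json")).sort.filter_map do |path|
    pkg = JSON.parse(File.read(path))
    next unless pkg.is_a?(Hash)
    hooks = install_scripts(pkg)
    next if hooks.empty?
    { name: pkg["name"], version: pkg["version"], path: path, scripts: hooks }
  rescue JSON::ParserError
    nil # unparsable manifest: skipped here, worth a look by hand
  end
end

# Constructed sample tree: one clean package and one with a postinstall hook
# (names and script contents are made up for this example).
def write_sample_tree(root)
  {
    "clean-lib" => { "name" => "clean-lib", "version" => "1.0.0",
                     "scripts" => { "test" => "node test.js" } },
    "hooked-lib" => { "name" => "hooked-lib", "version" => "2.3.4",
                      "scripts" => { "postinstall" => "node setup.js", "build" => "tsc" } }
  }.each do |dir, pkg|
    FileUtils.mkdir_p(File.join(root, "node_modules", dir))
    File.write(File.join(root, "node_modules", dir, "package.json"), JSON.generate(pkg))
  end
end

# Usage: Dir.mktmpdir { |t| write_sample_tree(t); p audit_node_modules(t) }
# reports only hooked-lib, with { "postinstall" => "node setup.js" }.
```

Run it over a tree produced with `npm install --ignore-scripts` (a real npm flag) so nothing executes before you have seen the list.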

Consider your entire system tainted, nothing is trustworthy at this point. Wipe and rebuild from known good media.

The malware is "luckily" written in javascript and as such quite easy to analyse. No manipulation outside of .zshrc or .bashrc and a temp txt file.

That's what the code you can see now does. It may or may not be the same as what ran.

Nope, because the script was committed to upstream and you can review what ended in the package.

It seems a lot of general "wisdom" here is thrown by people who have not looked into this particular incident or are unfamiliar with js node dev in general.


Correct, luckily, but all it takes is one eval. So be diligent about checking. However, like you said, luckily it’s JavaScript and there’s a history online that you can see.

Be wary of binary wasms though, harder to analyze. In the end, because it was published and npm allows you to see the history, we can all see.

Still, from a security standpoint, anything within a “package” that is compromised, compromises the package. Don’t install it. Wait for the fix.


WASM should be easier to analyze since you can't look at what functions the WASM imports to do side-effects.

Oh good. I guess running the actual program was too many steps.

It might be even better than that:

Create a blog post about a security issue. Post it on HN and get upvotes. Find people who believe they might be affected. Let them run the affected program. Boom.


Either I've grown old and bitter enough that I think this is likely the case, or this is just a rational take and most likely what happened.

I'm not sure which is worse.


I still like Ruby. 15+ years in, I find myself in the camp of not wanting it to change. 25-year-old me would have been totally jazzed about the addition of namespaces in Ruby 3.5/4.0. 40-year-old me wants namespaces to get off my Ruby lawn.


In your camp, waving a flag. I love Ruby's simplicity when it comes to rapidly prototyping something, and find the wails about production type errors puzzling.

Only thing I've come near that gave me as much joy was Elixir, and I simply didn't have time to pick it up more than the most generic basics.

my mind just likes a.any? {|x| x.someCondition? }


Doesn't Ruby essentially already have namespaces, in terms of having modules? If one has proper modules, why would one ever need an alternative, weaker, concept for referring to things?


To make sure code loaded from gems doesn’t shadow the namespace of the application.


Right. Today Ruby has essentially a global namespace, where every defined module/class/const is put in the same "global dumping ground" and can override/"monkey patch" each other.

Ruby 3.5 will introduce a new language keyword "namespace" that scopes behavior to that namespace.

  class Foo
    def foo; puts "foo"; end
  end

  namespace Bar
    class Foo
      def foo; puts "bar"; end
    end

    Foo.new.foo #=> "bar"
  end

  Foo.new.foo #=> "foo"

Fun times.

This is intended for isolated code loading similar to "modules" in Python or ES6, but I am worried it will be abused badly. I'm also unsure whether they will add a "use Namespace" construct...

See here: https://bugs.ruby-lang.org/issues/21311
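The shadowing problem the comments above describe, as an added example that is not code from the thread or from the Ruby proposal: in today's global namespace a top-level `class Foo` in code loaded from a gem reopens the application's `Foo`, while the wrap argument of `Kernel#load` (an existing Ruby feature) runs the file inside an anonymous module and leaves `::Foo` alone. The fake gem source and the `Foo` class are constructed for the example.

```ruby
# Added example, not code from the thread: a top-level `class Foo` in code loaded
# from a gem reopens the application's Foo; load(path, true) isolates it instead.
require "tempfile"

class Foo
  def foo
    "foo"
  end
end

# Constructed stand-in for a third-party gem that also defines a top-level Foo.
GEM_SOURCE = <<~RUBY
  class Foo
    def foo
      "bar"
    end
  end
RUBY

# Write the fake gem to a temp file so it can be loaded like a real library file.
def with_fake_gem
  Tempfile.create(["fake_gem", ".rb"]) do |f|
    f.write(GEM_SOURCE)
    f.flush
    yield f.path
  end
end

# load(path, true) runs the file under an anonymous module: the gem's Foo is
# created there and the application's ::Foo is left untouched.
def isolated_load_result
  with_fake_gem { |path| load(path, true) }
  Foo.new.foo
end

# Plain load runs at the top level: `class Foo` reopens ::Foo and replaces #foo,
# the "global dumping ground" behaviour the namespace proposal is meant to fix.
def global_load_result
  with_fake_gem { |path| load(path) }
  Foo.new.foo
end

# Run both in this order; the second call permanently alters ::Foo.
def shadowing_demo
  [isolated_load_result, global_load_result] #=> ["foo", "bar"]
end
```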


Dude where's my Metaverse?


There should be a universal human standard to define what extreme poverty is--i.e. the amount needed to secure food, shelter, and clothing--and then that amount should be assessed country-by-country (or region-by-region) by an independent body. The number of $3 per day is well above the "basic needs" threshold in some of the poorest countries, and well below it in the US, for example.


Makes you wonder what the real purpose of that number was. Must have served some agenda, because saying some people live on less than $3 (when it's not a fair statement) definitely could serve a purpose.


How is that not a fair statement?


$3 USD can buy you basic things per day like food, but it won’t buy you that in America, for example. It’s not a fair metric at all.

$3 buys you various foods in various parts of the world, which would not put you in abject poverty.


$3 a day makes you filthy poor in South America and probably everywhere besides India but there are still poorer people there.


Can’t look at it like that.

Does the person buy food and basics per day? Then don’t worry about what the dollar amount equates to. It’s a ridiculous metric when it comes to measuring abject poverty.


This is addressed in the article - see the section titled "Estimating comparable national distributions". (In short: income is being scaled relative to purchasing power parity.)


In fairness I've met people who in a work context say "Yes, absolutely!" every other sentence, so Claude is just one of those guys.


Cursor Bot on GitHub feels like a significant step forward, catches tons of stupid mistakes, typos, etc. better than 95% of human reviewers can. The days of needing 2 reviewers on a PR are over IMHO, allows human reviewers to focus on broader architectural decisions.

