Vũ Nhật Lâm in blog.fiscybersec.com · 11h ago · 7 min read
"Atomic Arch": 400+ AUR Packages Hijacked to Deliver an eBPF Rootkit and Infostealer
Executive Summary An attacker spoofing a trusted maintainer on the Arch User Repository (AUR) adopted and trojanized more than 408 packages — and according to Sonatype, the figure may have reached rou

404 Founders in 404-founders.com · 3d ago · 3 min read
Mastra npm Packages Compromised: 140+ Packages Target Crypto Wallets
Someone added a malicious dependency to over 140 Mastra AI framework packages on npm. The payload targets cryptocurrency browser extensions and steals wallet credentials. CVE: N/A Severity: High Affec

Mohit Nagaraj in blog.kubeorch.dev · 4d ago · 7 min read
Why I Stopped Using npm Tokens in GitHub Actions
I recently found out about npm's Trusted Publishers, and my immediate reaction was: wait, this is so much cooler than the token method. If you have ever published an npm package from GitHub Actions, y

Olawale Aregbe in theshippinglog.hashnode.dev · Jun 17 · 4 min read
The Shipping Log, Day One: Why I Built Two npm Packages for Nigerian Developers
I'm Marcus. I write code in Ibadan, Nigeria, and I taught myself most of what I know. No bootcamp. No computer science degree. I'm currently finishing a Business Management degree at Miva Open Univers

Doug Niccum in blog.dniccumdesign.com · Jun 17 · 5 min read
Stop sharing your variables in Slack
Onboarding sucks The delicate balance of providing enough information so an employee feels informed while not having their brain explode from too much data can feel impossible at times. When I onboard

Lưu Tuấn Anh in blog.fiscybersec.com · Jun 16 · 11 min read
Shai-Hulud Returns: When Just One pip install Command Can Steal All Your Secrets
Overview of the campaign June 2026 marked a concerning escalation of the malware supply chain campaign named Shai-Hulud, as new variants expanded from the Node.js ecosystem to Python, directly affecti

Chintan Shah in chintanshah35.hashnode.dev · May 29 · 7 min read
winston vs pino in 2026: A Production-Tested Comparison
I ran both winston and pino in production Node.js APIs over the past two years. Both are excellent. Both are well-maintained. Both have millions of weekly downloads. But they're built for different pr

Alex Rogov in alexrogov.hashnode.dev · May 29 · 9 min read
Shipping archkit v0.1: a TypeScript Clean Architecture scaffolder built in one Claude Code session
I got tired of typing the same boilerplate every time I started a new TypeScript library. Not src/index.ts tired — architect tired. Every new lib starts with two hours of "where does the domain go?",

Badmus Sulaimon in haryobamy.hashnode.dev · May 20 · 6 min read
I Got Tired of Rewriting the Same Crypto Integration Code, So I Built a Package
Every time I needed to add crypto off-ramp to a Nigerian app, I spent the first two days doing the same thing. Figure out YellowCard's HMAC-SHA256 auth. Read through Quidax's Postman docs. Write rate-

Prajwal M in glitch-guy0.hashnode.dev · May 13 · 8 min read
How to Use Private Git Repositories as Internal npm Packages with Multiple GitHub Accounts
What We Are Going to Cover In this post, we explore how to manage internal npm packages for your projects without publishing them publicly. We start with the basics of using Git repositories as depend