GraphMaker for easy graph building: describe in English what nodes and edges you want, and it handles the rest via OpenAI's help. Support for trees, DAGs, styling, saving in multiple formats etc. Work in progress, please send @CRGenovese and me feedback!.

Direct link to post:

On the @stdlibjs blog, we just published my take on @METR_Evals's surprising study: AI tools made experienced developers 19% slower (expectation: 40% faster!)🤯.I dive into the why, where AI coding tools actually help, and how I've shifted from handholding AI to async delegation.

Read more:

Undocumented Protestware.We found hidden functionality in 28+ npm packages that disables UI for Russian-language users visiting .ru or .by domains. No CVEs. No advisories. No documentation. Just behavior-based disruption quietly copied into packages and shipped to production.

Full story on the blog:

North Korean XORIndex Campaign.The latest "Contagious Interview" wave includes 67 new malicious packages with a previously unknown malware loader, accumulating over 17,000 downloads. These state-backed attackers are evolving quickly, using multiple loader variants in parallel.

Two major npm supply chain discoveries this week from the Socket Research Team highlight a critical gap in traditional security approaches. Both threats would slip past security tools that rely on vulnerability databases or metadata alone.

These packages, disguised as "the cheapest Cursor API," install backdoors that steal credentials and modify crucial files. In total, sw-cur, sw-cur1, and aiide-cur have been downloaded 3,200+ times before discovery. Read more on the Socket blog: .

🚨 With vibe coding being on everyone's minds and AI code generations seemingly becoming ubiquitous, it is not surprising that this attracts also malicious actors. Kirill Boychenko just uncovered three malicious npm packages targeting Cursor users on macOS.

Over the last few months, I have been picking up Cursor again after finding it not substantially improving my productivity when I tried it last year. It, and the LLMs powering AI code completions, have gotten so much better that I now really enjoy its agent workflow.

The attack takes advantage of the open nature of Go's ecosystem, where it is challenging to distinguish authentic packages from malicious ones due to namespace ambiguity. Check out our detailed analysis, IOCs, and protective measures: #CyberSecurity

The Socket research team discovered a supply chain attack involving obfuscated Go modules that come with devastating disk-wiping payloads. With just one line of code, these modules retrieve and run a script that zeros out storage devices, rendering data recovery impossible.

The threat actor started publishing these packages in 2021, consistently employing comparable strategies while remaining undetected. Full technical analysis here:.

These packages use embedded credentials to connect to Gmail's SMTP server, relay signals to emails under the control of attackers, and initiate WebSocket connections that can bypass firewalls since the connection starts from within the network.

The Socket research team discovered seven "Coffin-Codes" packages that leveraged Gmail's SMTP protocol to create covert channels for extracting data and executing commands.

Remember: If any code asks for your seed phrase, there's no salvation - it's not a feature, it's a scam. Full research here:

With over 8,000 combined downloads, these digital highwaymen use Google Analytics and Telegram for exfiltration - truly where the wild roses grow. While Socket is celebrating our launch week and Coana acquisition, the bad actors never take a break.

Uncovering "The Bad Seeds" in Package Registries. We have identified three malicious npm and PyPI packages that, like their namesake, are doing the devil's work - harvesting crypto wallet credentials while posing as innocent developer tools.

RT @feross: We just bought a company. Why? Because vulnerability scanning is fundamentally broken. And I’m tired of pretending it’s fine.….

What makes these attacks concerning is that they. target business-critical workflows.use sophisticated disguises that implement legitimate functionality.execute at specific runtime events, not installation. The malicious packages have been reported and are removed. Stay vigilant!.