TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

100% Positive

Analyzed from 302 words in the discussion.

Trending Topics

#https#deno#security#supply#chain#com#email#where#singapore#didn

Discussion (7 Comments)Read Original on HackerNews

Muromec18 minutes ago
I had an email like that last week, where sender claimed to be from Singapore, but the company and the person were not searchable on the blue site and their interview scheduling link didn't match Singapore timezone, while the domain was registered through an Indian registrar. The email didn't sound right somehow.

I almost scheduled a call with them and even self-explained that of course they would be on Pacific time, it's where the money is.

I do have some npm packages under my name and they found me through github, so here is that.

ThreatSystemsabout 2 hours ago
I run training courses on developer security to broaden their understanding of threat surface from their behaviour, day-to-day tooling, the repositories they work on and broader supply chain. One of the modules covers this exact scenario, it's amazing how many people do these exercises on corporate machines let alone their personal device!

There are mitigations you can put in place by using containers, virtual machines or even the execution environment e.g. Deno's ability to block/whitelist network calls[0], Bun's --ignore-scripts [1] and supply chain package managers have made some strides here like pnpm [2]. But it's knowing your threat surface and how to use your tooling which can be quite overbearing on cognitive load, especially in fast paced scenarios like "job of a lifetime offer!" from linked in.

Easiest way by default is to use ephemeral VMs / Sandbox Containers for such tasks which don't have mounted directories to your system etc. Or spin up a cheap EC2 / VPS to work on them in a short period of time.

[0] - https://deno.com/blog/deno-protects-npm-exploits and https://docs.deno.com/runtime/fundamentals/security/

[1] - https://bun.com/docs/pm/lifecycle

[2] - https://pnpm.io/supply-chain-security

[2] - https://

tptacekabout 3 hours ago
I snagged right away at "the kind of low-level reliability judgment that most teams only notice when something breaks." Real people don't talk like the J. Peterman catalog.
bobkbabout 2 hours ago
This type of attack is going on for few years now. I had 2 in my credit.

Some details https://freebird.in/malicious-code-source-code-shared-via-jo...

timfsuabout 3 hours ago
Wow, this is pretty scary. LLMs have made phishing attempts look so much more legit, and the damage they can do so much greater.