A grey hoodie with text which reads: “Buy a man eat fish, He day, teach fish man To a lifetime.”
Wise words
Not that this is very surprising. But people are using these things for everything, so it'd probably be good to be aware of this sort of behavior.
Well, I'll be!
Within three to six months, 9000% of all new code will be written by AI.
New @react.dev patches released today for CVE-2026-23864. Fixes for DoS issues reported by several people, including Yours Truly 🙂
The blog post at react.dev/blog/2025/12... has been updated with the new info.
O(n²) works great until n+1.
me: move fast and break things
my dentist: what
scoreboard
The way you handled my semi-coherent devalue reports only reinforced my already high opinion of the Svelte team.
Huge props to the @svelte.dev team for an exceptionally well-handled vulnerability process, despite my terrible timing of reporting the devalue issues just before New Year’s Eve 🙂
A graph by National Agriculture Statistics service: "Actual and Trend Yields for Corn" (with the years 1886-2022 crudely crossed over).
AND THEY EXPECT US TO BELEIVE THIS IS "JUST A COINCIDENCE" ?? !?
Two graphs, the first one being "Preact.js downloads over time" 2015-2025, the other being "UFO sightings over time" 1940-2015, showing a vaguely similar increasing trend over time.
OPEN YOU'RE EYES 👁️👄👁️
◉‿◉
Meta's "Want to subscribe or continue using our Products free of charge with ads?" dialog that forces you to choose between subscribing for 5.99€/month and having your data processed for ads.
Pretty cool that you have to create a Facebook account to file a vulnerability report to Meta.
VSCode Settings tab with chat.disableAIFeatures feature toggled on.
TIL there's a VSCode setting called chat.disableAIFeatures.
Wishing you all an Extralight Semibold New Year! soundcloud.com/extralight-s...
Merry Glutmas! ✨
A screenshot of the gym app telling "your strongest muscle group is glutes", accompanied by a diagram highlighting those muscles.
Turns out that the gym app has a Year in Review feature, and I'm now contemplating a side hustle as a part-time nutcracker.
Merriam-Webster’s human editors have chosen ‘slop’ as the 2025 Word of the Year.
Last month was one of those years that feel like a decade.
A quote from RFC 6238: "The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP."
In the end, it would be best if NPM just blocked TOTP reuse.
TOTP stands for “Time-based One-Time Password,” after all. The “one-time” property is important enough to account for 50% of the acronym. 🙂
Even the spec explicitly calls for blocking reuse: datatracker.ietf.org/doc/html/rfc... 6/6
What should you do as a package maintainer?
I’d argue that “don’t get phished” isn’t very constructive advice. To err is human.
Upgrading to phishing-resistant 2FA methods such as passkeys is a good idea. See docs.npmjs.com/configuring-...
But this would require all maintainers to act. 5/
So, with a single phished NPM TOTP token + password combo, a well-prepared (automated?) attacker can quickly list your packages, downgrade some of their publishing requirements, and then create a granular token.
This extends the attacker's window for publishing nasty versions of your packages. 4/
The “require 2FA for publishing” setting can’t be downgraded without a 2FA check.
But the attacker can reuse the phished TOTP code to perform a downgrade and allow publishing with “a granular access token with bypass 2FA enabled.”
Granular access tokens can be created without any 2FA checks. 3/
In NPM, a package can be configured to require 2FA for publishing (“Require two-factor authentication and disallow tokens”).
However, if an attacker phishes your password and a valid TOTP code, they can reuse them to publish packages in your name.
But at least the time window is limited, right? 2/
To recap, NPM allows 2FA TOTP token reuse within the token’s validity window.
I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.”
So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/
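An added example, not part of the thread above and not NPM's code, showing the RFC 6238 behaviour the thread relies on: a TOTP verifier that remembers the last time step it accepted for an account and refuses any code at or before that step, so a code phished during one login cannot be replayed for a second action inside its validity window. The per-account secret, timestamps and the `window` size are constructed values; the two 8-digit test vectors are taken from RFC 6238 Appendix B.

```python
import hashlib
import hmac
import struct

STEP = 30    # RFC 6238 default time step, in seconds
DIGITS = 6   # typical authenticator-app code length


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(key, at // step, digits)


class TotpVerifier:
    """Verifier that accepts each code once, as RFC 6238 section 5.2 requires.

    In a real service the `last_accepted_step` value is stored per account
    (database row, not object attribute); a single-account object is enough here.
    """

    def __init__(self, key: bytes, window: int = 1, step: int = STEP):
        self.key = key
        self.window = window          # steps of clock skew tolerated on either side
        self.step = step
        self.last_accepted_step = None  # highest time-step counter already consumed

    def verify(self, code: str, at: int) -> bool:
        current = at // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            # constant-time comparison so the check itself leaks nothing about the code
            if not hmac.compare_digest(hotp(self.key, candidate), code):
                continue
            # Replay guard: a counter at or below the last accepted one is refused,
            # which blocks both the same code and an older still-in-window code.
            if self.last_accepted_step is not None and candidate <= self.last_accepted_step:
                return False
            self.last_accepted_step = candidate
            return True
        return False


def replay_demo():
    """Constructed scenario: a code is used once, replayed, then a fresh code follows."""
    key = b"constructed-demo-secret!"   # hypothetical per-account TOTP secret
    verifier = TotpVerifier(key)
    t0 = 1_700_000_010                  # constructed timestamp on a step boundary
    code = totp(key, t0)
    first = verifier.verify(code, t0)                          # legitimate use: accepted
    replay = verifier.verify(code, t0 + 10)                    # same code, same step: refused
    later = verifier.verify(totp(key, t0 + STEP), t0 + STEP)   # next step's code: accepted
    return first, replay, later


if __name__ == "__main__":
    print(replay_demo())
```

A verifier without the `last_accepted_step` check is exactly the behaviour the thread describes: every action attempted inside the same 30-second step (plus any skew window) passes with the one phished code. Storing the counter per account costs one integer and turns a reusable code back into a one-time one.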
Update on React Server Components CVE-2025-55182: over 165K IPs & 644K domains with vulnerable code found on 2025-12-08 after scan targeting improvements!
See: dashboard.shadowserver.org/statistics/c...
Check for compromise & patch!
Thank you to Validin & LeakIX for the collaboration!
From the thread: "Attacks from bot compromised Next.js assets spiked on 2025-12-05 from the usual 100 IP baseline to close to a 1000."
If you're not 100% sure you're NOT vulnerable, you should patch your Next.js apps ASAP.
And if you're 100% sure... patch anyway.
Super Mario style warp pipe, with two feet sticking out of it.
I must go, my people need me.
(Nintendo Museum, Kyoto)
There are things I will not let go of, but I also don't want to become one of those permanently aggrieved people whose personality has been wholly replaced by three grudges in a trenchcoat.