Josh Junon

@bad-at-computer.bsky.social

Coding @ github.com/qix-, making an operating system @ github.com/oro-os

449 Followers  |  33 Following  |  79 Posts  |  Joined: 03.11.2024  |  2.0207

Latest posts by bad-at-computer.bsky.social on Bluesky

Lrrr from Omicron Persei 8 (Futurama)
it's true what they say; 8 comes from 010, false comes from Norway

03.10.2025 22:34 — 👍 7    🔁 0    💬 0    📌 0

From your perspective, what's the most painful part of deploying or managing such systems?

03.10.2025 22:19 — 👍 0    🔁 0    💬 0    📌 0

Come to Germany, we have pumpkin everything here

02.10.2025 11:19 — 👍 1    🔁 0    💬 0    📌 0

Yes. You should. But also there's nothing wrong with this, either.

28.09.2025 22:36 — 👍 1    🔁 0    💬 0    📌 0

Honestly start with Unity. It might not be your "forever engine" but it's super approachable, easy to learn, and C# is probably one of the softer introductions to programming that there is. Much of what you learn there will be transferable knowledge to other engines.

21.09.2025 09:08 — 👍 0    🔁 0    💬 0    📌 0

Hugops going out to everyone affected by the worm today. Ping me to DM and AMA if you've been affected. Will guide and assist as best as I can.

16.09.2025 13:26 — 👍 4    🔁 0    💬 0    📌 0

That's wild. Alt would have been kind of fun.

16.09.2025 06:34 — 👍 1    🔁 0    💬 0    📌 0

Also shoutout to the GH employee that reviewed the CVE request in minutes; I assume that was a real human doing that. Thank you.

15.09.2025 19:24 — 👍 5    🔁 0    💬 0    📌 0

(and sorry for taking so long, I didn't quite know how to go about doing anything like this at this scale before. I will definitely document this for others to get an idea, hopefully it saves some headache later)

15.09.2025 19:22 — 👍 7    🔁 0    💬 1    📌 0

debug: CVE-2025-59144
error-ex: CVE-2025-59330
color-string: CVE-2025-59142
backslash: CVE-2025-59140
is-arrayish: CVE-2025-59331
simple-swizzle: CVE-2025-59141
color: CVE-2025-59143
color-convert: CVE-2025-59162
color-name: CVE-2025-59145 <pending publication>

Chalk pkgs still pending; bear with.

15.09.2025 19:21 — 👍 14    🔁 1    💬 2    📌 0

Would be curious to know which parts are recognizable from early Rust.

15.09.2025 16:44 — 👍 0    🔁 0    💬 1    📌 0

I have the NPM logs. Not much unexpected except an IP address that wasn't previously known.

It seems clear it was indeed an MITM via the known IP that's out there, followed by account actions via a private IPv6 address.

15.09.2025 16:10 — 👍 2    🔁 0    💬 0    📌 0

Hi, I missed error-ex in the publishing spree the other day, will publish a new version shortly. My apologies, been another round of busy days/weekend.

15.09.2025 14:47 — 👍 1    🔁 0    💬 0    📌 0

Still waiting for access to account logs for the post mortem. Trying to get it out ASAP, sorry to those who need it. Doing my best to get it done.

15.09.2025 07:47 — 👍 3    🔁 1    💬 0    📌 0

It's called a tracker, usually software for writing music for retro consoles and the like. You can usually google "<console name> tracker software" and find what you're looking for.

14.09.2025 16:13 — 👍 1    🔁 0    💬 1    📌 0

Fantastic work, thank you for sharing it!

14.09.2025 11:27 — 👍 1    🔁 0    💬 0    📌 0

This is the most beautiful arrangement of this piece I've ever heard. Did you arrange this yourself?

14.09.2025 06:45 — 👍 1    🔁 0    💬 1    📌 0

That's what I thought at first too, but the GitHub staff and others have asked me to do so. CWE type is 506 (Embedded Malicious Code), and there *is* a specific version that is malicious. Fits all the criteria for a CVE.

13.09.2025 19:53 — 👍 2    🔁 0    💬 1    📌 0

All packages have been published over. Please let me know if I broke you somehow and I'll get it fixed ASAP.

Security advisories drafted and CVEs requested; not sure if they should be published immediately without the CVE yet so have held off until I get some guidance (or they're alloc'd).

13.09.2025 17:45 — 👍 7    🔁 1    💬 1    📌 0

Half of the packages have been published now, slowly working through them. If you see anything messed up please let me know.

13.09.2025 16:38 — 👍 2    🔁 0    💬 0    📌 0

Took the first real break last night in a week. Highly necessary. Thanks to those who reached out for npm contacts, sounds like things will get handled today.

13.09.2025 14:17 — 👍 9    🔁 0    💬 0    📌 0

Sent you a DM :)

12.09.2025 17:55 — 👍 0    🔁 0    💬 0    📌 0

Post mortem is still on hold until I can get everyone secure again. Npm has not been helpful and I'm currently blocked.

I'm sorry for the continued delay, I'd like to be done with this more than anyone else, believe me.

12.09.2025 16:58 — 👍 4    🔁 0    💬 1    📌 0

Does anyone have a contact at npm who can contact me directly? This is getting silly.

Non sequiturs and hours between responses are so unprofessional I'm getting irritated.

People are still affected by cached versions with malware and once again there's nothing I can do to help them.

12.09.2025 15:46 — 👍 25    🔁 6    💬 1    📌 1

Hi, something still isn't right with my account configuration. Going to hold off on the package updates until I can receive a response from npm.

There is no threat or continued breach, but I'm not able to publish in a way I'm confident will be secure quite yet. Please bear with.

12.09.2025 14:43 — 👍 3    🔁 0    💬 0    📌 0

We Got Lucky: The Supply Chain Disaster That Almost Happened Eighteen widely used open source packages were compromised, downloaded billions of times and embedded across nearly every cloud environment. The community dodged a bullet. But this close call shows ju...

Yesterday, @advocatemack.bsky.social and I sat down with @bad-at-computer.bsky.social to discuss the incident that occurred on Monday, in which popular packages like debug and chalk were compromised. Here's my take on it, along with the entire ~45-minute conversation.

www.aikido.dev/blog/we-got-...

12.09.2025 14:10 — 👍 3    🔁 1    💬 0    📌 0

Forgot to mention, they will be identical to the current (non-compromised) versions, released as <compromised_version + 1 patch>.

12.09.2025 13:38 — 👍 0    🔁 0    💬 0    📌 0

⚠️ Heads Up: New patch versions of all affected repositories will be going out today. Please expect that.

Will start in the next hour and will be taking things very slowly.

Chalk repositories are not included in this, as Sindre has already taken care of them.

I am terrified, lmk if I mess up.

12.09.2025 13:10 — 👍 3    🔁 2    💬 1    📌 0

Yes definitely a preventative measure for sure, and I'll include that in a "once you have access again" section. FWIW the npm account is now MFA'd with a u2f key, which should have been on it for a long time now.

12.09.2025 11:20 — 👍 2    🔁 0    💬 0    📌 0

Keeping in mind that a post mortem is on the way and that new package versions will be pushed today, if you have any process improvements you think should be included (aside from "don't get phished"), I'd love to hear them - even if you're not a security professional.

12.09.2025 10:51 — 👍 0    🔁 0    💬 1    📌 0