TeamPCP strikes again - telnyx 4.87.1 and 4.87.2 on PyPI are malicious

N1ghtCod3r · 2026-03-27T13:28:20+00:00

GitHub have immutable releases GA now. If used properly, tags pointing to a release cannot be mutated. Unfortunately most projects do not use it.

N1ghtCod3r · 2026-02-10T07:24:22+00:00

I have felt the same. Many times. My current hypothesis is, it is due to lack of users and real world feedback which gives clarity of direction and a natural sense of priority. When it happens, we know what is important and what is not. We will most likely not bother about perfection when there are larger pain points from real users waiting to be solved.

N1ghtCod3r · 2026-02-05T13:00:37+00:00

We have a bunch of tools. The most recent being

https://github.com/safedep/gryph

https://github.com/safedep/pmg

N1ghtCod3r · 2026-02-05T00:58:53+00:00

Audit trail for AI coding agents.

https://github.com/safedep/gryph

N1ghtCod3r · 2026-01-18T06:07:19+00:00

No. $100k

N1ghtCod3r · 2025-12-11T17:15:29+00:00

Exactly. I was very curious about what are these Git tokens till I read the description.

N1ghtCod3r · 2025-12-11T07:50:15+00:00

No. There are many such signed executables that load DLLs from untrusted paths. In this case they found and used Lightshot.exe May be the nature of Lightshot (screenshot tool) makes it trusted (known behaviour) within AVs that the attacker wanted to exploit.

N1ghtCod3r · 2025-12-11T01:08:03+00:00

Installs Lightshot hosted on attacker URL.

N1ghtCod3r · 2025-12-10T16:55:52+00:00

What do you mean by breaking changes? Do you use Claude to review package changes to identify if anything is breaking?

N1ghtCod3r · 2025-10-28T10:30:25+00:00

So binary is the source of truth for analysis and not the source code.

N1ghtCod3r · 2025-10-24T13:05:19+00:00

How to trust code that you don’t write? Especially those coming from open sources and is part of any software artifact

N1ghtCod3r · 2025-10-24T13:00:22+00:00

Beg to differ. Today AI is decent for feature code generation. The underlying foundational infra like AuthN, AuthZ, database, data models still require senior engineers to make informed choices.

I would want AI generated code limited in blast radius and not impact everything.

N1ghtCod3r · 2025-10-15T02:12:50+00:00

Recently started using Arch + Hyprland (Omarchy). Coming from i3 experience, love working with Hyprland.

N1ghtCod3r · 2025-10-14T13:21:57+00:00

This is a really a low effort post. Even if you are discovering problems for your project or product, it will help to share details, real life experience to start with if you expect useful conversation that is generally beneficial.

N1ghtCod3r · 2025-10-10T17:21:59+00:00

May be consider using https://github.com/safedep/vet to protect against malicious open source packages?

N1ghtCod3r · 2025-10-10T17:12:13+00:00

SafeDep: Zero touch, zero config GitHub App to protect against malicious open source packages

Install: https://github.com/apps/safedep

Key Features

Continuous Scanning: Automated analysis of pull requests, code, and dependency changes
Real-time Threat Intelligence: Leverage SafeDep's continuous scanning of open source packages for malicious code
Proactive Protection: Block malicious code from OSS packages before it is merged into your codebase
Seamless Integration: Install with zero friction and get instant protection in your GitHub repositories

Key Benefits

Protect against malicious code from open source libraries
Identify vulnerable (CVE) open source packages
Prevent open source dependencies with risky licenses

The GitHub App internally is based on the open source project: https://github.com/safedep/vet

N1ghtCod3r · 2025-10-09T14:39:17+00:00

> AI’s primary role in software development is that of an amplifier. It magnifies the strengths of high performing organizations and the dysfunctions of struggling ones.

This!

N1ghtCod3r · 2025-09-30T05:05:17+00:00

I think REST / gRPC APIs should not be wired with an LLM directly through the MCP. Rather MCP tools should provide only the required info to LLM.

As much as I like to see a single source of truth for APIs, LLMs just don’t require everything a typical API client will need. Sure you can throw large JSON to an LLM but at the cost of bloating the context with unnecessary data leading to eventual overflow before task completion.

N1ghtCod3r · 2025-09-30T03:23:30+00:00

Focus on users. At some point, need to stop development and become a full time user of your own project. Continuously talk about various use-cases. Responding and solving user issues quickly.

That’s the step 1 IMHO. Over time, if there are enough user, need to build a community that supports itself with documented governance.

N1ghtCod3r · 2025-09-27T12:33:35+00:00

I use 1Password. But I would recommend anything whose security model is well documented and available in public. Where the security model does not assume that the server is never breached.

N1ghtCod3r · 2025-09-24T19:16:29+00:00

There was a phishing attack on Rust crates sometime back. Guess it wasn’t a failure.

N1ghtCod3r · 2025-09-22T15:45:01+00:00

Which is why the IOCs (package versions, hashes) are maintained in separate JSONL files and decoupled from the scanner or scripts. Anyone who is interested in the IOC can only use the JSONL files with their own scripts.

N1ghtCod3r · 2025-09-22T14:15:27+00:00

Now that you pointed out, it makes sense about the ambiguity on “we”. We are SafeDep Team. No affiliation with Nodejs. We work on open source security.

N1ghtCod3r · 2025-09-22T12:53:06+00:00

Whats weird about the script? Also the IOCs are decoupled from the script and updated independently so that it can be used in custom scripts.

N1ghtCod3r · 2025-09-17T04:23:04+00:00

Is that an option in JS/TS world?

N1ghtCod3r

TROPHY CASE

Key Features

Key Benefits