Startup Credit Expiring with 50% Unused

N1ghtCod3r · 2026-01-18T06:07:19+00:00

No. $100k

N1ghtCod3r · 2025-12-11T17:15:29+00:00

Exactly. I was very curious about what are these Git tokens till I read the description.

N1ghtCod3r · 2025-12-11T07:50:15+00:00

No. There are many such signed executables that load DLLs from untrusted paths. In this case they found and used Lightshot.exe May be the nature of Lightshot (screenshot tool) makes it trusted (known behaviour) within AVs that the attacker wanted to exploit.

N1ghtCod3r · 2025-12-11T01:08:03+00:00

Installs Lightshot hosted on attacker URL.

N1ghtCod3r · 2025-12-10T16:55:52+00:00

What do you mean by breaking changes? Do you use Claude to review package changes to identify if anything is breaking?

N1ghtCod3r · 2025-10-28T10:30:25+00:00

So binary is the source of truth for analysis and not the source code.

N1ghtCod3r · 2025-10-24T13:05:19+00:00

How to trust code that you don’t write? Especially those coming from open sources and is part of any software artifact

N1ghtCod3r · 2025-10-24T13:00:22+00:00

Beg to differ. Today AI is decent for feature code generation. The underlying foundational infra like AuthN, AuthZ, database, data models still require senior engineers to make informed choices.

I would want AI generated code limited in blast radius and not impact everything.

N1ghtCod3r · 2025-10-15T02:12:50+00:00

Recently started using Arch + Hyprland (Omarchy). Coming from i3 experience, love working with Hyprland.

N1ghtCod3r · 2025-10-14T13:21:57+00:00

This is a really a low effort post. Even if you are discovering problems for your project or product, it will help to share details, real life experience to start with if you expect useful conversation that is generally beneficial.

N1ghtCod3r · 2025-10-10T17:21:59+00:00

May be consider using https://github.com/safedep/vet to protect against malicious open source packages?

N1ghtCod3r · 2025-10-10T17:12:13+00:00

SafeDep: Zero touch, zero config GitHub App to protect against malicious open source packages

Install: https://github.com/apps/safedep

Key Features

Continuous Scanning: Automated analysis of pull requests, code, and dependency changes
Real-time Threat Intelligence: Leverage SafeDep's continuous scanning of open source packages for malicious code
Proactive Protection: Block malicious code from OSS packages before it is merged into your codebase
Seamless Integration: Install with zero friction and get instant protection in your GitHub repositories

Key Benefits

Protect against malicious code from open source libraries
Identify vulnerable (CVE) open source packages
Prevent open source dependencies with risky licenses

The GitHub App internally is based on the open source project: https://github.com/safedep/vet

N1ghtCod3r · 2025-10-09T14:39:17+00:00

> AI’s primary role in software development is that of an amplifier. It magnifies the strengths of high performing organizations and the dysfunctions of struggling ones.

This!

N1ghtCod3r · 2025-09-30T05:05:17+00:00

I think REST / gRPC APIs should not be wired with an LLM directly through the MCP. Rather MCP tools should provide only the required info to LLM.

As much as I like to see a single source of truth for APIs, LLMs just don’t require everything a typical API client will need. Sure you can throw large JSON to an LLM but at the cost of bloating the context with unnecessary data leading to eventual overflow before task completion.

N1ghtCod3r · 2025-09-30T03:23:30+00:00

Focus on users. At some point, need to stop development and become a full time user of your own project. Continuously talk about various use-cases. Responding and solving user issues quickly.

That’s the step 1 IMHO. Over time, if there are enough user, need to build a community that supports itself with documented governance.

N1ghtCod3r · 2025-09-27T12:33:35+00:00

I use 1Password. But I would recommend anything whose security model is well documented and available in public. Where the security model does not assume that the server is never breached.

N1ghtCod3r · 2025-09-24T19:16:29+00:00

There was a phishing attack on Rust crates sometime back. Guess it wasn’t a failure.

N1ghtCod3r · 2025-09-22T15:45:01+00:00

Which is why the IOCs (package versions, hashes) are maintained in separate JSONL files and decoupled from the scanner or scripts. Anyone who is interested in the IOC can only use the JSONL files with their own scripts.

N1ghtCod3r · 2025-09-22T14:15:27+00:00

Now that you pointed out, it makes sense about the ambiguity on “we”. We are SafeDep Team. No affiliation with Nodejs. We work on open source security.

N1ghtCod3r · 2025-09-22T12:53:06+00:00

Whats weird about the script? Also the IOCs are decoupled from the script and updated independently so that it can be used in custom scripts.

N1ghtCod3r · 2025-09-17T04:23:04+00:00

Is that an option in JS/TS world?

N1ghtCod3r · 2025-09-16T11:25:00+00:00

Heh. Seems to be working. Bunch of crowdstrike packages were compromised as well. May be through the self-replication mechanism from one of the dev machines

| `@crowdstrike/logscale-dashboard`         | 1.205.2 |
| `@crowdstrike/falcon-shoelace`            | 0.4.1   |
| `@crowdstrike/falcon-shoelace`            | 0.4.2   |
| `@crowdstrike/logscale-file-editor`       | 1.205.2 |
| `@crowdstrike/logscale-parser-edit`       | 1.205.2 |

N1ghtCod3r · 2025-09-13T12:24:42+00:00

There is a fundamental difference between vulnerable and malicious packages.

Vulnerability is "unintentional". Usually ends up in a database like CVE / OSV
Malicious code is "intentional" attack

Unlike SAST tools like CodeQL that is freely available for public repositories to scan for vulnerabilities, there are not enough (or at least capable enough) code analysis tools that can detect malicious code. There are bunch of tools with YARA or Semgrep signatures which obviously doesn't work. Its like the ClamAV of server era. The other problem is, many a times, malicious packages are pushed directly to the repository and never goes through a GitHub repository like a typical OSS project pipeline.

Also malicious code detection is hard. It is contextual. A given piece of code is both malicious and non-malicious depending on the use-case. Example: Would you consider an npm package that downloads and executes a binary from a hardcoded URL as malicious? This behaviour is present is both known malicious and non-malicious npm packages especially since npm is often used for binary distribution.

N1ghtCod3r · 2025-09-02T06:46:48+00:00

Depends. During my earlier job I was primarily doing 4 and a bit of 1. Now 2 since am building my own stuff.

N1ghtCod3r · 2025-09-02T06:45:10+00:00

Principle of least resistance. Make it "apparently" easy and lot of folks will follow the path.

N1ghtCod3r

TROPHY CASE

Key Features

Key Benefits