Developer Builds Static Scanner to Catch Supply-Chain Malware Before Code Runs

A developer created a static repository scanner after being targeted by a fake job interview repo designed to steal credentials and API keys. The tool analyzes repositories without cloning, installing, or executing any code, since malicious scripts embedded in npm lifecycle hooks like postinstall can run automatically during npm install. The scanner checks for three key threat categories: dangerous build-time execution hooks, dependencies in package.json that resolve to unexpected or non-registry URLs in the lockfile, and obfuscation patterns such as eval of decoded strings or long hex literals. The attack that inspired the tool exploited a mismatch between a trusted-looking package name and a malicious tarball URL hidden in the lockfile. By keeping analysis logic free of any I/O and testable against known-malicious fixtures, the scanner can flag suspicious combinations of signals before any harm is done.
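The three checks the summary describes, written out as an added illustration rather than the developer's own scanner from the article: a pure function over the text of package.json, a v2/v3 package-lock.json and the package's source files, with a constructed fixture that mirrors the name-versus-tarball-URL mismatch. The trusted-host allowlist and the obfuscation regexes are assumptions, not values from the article.

```python
import json
import re
from urllib.parse import urlparse

# Assumed allowlist (the article names no hosts): the public npm registry only.
TRUSTED_HOSTS = {"registry.npmjs.org"}
HOOKS = ("preinstall", "install", "postinstall", "prepare")  # run automatically on `npm install`
# Assumed obfuscation signals: eval of a decoded string, long hex escape runs, long hex literals.
OBFUSCATION = (
    (r"eval\s*\(\s*(atob|Buffer\.from|String\.fromCharCode|unescape)\b", "eval of decoded string"),
    (r"(\\x[0-9a-fA-F]{2}){16,}", "long run of \\x hex escapes"),
    (r"['\"][0-9a-fA-F]{64,}['\"]", "long hex literal"),
)

def resolved_urls(lock):
    """Map each top-level package name to its 'resolved' URL (lockfileVersion 2/3 'packages' map)."""
    out = {}
    for path, meta in lock.get("packages", {}).items():
        if path.count("node_modules/") == 1 and meta.get("resolved"):  # skip root and nested entries
            out[path.split("node_modules/", 1)[1]] = meta["resolved"]
    return out

def scan(pkg_json, lock_json, sources):
    """Pure analysis over file contents (strings); no cloning, installing or I/O. Returns (severity, message)."""
    pkg, lock = json.loads(pkg_json), json.loads(lock_json)
    findings = []
    for hook in HOOKS:  # 1. build-time execution hooks
        cmd = pkg.get("scripts", {}).get(hook)
        if cmd:
            findings.append(("high", f"lifecycle hook {hook}: {cmd}"))
    declared = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    resolved = resolved_urls(lock)
    for name in declared:  # 2. declared name vs. where the lockfile actually fetches it from
        url = resolved.get(name)
        if url is None:
            findings.append(("medium", f"{name}: declared but not resolved in lockfile"))
        elif urlparse(url).hostname not in TRUSTED_HOSTS:
            findings.append(("high", f"{name}: resolves outside the registry: {url}"))
    for fname, text in sources.items():  # 3. obfuscation patterns in shipped source
        for pattern, label in OBFUSCATION:
            if re.search(pattern, text):
                findings.append(("medium", f"{fname}: {label}"))
    return findings

# Constructed fixture: postinstall hook, trusted-looking name whose tarball points elsewhere, eval(atob()).
SAMPLE_PKG = '{"scripts": {"postinstall": "node setup.js"}, "dependencies": {"lodash": "^4.17.21", "left-pad": "1.3.0"}}'
SAMPLE_LOCK = ('{"lockfileVersion": 3, "packages": {"": {}, "node_modules/lodash": {"resolved": "https://cdn.example.invalid/lodash-4.17.21.tgz"}, '
               '"node_modules/left-pad": {"resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"}}}')
SAMPLE_SRC = {"setup.js": "eval(atob('Y29uc29sZS5sb2coMSk='))"}
```

Because `scan` only takes strings, the same function can be driven by fetched file contents in production and by known-malicious fixtures in unit tests.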

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Related stories

Programming · DEV Community

AI Answer Engines Are Reshaping How Content Gets Discovered Online

The rise of AI-powered answer engines like ChatGPT, Claude, and Perplexity is fundamentally changing how people find information online, shifting discovery away from traditional search engines. Unlike conventional search, these tools synthesize and deliver direct answers, meaning a website can go entirely unvisited even as its ideas reach readers. Writer and technologist Ken W. Alger illustrated this shift by demonstrating that AI models could accurately define, attribute, and contextualize his original terminology — without ever rendering his website. This has given rise to the concept of Generative Engine Optimization (GEO), which prioritizes conceptual clarity, consistent naming, and well-defined ideas over traditional tactics like keyword density and backlinks. The core argument is that in the AI discovery era, being understood and accurately represented by a model matters as much as ranking on a results page.

Programming · DEV Community

Tech Giants Launch Akrites Under Linux Foundation to Secure Open-Source Software

Anthropic, Google, Microsoft, OpenAI, AWS, and 15 other organizations launched Akrites on Thursday under the Linux Foundation to address AI-era vulnerabilities in critical open-source software. The initiative establishes a shared Security Incident Response Team to replace the fragmented approach where multiple organizations independently scan the same libraries, file duplicate vulnerability reports, and overwhelm maintainers. Akrites enforces a patch-first, disclose-second policy, holding findings confidential until fixes are tested, and provides fallback maintainer coverage for unmaintained projects. The effort is funded by Alpha-Omega, an OpenSSF project with an annual budget exceeding $7 million backed by the founding members. The coalition was formed in response to AI tools dramatically accelerating vulnerability discovery, with Endor Labs CEO Varun Badhwar noting thousands of AI-surfaced open-source flaws in recent months, fewer than 5% of which have been patched.

Programming · DEV Community

Waggy Labs releases Yumekit v0.5 with 51 components and 60 themes, no dependencies

Waggy Labs has released version 0.5 of Yumekit, its dependency-free web component UI toolkit, originally launched in beta in May. The update expands the library from 36 to 51 components, adding new layout, data, navigation, and utility elements such as a datagrid, paginator, popover, and drag-and-drop list. The toolkit now includes over 60 themes drawn from nine open-source design systems, all built directly into the library with no external stylesheets required. Yumekit works across web frameworks out of the box and can be loaded via CDN or installed through NPM. Waggy Labs developed the toolkit primarily for internal tooling and client projects, aiming to reduce CSS overhead and configuration time.

Programming · DEV Community

How to Prompt AI for Contrarian Content Angles That Drive Engagement

A piece published on DEV Community argues that AI-generated content tends to be safe, neutral, and forgettable because most users prompt tools like ChatGPT to summarize rather than to find friction points in an argument. The author draws on a 2012 Journal of Marketing Research study by Jonah Berger and Katherine Milkman, which found that high-arousal emotions such as surprise and contradiction make content significantly more shareable than agreeable, informative writing. The core claim is that large language models are trained to reward thoroughness and avoid controversy, making their default output structurally similar to countless other summaries. To counter this, the author proposes a specific prompt framework that instructs the AI to adopt a content strategist persona and extract viewpoints that run against widely held assumptions of a target audience. The goal, the author emphasizes, is not to manufacture outrage but to interrupt predictable reading patterns and produce angles that feel genuinely novel.
