
Two-File Supply Chain Attack Targets npm Package via Rogue Registry Redirect


A security researcher discovered a malicious pull request submitted to their open-source repository, sebs/etherscan-api, designed to redirect all npm package resolution to an attacker-controlled server. The PR was disguised as a routine refactor, with a convincing description, bullet points and developer-friendly language intended to lower the maintainer's guard. The attack needed only two file changes: a .npmrc file that silently overrode the default npm registry with a bare IP address on a non-standard port over unencrypted HTTP, and a package.json update adding a fake dependency to justify the .npmrc change. Because the rogue registry handled all package resolution, the attacker could serve trojaned versions of any dependency fetched during installation. The submitting account appeared legitimate, with an aged profile, repository history and GitHub achievement badges, illustrating how modern supply chain attacks rely as much on social engineering as on technical exploits.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.


