It’s no secret that Autodesk Forge uses AWS. But now they have made it explicit. Some of the APIs will expose AWS services – in particular S3 – directly.
Oh dear. Yet another npm author went rogue. This time it appears that the npm package deletes files for users with Russian/Belarusian IP addresses. Time to take package pinning more seriously.
This week, the developer of the popular npm package ‘node-ipc’ released sabotaged versions of the library in protest of the ongoing Russo-Ukrainian War. The ‘node-ipc’ package, which gets downloaded over a million times weekly, began deleting files on developers’ machines, in addition to creating new text files with “peace” messages.
Previously we had attackers using hijacked npm libraries to steal credentials. In this case neither the libraries nor the maintainer was compromised. In fact it was the maintainer who deliberately introduced bugs into his own libraries, thereby breaking thousands of apps that depend on them. There’s no easy solution to this dependency problem. For now, use pinned versions and manually approve upgrades.
Users of popular open-source libraries ‘colors’ and ‘faker’ were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking. Some surmised if the NPM libraries had been compromised, but it turns out there’s more to the story.
log4j is a common logging library for Java applications. This vulnerability is extremely easy to exploit, and allows the attacker to run arbitrary code on the server. IOW, very bad. For now, set log4j.formatMsgNoLookups=true to mitigate the issue, until an official patch is out.
Given how ubiquitous this library is, the impact of this vulnerability is quite severe. Learn how to patch it, why it’s bad, and more in this post.
Did you know that you can do this? No API key or token is required to do simple geocoding via the OneMap API.
Notice that the response returns both LONGTITUDE and LONGITUDE containing the same values. This is due to a misspelling in the earlier API and a decision not to break the earlier API.
Find out more here: https://www.onemap.gov.sg/docs/#onemap-rest-apis
One of the FBI’s websites had a web form that allowed arbitrary content to be sent from a legitimate FBI domain – passing all DMARC, DKIM and SPF checks. This isn’t even a hack – anyone could have done it using their web browser. But it could have had serious consequences had the attacker had more nefarious motives.
The Federal Bureau of Investigation (FBI) confirmed today that its fbi.gov domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation. According to an interview with the person who claimed responsibility for…
Earlier, we had a group which abused Unicode’s bidirectional mechanism to deceive the reader about the actual ordering of source code, leading to clever hiding of backdoors in plain sight.
Now we have yet another novel method to include a backdoor in source code. The attack vector makes use of Unicode characters that are invisible, but which are valid characters in variable names.
The attack requires the IDE/text editor (and the used font) to correctly render the invisible characters. At least Notepad++ and VS Code render it correctly (in VS Code the invisible character is slightly wider than ASCII characters). The script behaves as described at least with Node 14.
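A defender-side check for the two Unicode tricks described above, as an added example that is not part of the original post or of the linked write-up: it scans source text for format characters (including the bidi controls) and for blank-rendering letters that JavaScript accepts inside identifiers, and reports each one with its position. The sample input and the list of blank letters are constructed assumptions for this example.

```javascript
// Added example: flag invisible or reordering Unicode in JavaScript source.
// Run with Node (14+): node scan.js   (reads the constructed SAMPLE below)

// Blank-rendering letters that are legal identifier characters in JavaScript
// (Unicode category Lo, so they pass ID_Start), so `flag` and `flag\u3164`
// are two different variables. List assumed for this example.
const BLANK_LETTERS = new Set([0x3164, 0xFFA0, 0x115F, 0x1160]);

// Bidirectional controls (embeddings, overrides, isolates) that can make a
// line display in a different order than it is parsed.
const BIDI_CONTROLS = /[\u202A-\u202E\u2066-\u2069]/u;

function isIdentifierChar(ch) {
  // ECMAScript IdentifierPart is ID_Continue plus ZWNJ and ZWJ explicitly.
  return /\p{ID_Continue}/u.test(ch) || ch === '\u200C' || ch === '\u200D';
}

// Returns one finding per suspicious code point: 1-based line/column,
// the code point, whether it is legal inside an identifier, and whether
// it is a bidi control.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    let col = 1;
    for (const ch of line) {           // iterate by code point, not UTF-16 unit
      const cp = ch.codePointAt(0);
      if (/\p{Cf}/u.test(ch) || BLANK_LETTERS.has(cp)) {
        findings.push({
          line: idx + 1,
          col,
          codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
          identifierValid: isIdentifierChar(ch),
          bidi: BIDI_CONTROLS.test(ch),
        });
      }
      col += 1;
    }
  });
  return findings;
}

// Constructed sample: the second `flag` carries a trailing U+3164 HANGUL
// FILLER, so it is a separate variable that renders identically to the first.
const SAMPLE = 'const flag = false;\nconst flag\u3164 = true;\nif (flag) {}\n';

for (const f of scanSource(SAMPLE)) {
  console.log(`${f.line}:${f.col} ${f.codePoint} identifier=${f.identifierValid} bidi=${f.bidi}`);
}
```

To scan a real file, pass `fs.readFileSync(path, 'utf8')` to `scanSource` instead of `SAMPLE`; a non-empty result in a code review is the signal to look at that line in a hex view.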
This looks super impressive and is potentially game-changing. Auto-completion has been around for ages, from the early days of Visual Assist to Visual Studio Autocomplete. This is another level. It works like GPT-3 in that it tries to suggest whole sections of code or a complete function based on comments and other signals. This will be something that companies will pay for. Based on HN comments, alpha testers gave it rave reviews. It’s currently in technical preview. Can’t wait for general availability.
GitHub Copilot works alongside you directly in your editor, suggesting whole lines or entire functions for you.
ARM-based Graviton2 consistently outperforms Intel x86-based processors in Percona’s PostgreSQL tests, and it’s 25% cheaper. If your workload is not x86-specific there’s no reason not to switch.
The rise of ARM-based processors is gaining momentum and it seems like Intel is seriously playing catch-up here.
With the second gen of Graviton2 instances announced, we decided to take a look at the price/performance from the standpoint of running PostgreSQL.
Yet another potentially breaking change on the web. This time round it involves cookie handling (in the upcoming Chrome 80). The objective is to close off a class of attacks known as CSRF (cross-site request forgery) by defaulting cookies to a SameSite policy. Expect other browsers to follow suit.
… any websites you’re responsible for that are passing cookies around cross domain by POST request and don’t already have a SameSite policy are going to start misbehaving pretty quickly