Flux
Axios Maintainer Confirms Social Engineering Attack Behind npm Compromise

On March 31, two malicious versions of Axios were briefly published to npm, introducing a dependency that installed a remote access trojan across macOS, Windows, and Linux. We covered the initial attack and its scope earlier, as well as a deeper technical analysis of its hidden blast radius and how dependency resolution expanded its impact exponentially. Now, the project’s lead maintainer has shared additional details about how the compromise occurred. A Targeted Social Engineering Attack: In…

Socket
Node.js Drops Bug Bounty Rewards After Funding Dries Up

The Node.js project has paused its long-running bug bounty program after the funding behind it was discontinued, removing a key security incentive from one of the most widely used JavaScript runtimes. For nearly a decade, Node.js participated in the Internet Bug Bounty (IBB) program through HackerOne, offering monetary rewards to researchers who responsibly disclosed security issues. That program is now on hold, leaving Node.js without a funded bounty structure for the first time since 2016.…

Socket
The Toolkit Pattern

This is the third article in a series on agentic engineering and AI-driven development. Read part one here, part two here, and look for the next article on April 15 on O’Reilly Radar. The toolkit pattern is a way of documenting your project’s configuration so that any AI can generate working inputs from a plain-English description. […]

O'Reilly Radar — AI/ML
March 2026 sponsors-only newsletter

I just sent the March edition of my sponsors-only monthly newsletter. If you are a sponsor (or if you start a sponsorship now) you can access it here. In this month's newsletter: More agentic engineering patterns; Streaming experts with MoE models on a Mac; Model releases in March; Vibe porting; Supply chain attacks against PyPI and NPM; Stuff I shipped; What I'm using, March 2026 edition; And a couple of museums. Here's a copy of the February newsletter as a preview of what you'll get. Pay $10/month…

Simon Willison's Weblog
The Hidden Blast Radius of the Axios Compromise

Yesterday, we reported on a supply chain attack targeting Axios that introduced a malicious dependency (plain-crypto-js) into specific npm releases. At first glance, the scope seemed contained: two compromised Axios versions; a short exposure window; a malicious dependency that was quickly removed. Over the past 24 hours, we’re seeing many teams focus on checking their lockfiles and node_modules directories, but that only captures part of the picture, especially when tools are executed dynamically…

Socket
The Model You Love Is Probably Just the One You Use

The following article originally appeared on Medium and is being republished here with the author’s permission. Ask 10 developers which LLM they’d recommend and you’ll get 10 different answers—and almost none of them are based on objective comparison. What you’ll get instead is a reflection of the models they happen to have access to, the […]

O'Reilly Radar — AI/ML
Agent responsibly

Vercel shares their internal framework for shipping agent-generated code safely. The core argument: green CI is no longer proof of safety, because agents produce code that looks flawless while remaining blind to production realities. The post outlines how to build systems where agents can act with high autonomy because deployment is safe by default.

Freek Van der Herten