Flux
Packagist Urges Immediate Composer Update After GitHub Actions Token Leak

Packagist Urges Immediate Composer Update After GitHub Actions Token Leak

Packagist is urgently warning PHP projects to update Composer after a GitHub token format change caused some GitHub Actions tokens to be exposed in CI logs. Composer 2.9.8, 2.2.28 LTS, and 1.10.28 fix a vulnerability where Composer could print the full contents of GitHub Actions-issued GITHUB_TOKEN values or GitHub App installation tokens to stderr when the token failed Composer’s validation check. The issue was triggered by GitHub’s rollout of a new token format that includes a hyphen, which…

Socket
CSP Allow-list Experiment

CSP Allow-list Experiment

Tool: CSP Allow-list Experiment An experiment that shows that you can load an app in a CSP-protected sandboxed iframe (see previous note) and have a custom fetch() that intercepts CSP errors and passes them up to the parent window... which can then prompt the user to add that domain to an allow-list and then refresh the page. I built this one with GPT-5.5 xhigh running in the Codex desktop app. Tags: content-security-policy, iframes, security

Simon Willison's Weblog
GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government

GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government

Socket's threat research team is tracking a suspicious RubyGems campaign we’re calling GemStuffer, involving more than 100 gems that appear to use the RubyGems registry as a data transport mechanism rather than a conventional malware distribution channel. The packages do not appear designed for mass developer compromise. Many have little or no download activity, and the payloads are repetitive, noisy, and unusually self-contained. Instead, the scripts fetch pages from UK local government…

Socket
datasette 1.0a29

datasette 1.0a29

Release: datasette 1.0a29 New TokenRestrictions.abbreviated(datasette) utility method for creating "_r" dictionaries. #2695 Table headers and column options are now visible even if a table contains zero rows. #2701 Fixed bug with display of column actions dialog on Mobile Safari. #2708 Fixed bug where tests could crash with a segfault due to a race condition between Datasette.close() and Datasette.close(). #2709 That segfault bug was gnarly. I added a mechanism to Datasette recently that would…

Simon Willison's Weblog