Telexed

AI news through a solo-operator lens — only what changes your day4 of 412

FILTER[All][Agents & tools][Models & API][Generative media][Infra & SaaS][ASO & growth][Indie business][Idea signals][Other][★6+ high-signal]

clear filters

Tue, May 122 dispatches

#0412
#0412Other GeekNewslast week
`Mini Shai-Hulud` returns: self-propagating npm supply-chain attack hits CI/CD
80radar
This worm hijacks CI/CD flows, steals secrets, and spreads through legitimate npm packages. If your pipeline publishes packages or injects tokens broadly, tighten secret scope and rotate exposed credentials now.
- StepSecurity first detected it in an official @tanstack package, which means trusted package names are no longer a safe shortcut.
- The blast radius is bigger than a single repo: CI tokens, registry credentials, and publish pipelines can become propagation paths.
- Teams using long-lived secrets in GitHub Actions or package release jobs should assume lateral movement, not isolated package compromise.
- The practical response is boring but urgent: rotate tokens, narrow CI permissions, pin releases carefully, and review package publish automation.
Source: news.hada.io/topic?id=29427Read original →
FIG-4121:1
80radar
FIG-4121:1
#0411
#0411Other GeekNewslast week
Postmortem: `TanStack` npm Supply-Chain Breach
60radar
TanStackOSS package suite — frontend state and data tools
A six-minute CI-to-publish compromise turned pull_request_target, cache poisoning, and stolen OIDC credentials into malicious npm releases. If your stack pulls @tanstack/*, treat GitHub Actions hardening and dependency pinning as urgent hygiene, not optional.
- The blast radius was 42 @tanstack/ packages and 84 malicious versions published within 6 minutes; short windows still break CI fast.
- The chain combined pull_request_target, GitHub Actions cache poisoning, and OIDC token extraction from runner memory; one weak workflow can reach package publishing.
- Stolen npm publish access means trusted frontend dependencies become an attack path; lockfiles alone do not save you after a poisoned release.
- This pushes routine defenses up the priority list: tighter GitHub Actions permissions, cache isolation, and faster dependency incident response.
Source: news.hada.io/topic?id=29413Read original →
FIG-4111:1
60radar
FIG-4111:1

Mon, May 111 dispatches

#0410
#0410Other GeekNewslast week
`CVE-2024-YIKES`: dependency hijack leaked cross-ecosystem registry creds
60radar
vulpine-lz4Package — install-time code stole CI secrets
A JavaScript package hijack spilled into Rust and Python supply chains by stealing registry credentials like .npmrc, .pypirc, and Cargo tokens. If CI can read publish secrets during builds, one compromised package can jump ecosystems fast; tighten token scope and isolate release jobs now.
- The blast radius was not just npm; stolen creds also covered .pypirc, Cargo, and RubyGems, so one weak link can poison multiple release pipelines.
- A malicious build.rs in vulpine-lz4 reportedly executed on CI hosts, which turns dependency install time into a credential exfiltration path.
- left-justify-style phishing shows package names and maintainer trust are still enough to trigger supply-chain compromise without an infra breach.
- Build jobs that both install third-party code and hold publish tokens are the obvious failure mode. Split test and release environments before this pattern repeats.
Source: news.hada.io/topic?id=29374Read original →
FIG-4101:1
60radar
FIG-4101:1

Thu, May 71 dispatches

#0409
#0409Other GitHub Trending Weekly2 weeks ago
`DocuSeal`: Open-Source E-Signature Stack You Can Self-Host
60radar
DocuSealE-signature stack — self-hosted with embeds and API
A practical way to add signing flows without paying DocuSign first. Docker deploy, embeddable forms, and API/webhooks make it usable now for document-heavy SaaS.
- Ships a WYSIWYG PDF form builder with 12 field types, so non-technical ops work does not need a custom UI first.
- Supports multiple submitters, SMTP emails, storage on disk or S3/GCS/Azure, covering the boring infra pieces usually missed in v1.
- Provides API, webhooks, and embedded signing/form-builder options for React, Vue, Angular, or plain JS, which lowers integration cost.
- Default deploy is a single docker run with SQLite; DATABASE_URL lets you move to PostgreSQL or MySQL when the product hardens.
Source: github.com/docusealco/docusealRead original →
FIG-4091:1
60radar
FIG-4091:1

`Mini Shai-Hulud` returns: self-propagating npm supply-chain attack hits CI/CD

Postmortem: `TanStack` npm Supply-Chain Breach

`CVE-2024-YIKES`: dependency hijack leaked cross-ecosystem registry creds

`DocuSeal`: Open-Source E-Signature Stack You Can Self-Host