A few things that I've been careful about:
- Separate dev machine. This has agentic infrastructure. Should soon be replaced by dev boxes.
- Dev machine has no passwords, GPG keys, SSH keys.
- All CLI tools are scoped with PATs with RO permissions.
- GitHub/Bitbucket/GitLab use scoped PATs.
- Use yarn v4 or uv, which allow you to exclude *new packages*.
- If you *really* need passwords, then store them in Apple Keychain. But I would recommend avoiding it.
- Separate browsing machine where you don't install random binaries; this can have passwords.

Yes, this is draconian, but this is the only way to stay safe.
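An added example, not from the original post: a small POSIX shell audit that checks a dev machine against three of the items above (no SSH private keys, no GPG secret keys, and a pinned `exclude-newer` cutoff for uv, which is the mechanism assumed here for "exclude new packages"). The paths and the `audit` argument order are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a dev machine against
# three checklist items. Default paths are assumptions; pass your own.

# 0 if no SSH private keys live under the directory (public .pub files are fine).
no_ssh_private_keys() {
  dir="${1:-$HOME/.ssh}"
  [ -d "$dir" ] || return 0
  # Private keys are PEM/OpenSSH blocks carrying a PRIVATE KEY header.
  if grep -rlq -- '-----BEGIN .*PRIVATE KEY-----' "$dir" 2>/dev/null; then
    return 1
  fi
  return 0
}

# 0 if gpg is missing, the keyring home is absent, or it holds no secret keys.
no_gpg_secret_keys() {
  home="${1:-$HOME/.gnupg}"
  command -v gpg >/dev/null 2>&1 || return 0
  [ -d "$home" ] || return 0
  n=$(gpg --homedir "$home" --batch --list-secret-keys --with-colons 2>/dev/null \
        | grep -c '^sec:' || true)
  [ "${n:-0}" -eq 0 ]
}

# 0 if pyproject.toml sets uv's exclude-newer cutoff, so package versions
# published after that timestamp are never resolved into the lockfile.
uv_has_exclude_newer() {
  file="${1:-pyproject.toml}"
  [ -f "$file" ] && grep -Eq '^[[:space:]]*exclude-newer[[:space:]]*=' "$file"
}

# Runs all checks; the return value is the number of failed checks.
audit() {
  failed=0
  no_ssh_private_keys "$1"  || { echo "FAIL: SSH private key under $1"; failed=$((failed + 1)); }
  no_gpg_secret_keys "$2"   || { echo "FAIL: GPG secret key in $2"; failed=$((failed + 1)); }
  uv_has_exclude_newer "$3" || { echo "FAIL: no exclude-newer cutoff in $3"; failed=$((failed + 1)); }
  return "$failed"
}
```

Run it as `audit ~/.ssh ~/.gnupg pyproject.toml`; a non-zero exit status means at least one item of the checklist is not met.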

Feross
@feross
North Korea is targeting npm maintainers -- not for crypto, but for write access to packages downloaded trillions of times a year.
Several Socket engineers were targeted in this campaign -- myself, @ljharb, @jdalton, and others. None of us fell for the bait. Unfortunately, the
From Twitter