pylapp

joined 2 years ago

Cross-posted from https://programming.dev/post/41331208

"Upon execution, the malware downloads and runs TruffleHog to scan the local machine, stealing sensitive information such as NPM Tokens, AWS/GCP/Azure credentials, and environment variables.

The malicious code exfiltrates the stolen information by creating a GitHub Action runner named SHA1HULUD, and a GitHub repository description Sha1-Hulud: The Second Coming.. This suggests it may be the same attacker behind the "Shai-Hulud" attack observed in September 2025.

And now, over 27,000 GitHub repositories were infected."

Other source with a list of compromised packages available


Immutable releases are releases where the assets and associated Git tag cannot be changed after publication. The use of this type of release increases security by blocking supply chain attacks.

Attackers cannot:

  • Inject vulnerabilities or malware into current project releases.
  • Make changes to assets and tags that may break developer workflows.

The release tags and artefacts can also be cryptographically verified.

The portal helps to find projects participating in Hacktoberfest, searchable by programming language.

Hope it helps!

 

Publication about the monopoly of GitHub and the fact that developers should move elsewhere if they care about their freedom and the freedom of FLOSS projects.

[–] pylapp@programming.dev 3 points 3 months ago (1 children)

If you use iOS, Strongbox does support passkeys.

[–] pylapp@programming.dev 2 points 4 months ago

We should support our fediverse admins and instances 💪 Support by sending money (for people who can), moderating content, submitting issues or helping the team and project ✌️

[–] pylapp@programming.dev 2 points 5 months ago

So abandoning open source and moving to “post open source” or ethical source might be a (sad) solution.

[–] pylapp@programming.dev 5 points 7 months ago* (last edited 7 months ago) (1 children)

Anticipate technical debt and follow what Google recommends. In a few words, use Kotlin and Compose.

However, you should really have a look at Google's guidelines. In more words:

  • by default Kotlin and Compose
  • if some logic to share between other projects in other environments: Kotlin Multiplatform (KMP)
  • if shared UI: Flutter (but Google reduced the Flutter teams and KMP is getting better and better, so we can suppose Flutter will join the Google Graveyard)

[–] pylapp@programming.dev 2 points 7 months ago

I do not know if the solutions I listed below are open source; however, as an open source contributor I am used to working with some tools depending on the choice of the projects:

About credits, I don’t think these tools expose the contributors' identities in some automated way. However, nothing prevents you from using these web UI tools to find who contributed and to list people, for example in your CONTRIBUTORS file. Another way could be to edit the automated commits these tools submit to your Git repos by adding credits to the translators (with, for example, the Co-authored-by field).

[–] pylapp@programming.dev 1 points 7 months ago* (last edited 7 months ago)

Yep, it seems it is, but it can manage KDBX files. Just wanted to share 😄

Edit: sorry, didn’t see this thread is in Android community, my comment is not relevant for this platform.

[–] pylapp@programming.dev 0 points 7 months ago* (last edited 7 months ago) (2 children)

You can also use, for example, Strongbox (https://github.com/strongbox-password-safe)

Edit: sorry, didn’t see this thread is in Android community, my comment is not relevant for this platform. For Android I am used to Keepass2Android (https://github.com/PhilippC/keepass2android). Simple, still maintained, under libre licence GPL 3.0.

[–] pylapp@programming.dev 3 points 10 months ago

Not sure of that; maybe we need some case law or an update to existing copyleft licenses. Source code generated with GenAI tools, even if their models have been trained on corpora of copyleft sources, is not (yet) considered a derivative work. What a pity.

[–] pylapp@programming.dev 3 points 10 months ago

Could be interesting. Non-free and current GenAI tools violate copyright; we may consider some evolutions of copyfarleft licenses to forbid such use of source code in these types of tools.

[–] pylapp@programming.dev 4 points 10 months ago (2 children)

Just wanted to share for the common knowledge and the debate as I already saw here some “post open source” and content about rubbish licenses like SSPL or BSL 😉

[–] pylapp@programming.dev 6 points 11 months ago (1 children)

Also be sure the issues in your project have suitable labels to help future contributors pick some of them easily, e.g. labels like “help wanted” or “good first issue”.

You can also refer to best practices listed and explained for example in Advent of Open Source so as to have a nice and user-friendly repo: https://adventofopensource.com/
