@dreamsofcode_io: Really good time to consider putting your SSH Keys on a hardware security key, such as a Yubikey.
Summary
A tweet recommends using hardware security keys like Yubikey for SSH keys, referencing an active cross-ecosystem supply chain attack (TrapDoor) on npm, PyPI, and Crates.io involving malicious packages and crypto-stealing malware.
Cached at: 05/26/26, 02:47 AM
Really good time to consider putting your SSH Keys on a hardware security key, such as a Yubikey.
Socket (@SocketSecurity): 🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.io.
Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems.
TrapDoor targets
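The practical step behind the tweet's advice is to generate the SSH key on a FIDO2 token (OpenSSH "sk" keys, supported since OpenSSH 8.2) and then check which keys on a server are actually hardware-backed. The following is an added shell example, not code from the tweet's author or from Socket: `gen_sk_key` wraps the real `ssh-keygen` options for a resident, PIN-verified key and assumes a FIDO2 token is plugged in; `audit_authorized_keys` and `count_soft_keys` classify keys in an authorized_keys file by type using only awk and grep, and the sample file is constructed with placeholder key blobs. All function names are this example's own.

```shell
#!/bin/sh
# Added example: hardware-backed SSH keys and an authorized_keys audit.
# Assumes OpenSSH >= 8.2 (FIDO2 "sk" key types). Not part of the original post.

# Generate an ed25519-sk key pair on the token.
#   -O resident         stores the credential on the token itself, so it can be
#                       recovered onto a new machine with `ssh-keygen -K`
#   -O verify-required  the token demands its PIN for every signature, not only touch
# The file written to ~/.ssh is only a key handle; the signing secret never leaves
# the token, so malware that copies ~/.ssh gets nothing it can use elsewhere.
gen_sk_key() {
    ssh-keygen -t ed25519-sk -O resident -O verify-required \
        -C "laptop-yubikey" -f "${1:-$HOME/.ssh/id_ed25519_sk}"
}

# Constructed sample authorized_keys (placeholder blobs, not real keys).
# Mixes software keys, an sk key with restriction options, and a comment line.
sample_authorized_keys() {
    cat <<'EOF'
# legacy laptop key, software only
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 alice@old-laptop
restrict,no-agent-forwarding,command="/usr/bin/git-shell -c \"$SSH_ORIGINAL_COMMAND\"" sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER2 alice@yubikey
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER3 ci-deploy
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhPLACEHOLDER4 bob@solokey
EOF
}

# Print "<sk|soft> <keytype> <comment>" per key line. The key type field is
# located by exact match against the known OpenSSH types, so option strings
# (including ones with spaces inside quotes) before it are skipped correctly.
audit_authorized_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com|ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp(256|384|521))$/)
                    break
            if (i > NF) { print "unknown", "-", "-"; next }
            kind = ($i ~ /^sk-/) ? "sk" : "soft"
            comment = (i + 2 <= NF) ? $(i + 2) : "-"
            print kind, $i, comment
        }' "$1"
}

# Number of keys that are not hardware-backed; a non-zero result is what a
# config-management or CI check would flag.
count_soft_keys() {
    audit_authorized_keys "$1" | grep -c '^soft ' || true
}

# Run the audit over the constructed sample.
run_demo() {
    f=$(mktemp)
    sample_authorized_keys > "$f"
    audit_authorized_keys "$f"
    echo "software-only keys: $(count_soft_keys "$f")"
    rm -f "$f"
}

run_demo
```

Two caveats a practitioner should keep in mind. First, server-side enforcement exists too: `PubkeyAuthOptions verify-required` in sshd_config refuses sk keys that were not created with PIN verification, so a client cannot quietly downgrade to touch-only. Second, a hardware key stops theft of the key material, which is what the credential-stealing packages in these campaigns go after; it does not stop malware already running on the host from riding an existing authenticated session or an agent socket while you are legitimately touching the token, so keep `ssh-agent` forwarding off where it is not needed and use `restrict` options on the server side, as the sample line shows.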
Similar Articles
@altryne: PSA: If you are un-aware of the latest supply-chain attacks, or aware but complacent and didn't do anything, especially…
A PSA about a series of supply-chain attacks targeting AI developer tools (Hermes, OpenClaw) via npm and PyPI, specifically the 'Mini-Shai Hulud' worm that self-replicates and steals credentials, API keys, and browser sessions. The post advises sandboxed execution and restricting package age to mitigate risks.
@RhysSullivan: just enabled a minimum age on npm package installs for my machine, should've done this sooner but if you haven't either…
A developer shares a tip to configure a minimum release age for package installs to mitigate supply-chain attacks.
Stop MITM on the first SSH connection, on any VPS or cloud provider
A new technique using cloud-init to inject temporary SSH host keys, protecting the first SSH connection to a new VM from man-in-the-middle attacks on any cloud provider. Includes a hardened open-source script implementation.
@tan_stack: SECURITY ADVISORY — TanStack npm packages A supply-chain compromise affecting 42 @tanstack/* packages (84 versions tota…
A high-severity supply-chain compromise affected 42 TanStack npm packages, exfiltrating cloud credentials and SSH keys. Users are advised to rotate credentials and reinstall from clean lockfiles if they installed packages during the attack window.
'No way to prevent this,' says only package manager where this regularly happens
Satirical article highlighting the recurring supply chain attacks in the npm registry, contrasting with more secure ecosystems like Go and Rust, and mocking the JavaScript community's acceptance of such vulnerabilities.