<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Mariam Reba Alexander</title>
    <description>The latest articles on Forem by Mariam Reba Alexander (@mariamreba).</description>
    <link>https://forem.com/mariamreba</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F663759%2F4d6b0bd1-c91a-4a82-8f9b-6f4d8822670d.jpg</url>
      <title>Forem: Mariam Reba Alexander</title>
      <link>https://forem.com/mariamreba</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/mariamreba"/>
    <language>en</language>
    <item>
      <title>Not able to keep up with tech?</title>
      <dc:creator>Mariam Reba Alexander</dc:creator>
      <pubDate>Sun, 05 Apr 2026 19:22:12 +0000</pubDate>
      <link>https://forem.com/updateddev/too-busy-to-keep-up-with-tech-12g9</link>
      <guid>https://forem.com/updateddev/too-busy-to-keep-up-with-tech-12g9</guid>
      <description>&lt;p&gt;Not able to keep up with tech?&lt;/p&gt;

&lt;p&gt;Most developers are.&lt;/p&gt;

&lt;p&gt;Between work, deadlines, and life commitments, staying updated on web dev, AI, and security often takes a back seat.&lt;/p&gt;

&lt;p&gt;It usually looks like:&lt;br&gt;
• Dozens of tabs open&lt;br&gt;
• Articles saved “for later.”&lt;br&gt;
• Important updates missed&lt;/p&gt;

&lt;p&gt;Not because developers don’t care...&lt;br&gt;
But because there simply isn’t enough time.&lt;/p&gt;

&lt;p&gt;That’s exactly why &lt;strong&gt;Updated Dev&lt;/strong&gt; exists.&lt;/p&gt;

&lt;p&gt;A curated newsletter designed for busy developers who want to stay ahead—even as tech evolves fast.&lt;/p&gt;

&lt;p&gt;No overwhelm. Just the updates that actually matter.&lt;/p&gt;

&lt;p&gt;Subscribe to receive the weekly newsletter&lt;br&gt;
👉 &lt;a href="https://www.updateddev.com" rel="noopener noreferrer"&gt;https://www.updateddev.com&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb3a0ind7g3nev70ypr0d.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb3a0ind7g3nev70ypr0d.png" alt="Updated Dev" width="800" height="1000"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>webdev</category>
      <category>news</category>
      <category>security</category>
    </item>
    <item>
      <title>Join Updated Dev: High signal feed for busy developers</title>
      <dc:creator>Mariam Reba Alexander</dc:creator>
      <pubDate>Sat, 04 Apr 2026 13:07:52 +0000</pubDate>
      <link>https://forem.com/mariamreba/join-updated-dev-high-signal-feed-for-busy-developers-2kam</link>
      <guid>https://forem.com/mariamreba/join-updated-dev-high-signal-feed-for-busy-developers-2kam</guid>
      <description>&lt;p&gt;Join &lt;a href="https://www.updateddev.com" rel="noopener noreferrer"&gt;Updated Dev&lt;/a&gt;, the newsletter for busy developers who need to cut through the noise and stay sharp. &lt;/p&gt;

&lt;p&gt;Get the essential signal on Web Dev, AI, and AppSec delivered straight to your inbox, minus the FOMO.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3wk8aofffrvg8fmz200y.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3wk8aofffrvg8fmz200y.png" alt=" " width="800" height="428"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This week, we dive into critical security challenges and groundbreaking developments that every developer should know about.&lt;/p&gt;

&lt;p&gt;🚨Security Roundup:&lt;br&gt;
Widespread supply chain attacks by TeamPCP&lt;br&gt;
Blueprint for Disaster: Claude Code Source Leak Triggers Critical RCE Flaw&lt;br&gt;
Axios Under Siege&lt;br&gt;
Critical Command Injection vulnerability in OpenAI Codex&lt;/p&gt;

&lt;p&gt;🧑‍💻Web Development:&lt;br&gt;
The Axios Supply Chain Crisis&lt;br&gt;
TypeScript 6.0 and the Go-Powered Future &lt;br&gt;
The Industry Debate: AI in Node.js Core&lt;/p&gt;

&lt;p&gt;🛠️Browser &amp;amp; Tooling Updates:&lt;br&gt;
Temporal API update&lt;br&gt;
Eleventy brand rename&lt;br&gt;
Vite 8.0 release&lt;/p&gt;

&lt;p&gt;✨AI roundup:&lt;br&gt;
The Claude Code Leak and Subcommand Bypass&lt;br&gt;
The Release of Gemma 4 and On-Device Agents&lt;br&gt;
Enterprise Expansion for Gemini 1.5 Pro&lt;/p&gt;

&lt;p&gt;💡Tips: &lt;br&gt;
Secure from supply chain attacks&lt;/p&gt;

&lt;p&gt;Catch up on these stories and more in our latest edition of &lt;a href="https://www.updateddev.com/p/updated-dev-s-weekly-roundup-a-week-of-breakthroughs-and-breaches" rel="noopener noreferrer"&gt;Updated Dev's Weekly Roundup&lt;/a&gt;. Your high-signal feed for staying informed and prepared in the ever-evolving tech landscape.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>webdev</category>
      <category>cybersecurity</category>
      <category>news</category>
    </item>
    <item>
      <title>Reviewing code as human</title>
      <dc:creator>Mariam Reba Alexander</dc:creator>
      <pubDate>Sat, 07 Mar 2026 11:07:22 +0000</pubDate>
      <link>https://forem.com/mariamreba/reviewing-code-as-human-2jg1</link>
      <guid>https://forem.com/mariamreba/reviewing-code-as-human-2jg1</guid>
      <description>&lt;p&gt;Recently, during a conversation, I was asked what I look for in a pull request when reviewing code as an experienced software engineer. I mentioned a few criteria, but not all of them came to mind at that moment. It made me think, and I decided to document them, since one of my strengths is spotting issues in others’ code 😜.&lt;/p&gt;

&lt;p&gt;Some might wonder whether this is still relevant today, given AI tools like Copilot that review code. While AI does a good job at code review, in my experience it still misses certain nuances and isn’t perfect. Our judgment, based on our knowledge of the product or feature, allows us to determine what to dismiss and what to accept. We assess whether the review is too detailed or too high-level, what is acceptable and what isn’t. We identify what is important versus what is not. Finding the right balance is something AI can’t fully replicate, and this is where our human judgment is invaluable. Additionally, we can give AI instructions to address its gaps.&lt;/p&gt;

&lt;p&gt;Here are the key points I look out for during a code review as a frontend developer.&lt;/p&gt;

&lt;h2&gt;
  
  
  Reusability
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Are there repeated pieces of logic in the code?
&lt;/h3&gt;

&lt;p&gt;Could they be extracted to create a reusable component or function? Once extracted, are they properly tested, so they can be reused wherever applicable without having to rewrite or retest them extensively? When there is a future change in logic, you only need to update it in one place, and it will be automatically reflected everywhere. This also helps minimize bugs caused by inconsistent logic when one place is updated and another is not.&lt;/p&gt;

&lt;h3&gt;
  
  
  Are there any hard-coded, repeated values?
&lt;/h3&gt;

&lt;p&gt;As with logic, these can be stored as constants in a common file and reused wherever applicable. This helps reduce typos when repeatedly using hard-coded strings in multiple places, which can cause unexpected behavior and bugs. Instead, use constants. Today’s IDEs help with accurately autocompleting imported constants, which further reduces typos. Moreover, any future change in the value can be made in one place, avoiding the need to painstakingly update hard-coded strings everywhere and risk missing a few.&lt;/p&gt;

&lt;h2&gt;
  
  
  Testability
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Did previously passing tests or assertions start failing or have to be changed?
&lt;/h3&gt;

&lt;p&gt;If previously passing tests are now failing or require changes, it indicates that the implementation logic has changed. Make sure the change is not caused by an unintended modification, typo, or side effect elsewhere. Instead of fixing the test first, verify that your implementation is correct. Review the git diff carefully to see whether there’s a mistake somewhere; it could be as simple as missing braces, a typo, or a small change you thought was harmless but that breaks tested code.&lt;/p&gt;

&lt;h2&gt;
  
  
  Readability and Understandability
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Naming of components, files, variables, and functions:
&lt;/h3&gt;

&lt;p&gt;Are they named according to what they actually do? For example, if something returns a boolean indicating whether to show or hide a button, you might name it &lt;code&gt;isButtonVisible&lt;/code&gt;. This name clearly states what it does and removes the need for additional comments. This is helpful for humans reviewing and reading the code, and it also helps AI agents understand the context. It’s a win–win.&lt;/p&gt;

&lt;h3&gt;
  
  
  Complex logic:
&lt;/h3&gt;

&lt;p&gt;Are there too many &lt;code&gt;if&lt;/code&gt; and &lt;code&gt;else&lt;/code&gt; statements? Can it be simplified with a &lt;code&gt;switch&lt;/code&gt; statement or refactored into smaller functions? This will make the code more readable.&lt;/p&gt;

&lt;h3&gt;
  
  
  Function arguments:
&lt;/h3&gt;

&lt;p&gt;Are there too many arguments being passed to a function? Can they be passed as a single object with multiple key–value pairs instead? Arguments must be passed in the correct order, and when there are many, we are bound to make mistakes. Optional arguments make this even more complicated. To avoid this confusion, you can pass multiple values in an object. From the keys in the object parameter, one can easily see what is what and not worry about the order.&lt;/p&gt;

&lt;h3&gt;
  
  
  Comments and business logic:
&lt;/h3&gt;

&lt;p&gt;If it’s difficult to understand what is going on when reading the code, that’s an indication it may need some comments explaining the underlying business logic. This will help you and your team understand why it was done in a certain way later on. Important logic should also be covered by unit tests and end-to-end tests.&lt;/p&gt;

&lt;h2&gt;
  
  
  Security
&lt;/h2&gt;

&lt;p&gt;Is the code written securely? Nowadays, static code analysis catches most insecure patterns, but it still doesn’t cover everything.&lt;/p&gt;

&lt;p&gt;Things to look out for:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Never trust user input. Are all raw user inputs sanitized for unsafe scripts and characters before sending them to the server or rendering them in the browser? This avoids most XSS attacks.&lt;/li&gt;
&lt;li&gt;Are all PII (Personally Identifiable Information) fields masked or encrypted before sending them to third-party analytics or monitoring tools?&lt;/li&gt;
&lt;li&gt;Are there any exposed API tokens or secrets, or &lt;code&gt;.env&lt;/code&gt; files accidentally committed? If anything is exposed, rotate and update the tokens.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Error handling
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Are all error scenarios handled carefully?
&lt;/h3&gt;

&lt;p&gt;Are &lt;code&gt;try/catch&lt;/code&gt; blocks used where errors are expected, such as around fetch or network requests?&lt;/p&gt;

&lt;h3&gt;
  
  
  Are we mutating values unintentionally?
&lt;/h3&gt;

&lt;p&gt;For example, suppose you want to display a future date in date-only format in one component and date-time format in another. You might accidentally modify the original date object when formatting it for one of these cases. To avoid mutating original values, try to clone or copy them and then modify them as needed. Or use a getter that only reads and returns the original value without modifying it.&lt;/p&gt;

&lt;h3&gt;
  
  
  Do the error messages shown to users reveal too much information, such as stack traces or server details?
&lt;/h3&gt;

&lt;p&gt;Overly detailed error messages can help attackers gain information about the type of server in use or expose vulnerabilities in your code.&lt;/p&gt;

&lt;h2&gt;
  
  
  Type safety
&lt;/h2&gt;

&lt;p&gt;Is your code properly typed, especially when you’re manipulating API responses for the UI? If interfaces or types are well defined, there’s less chance of mistakes. For example, you might check whether a key has a particular name before converting its value to uppercase. If you type in the wrong key name, the code will not work as expected. Another issue is when a field is optional; if you don’t know it’s optional, you might skip checking whether it’s defined, causing runtime errors when it’s missing. Having interfaces defined allows your IDE to help you identify the exact key names and avoid mistakes caused by wrong assumptions.&lt;/p&gt;

&lt;h2&gt;
  
  
  Optimization
&lt;/h2&gt;

&lt;p&gt;I also look for places where lines of code can be optimized. Fewer lines of code often mean fewer opportunities for bugs.&lt;/p&gt;

&lt;p&gt;In some cases, you can check if there’s already a utility function with similar logic that can be reused. Look for ways to adapt or slightly extend that utility function so it can support the new implementation.&lt;/p&gt;

&lt;p&gt;Do you really need to assign intermediate variables where you could use object mapping or chaining directly? Extra variables can use more memory, often negligible on their own, but small changes like this can add up and improve performance over time.&lt;/p&gt;

&lt;p&gt;I am sure there are more things I look for in a PR, but these are the top ones I can think of right now. What's important is that you care about the product, your application's users, yourself, and your teammates. If you care enough, you'll notice most mistakes in the code and try to fix them. That’s what makes us special as human reviewers. &lt;/p&gt;

</description>
      <category>coding</category>
      <category>ai</category>
      <category>webdev</category>
      <category>javascript</category>
    </item>
    <item>
      <title>Why faking real browser events doesn't work</title>
      <dc:creator>Mariam Reba Alexander</dc:creator>
      <pubDate>Tue, 03 Feb 2026 07:23:21 +0000</pubDate>
      <link>https://forem.com/mariamreba/why-faking-real-browser-events-doesnt-work-4pp1</link>
      <guid>https://forem.com/mariamreba/why-faking-real-browser-events-doesnt-work-4pp1</guid>
      <description>&lt;p&gt;Some time ago, I tried to programmatically trigger a typeahead dropdown with JavaScript for a task I was working on, and I hit a complete brick wall.&lt;/p&gt;

&lt;p&gt;I wrote the code to dispatch the input events and saw the value appear in the input box, but nothing else happened. The UI just sat there. It didn't trigger the input event that actually updates the state, and it definitely didn't trigger the dropdown.&lt;/p&gt;

&lt;p&gt;It turns out I was fighting a core security feature: &lt;a href="https://developer.mozilla.org/en-US/docs/Web/API/Event/isTrusted" rel="noopener noreferrer"&gt;the &lt;code&gt;isTrusted&lt;/code&gt; read-only property.&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  The Reality Check:
&lt;/h3&gt;

&lt;p&gt;In the Event interface, &lt;code&gt;isTrusted&lt;/code&gt; is the browser’s way of knowing if an event is "real."&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;isTrusted: true&lt;/code&gt; – Generated by the User Agent (real human clicks or physical key presses).&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;isTrusted: false&lt;/code&gt; – Dispatched via &lt;code&gt;EventTarget.dispatchEvent()&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Because I couldn't manually set &lt;code&gt;isTrusted&lt;/code&gt; to true, the dropdown's security logic ignored my "fake" events.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Workaround: Working with the Framework, not the DOM
&lt;/h3&gt;

&lt;p&gt;I eventually solved this by leaning into Vue's reactive system instead of trying to force the browser to believe a lie. Since I couldn't "fake" the event, I updated the data model directly. Then I updated the typeahead option programmatically. It wasn't about the event anymore; it was about the state.&lt;/p&gt;

&lt;h3&gt;
  
  
  How professional tools handle this:
&lt;/h3&gt;

&lt;p&gt;When you need to scale this for testing, you have to step outside the standard sandbox:&lt;br&gt;
Automation tools like Playwright and Cypress make use of the &lt;strong&gt;&lt;a href="https://chromedevtools.github.io/devtools-protocol/tot/Input/#:~:text=The%20%60dispatchMouseEvent%60%20method%20dispatches%20a%20mouse%20event,be:%20*%20%60none%60%20*%20%60left%60%20*%20%60right%60" rel="noopener noreferrer"&gt;Chrome DevTools Protocol (CDP)&lt;/a&gt;&lt;/strong&gt; to inject events into the browser's hardware pipeline, making &lt;code&gt;isTrusted&lt;/code&gt; true.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Lesson:
&lt;/h3&gt;

&lt;p&gt;If you can’t fake user authority, stop trying to force the DOM. Use a tool like &lt;em&gt;Playwright&lt;/em&gt; or &lt;em&gt;Cypress&lt;/em&gt; for automation, or work directly with your framework’s native bindings and lifecycle to get the job done.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>browser</category>
      <category>javascript</category>
    </item>
    <item>
      <title>To those who are left behind in the AI rush</title>
      <dc:creator>Mariam Reba Alexander</dc:creator>
      <pubDate>Sat, 31 Jan 2026 21:16:32 +0000</pubDate>
      <link>https://forem.com/mariamreba/to-those-who-are-left-behind-in-the-ai-rush-45f5</link>
      <guid>https://forem.com/mariamreba/to-those-who-are-left-behind-in-the-ai-rush-45f5</guid>
      <description>&lt;p&gt;Ever feel overwhelmed by AI posts on every social media and professional platform? And don't understand the AI jargon, buzzwords, and concepts being discussed? Here is a cheat sheet summarizing the key points to help you get up to speed.&lt;/p&gt;

&lt;h2&gt;
  
  
  Core Concepts
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;NLP (Natural Language Processing)&lt;/strong&gt;: The broad field of AI that teaches computers to understand, interpret, and generate human language.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;LLM (Large Language Model)&lt;/strong&gt;: A type of AI trained on massive amounts of text to predict the next word in a sequence, allowing it to chat, write, and summarize.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;LMM (Large Multimodal Model)&lt;/strong&gt;: An advanced version of an LLM that can understand more than just text, such as images, audio, and video.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Foundational Model&lt;/strong&gt;: A massive, "general purpose" AI model (like GPT-4) trained on huge data that serves as a base to be adapted for many different specific tasks.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Multimodal&lt;/strong&gt;: The ability of an AI to process and "connect" different types of data (modes) at once, like seeing an image and describing it in text. &lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Practical Techniques
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Prompt Engineering&lt;/strong&gt;: The art of crafting specific instructions or "prompts" to get the best possible answer from an AI model.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Finetune&lt;/strong&gt;: Taking a pre-trained model and giving it extra training on a smaller, specific dataset to make it an expert in a particular subject or style.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;RAG (Retrieval-Augmented Generation)&lt;/strong&gt;: Connecting an AI to a trusted external database (like your company’s files) so it can look up real-time facts before answering, reducing "hallucinations".&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Embedding Model&lt;/strong&gt;: A tool that converts text or images into a list of numbers (vectors) that represent their meaning, allowing computers to compare how "similar" two ideas are. &lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Advanced AI &amp;amp; Engineering
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;AI Engineering&lt;/strong&gt;: The practice of building complete applications using ready-made AI models (like foundation models). Instead of training a model from scratch, an AI engineer focuses on integrating these models into software, ensuring they are secure, cost-effective, and useful for the user.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;ML Engineering (Machine Learning Engineering)&lt;/strong&gt;: A specialized role focused on creating and improving the models themselves. This involves training algorithms from scratch, cleaning data, and optimizing mathematical performance.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Agentic AI&lt;/strong&gt;: AI that doesn't just talk but can act. It can break a big goal into steps, use tools (like searching the web or booking a flight), and complete tasks autonomously.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;MLOps (Machine Learning Operations)&lt;/strong&gt;: The "factory" side of AI; it’s a set of practices to ensure AI models are updated, monitored, and running reliably in the real world.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  How the Roles Work Together
&lt;/h2&gt;

&lt;p&gt;In a real-world project (like building a customer support agent), the roles collaborate in a "pipeline": &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;ML Engineer&lt;/strong&gt;: Designs and trains the "brain." They might build a custom embedding model from scratch so the company’s specific technical jargon is understood perfectly.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;AI Engineer&lt;/strong&gt;: Connects the brain to the world. They take a foundational model (like GPT-4), set up RAG so it can read private manuals, and use prompt engineering to ensure it stays polite.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;MLOps Engineer&lt;/strong&gt;: Builds the "factory." They ensure that if 10,000 customers use the app at once, the servers don't crash, and they monitor the model to make sure it doesn't start giving wrong answers over time. &lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Essential AI Engineering Tools
&lt;/h2&gt;

&lt;p&gt;AI Engineers today rely on a specific stack to move fast without building everything from scratch: &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Orchestration (Linking things together)&lt;/strong&gt;: LangChain and LlamaIndex are the "glue" used to build complex workflows and Agentic AI.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Vector Databases (For RAG)&lt;/strong&gt;: Pinecone, Weaviate, and Chroma store the embeddings that allow an AI to "search" through your documents.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;App Builders &amp;amp; UI&lt;/strong&gt;: Streamlit and Gradio are used to quickly create chat interfaces or dashboards for the AI.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Evaluation &amp;amp; Observability&lt;/strong&gt;: LangSmith and Arize Phoenix help engineers "see" into the AI's thoughts to debug why it might be hallucinating.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Local Development&lt;/strong&gt;: Ollama and LM Studio allow engineers to run powerful LLMs directly on their own laptops for private testing.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Catching up on the tools and models in the industry
&lt;/h2&gt;

&lt;p&gt;To help you catch up on the rapid evolution of AI, here is a breakdown of the leading tools and models currently dominating the industry.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Foundational Models&lt;/strong&gt;:
These are general-purpose engines used as the basis for other applications. 

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Text &amp;amp; General Reasoning&lt;/strong&gt;: OpenAI's GPT-4o, Anthropic’s Claude 3.5 Sonnet, Google’s Gemini 1.5 Pro, and Meta’s Llama 3 are examples of text and general reasoning models. Llama 3 is a leader in open-source models.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Image Generation&lt;/strong&gt;: Stable Diffusion and Midjourney are examples of image generation models.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Video Generation&lt;/strong&gt;: Synthesia (for talking heads) and Google Veo (for cinematic clips) are used for video generation. &lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;AI Applications &amp;amp; Assistants&lt;/strong&gt;:
These are ready-to-use products designed to improve productivity. 

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Coding Assistants&lt;/strong&gt;: GitHub Copilot is a standard tool for real-time coding assistance.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Meeting Automation&lt;/strong&gt;: Fireflies.ai records, transcribes, and summarizes meetings automatically.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Search &amp;amp; Research&lt;/strong&gt;: Perplexity AI is a conversational search engine that cites sources.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Workflow Assistants&lt;/strong&gt;: Lindy can execute multi-step business workflows across different apps. &lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;RAG Tools&lt;/strong&gt;:
These tools help AI interact with private data. 

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Frameworks&lt;/strong&gt;: LlamaIndex specializes in indexing and retrieving data. LangChain is popular for building application logic.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Vector Databases&lt;/strong&gt;: Pinecone (managed cloud), Weaviate (open-source), and Chroma store the "mathematical meaning" of documents for search.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Evaluation&lt;/strong&gt;: LangSmith and Arize Phoenix help with debugging AI responses. &lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Agentic AI&lt;/strong&gt;:
These frameworks enable AI to perform autonomous tasks. 

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Multi-Agent Teams&lt;/strong&gt;: CrewAI and Microsoft’s AutoGen allow the creation of AI agent teams with specific roles.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Complex Workflows&lt;/strong&gt;: LangGraph provides control over how an agent performs a task, including human-approval steps.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Autonomous Coding&lt;/strong&gt;: Goose and Claude Code can edit files and run tests. &lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Other Important Engineering Tools&lt;/strong&gt;:

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Local AI Runners&lt;/strong&gt;: Ollama is a tool for running open-source models like Llama 3 on a personal computer.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Model Optimization&lt;/strong&gt;: DSPy optimizes prompts automatically.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ol&gt;

</description>
      <category>ai</category>
    </item>
    <item>
      <title>Sandboxing AI agents for security</title>
      <dc:creator>Mariam Reba Alexander</dc:creator>
      <pubDate>Fri, 23 Jan 2026 07:43:53 +0000</pubDate>
      <link>https://forem.com/mariamreba/sandboxing-ai-agents-for-security-2egh</link>
      <guid>https://forem.com/mariamreba/sandboxing-ai-agents-for-security-2egh</guid>
      <description>&lt;p&gt;Allowing an AI agent "write access" to your local machine is like giving your car keys to a stranger. 👇 Here are some sandboxing options developers can use to isolate AI agents and keep them from exposing sensitive data on your system:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;VS Code Dev Containers - &lt;a href="https://lnkd.in/e-hs3E_m" rel="noopener noreferrer"&gt;https://lnkd.in/e-hs3E_m&lt;/a&gt;&lt;br&gt;
A ready-to-use sandbox for local development that works with Docker or in GitHub Codespaces.&lt;br&gt;
Prerequisites: Docker Desktop or Docker Engine, Visual Studio Code with the "Dev Containers" extension (ms-vscode-remote.remote-containers), or use GitHub Codespaces&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Daytona.io - &lt;a href="https://www.daytona.io/" rel="noopener noreferrer"&gt;https://www.daytona.io/&lt;/a&gt;&lt;br&gt;
Open-source, elastic infrastructure for running AI-generated code, providing isolated sandbox environments that you can manage using the Daytona SDK to run and control code execution.&lt;br&gt;
The Daytona SDK supports Python and TypeScript interfaces.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;E2B (Firecracker MicroVMs) - &lt;a href="https://lnkd.in/e-vCVQUr" rel="noopener noreferrer"&gt;https://lnkd.in/e-vCVQUr&lt;/a&gt;&lt;br&gt;
Ideal for advanced agent workflows where the AI installs third-party libraries or analyzes untrusted files.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Code sandbox - &lt;a href="https://codesandbox.io/" rel="noopener noreferrer"&gt;https://codesandbox.io/&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Docker sandbox - &lt;a href="https://lnkd.in/eRdc_h9c" rel="noopener noreferrer"&gt;https://lnkd.in/eRdc_h9c&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Together code sandbox - &lt;a href="https://lnkd.in/eyFiFvvq" rel="noopener noreferrer"&gt;https://lnkd.in/eyFiFvvq&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Anthropic Sandbox runtime (srt) - &lt;a href="https://lnkd.in/e4X8W2vs" rel="noopener noreferrer"&gt;https://lnkd.in/e4X8W2vs&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;What sandboxing options did you find for coding?&lt;/p&gt;

&lt;p&gt;Note: Always review them before using.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>agents</category>
      <category>security</category>
      <category>containers</category>
    </item>
    <item>
      <title>What will the future look like with AI?</title>
      <dc:creator>Mariam Reba Alexander</dc:creator>
      <pubDate>Thu, 22 Jan 2026 08:03:14 +0000</pubDate>
      <link>https://forem.com/mariamreba/what-will-the-future-look-like-with-ai-16ne</link>
      <guid>https://forem.com/mariamreba/what-will-the-future-look-like-with-ai-16ne</guid>
      <description>&lt;p&gt;With the current rate of technological advancement, especially in Artificial Intelligence, I can’t help but imagine what the future world will be like for upcoming generations.&lt;/p&gt;

&lt;p&gt;In my creative imagination, these are some events I predict:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Teaching programming languages will become rare. Few, if any, new programming languages will be created, as the need for them will decrease. &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Open source contributions and sponsorships will decrease significantly, and the APIs and libraries in use may start to charge for each request to sustain the projects.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;After years of AI-generated code, written by people with little real programming experience and no use of Stack Overflow or Reddit for solving edge cases, language models may begin communicating directly with systems in assembly language. There will be no need for intermediate programming languages or frameworks if AI can instruct the computer system directly, and no experienced programmer will be there to thoroughly review the output for mistakes.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;There will be a future where AI systems are no longer supervised. They will be blindly trusted and valued more than human opinions.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;AI will become so advanced across all fields that people will struggle to compete technically and skill-wise. As a result, there may be an option to implant personalized AI systems into human brains so individuals can contribute and control things using only their thoughts, expressing not just their own ideas, but also what the AI suggests, in both writing and speech.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Running data servers and managing IT infrastructure will be in high demand to keep these systems running and “alive.”&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;As many people lose their jobs, the economic situation will become challenging. Unable to afford luxury items, people will turn to greater self-sustainability in food, shelter, and small-scale animal farming.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Manual hand skills like electrical wiring, plumbing, and masonry work will be in high demand.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Children’s curricula will change, and they will be taught the foundations of AI from a very early age. The schools may include virtual classes taught by AI teaching agents, with a curriculum customised for each student based on their aptitude. &lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These are some of the things I imagined would happen.&lt;/p&gt;

&lt;p&gt;What do you think will happen?&lt;/p&gt;

</description>
      <category>ai</category>
      <category>futurechallenge</category>
    </item>
    <item>
      <title>New era of software engineering</title>
      <dc:creator>Mariam Reba Alexander</dc:creator>
      <pubDate>Tue, 20 Jan 2026 10:36:12 +0000</pubDate>
      <link>https://forem.com/mariamreba/end-of-the-era-of-writing-code-as-we-know-it-f2l</link>
      <guid>https://forem.com/mariamreba/end-of-the-era-of-writing-code-as-we-know-it-f2l</guid>
      <description>&lt;p&gt;Software engineers, including me, are now slowly coming to terms with the fact that the era of writing code as we know it is ending, but that doesn’t mean you are replaceable. This is the best time to increase your humics, i.e. your human skills, critical thinking, unique creativity, orchestration, and architectural and system design skills. &lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc1awquj0ko0xz0v8og20.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fc1awquj0ko0xz0v8og20.png" alt="linked in screenshot" width="800" height="810"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Imagine you were a factory worker doing all the manual work, and suddenly you are promoted to manager or supervisor of an entire unit. You now have to perceive it from a different angle, acquire different skills for that job, but your previous job skills will still be relevant in order for you to oversee the process or give a solution when a problem arises. &lt;/p&gt;

&lt;p&gt;This is what is now happening to software engineers with the AI shift: you have been taken many levels up, and you have more power with AI. You can oversee coding agents doing their job while you review their output. We can fix problems when they occur because of our previous experience. We are at such an advantage over a complete beginner. We can scale, we can steer it, and create super-powerful systems from our imagination and mastery.&lt;/p&gt;

&lt;p&gt;I remember this story: A large factory’s vital engine fails, and none of the current staff can fix it. They call in an expert with 40 years of experience. The expert inspects the engine briefly, reaches into his bag, and pulls out a small hammer. He gently taps a specific part of the engine, and it immediately roars back to life. A week later, the factory owner receives a bill for $10,000. Outraged at the high cost for such a simple act, the owner demands an itemized invoice. The expert responds with the following breakdown:&lt;br&gt;
Tapping with a hammer: $2.00&lt;br&gt;
Knowing where to tap: $9,998.00&lt;/p&gt;

&lt;p&gt;The lesson of the story is the value of expertise and experience. It shows that you don’t pay a professional for the few minutes they spend doing a task, but for the years of study and practice that enable them to do it so efficiently. This principle applies to software engineers; AI is a tool in your expert hands, and you can choose when, what, and how to use it. That makes you valuable. Enhance that value. Don’t chase every new fancy tool out there; that’s an endless race and impossible task. As technology evolves so rapidly, you’ll be chasing shadows. Instead, focus on improving your ability to adapt and change with whatever tools come your way, build your fundamentals, master techniques, and think about the bigger picture. &lt;/p&gt;

&lt;p&gt;This LinkedIn course by &lt;a href="https://irreplaceable.ai" rel="noopener noreferrer"&gt;Pascal Bornet&lt;/a&gt; sums up how to be irreplaceable: &lt;a href="https://lnkd.in/eDPknKbN" rel="noopener noreferrer"&gt;https://lnkd.in/eDPknKbN&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here are some of the key notes from the course that stood out:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Set Concrete Goals&lt;/strong&gt;: Implement three AI tools that will save you five hours weekly. Prioritize efficiency over effort to create more value with less volume.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Identify Automation Candidates&lt;/strong&gt;: Use the 20% rule to find tasks that consume 80% of your time but deliver minimal value. Research AI tools to automate these repetitive tasks.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Manage Digital Life&lt;/strong&gt;: Turn off non-essential notifications and schedule specific times for checking email and social media to minimize distractions.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Develop Humics&lt;/strong&gt;: Dedicate 30 minutes daily to developing uniquely human abilities such as genuine creativity, critical thinking, or social authenticity. Set specific daily exercises like creative writing or practicing active listening.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Build AI Literacy&lt;/strong&gt;: Allocate 15% of your workday to learning about AI. Listen to AI podcasts, subscribe to AI newsletters, and experiment with one new AI tool weekly.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;High-Value Activities&lt;/strong&gt;: Identify the 20% of activities that generate 80% of your impact and explore how AI can elevate these activities. Test an AI tool on one task and measure the improvement.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Digital Footprint&lt;/strong&gt;: Review and update your digital accounts' privacy settings and create a schedule to regularly clean your digital footprint.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Extend Practices to Teams and Family&lt;/strong&gt;: Implement irreplaceable practices within your teams and family. Create technology-free zones at home and teach children to use AI as a learning tool.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Community Engagement&lt;/strong&gt;: Join or create a community to share irreplaceable practices. Schedule learning sessions with colleagues to exchange AI discoveries and human skill development techniques.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Change can be difficult, but it can bring out a whole new, enriched version of you.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>ai</category>
      <category>softwaredevelopment</category>
      <category>softwareengineering</category>
    </item>
    <item>
      <title>Stepping into agentic coding</title>
      <dc:creator>Mariam Reba Alexander</dc:creator>
      <pubDate>Tue, 20 Jan 2026 09:56:24 +0000</pubDate>
      <link>https://forem.com/mariamreba/stepping-into-agentic-coding-58ip</link>
      <guid>https://forem.com/mariamreba/stepping-into-agentic-coding-58ip</guid>
      <description>&lt;p&gt;So far, I have mainly used GitHub Copilot for inline edits and PR reviews, letting my brain do most of the thinking, but I decided to dip my toes into giving full control to an AI agent. I redesigned (through code refactor) my colorful and cheeky portfolio website to a modern one using Copilot agent, and was very impressed with the results. &lt;a href="https://mariamreba.com/" rel="noopener noreferrer"&gt;https://mariamreba.com/&lt;/a&gt;. Let me know which design appeals to you more 🙂&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5e3pyk8i590sq5vc7btb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5e3pyk8i590sq5vc7btb.png" alt="My old website design" width="800" height="601"&gt;&lt;/a&gt;&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3cljfwmbcnumb2fdyxw9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3cljfwmbcnumb2fdyxw9.png" alt="AI generated website design" width="800" height="601"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Using Claude Haiku 4.5, the agent closely followed the framework's syntax and my coding style, ensuring my core component structure and code design remained intact. It only made a few minor syntax errors, such as poorly closed tags, which I could easily fix. I should admit that generated code gave better results with full context of the code rather than inline edits or PR edits for review comments. &lt;/p&gt;

&lt;p&gt;As a guardrail, I limited the agent's ability to execute terminal commands and instructed it to check for security vulnerabilities in the codebase; it detected and fixed a couple of them, which was nice. What I especially liked is that it gave neatly structured documentation of what it did for every iteration. &lt;/p&gt;

&lt;p&gt;Next time, I would look into using a sandboxed environment for local development to provide extra safety and prevent an agent from running code directly on my local machine.&lt;/p&gt;

&lt;p&gt;For non-technical users, I would recommend: &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Never grant an agent "Auto-Merge" rights to your production system; always require manual review and approval before deploying changes.&lt;/li&gt;
&lt;li&gt;Be cautious with the information you share in prompts. Avoid sharing customer lists, passwords, or private API keys&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;As the AI coding Pandora's box is now unleashed across the dev world, I plan to study agent security in more depth and share my learnings along the way.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>ai</category>
    </item>
    <item>
      <title>What action should one take to prevent and mitigate the recent npm supply chain attack</title>
      <dc:creator>Mariam Reba Alexander</dc:creator>
      <pubDate>Sun, 21 Sep 2025 12:25:06 +0000</pubDate>
      <link>https://forem.com/mariamreba/what-action-should-one-take-to-prevent-and-mitigate-the-recent-npm-supply-chain-attack-3hka</link>
      <guid>https://forem.com/mariamreba/what-action-should-one-take-to-prevent-and-mitigate-the-recent-npm-supply-chain-attack-3hka</guid>
      <description>&lt;div class="crayons-card c-embed text-styles text-styles--secondary"&gt;
    &lt;div class="c-embed__content"&gt;
        &lt;div class="c-embed__cover"&gt;
          &lt;a href="https://dev.to/mariamreba/your-response-to-the-shai-hulud-supply-chain-attack-4n5j" class="c-link align-middle" rel="noopener noreferrer"&gt;
            &lt;img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpl36yyeudf6jcpzeqwf6.png" height="350" class="m-0" width="800"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
      &lt;div class="c-embed__body"&gt;
        &lt;h2 class="fs-xl lh-tight"&gt;
          &lt;a href="https://dev.to/mariamreba/your-response-to-the-shai-hulud-supply-chain-attack-4n5j" rel="noopener noreferrer" class="c-link"&gt;
            Your response to the Shai-Hulud supply chain attack - DEV Community
          &lt;/a&gt;
        &lt;/h2&gt;
          &lt;p class="truncate-at-3"&gt;
            I am sure you have heard about the recent supply chain attack on npm packages. Many news outlets and...
          &lt;/p&gt;
        &lt;div class="color-secondary fs-s flex items-center"&gt;
            &lt;img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8j7kvp660rqzt99zui8e.png" width="300" height="299"&gt;
          dev.to
        &lt;/div&gt;
      &lt;/div&gt;
    &lt;/div&gt;
&lt;/div&gt;


</description>
      <category>shaihulud</category>
      <category>cybersecurity</category>
      <category>npm</category>
      <category>supplychainattack</category>
    </item>
    <item>
      <title>Your response to the Shai-Hulud supply chain attack</title>
      <dc:creator>Mariam Reba Alexander</dc:creator>
      <pubDate>Sun, 21 Sep 2025 12:24:06 +0000</pubDate>
      <link>https://forem.com/mariamreba/your-response-to-the-shai-hulud-supply-chain-attack-4n5j</link>
      <guid>https://forem.com/mariamreba/your-response-to-the-shai-hulud-supply-chain-attack-4n5j</guid>
      <description>&lt;p&gt;I am sure you have heard about the recent supply chain attack on npm packages. Many news outlets and blogs are explaining the attack and the immediate and intermediate actions you can take to mitigate and prevent falling victim to this attack. If you are already affected, there are some recommendations you should follow.&lt;/p&gt;

&lt;p&gt;For those who don’t know about this attack, the malicious packages contain a worm that activates after npm installation, scanning the environment for sensitive credentials such as .npmrc files, environment variables, and config files targeting GitHub PATs and cloud API keys (AWS, GCP, Azure). These credentials are exfiltrated to an attacker-controlled endpoint. The malware creates a public GitHub repository named "Shai-Hulud" under the victim's account to host stolen secrets. It also uses the compromised npm token to access the npm registry, infect other packages maintained by the developer, and publish malicious updates, enabling rapid, autonomous spread.&lt;/p&gt;

&lt;p&gt;The basic steps to prevent this include following cautious procedures before npm installation, such as verifying all dependencies in your package and package-lock files, whether in your local development environment or your CI/CD pipelines, and enforcing MFA on your GitHub and npm accounts. If compromised, check your GitHub repositories for the presence of the Shai-Hulud repository and exposed public tokens.&lt;/p&gt;

&lt;h1&gt;
  
  
  Npm safe check
&lt;/h1&gt;

&lt;p&gt;While there are general recommendations, if you are affected by the malware, you may need some detailed steps and guidance. During my internet search, I found several good detailed guidelines like the blog from &lt;a href="https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages" rel="noopener noreferrer"&gt;Socket&lt;/a&gt; and &lt;a href="https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised#immediate-actions-required" rel="noopener noreferrer"&gt;StepSecurity&lt;/a&gt; and tried to consolidate all those points. I also looked for a database of all the identified vulnerabilities and didn’t find a ready-to-use format, so I created a &lt;a href="https://gist.githubusercontent.com/M-S/7cbfd290c446e228b0c0f1f301fe678b/raw/85a1a25aae2ce228eefd0b0fc85c62bc6b07a1a3/npmMalwareChecklist.json" rel="noopener noreferrer"&gt;json file here&lt;/a&gt;. Additionally, I developed a ready-to-use script in a repository that you can run locally or in your CI/CD pipelines to check the installed packages against the list of vulnerable ones. It can also be run before the next install to verify whether the packages you're about to install are safe. While the list may grow in the future, npm installations should be performed with caution. For example, follow &lt;code&gt;npm ci&lt;/code&gt; with the &lt;code&gt;--ignore-scripts&lt;/code&gt; flag to prevent any post-installation script execution from unknown vulnerable packages. &lt;/p&gt;

&lt;p&gt;The &lt;a href="https://github.com/M-S/npmSafeCheck" rel="noopener noreferrer"&gt;npmSafeCheck repository&lt;/a&gt; provides a script to check for known malicious npm packages (e.g., those related to the &lt;strong&gt;Shai-Hulud&lt;/strong&gt; supply chain attack) before installing or upgrading dependencies. It also detects if any compromised packages are already installed in your project. It helps mitigate the risk of supply chain attacks by verifying package versions against a list of compromised packages identified as of 20th Sept 2025.&lt;/p&gt;

&lt;h2&gt;
  
  
  Usage
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;Clone this repository or download the &lt;code&gt;npmSafeCheck.sh&lt;/code&gt; script and &lt;code&gt;npmMalwareChecklist.json&lt;/code&gt; file.&lt;/li&gt;
&lt;li&gt;Place the script and JSON file in your project root directory.&lt;/li&gt;
&lt;li&gt;Run the script BEFORE executing &lt;code&gt;npm install&lt;/code&gt; or &lt;code&gt;npm update&lt;/code&gt;:
&lt;/li&gt;
&lt;/ol&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;   sh npmSafeCheck.sh
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Or you can run it as an npm script by adding the following to your &lt;code&gt;package.json&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nl"&gt;"scripts"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="nl"&gt;"safe-check"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"sh npmSafeCheck.sh"&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ol start="4"&gt;
&lt;li&gt;&lt;p&gt;If the script detects any known malicious packages, it will flag them and provide guidance on mitigation steps.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;You can also refer to a database of known compromised packages instead of the local JSON file.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;An example of how to integrate this script into a CI/CD pipeline is provided in the &lt;code&gt;.github/workflows/ci.yml&lt;/code&gt; file.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h1&gt;
  
  
  Immediate actions guidance
&lt;/h1&gt;

&lt;p&gt;If you have already installed or upgraded packages and suspect that your project may be affected by the Shai-Hulud attack, take the following immediate actions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Delete &lt;code&gt;node_modules&lt;/code&gt; and any lockfiles containing malicious versions
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nb"&gt;rm&lt;/span&gt; &lt;span class="nt"&gt;-rf&lt;/span&gt; node_modules package-lock.json yarn.lock
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Clean npm cache
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm cache clean &lt;span class="nt"&gt;--force&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Do a dry run to check which packages will be installed; this will not run any install scripts but will show which packages would be installed
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm &lt;span class="nb"&gt;install&lt;/span&gt; &lt;span class="nt"&gt;--dry-run&lt;/span&gt; &lt;span class="nt"&gt;--ignore-scripts&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Reinstall only safe packages, using &lt;code&gt;npm install&lt;/code&gt; with the &lt;code&gt;--ignore-scripts&lt;/code&gt; flag
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm &lt;span class="nb"&gt;install&lt;/span&gt; &lt;span class="nt"&gt;--ignore-scripts&lt;/span&gt; &amp;lt;safe-package&amp;gt;@&amp;lt;safe-version&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Avoid commands like &lt;code&gt;npm audit fix&lt;/code&gt; and &lt;code&gt;npm upgrade&lt;/code&gt;, as they also install packages under the hood.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Pin to known-good versions using package-lock.json&lt;br&gt;
and use &lt;code&gt;npm ci&lt;/code&gt; for future installs:&lt;br&gt;
&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm ci &lt;span class="nt"&gt;--ignore-scripts&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Search for repos, workflows, or branches named &lt;strong&gt;Shai-Hulud&lt;/strong&gt; in your public GitHub repositories, and for &lt;a href="https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised#github-search-queries-for-detection" rel="noopener noreferrer"&gt;indicators of compromise&lt;/a&gt; such as the bundle.js hash, suspicious network calls, function calls, or process executions.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Clean infected repositories ('shai-hulud' branches and workflows). Referenced from: &lt;a href="https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised#immediate-actions-required" rel="noopener noreferrer"&gt;https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised#immediate-actions-required&lt;/a&gt;&lt;br&gt;
&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Check for and remove the backdoor workflow&lt;/span&gt;
&lt;span class="nb"&gt;rm&lt;/span&gt; &lt;span class="nt"&gt;-f&lt;/span&gt; .github/workflows/shai-hulud-workflow.yml

&lt;span class="c"&gt;# Look for suspicious 'shai-hulud' branches in all repositories&lt;/span&gt;
git ls-remote &lt;span class="nt"&gt;--heads&lt;/span&gt; origin | &lt;span class="nb"&gt;grep &lt;/span&gt;shai-hulud

&lt;span class="c"&gt;# Delete any malicious branches found&lt;/span&gt;
git push origin &lt;span class="nt"&gt;--delete&lt;/span&gt; shai-hulud

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;Audit environments (CI/CD agents, developer laptops) that installed the affected versions for unauthorized publishes or credential theft.&lt;/li&gt;
&lt;li&gt;Rotate npm tokens and other exposed secrets if these packages were present on machines with publishing credentials.&lt;/li&gt;
&lt;li&gt;Turn on multifactor authentication on GitHub and npm.&lt;/li&gt;
&lt;li&gt;Audit cloud infrastructure for compromise.&lt;/li&gt;
&lt;li&gt;Monitor network logs for active exploitation.&lt;/li&gt;
&lt;li&gt;Monitor logs for unusual npm publish or package modification events.&lt;/li&gt;
&lt;li&gt;Verify package provenance: &lt;a href="https://docs.npmjs.com/viewing-package-provenance" rel="noopener noreferrer"&gt;https://docs.npmjs.com/viewing-package-provenance&lt;/a&gt;, &lt;a href="https://github.blog/security/supply-chain-security/introducing-npm-package-provenance/" rel="noopener noreferrer"&gt;https://github.blog/security/supply-chain-security/introducing-npm-package-provenance/&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Further guidance and references: &lt;a href="https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised#immediate-actions-required" rel="noopener noreferrer"&gt;https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised#immediate-actions-required&lt;/a&gt;&lt;br&gt;
&lt;a href="https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages" rel="noopener noreferrer"&gt;https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages&lt;/a&gt;&lt;br&gt;
&lt;a href="https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again" rel="noopener noreferrer"&gt;https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Other preventive solutions I found are &lt;a href="https://www.npmjs.com/package/@aikidosec/safe-chain" rel="noopener noreferrer"&gt;https://www.npmjs.com/package/@aikidosec/safe-chain&lt;/a&gt; and &lt;a href="https://github.com/danielroe/provenance-action" rel="noopener noreferrer"&gt;https://github.com/danielroe/provenance-action&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;I am curious to know what more the developer community is doing to mitigate and prevent this, and how they are doing it.&lt;/p&gt;

</description>
      <category>shaihulud</category>
      <category>cybersecurity</category>
      <category>npm</category>
      <category>supplychainattack</category>
    </item>
    <item>
      <title>Linux: Search, Filter and Output</title>
      <dc:creator>Mariam Reba Alexander</dc:creator>
      <pubDate>Mon, 28 Apr 2025 18:43:59 +0000</pubDate>
      <link>https://forem.com/mariamreba/linux-search-filter-and-output-305d</link>
      <guid>https://forem.com/mariamreba/linux-search-filter-and-output-305d</guid>
      <description>&lt;p&gt;On some occasions, one may need to filter through the contents of large files. For this, Linux has several commands to read the files and filter their contents simultaneously. Let's go through some examples. &lt;/p&gt;

&lt;h2&gt;
  
  
  Reading through a file in the command line
&lt;/h2&gt;

&lt;p&gt;When reading through a file using the &lt;code&gt;cat&lt;/code&gt; command, you usually see the last line of the file displayed before the next command prompt, requiring you to scroll backward to view the previous content.&lt;/p&gt;

&lt;p&gt;With the &lt;code&gt;more&lt;/code&gt; and &lt;code&gt;less&lt;/code&gt; commands, the content fits on the screen, and you can scroll down to see the rest of it. &lt;/p&gt;

&lt;p&gt;Try the following to see the difference.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;cat /etc/passwd
cat /etc/passwd | more
cat /etc/passwd | less
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Sometimes you may only want to read the beginning or end of a large file. For that, you can use the &lt;code&gt;head&lt;/code&gt; or &lt;code&gt;tail&lt;/code&gt; command, which will display the first 10 lines and the last 10 lines, respectively. Of course, you can specify a different number of lines with their options.&lt;/p&gt;

&lt;p&gt;Use the &lt;code&gt;man&lt;/code&gt; command to see the rest of the options.&lt;/p&gt;

&lt;h2&gt;
  
  
  Searching and filtering contents in a file
&lt;/h2&gt;

&lt;p&gt;Using the &lt;code&gt;grep&lt;/code&gt; command, one can search for matching strings or patterns in the contents of a file.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# displays matching lines containing the string "bin" in the file
cat /etc/passwd | grep "bin"
# displays matching lines that don't contain the string "false"
cat /etc/passwd | grep -v "false"
# displays lines whose first character is not "#" (skips comment lines and empty lines)
cat /etc/ssh/sshd_config | grep -E "^[^#]"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  Outputting the results of a file
&lt;/h2&gt;

&lt;p&gt;Linux manages input and output operations using references or identifiers called file descriptors. The file descriptor for the standard input stream (STDIN) is 0, for standard output (STDOUT) it is 1, and for standard error (STDERR) it is 2.&lt;/p&gt;

&lt;p&gt;Suppose you want to store the output in a file. (By default, the standard output (STDOUT - FD1) is redirected to the file, even if you don't specify the file descriptor 1.)&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# quote the pattern so the shell passes it to find unexpanded
find /etc/ -name "*.conf" 1&amp;gt;results.txt
find /etc/ -name "*.conf" &amp;gt; results.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The file will be created if it doesn't exist.&lt;/p&gt;

&lt;p&gt;Suppose you want to discard all the errors into a null device before storing or displaying the results.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;find /etc/ -name shadow 2&amp;gt;/dev/null &amp;gt; results.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Here you specify the file descriptor 2 for the standard error (STDERR - FD2).&lt;/p&gt;

&lt;p&gt;You can also log the error to a file.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;find /etc/ -name shadow 2&amp;gt; stderr.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If you want to append to an existing file, use &lt;code&gt;&amp;gt;&amp;gt;&lt;/code&gt; instead of &lt;code&gt;&amp;gt;&lt;/code&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;find /etc/ -name shadow 2&amp;gt;&amp;gt; stderr.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



</description>
      <category>linux</category>
      <category>htb</category>
    </item>
  </channel>
</rss>
