Paulius retweeted
npm finally fights supply chain attacks with v12 (July 2026) blocking install scripts by default. Here's how to adapt early without breaking your CI 🧵

What's changing:
• preinstall/install/postinstall scripts → blocked by default
• Git dependencies → blocked by default
• Remote URL deps → blocked by default

The fix is creating a one-time allowlist per repo:
💻 npm install
💻 npm approve-scripts --all
💻 git commit -m "chore: allowlist install scripts"

This snapshots exactly what's trusted today, and only new, unknown scripts are blocked automatically going forward.

CI adaptation playbook:
1. Upgrade to npm 11.16.0
2. Run the approve-scripts commands above
3. Add --strict-allow-scripts to your pipeline

Now jobs will fail loudly if anything unreviewed tries to run.
Source: github.com/orgs/community/di…
Paulius retweeted
Jun 4
🤯An AI security tool has 1st-place performance on security contests from just 1yr ago. Solidity-auditor v3 is out, FREE & Open Source. Thousands of Solidity developers are using the tool already. Upgrade your security baseline, use the tool🫡 pashov.com/solidity-auditor-…
rant time: people are so fucking obsessed with building more tools, more products, more services, more "security" layers. are you guys all fucking insane?? every single thing you add is more complexity. and complexity is exactly what makes systems _dangerous_. you don't get safer by stacking abstractions on top of abstractions. you just increase the attack surface and pray the whole dependency chain doesn't collapse (hint: it will collapse!!). now you depend on 10, 50, 100 moving parts. all needing updates, all with their own bugs, all potential supply chain failures and we call that "security" like fucking retards. dude, it's the fucking opposite. we're not building safer systems. we're building systems so complex nobody actually understands them anymore. and almost nobody is asking the obvious question: **what can we remove?** everyone wants to add. nobody wants to reduce. that's how you end up in a nightmare system (hint: we're already in that nightmare). not because of one big failure. but because of thousands of tiny dependencies you never should have had in the first place.
Paulius retweeted
May 20
software engineering in 2026: - your package manager is compromised - your cloud provider blocks your account - github itself is hacked software is solved
Paulius retweeted
Apr 30
april 2026 defi hack calendar
Apr 30
april 2026 was the worst month ever in terms of defi exploits ~$635M lost in total, 28 incidents in 30 days:
1) apr 1 - drift - $285m
2) apr 3 - silo v2 - $392k
3) apr 4 - tmm - $1.67m
4) apr 5 - denaria finance - $165k
5) apr 9 - aethir - $423k
6) apr 12 - hyperbridge - $2.5m
7) apr 12 - subquery - $60k
8) apr 13 - dango - $410k
9) apr 13 - mona - $61k
10) apr 14 - zerion - $100k
11) apr 16 - rhea finance - $18.4m
12) apr 16 - grinex - $15m
13) apr 18 - kelp dao - $293m
14) apr 20 - juicebox v3 - $52k
15) apr 20 - thetanuts finance - $50k
16) apr 21 - volo protocol - $3.5m
17) apr 22 - kipseli - $80k
18) apr 23 - giddy finance - $1.3m
19) apr 25 - purrlend - $1.5m
20) apr 26 - scallop - $150k
21) apr 27 - singularity finance - $413k
22) apr 27 - zetachain - $300k
23) apr 28 - judao - $228k
24) apr 28 - quant - $138k
25) apr 29 - aftermath perps - $1.14m
26) apr 29 - sweat foundation - $3.5m
27) apr 29 - syndicate - $330k
28) apr 30 - wasabi protocol - $5m
Paulius retweeted
Kelp rsETH exploit is terrible due to extensive DeFi integrations. Not sure how big the exposure is yet but:
- Aave V3: Markets already frozen
- SparkLend: Also froze the rsETH market
- Lido Earn via Mellow strategy meta-vault. I think it was a leveraged market
- Fluid: Frozen market
- Compound
- Euler
- Upshift: Paused High Growth ETH and Kelp Gain vaults
- Pendle PT YT tokens
- Some Beefy strategies. Yearn?
I suppose LayerZero is probably affected too, as rsETH were bridged from L2s, so I wonder if those rsETH on L2s aren't worthless right now. The situation is still developing, so I don't want to FUD any protocol, but it seems there are not many places to hide in DeFi.
Paulius retweeted
SEAL is coordinating an active investigation into the ongoing incident involving Kelp DAO along with all relevant stakeholders. If you have information to share or are able to assist in freezing/recovering funds, please reach out at t.me/seal_911_bot
Paulius retweeted
KelpDAO's rsETH bridge seems to have been exploited for ~$292M. Hacker borrows WETH against stolen rsETH on Aave. Here's what we know.
Paulius retweeted
Link to site: soliditylang.org/survey-2025… Some highlights:
- Stack-too-deep is the number 1 pain point
- The majority use AI and 45% don't trust the output
- Foundry sees continued market gain as dev framework
- 70% have not heard of Core Solidity
Paulius retweeted
🆕 Contract Tab Revamp Navigating contract source code used to mean a lot of scrolling. Now you've got a full IDE-style code browser, plus refreshed read/write tabs Here's what's new ⤵️
Paulius retweeted
21 crypto projects are shutting down. If you have assets on any of these, move them out:
1. Fantasy top (@fantasy_top_) → Core mode sunset ~mid-June
2. Magic Eden ME Wallet (@MagicEden) → x.com/MagicEden/status/20390…
3. Leap Wallet (@leap_wallet) → x.com/leap_wallet/status/203…
4. Dmail (@Dmailofficial) → x.com/Dmailofficial/status/2…
5. Intergaze (@intergaze_xyz) → x.com/intergaze_xyz/status/2…
6. Yupp ai (@yupp_ai) → x.com/pankaj/status/20390100…
7. Tally (@tallyxyz) → x.com/tallyxyz/status/203391…
8. Fey Protocol (@feyprotocol) → x.com/feyprotocol/status/203…
9. Angle Protocol (@AngleProtocol) → x.com/AngleProtocol/status/2…
10. DataHaven_xyz (@DataHaven_xyz) → x.com/DataHaven_xyz/status/2…
11. Step Finance (@StepFinance_) → x.com/StepFinance/status/202…
12. Parsec Finance (@parsec_finance) → x.com/parsec_finance/status/…
13. ZeroLend (@zerolendxyz) → x.com/zerolendxyz/status/202…
14. PolynomialFi (@PolynomialFi) → x.com/PolynomialFi/status/20…
15. Nifty Gateway → x.com/niftygateway/status/20…
16. SlingshotCrypto (@SlingshotCrypto) → x.com/SlingshotCrypto/status…
17. Runiverse Game (@RuniverseGame) → x.com/RuniverseGame/status/2…
18. Soundxyz (@soundxyz_) → x.com/soundxyz_/status/20013…
19. MilkyWay (@milky_way_zone) → x.com/milky_way_zone/status/…
20. Pixiland Social (@pixilandsocial) → x.com/pixilandsocial/status/…
21. Blocto App (@BloctoApp) → x.com/BloctoApp/status/19993…
x.com/0xvietnguyen/status/20…

Leap Wallet: Sunset Notice

After careful consideration, we've made the decision to sunset Leap Wallet and its associated products. The products will be sunset on 28th May, 2026, and all users should complete their migration before then.

We started Leap in 2022 to redefine what wallet experiences in crypto mean. Over time, that journey expanded across multiple ecosystems and 100 chains. Through every phase, the team approached the work with conviction, care, and a deep sense of responsibility to the users and communities we served. This decision was not made lightly. We continue to believe in the long-term future of crypto and the interchain ecosystem, and we remain supporters of the builders still in the arena.

What's being sunset
The following products will be sunset after 28th May, 2026:
• Leap Wallet (Extension, iOS, Android)
• Compass Wallet (Extension, iOS, Android)
• Leap WebApp
• Swapfast
• Leap Cosmos Hub Validator
• Leap Cosmos Snaps
Until that date, all wallet products listed above will retain their existing core functionality. You will still be able to view balances, send tokens, manage staking positions, and export your recovery phrase and private keys. All other products listed above will likewise retain their existing functionality until 28th May, 2026.

What users need to do
If you are using one of Leap's wallet products, we recommend migrating your wallets to another wallet like Keplr, MetaMask, Phantom, or Rabby. Because Leap is a non-custodial wallet, your assets live on the blockchain, not in our apps. As long as you have your recovery phrase, you can continue to access your assets through another compatible wallet by importing that recovery phrase. Your addresses and balances will carry over automatically.
If you have ATOM delegated to Leap's Cosmos Hub validator, please redelegate to another validator to continue earning staking rewards. We encourage doing this as early as possible to account for network unbonding periods.
Detailed migration guide and FAQs can be found on the website - leapwallet.io

What to expect next
After 28th May, 2026, all Leap products will be sunset and will no longer function, including applications already installed in your browser or on your mobile device. Even if you do not migrate from Leap to another wallet before that date, you can still recover access to your assets by importing your recovery phrase into another supported wallet. Migration support will be available through our official support channels until 28th May, 2026 at support@leapwallet.io

Thank You
Thank you to all our users, for letting us serve you through so many market cycles. Thank you to our amazing partners, for helping us build experiences & worlds we never thought possible. Thank you for Leaping with us. 🐸 💚
Paulius retweeted
Mar 31
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.

The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware.

axios has 100M weekly downloads. Every npm install pulling the latest version is potentially compromised right now.

Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence

If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
Paulius retweeted
The @battlechain testnet is now LIVE. Come enter the ultimate red-team platform. Give us feedback so we can launch mainnet very soon, and fix web3 security.
Web3 companies are posting jobs on jobs.ashbyhq.com Here is how to find them 1. Google "site:jobs.ashbyhq.com defi" 2. Filter by date (last month) Replace "defi" with other keywords Positions I found gist.github.com/t4sk/faed549… Good luck
Paulius retweeted
Source Code Intelligence is now live in EVM Chronicle. Variables are now inline-clickable in source view, so you can inspect live storage instantly. Functions are now simulatable directly from code, with inputs and execution traces in one flow. From source → state → execution, without leaving the page.
Paulius retweeted
Keeping up with Web3 hacks is chaotic. You need to monitor:
- @CertiKAlert
- @SlowMist_Team
- @realScamSniffer
- @CyversAlerts
- @Phalcon_xyz
- @HypernativeLabs
- @guardrailai
- @blockthreat
- @RektHQ
- dozens of security researchers on X
Everything is scattered. So we built QuillMonitor. An AI agent that tracks security alerts across the ecosystem and pushes real-time hack alerts into one feed.
Each alert includes:
• exploit summary
• impacted contracts
• mitigation notes
• links to the original researchers / alert sources
All discoveries are credited to the original researchers. QuillMonitor simply aggregates signals into one place. 🚨 t.me/QuillMonitor / @ QuillMonitor
A few words about my condition, my health, and how my treatment is going. The initial diagnosis of a brain tumor was not confirmed (although benign cysts were found), but I am continuing treatment for POTS, asthma, lymphadenitis, tachycardia attacks, and hypertension. I have already spent almost $50,000 on treatment, which is almost all of my savings. I am also waiting for another MRI to double-check my brains. I would like to share my story, hoping to find people with similar symptoms and learn a little more about treatment so I can ask my doctor about it. I'll start with the fact that on June 24, 2024, I suddenly started to suffocate (air hunger) and feel oxygen deprivation. It was terrible. I thought I was going to die. My palms were cold, my heart was racing (up to 160 bpm), and my stomach hurt. I managed to call an ambulance, and when they arrived, they did an ECG and measured my oxygen saturation. They said that I apparently had vegetative-vascular dystonia and a panic attack. They recommended that I take glycine. They also took me to the hospital, where I had a CT scan of my lungs, and then they sent me home. After that, I went to see a neurologist, who diagnosed me with somatoform disorder. Then I developed a terrible feeling of anxiety that still haunts me to this day. I developed restless legs syndrome, I am very afraid for the future, and I am very afraid that I will suffocate again. Anyway... I went to other private doctors, a cardiologist, a pulmonologist, an endocrinologist... They found asthma, gastritis, and some other problems that, in theory, couldn't cause such symptoms. I spent a huge amount of money on all the doctors and had a CT scan of my lungs, an ultrasound of my heart and neck vessels, and a huge number of tests... It's just awful... I should mention that I'm only 27 years old and was 26 when these symptoms started. Since I had recently had COVID-19, I thought I might have a blood clot or POTS... So I had an X-ray and other tests done. 
The cardiologist tested me and determined that my resting heart rate was 65-70, but when I stand up, it reaches 110-120. So, I was diagnosed with POTS. However, as treatment, they prescribed cytoflavin and meldonium, which have no scientific evidence of effectiveness. I think my doctor doesn't really believe in this diagnosis, so he sent me to a psychiatrist when he heard from me that I was afraid of forgetting how to breathe and similar things. I went to the psychiatrist and he prescribed me escitalopram and diagnosed me with depression and CPTSD. He also advised me to do EMDR, which I have just started. On June 23, 2024, I was a perfectly healthy 26-year-old guy, but by June 25, I felt like I had lost almost all of my health. It was just awful. I want to do a few more tests to find out for sure whether there are any blood clots in my lungs (although the CT scan showed that there aren't any) using rarer diagnostic methods such as lung scintigraphy through inhalation of radioactive gas. But anyway, time is passing... And the anxiety remains. If you have acquaintances who have experienced similar symptoms, or if you yourself have encountered them, please DM me... perhaps I am overlooking something. Also, if you would like to help me with a donation, I would be very grateful and will return all the money once I finally overcome my illness, whatever it may be. I hope to return to my work schedule, write articles, and do more scientific work.
Dear friends, for the past few days I have been suffering from health issues. Please pray for me - it doesn't matter what religion you follow. I hope that I will be able to recover and continue blogging as before. I have a lot of projects planned and I really want to make them happen...
Paulius retweeted
We are seeing a new BIG wave of Telegram account takeovers (thousands hacked daily). We are highly suspicious, but cannot prove it yet, that this is happening because SMS with auth codes sent by Twilio are being intercepted by multiple threat actors at the Tiers level (as we discovered in March 2025).
- In the meantime, the way to protect yourself is very simple: Settings > Privacy and Security > Two-Step Verification: turn it on, write it down and configure a secure email.
- If your Telegram account is hacked, you are NOT gonna get it back, and all your contacts and conversations are gone forever (unless you are high-profile).
Stay safe
Paulius retweeted
Mar 4
🚨Ethereum Developers: you can now install your first AI Auditor in 1 minute - fully autonomous, available 24/7, with multiple sub-agent helpers. Open Source. FREE to use (with your AI model) and already finding vulnerabilities in smart contracts. Link below🫡