There's a long history of people trying to build software that detects bad software. It's known as Antivirus software. It doesn't work very well, because you're up against fundamental truths of computational theory (the halting problem).
That framing is too broad for what npm supply chain attacks actually look like.
Antivirus deals with arbitrary binaries on a general purpose OS. npm attacks are much more constrained. The code has to run during install or import, steal credentials, send them over the network, and hide inside a package that claims to do something ordinary. That narrows the space.
I am not solving “is this code malicious?” in the abstract. I am checking concrete violations of behavioral invariants. A CSS library importing child_process. A utility suddenly adding obfuscated network calls in a patch release. A package reading .ssh keys during postinstall. Those patterns are not theoretical edge cases. They are how real attacks work.
No, you cannot catch everything. But every major npm supply chain incident in 2025 used the same playbook: install script abuse, credential theft, network exfiltration. That is highly detectable. The goal is not perfection. It is raising the cost of attack in a space where most attackers are currently not even trying to evade detection.
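One way to encode the concrete invariants this comment lists (install hooks, out-of-place OS and network modules in a CSS package, credential-file references, obfuscation markers, and capabilities that first appear in a patch release), as an added example in Node that is not the commenter's own tool; it assumes package.json and file contents are already loaded into memory, and every sample input is constructed:

```javascript
// Added example (not the commenter's code): invariant checks over a package's
// metadata and source files already loaded in memory. All inputs are constructed.
const RISKY_MODULES = ['child_process', 'net', 'http', 'https', 'dns'];
const IMPORT_RE = /(?:require\(\s*['"]([^'"]+)['"]\s*\)|from\s+['"]([^'"]+)['"])/g;
const CREDENTIAL_RE = /\.ssh[\\/]|id_rsa|id_ed25519|\.npmrc|\.aws[\\/]credentials/;
const OBFUSCATION_RE = /\b(?:eval|Function)\s*\(|String\.fromCharCode\s*\(|['"][A-Za-z0-9+\/=]{80,}['"]/;

// Module specifiers pulled from require()/import-from statements.
function findImports(src) {
  const mods = new Set();
  for (const m of src.matchAll(IMPORT_RE)) mods.add(m[1] || m[2]);
  return [...mods];
}

// Modules the new release imports that the previous release did not:
// a utility gaining process or network capability in a patch is the signal.
function addedImports(oldFiles, newFiles) {
  const before = new Set(Object.values(oldFiles).flatMap(findImports));
  return [...new Set(Object.values(newFiles).flatMap(findImports))].filter(m => !before.has(m));
}

// Returns human-readable findings; an empty array means no invariant was violated.
function checkPackage(pkg, files) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (scripts[hook]) findings.push(`install hook "${hook}": ${scripts[hook]}`);
  }
  // Heuristic: name or keywords say "CSS/theme", so OS and network modules are out of place.
  const looksLikeCss = (pkg.keywords || []).includes('css') || /css|style|theme/i.test(pkg.name || '');
  for (const [path, src] of Object.entries(files)) {
    for (const mod of findImports(src)) {
      if (looksLikeCss && RISKY_MODULES.includes(mod)) findings.push(`${path}: CSS package imports ${mod}`);
    }
    if (CREDENTIAL_RE.test(src)) findings.push(`${path}: references credential files`);
    if (OBFUSCATION_RE.test(src)) findings.push(`${path}: obfuscation indicator`);
  }
  return findings;
}

// Constructed sample: a theme package whose 1.2.1 patch release gained a postinstall hook.
const PREVIOUS_FILES = { 'index.js': "module.exports = require('./theme.css');" };
const SAMPLE_FILES = { ...PREVIOUS_FILES,
  'install.js': "const cp = require('child_process');\nconst fs = require('fs');\n" +
    "const key = fs.readFileSync(home + '/.ssh/id_rsa');\nconst https = require('https');" };
const SAMPLE_PKG = { name: 'nice-theme-css', version: '1.2.1', keywords: ['css'],
  scripts: { postinstall: 'node install.js' } };

console.log(checkPackage(SAMPLE_PKG, SAMPLE_FILES), addedImports(PREVIOUS_FILES, SAMPLE_FILES));
```

In practice the previous-release files would come from the registry tarball of the last published version, so the diff runs on every update rather than only at first install.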
If the rest of the world wants to still have an industry once we finally decide to seriously use green technology, they should quickly catch up to China - if that's still possible.
While China is still very reliant on fossil fuels, and particularly dirty coal, they're at the same time working on dominating the post-fossil age at astonishing speed. After they already dominate solar and batteries, they're working on doing the same for a number of other future green industries. They are already dominating future technologies like Green Methanol that most people in Europe or the US have never heard of.
That can't be true, right? I mean, Google broke Adblockers in Chrome to prevent this very issue. And it had absolutely nothing to do with Google's Ad business.
So it's completely impossible that such malicious extensions still exist.
I used to create a number of simple web pages in XHTML back in the days when we believed XHTML was the future. Recently, while going through and restructuring some of my old "online stuff", I learned that XHTML really isn't in a state that I'd want to use it any more:
* XHTML 1.0 and 1.1 are officially deprecated by the W3C.
* XHTML5 exists as a variant of HTML5. However, it's very clear that it's absolutely not a priority for the HTML5 working groups, and there's a statement that future features will not necessarily be supported by the XHTML5 variant.
* XHTML5 does not have a DTD, so one of the main advantages of XHTML - that you can validate its correctness with pure XML functionality - isn't there.
* If you do a 'view source' in Firefox on a completely valid XHTML 1.0/1.1 page, it'll redline the XML declaration like it's something wrong. Not sure if this is intended or possibly even a bug, but it certainly gives me a 'browser tells me this is not supposed to be there' feeling.
It pretty much seems to me XHTML has been abandoned by the web community. My personal conclusion has been that whenever I touch any of my old online things still written in XHTML, I'll convert them to HTML5.
> If you do a 'view source' in Firefox on a completely valid XHTML 1.0/1.1 page, it'll redline the XML declaration like it's something wrong
Is the page actually being served as "application/xhtml+xml"? Most XHTML sites aren't, in which case the browser is indeed interpreting those as invalid declarations in a regular old HTML document.
Those red squiggles on view-source: pages in Gecko all have title text with diagnostics. The message (errProcessingInstruction) in recent-ish releases is given as:
> Saw “<?”. Probable cause: Attempt to use an XML processing instruction in HTML. (XML processing instructions are not supported in HTML.)
Okay, story time: back in 2018, the German government's foreign ministry was hacked.
At the time, a colleague of mine (we were both working for the German IT news magazine Golem) found a web page by a government-associated university that was offline with a message that it's been taken down due to a security issue.
Putting a few hints together, we figured out that Ilias was hosted there, and that this was how the attack on the government initially started.
We weren't able to figure out which vulnerability was used, but had some ideas what it might've been. (Older versions had a default password for the admin account.)
One wonders: there's Open Source software that's widely used by universities, even by government-associated universities. It's been the cause of a high-profile attack on a government before. One wonders why that doesn't trigger sufficient funding for regular, high-quality security audits of that software.
I'm certainly a lay person here, so take this with a grain of salt. But my understanding is that this is part of the problem, or more the issue that people criticize.
I think it's largely uncontroversial that the math in string theory could be useful in other areas. But if that's your argument for the legitimacy of string theory then the question arises what string theory is and if it is still part of physics. Because physics has, of course, the goal of describing the real world, and, my understanding is, string theory failed to do that, despite what many people have hoped.
If string theory is "just a way of developing math that can be useful in totally unrelated areas", it's, well, part of mathematics. But I don't think that's how the field sees itself.
And why would that be a reason to attack people who don't care at all about the physics, but acknowledge that the mathematical ideas they use originated in string theory? Should they omit that just because the physics side of string theory has been more or less fruitless?