Blog

What's happening at boring.tools

Updates on development, security insights, and everything supply chain security.

The jscrambler compromise shows why install-time code execution is dangerous
supply-chainsecuritynpmmalwaredeveloper-tools

The jscrambler compromise shows why install-time code execution is dangerous

A compromised jscrambler npm release used a preinstall hook to run hidden native binaries before application code ever loaded.

boring.tools teamboring.tools team·
npm 12 makes install scripts opt-in by default
supply-chainsecuritynpmdeveloper-toolscicd

npm 12 makes install scripts opt-in by default

npm 12 turns lifecycle scripts, Git dependencies, and remote tarballs into explicit choices. That is a meaningful shift for JavaScript supply-chain security.

boring.tools teamboring.tools team·
Phantom squatting turns AI hallucinations into supply-chain risk
supply-chainsecurityaideveloper-toolsphishing

Phantom squatting turns AI hallucinations into supply-chain risk

LLMs can invent plausible domains, API endpoints, and portals. Unit 42's research shows attackers can register those hallucinations and turn trusted AI output into a delivery path.

boring.tools teamboring.tools team·
GitHub Action tags are part of your software supply chain
supply-chainsecuritygithubcicdgithub-actions

GitHub Action tags are part of your software supply chain

The codfish semantic-release-action compromise shows why CI/CD actions need the same inventory, pinning, and secret-scoping discipline as packages.

boring.tools teamboring.tools team·
PolinRider shows why supply-chain response has to cross ecosystems
supply-chainsecuritynpmgithubdeveloper-tools

PolinRider shows why supply-chain response has to cross ecosystems

Socket linked PolinRider to 162 malicious artifacts across npm, Packagist, Go modules, and Chrome extensions. Here's what defenders should check.

boring.tools teamboring.tools team·
Mastra npm packages were backdoored through an easy-day-js typosquat
supply-chainsecuritynpmtyposquatai

Mastra npm packages were backdoored through an easy-day-js typosquat

A compromised @mastra publish added a dayjs-looking dependency across 140+ packages. Here's what happened, how to check exposure, and what to do next.

boring.tools teamboring.tools team·
Automated SBOM generation with Git integration
sbomgitgithubforgejoautomation

Automated SBOM generation with Git integration

Connect your GitHub or Forgejo repositories to boring.tools and generate CycloneDX SBOMs automatically on every commit. No CI changes, no manual steps.

boring.tools teamboring.tools team·
OWASP API Security Top 10 2023: What every developer should know
owaspapi-securityweb-securityapiauthenticationauthorization

OWASP API Security Top 10 2023: What every developer should know

APIs are the backbone of modern applications — and the primary attack surface. The OWASP API Security Top 10 2023 maps the most critical risks, from broken authorization to unsafe consumption of third-party APIs.

boring.tools teamboring.tools team·
OWASP Top 10 CI/CD Security Risks: What every pipeline needs to know
owaspcicdsupply-chainsecuritydevops

OWASP Top 10 CI/CD Security Risks: What every pipeline needs to know

From Poisoned Pipeline Execution to Dependency Chain Abuse — the OWASP Top 10 CI/CD Security Risks framework maps the attack vectors threatening modern software delivery. Here's what each risk means and how to defend against them.

boring.tools teamboring.tools team·
Software supply chain attacks: what they are and how to defend against them
supply-chainsecurityvulnerability-management

Software supply chain attacks: what they are and how to defend against them

axios. TanStack. event-stream. Supply chain attacks have become one of the most effective ways to compromise software at scale. Here's how they work and what you can actually do about them.

boring.tools teamboring.tools team·
VS Code now waits 2 hours before auto-updating extensions — and your package manager probably should too
supply-chainsecuritydeveloper-tools

VS Code now waits 2 hours before auto-updating extensions — and your package manager probably should too

Microsoft added a two-hour delay to VS Code's extension auto-updates to reduce supply chain risk. The same idea is already built into Bun, npm, pnpm, and Yarn. Here's how it works and why it matters.

boring.tools teamboring.tools team·
What is an SBOM and why should developers care?
sbomsecuritybasics

What is an SBOM and why should developers care?

A Software Bill of Materials sounds like compliance paperwork. It isn't. Here's what an SBOM actually is, what CycloneDX and SPDX look like in practice, and why knowing your dependencies matters more than ever.

boring.tools teamboring.tools team·
Miasma: the self-spreading npm worm that targets your AI coding tools
supply-chainsecuritynpmworm

Miasma: the self-spreading npm worm that targets your AI coding tools

The Miasma worm compromised 57 npm packages, 73 Microsoft GitHub repositories, and began spreading to PyPI — all in under two weeks. Here's how it works and what you need to check.

boring.tools teamboring.tools team·
The EU Cyber Resilience Act: what it actually means for your software
compliancecrasbomsupply-chain

The EU Cyber Resilience Act: what it actually means for your software

The CRA is law. By December 2027 every product with digital elements sold in the EU needs an SBOM, secure-by-design engineering, and a vulnerability process. Here's what that means in practice — without the legal fog.

boring.tools teamboring.tools team·
Introducing boring.tools: Supply Chain Security, Simplified
announcementsbomsecurity

Introducing boring.tools: Supply Chain Security, Simplified

Today we're announcing boring.tools — a platform that helps you generate SBOMs, track CVEs, and understand your software supply chain without the complexity.

boring.tools teamboring.tools team·