Security Researchers Spot 150,000 Function-less npm Packages in Automated ‘Token Farming’ Scheme
An anonymous reader shared this report from The Register:

Yet another supply chain attack has hit the npm registry in what Amazon describes as “one of the largest package flooding incidents in open source registry history” — but with a twist. Instead of injecting credential-steal … ⌘ Read more

The average Australian wedding is $34,000. Polly and Riley’s choice starts at $480
In a year when Jeff Bezos’ wedding was slammed for its excess, registry weddings are on the rise. ⌘ Read more

The US Do Not Call registry is offline
Comments ⌘ Read more

How to find, install, and manage MCP servers with the GitHub MCP Registry
Learn how to bring structure and security to your AI ecosystem with the GitHub MCP Registry, the single source of truth for managing and governing MCP servers.

The post How to find, install, and manage MCP servers with the GitHub MCP Registry appeared first on … ⌘ Read more

Our plan for a more secure npm supply chain
Addressing a surge in package registry attacks, GitHub is strengthening npm’s security with stricter authentication, granular tokens, and enhanced trusted publishing to restore trust in the open source ecosystem.

The post Our plan for a more secure npm supply chain appeared first on The GitHub Blog. ⌘ Read more

The Windows Registry Adventure #7: Attack surface analysis
Comments ⌘ Read more

@anth@a.9srv.net happy birthday, “youngster!”

Domain Name: NETBROS.COM
Registry Domain ID: 1193243_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.cloudflare.com
Registrar URL: https://www.cloudflare.com
Updated Date: 2025-03-29T04:08:33Z
Creation Date: 1998-04-29T04:00:00Z

My Hypothesis for why registries didn’t work and why they still won’t really work today is because the bend the rules of “true” decentralization a bit. Users have to pick one or more registries to “register” to. Why would they want to do this? What is their incentive to do so? Then on the other hand, users need a client that has registry support, but now which registry or sets of registries do you choose?

@prologic@twtxt.net yes.. But have I? And all the other pods and registries?

Hi, So i made a little MVP registry crawler tool for twtxt. It now has a basic UI to play with. It has a somewhat full history back to about 2018-ish. Plus some interesting bits that were timestamped to earlier.

Find it here: https://watcher.sour.is

Code base is found here: https://git.sour.is/sour-is/xt

Registry format is its own thing. It takes the regular feed and appends nick \t uri \t to it. Its something that existed before yarn got big. There is still a bit of work but I will put together a ui for it to make it easier to view and navigate.

@eapl.me@eapl.me I am currently working on Implementing a registry that is also a crawler. It finds any feeds that are mentioned or in the follows header.

https://watcher.sour.is/api/plain/twt

https://watcher.sour.is/api/plain/users

I think @prologic@twtxt.net is also working on one.

@eapl.me@eapl.me this “directory” is actually named registry. You can see users at https://registry.twtxt.org/api/plain/users and his twts at https://registry.twtxt.org/api/plain/tweets

Hmm so looking at the swagger of the registry spec client it seems to just take a “page”.. That seems worse than doing an offset. Lol.

https://github.com/DracoBlue/twtxt-registry/blob/master/src/swagger.json

I’m not much a fan of registry limit/offset paging. I think I prefer the cursor/count method. And starting at zero for first and max for latest.

I need to import my yarn cache. It’s sitting at about 1.5G in registry format. That should make things interesting…

Why not just use registry? It can be personal or hosted by someone like registry.twtxt.org. Just need to be adapt to support hashes

@andros@twtxt.andros.dev Sorry I missed your messages to #twtxt on IRC. There are people there, but it can take several hours to get a response. E.g. I check it every day or two. I recommend using an IRC bouncer. To answer your question about registries, I used a couple of registries when I first started out, to try to find feeds to follow, but haven’t since then. I don’t remember which ones, but they were easy to find with web searches.

@david@collantes.us Thanks, that’s good feedback to have. I wonder to what extent this already exists in registry servers and yarn pods. I haven’t really tried digging into the past in either one.

How interested would you be in changes in metadata and other comments in the feeds? I’m thinking of just permanently saving every version of each twtxt file that gets pulled, not just the twts. It wouldn’t be hard to do (though presenting the information in a sensible way is another matter). Compression should make storage a non-issue unless someone does something weird with their feed like shuffle the comments around every time I fetch it.

@prologic@twtxt.net I believe you when you say registries as designed today do not crawl. But when I first read the spec, it conjured in my mind a search engine. Now I don’t know how things work out in practice, but just based on reading, I don’t see why it can’t be an API for a crawling search engine. (In fact I don’t see anything in the spec indicating registry servers shouldn’t crawl.)

(I also noticed that https://twtxt.readthedocs.io/en/latest/user/registry.html recommends “The registries should sync each others user list by using the users endpoint”. If I understood that right, registering with one should be enough to appear on others, even if they don’t crawl.)

Does yarnd provide an API for finding twts? Is it similar?

@prologic@twtxt.net I guess I thought they were search engines. Anyway, the registry API looks like a decent one for searching for tweets. Could/should yarn.social pods implement the same API?

@prologic@twtxt.net What’s the difference between search.twtxt.net and the /api/plain/tweets endpoint of a registry? In my mind, a registry is a twtxt search engine. Or are registries not supposed to do their own crawling to discover new feeds?

@prologic@twtxt.net How does yarn.social’s API fix the problem of centralization? I still need to know whose API to use.

Say I see a twt beginning (#hash) and I want to look up the start of the thread. Is the idea that if that twt is hosted by a a yarn.social pod, it is likely to know the thread start, so I should query that particular pod for the hash? But what if no yarn.social pods are involved?

The community seems small enough that a registry server should be able to keep up, and I can have a couple of others as backups. Or I could crawl the list of feeds followed by whoever emitted the twt that prompted my query.

I have successfully used registry servers a little bit, e.g. to find a feed that mentioned a tag I was interested in. Was even thinking of making my own, if I get bored of my too many other projects :-)

@prologic@twtxt.net Yes, fetching the twt by hash from some service could be a good alternative, in case the twt I have does not @-mention the source. (Besides yarnd, maybe this should be part of the registry API? I don’t see fetch-by-hash in the registry API docs.)

Bringing npm registry services to GitHub Codespaces
The npm engineering team recently transitioned to using GitHub Codespaces for local development for npm registry services. This shift to Codespaces has substantially reduced the friction of our inner development loop and boosted developer productivity.

The post Bringing npm registry services to GitHub Codespaces appeared first on [The GitHub Blog] … ⌘ Read more

I’ve added myself to the registries at registry.twtxt.org and twtxt.tilde.institute. I wonder if there’s a list of registries. #meta

GitHub Enterprise Server 3.5 is now generally available
GitHub Enterprise Server 3.5 is available now, including access to the Container registry, the addition of Dependabot, enhanced administrator capabilities, and features for GitHub Advanced Security. ⌘ Read more

Enhanced 2FA experience for your npm account
Late last year, in response to an unprecedented series of account takeovers resulting from the compromise of developer accounts without 2FA enabled, we committed to a variety of enhancements to the npm registry to make two-factor authentication (2FA) adoption easier for developers. Today, we are launching a public beta for a significantly improved 2FA experience […] ⌘ Read more

Though twtxt registries never really took off gemini://warmedal.se/~antenna/twtxt.txt presents the last 7 days of twts known by Antenna in the registry format. It’s intended to be a help in discovering twt feeds in geminispace (there aren’t very many yet).

Enrolling all npm publishers in enhanced login verification and next steps for two-factor authentication enforcement
Today we’re introducing enhanced login verification to the npm registry, and we will begin a staged rollout to maintainers beginning Dec 7. ⌘ Read more

GitHub’s commitment to npm ecosystem security
We’re sharing details of recent incidents on the npm registry, our investigations, and how we’re continuing to invest in the security of npm. ⌘ Read more

The npm registry is deprecating TLS 1.0 and TLS 1.1
Beginning October 4, 2021, all connections to npm websites and the npm registry, including for package installation, must use TLS 1.2 or higher. ⌘ Read more

GitHub Packages Container registry is generally available ⌘ Read more…

Securing the open source supply chain by scanning for package registry credentials ⌘ Read more…

Introducing GitHub Container Registry ⌘ https://github.blog/2020-09-01-introducing-github-container-registry/

https://registry.twtxt.org << certificate has expired

http://twtxt.tildeverse.org new twtxt registry! Enjoy!

http://twtxt.tildeverse.org new twtxt registry! Enjoy!

We probably should put that in the registry spec. I use /tweets/by/$twturl but /tweets?by=$twturl would probably be more correct.

@kas@enotty.dk, @dracoblue@dracoblue.net You’re right we should really use robots.txt for twtxt registries. Maybe i even add this as a option to #txtnix.

It’s running since last night, supports the twtxt registry api and crawls the feed for new urls. #roster

You can even just call txtnit register to register at your friendly neighborhood’s registry.

#txtnix now has support for all registry endpoints, you can query tags, tweets, mentions and users.

@reednj@reednj.com Would you mind adding this functionality to your registry?

If you’re registered with reednj, would you mind being automatically added the a registry? Is reednj just the registry that won? :)

Already registered with ?

Does anybody have an opinion about https://github.com/DracoBlue/twtxt-registry/issues/4?

Now i just have to figure out how to change my url at the registry… :)

txtnix v0.03 now has support for mentions via registries. Now, if just more users would use registries…

@dracoblue@dracoblue.net It doesn’t seem to matter what page i request, the result is always the same? #registry