CI/CD

Attackers hijacked an axios maintainer's npm account to publish malicious versions (1.14.1, 0.30.4) that install a hidden dependency, plain-crypto-js. This payload executes a cross-platform RAT dropper, contacts a C2 server, and self-cleans to evade detection. Compromised users are urged to rotate credentials immediately and downgrade to secure versions (1.14.0 or 0.30.3).

Migrating repositories from GitHub to Codeberg is simplified by built-in import tools and the familiarity of Forgejo Actions. Users can replicate GitHub workflows, use codeberg.page for hosting, and handle CI transitions by self-hosting runners. The process involves archiving old repositories and managing mirrors to maintain a smooth transition for existing contributors.

The author, a veteran of numerous CI systems, argues that GitHub Actions creates significant operational friction for engineering teams. Issues include a slow, unstable log viewer, complex and limiting YAML syntax, opaque marketplace dependencies, and inadequate compute control. The author recommends Buildkite for its superior logs, better compute ownership, and cleaner pipeline architecture.

Astral details its rigorous security strategy for open-source tools like Ruff and uv. The approach focuses on hardening GitHub Actions via hash-pinning, permission reduction, and trigger restrictions, while leveraging Trusted Publishing, Sigstore attestations, and dependency management to secure the software supply chain. Their model promotes isolation, multi-party approvals, and proactive risk mitigation.

On March 31, 2026, compromised versions of axios (1.14.1 and 0.30.4) were published to npm via a hijacked maintainer account. The attacker injected a malicious dependency, plain-crypto-js, which executes an obfuscated postinstall payload. This script downloads platform-specific RATs for Windows, macOS, and Linux, bypassing standard CI/CD and SLSA provenance checks. Users should pin axios to safe versions and rotate credentials.

Floci is a lightweight, open-source AWS emulator designed as a high-performance, drop-in alternative to LocalStack. Released under the MIT license, it offers unlimited CI/CD support, rapid startup times, and low memory usage without requiring authentication or feature gates. It supports over 20 AWS services, ensuring full compatibility with existing AWS SDKs for local development.

RISE has launched free, managed GitHub Actions runners providing open source projects with direct access to physical RISC-V hardware. By eliminating the reliance on emulators for testing, this platform helps maintainers catch architecture-specific bugs. Users simply install a GitHub App and update their CI workflow to run jobs on bare-metal RISC-V servers.

Orange Juice is a browser extension for Hacker News that enhances the user experience with features like in-thread replies, unread tracking, keyboard navigation, and custom feeds. Developed with transparency and GPLv3 licensing, it improves productivity and flow for daily users without fundamentally changing the platform's core interface.

Finalizing a software project requires going beyond functional code to ensure it is ready for real-world usage. This 'sealing' process involves essential tasks like maintaining a comprehensive README, managing branch hygiene, implementing release tags, defining branch rulesets, writing clear release notes, auditing task trackers, licensing, verifying CI/CD health, and ensuring artifact reproducibility.

Fyrox 1.0.0, a stable Rust-based game engine, has been released after seven years of development. It features a native editor for 2D and 3D games, a new project export CLI for CI/CD, improved UI widgets, and refactored scene loading. The team plans to focus on stability and bug fixes for the coming months.