与「macOS」相关的搜索结果

CodexBar 0.26.0 is live ⚡ Kiro, Antigravity, OpenRouter, Kimi 🧭 calmer menus + keyboard nav 📊 better Codex/Claude limits and cost scoping 📦 named macOS assets, CLI + Homebrew fixes

🚨 node-ipc is compromised again. Three new malicious versions just dropped: 9.1.6, 9.2.3, and 12.0.1. Socket’s AI scanner flagged them as malware within three minutes of publication. The attack vector: a dormant maintainer account (atiertant) was likely taken over via an expired email domain. The attacker registered the lapsed domain, triggered an npm password reset, and gained publish rights to a package with millions of historical downloads. The payload is a credential stealer embedded in the CommonJS entrypoint (node-ipc.cjs). It activates on require(“node-ipc”), not through a postinstall script. Here’s what it does: •Fingerprints the host (OS, arch, hostname, uname) •Harvests 113-127 credential file patterns depending on platform (AWS, GCP, Azure, SSH keys, Kubernetes configs, npm tokens, .env files, shell histories, macOS Keychain databases, and more) •Dumps the entire process.env, capturing every CI secret and cloud credential in memory •Builds a gzip archive in a temp directory •Exfiltrates everything over DNS TXT queries to bt[.]node[.]js, using a bootstrap resolver at sh[.]azurestaticprovider[.]net:443 (a deliberate lookalike of Microsoft’s Azure Static Web Apps domain) The DNS exfiltration is chunked. A 500 KB archive generates roughly 29,400 TXT queries. The body is XOR-encrypted with a SHA-256 keystream, base64-encoded, alphabet-substituted, and split into 31-character chunks before hex-encoding into DNS labels. Header, data, and footer queries use xh, xd, and xf prefixes respectively. The malware forks a detached child process (env var __ntw=1) so credential theft runs silently in the background. It also exposes a __ntRun export, meaning any downstream code that calls require(“node-ipc”).__ntRun() can trigger a second collection/exfiltration cycle. ESM-only consumers using the import path are not affected by the reviewed package metadata. CommonJS consumers are. This is the same package involved in the 2022 protestware incident. It has a history. If you use node-ipc: •Do not install 9.1.6, 9.2.3, or 12.0.1 •Audit your lockfiles for these versions •If you loaded the CommonJS entrypoint, treat all environment variables, SSH keys, cloud credentials, npm tokens, and local secrets as compromised. Rotate immediately. •Hunt for DNS TXT queries to bt[.]node[.]js and sh[.]azurestaticprovider[.]net in your network logs •Check for temp files matching /nt-/.tar.gz Credit to Ian Ahl (@TekDefense) for first publicly identifying the expired-domain account takeover vector. Developing story. Full technical breakdown and IOCs on the Socket blog:

罗永浩来到 X 不到 1 天，已经有 16 万粉丝，但他只关注了 16 个账号，这 16 位大神到底什么来头😂： 1） @sharpmark 程序员转产品经理，专注软件开发和 AI 工具产品。 2）@Carlos_Gong 独立开发者（indie dev），专注 macOS/iOS 应用开发，结合 AI 辅助 coding（vibe-coding）。 3）@hubeiqiao 产品 builder / EdTech 开发者，专注教育工具（尤其是 AI 英语口语练习）。 4）@gongtongfuyudao Web3/加密货币社区运营者（WojakCTO 中文社区 lead，Neiro 项目 believer），科技/手机爱好者。 5） @ayuan1000 科学、文化、环境记者/撰稿人。 发布数据图表+点评（如各国体育转播费、人口趋势、中国社会议题），常带批判视角。 6）@DashHuang 游戏/互联网创业者，心动网络（Xindong）CEO，TapTap（游戏社区）& VeryCD（老牌文件分享）创始人。 7）@jike_collection 即刻 App（中文社交发现平台）内容聚合账号，非官方。 8） @tinyfool 前程序员（20 年经验，已退休），YouTuber，主打英语学习视频和生活闲聊。 9） @kangkang220 个人账号为主，可能涉及畜牧/农业相关（Bio 提及），体育爱好者（巴萨球迷）。 10）@foxshuo 互联网/科技评论人、作家/播客主，长期观察科技、社会、媒体行业。 11）@Fenng 知名科技博主/产品观察者，曾任多家科技公司高管（支付宝/DBA、丁香园 CTO 等），现运营科技相关公司。 12）@NodYoung 产品/交互设计师，专注设计思考（Design Forward），可能涉及 UI/UX、数字产品设计、文化观察等。 13）@ASTND 独立开发者（Indie Dev），专注极简、高效的工作流工具和软件产品。强调“隐形软件”（用户感觉不到工具的存在）、逻辑与简洁。 剩下三个分别是马斯克、媒体账号 @BBCArchive 和他的旧账号 @realluoyonghao

RedactDesk 一款免费开源的 macOS 隐私脱敏工具，基于 OpenAI privacy-filter 模型通过 ONNX Runtime 完全在本地运行。在 Mac 上离线识别并擦除：人名、邮箱、电话、地址、日期、URL、账号、密钥八类隐私信息。

好东西，为 Ghostty 终端提供一个 macOS 侧边栏工具，快速创建、切换和排列终端会话。 通过 Ghostty AppleScript 和 Accessibility API 操控丝滑窗口，可以从浮动面板直接跳到某个会话所在的 Space。支持网格、级联、并排、全屏四种窗口布局。

这个不错，原生 macOS 视频下载工具，在一个应用内完成视频下载、裁剪和管理，背后跑的是 yt-dlp。 粘贴链接，一个 Spotlight 风格的小窗口弹出来，点一下就开始下载。下载完自动转成通用 MP4、复制到剪贴板、存到你选的文件夹，还带缩略图历史。

Codex 现在可以直接在 macOS 和 Windows 上的 Chrome 浏览器中使用。它与 Chrome 中的应用及网站的协作能力得到了进一步提升，并且现在可以在后台跨标签页并行工作，而不会接管您的浏览器。如需开始使用，请在 Codex 应用中安装 Chrome 插件。

Codex now works directly in Chrome on macOS and Windows. It’s even better at working with apps and sites in Chrome, and now works in parallel across tabs in the background without taking over your browser. To get started, install the Chrome plugin in the Codex app.

Today was the most productive coding day I’ve had in 10 years. I spent 1.6k out of the 10k credits Cursor gave me, mainly using Opus 4.7 1M Max and GPT-5.5 Extra High Fast. The takeaway is simple. In Cursor these models feel unusually well tuned, fast, precise, and reliable for real work. Here’s what I got done in a single day: 1. Built the iOS version of MiaoYan from scratch with iPad support, including preview and iCloud sync 2. Fully implemented payments in the Mole macOS client and shipped the V1 website 3. Wrapped up Kaku macOS terminal v0.10, polishing AI chat and many details 4. Shipped a major upgrade to Kami typesetting system, fixing PPT support and many edge cases 5. Upgraded my Luo Chinese font project with a new learning mode and overall improvements 6. Improved Mole CLI with better performance, fallbacks, and a lot of detail work There was also a lot more small work in between. What stood out is strong context handling, solid multi file edits, and stable long chain execution. It feels like a real collaborator. As a long time builder and a TSLA shareholder, I’m excited to see Cursor keep improving. Thanks again @cursor_ai @edwinarbus for the 10k credits, I will keep putting them to good use.