
Research
/Security News
11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windows Host-Surveillance Payload
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.
hexo-bluesky-feed
Advanced tools
A Hexo deployer plugin to automatically publish posts to Bluesky when you publish a new blog post.
A Hexo plugin that automatically publishes your newest blog post to Bluesky whenever you generate your site with the --bluesky flag—giving you full control over when updates get posted.
Here is what hexo-bluesky-feed looks like in practise:
Install the package via npm in your Hexo site directory:
npm install hexo-bluesky-feed --save
In your Hexo site's _config.yml, you can add a blueskyFeed section for your Bluesky-related
blueskyFeed:
# The website URL used for constructing post links on Bluesky.
url: "https://yourwebsite.com/"
# The default message for Bluesky posts.
# Use placeholders {title} and {url} for dynamic replacement.
message: "Just published new blog post: {title}. Check it out here: {url}"
To allow the plugin to post updates to your Bluesky account, you only need to provide your Bluesky handle and an app password. Our script uses these credentials to automatically obtain a fresh access token and your DID each time you deploy your Hexo site.
Sign Up: If you haven’t already, sign up for a Bluesky account at https://bsky.app.
Locate Your Handle:
Your handle is your unique identifier on Bluesky, typically in the format username.bsky.social. You can find it on your profile page or in your account settings.
Important: Copy and securely store this app password, as it will be used by the plugin. This value will be set as your BLUESKY_APP_PASSWORD.
In your Hexo project's root directory, create a .env file (and add it to your .gitignore to prevent accidental commits) with the following content:
BLUESKY_HANDLE=<your-username.bsky.social>
BLUESKY_APP_PASSWORD=<your_app_password>
Important: Do not store your app password or tokens in your public repository. Always add your .env file to your .gitignore.
The plugin will use these environment variables to automatically obtain a fresh access token and your DID. You do not need to manually obtain or store a BLUESKY_ACCESS_TOKEN.
After configuring your credentials and updating your _config.yml, simply run:
hexo generate --bluesky
or
hexo g --bluesky
If you run hexo generate without --bluesky, the plugin will skip posting.
Then (if needed) deploy your site via hexo deploy. By default, hexo deploy may generate your site if you have a valid deploy config—but it typically will not forward the --bluesky flag. If you need to post to Bluesky as part of deploy, ensure you pass the flag or generate with --bluesky before deploying.
Follow these steps to publish a new version of hexo-bluesky-feed to npm:
npm login
npm whoami
npm version patch
git add .
git commit -m "Bump version to x.y.z"
git push && git push --tags
npm publish
This project is licensed under the MIT License. See the LICENSE file for details.
FAQs
A Hexo deployer plugin to automatically publish posts to Bluesky when you publish a new blog post.
The npm package hexo-bluesky-feed receives a total of 16 weekly downloads. As such, hexo-bluesky-feed popularity was classified as not popular.
We found that hexo-bluesky-feed demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.