GitLab discovers widespread npm supply chain attack
Yet another week; yet another supply chain attack...
We hacked Google’s A.I Gemini and leaked its source code (at least some part) - Lupin & Holmes
Fun read where a group of folk tried to get Google's Gemini to give up some of its source code. I'm not convinced this is such an amazing win, or that the title really matches the facts, but it's a fun ride.
AWS Outage—What Happened And What To Do Next
A review of the great us-east-1 AWS outage of 2025.
Open Source Insights
Handy site, backed by Google, that lets you dive into packages from different ecosystems and see what they depend on and what depends on them, etc.
ctrl/tinycolor and 40+ NPM Packages Compromised - StepSecurity
A pretty impressive and concerning compromise of a lot of JavaScript (and by extension TypeScript) packages.
Supply Chain Security Alert: num2words PyPI Package Shows Signs of Compromise - StepSecurity
Interesting supply chain attack on a Python package.
Content Security Policy - OWASP Cheat Sheet Series
Useful information on content security policy.
Dozens of pro-Indy accounts go dark after Israeli strikes
Sure correlation is not causation but sometimes it's hard not to think it is.
The Line of Death
The most important part of the web browser UI is...
How Broken OTPs and Open Endpoints Turned a Dating App Into a Stalker’s Playground
A pretty amazing and worrying story of one person's exploration of a data app's API.
https://www.bleepingcomputer.com/news/security/supply-chain-attack-on-popular-github-action-exposes-ci-cd-secrets/
Ouch.
securityJustInterferesWithVibes : r/ProgrammerHumor
Poe's law kicks in around here, of course, but this feels very on-brand for what vibe-coding is all about and what it can result in.
https://enrichlead.com
Feds Link $150M Cyberheist to 2022 LastPass Hacks – Krebs on Security
A good reminder of why LastPass is so bad and nobody should be using it any more.
DOGE Teen Owns ‘Tesla.Sexy LLC’ and Worked at Startup That Has Hired Convicted Hackers
I can't even...
The Open Source Foundation for Application Security
All things software security.
Stop macOS 15 Sequoia monthly screen recording prompts
I've not run into the new monthly screen recording prompt yet but I can imagine that when I do it might get annoying. I appreciate Apple being super cautious with security and stuff like this, most of the time, but this feels a bit too much.
It's good to know there is a way to work around it, if you're happy to go "under the hood".
gaining access to anyones browser without them even visiting a website - eva's site
So I’m glad I never got comfortable with Arc, having briefly tried it and not really liked it.
S3 Bucket Namesquatting - Abusing predictable S3 bucket names – One Cloud Please
Given I’m fairly new to AWS, I was surprised to find that S3 has a global namespace. And so of course squatting is a thing.
Git ransom campaign incident report—Atlassian Bitbucket, GitHub, GitLab
Incident report on the "git ransom" attack from earlier on this month.
vim/neovim security vulnerability
Write-up of the rather amazing vulnerability in vim/neovim.
Time to rethink mandatory password changes | Federal Trade Commission
Why forcing users to change their password every N weeks is generally a terrible idea.
warner/magic-wormhole: get things from one computer to another, safely
Handy tool for transferring stuff from one machine to another
Twitter: An update on our security incident
First real update by Twitter on the great bitcoin ownage of 2020 incident.
When you browse Instagram and find former Australian Prime Minister Tony Abbott's passport number
Amusing story on a number of levels; and with a serious message too.
EICAR test QR
Hilarious hack that can mess with all sorts of systems.
The Correct Horse Battery Staple password generator
Fun but also useful password generator, in the style of the famous xkcd strip.
The Apperta Data Breach Fiasco
If you found a leak of data from the NHS and let them know, you'd think they'd be properly happy about being told, right?
About that...
Steam Phishing scam
A common scam I’ve run into, often via Discord.
The logic behind three random words - NCSC.GOV.UK
Keeping this to hand as a useful page to point folk at when they try and teach me about how passwords should be chosen.
IP Geolocation and Threat Intelligence API
How dodgy does your IP address look?