Blog

Supply chain security, developer tools, and technical deep dives.

AES-256-GCM in Node.js: Encrypting PII the Right Way

Most AES-GCM code on the internet is wrong. Not "suboptimal" wrong. Not "could be better" wrong. Wrong in ways that silently destroy your encryption guarantees and turn your PII protection into theater. I've seen production codebases using 16-byte IVs instead of 12, hex-encoding keys and halving their effective length, and importing crypto-js -- a package that's been deprecated since October 2023 and was literally used as a supply chain atta

Kief Studio · 6 min read ·
Timing-Safe String Comparison: Why Your Auth Is Probably Leaking Data

Your == operator is a snitch. Every time your code compares a password hash, API key, or webhook signature using standard string equality, it leaks information. Not a lot. Maybe 5 nanoseconds per character. But in 2024, James Kettle proved that timing differences as small as 200 microseconds are exploitable on live targets -- and he did it against 30,000 real websites on DEF CON's conference WiFi.

Kief Studio · 5 min read ·
Writing a Browser Extension That Works on Chrome, Firefox, and Safari

You want to ship one extension to three browsers. You've read that WebExtensions is a "standard." You've been lied to. Chrome, Firefox, and Safari all claim WebExtensions compatibility. In practice, you're dealing with three different namespace conventions, two manifest versions, incompatible sidebar APIs, and Safari demanding you wrap everything in an Xcode project. It's harder than cross-platform mobile development, and no

Kief Studio · 5 min read ·
OSV.dev: The Free Vulnerability Database You Should Be Using
security

NVD is drowning in backlog. OSV.dev aggregates 24 sources, tracks malicious packages, and doesn't need a government contract to stay alive.

Kief Studio · 5 min read ·
How We Deploy SvelteKit with Zero Downtime on a Single Linode

You don't need Kubernetes. I know that's a spicy opener for a deployment post, but hear me out. kief.dev runs SvelteKit 2 with Svelte 5, Tailwind 4, and adapter-node. It serves 12 free developer tools, the Vekt supply chain scanner, and a blog you're reading right now. The whole thing runs on a single Linode VPS. Deploys take about 8 seconds. Users never see a

Kief Studio · 6 min read ·
The 10 npm Packages Most Likely to Get Compromised Next

Your node_modules folder has 1,200 packages in it. You wrote maybe 15 of them. The rest were written by strangers, maintained by volunteers, and installed because some package you actually wanted pulled them in three levels deep. One of those strangers got phished in September 2025. That single compromised account gave attackers publish access to debug,

Kief Studio · 6 min read ·
Every CVE in lodash, Ranked by How Much You Should Actually Care

Your scanner just lit up red again. lodash. Prototype pollution. CVSS 9.1. Critical. You've seen this alert before. Probably dozens of times. And you're not sure if you should drop everything or just close the tab. Here's the thing: lodash has exactly 10 CVEs across its entire history. Some of them are genuinely dangerous. Most of them are noise. And the CVSS scores are act

Kief Studio · 5 min read ·
What Free Dependency Scanners Actually Check (And What They Miss)

You run npm audit. It screams at you. 47 vulnerabilities. 12 critical. You spend an hour investigating. Three of them are in dev dependencies that never ship. Eight are in transitive dependencies your code never calls. The rest require major version bumps that would break your build. You run npm audit fix --force and it downgrades React to a version

Kief Studio · 6 min read ·
How to Read SSL Certificate Chains (And Why You Should)

Your site works in Chrome on your laptop. The padlock is green. Everything looks fine. Then a webhook fails. A mobile user gets a security warning. Your API integration throws SSL: CERTIFICATE_VERIFY_FAILED and you spend the next four hours learning what a certificate chain actually is. This is the most common way developers discover that their TLS setup is broken. Not from a pentest. Not from monitoring. From a customer complaint. The

Kief Studio · 5 min read ·
Your Lockfile Is a Liability: How Attackers Exploit What You Don't Read

You haven't opened package-lock.json in years. Neither has anyone on your team. GitHub collapses it by default in every PR review, and your brain learned to scroll past "12,847 changed lines" about six months into your career. Attackers know this. They've been counting on it. In 2025, 454,648 malicious npm packages got published. Over 99% of all open-source malware now targets npm. And the file you stopped reading a decad

Kief Studio · 5 min read ·
Supply Chain Attacks in 2026: The Year Typosquatting Got Serious

On March 31, a maintainer account got popped and axios@1.14.1 shipped to npm with a trojanized dependency called plain-crypto-js. Axios does 100 million downloads a week. The malicious versions lived on the registry for about three hours. Three hours is enough. If you had "axios": "^1.14.0" in a package.json and ran npm install during that window, you pulled a remote access trojan. If you had a pinned lockfile and npm ci --ignor

Kief Studio · 5 min read ·
What Happens When You Scan Every npm Package for Malicious Code

In 2025, 454,648 malicious npm packages were published. The registry has about 10 million packages total. That means roughly 4.5% of everything published last year was weaponized. You are not downloading from a library anymore. You are downloading from a warehouse where 1 in 22 boxes might be a bomb. Sonatype reports that over 99% of open-source malware now targets npm specifically. They blocked 120,612 malware attacks in Q4 2025

Kief Studio · 5 min read ·