Blog
Supply chain security, developer tools, and technical deep dives.

Supply Chain Attacks in 2026: The Year Typosquatting Got Serious
On March 31, a maintainer account got popped and axios@1.14.1 shipped to npm with a trojanized dependency called plain-crypto-js. Axios does 100 million downloads a week. The malicious versions lived on the registry for about three hours. Three hours is enough. If you had "axios": "^1.14.0" in a package.json and ran npm install during that window, you pulled a remote access trojan. If you had a pinned lockfile and npm ci --ignor

What Happens When You Scan Every npm Package for Malicious Code
In 2025, 454,648 malicious npm packages were published. The registry has about 10 million packages total. That means roughly 4.5% of everything published last year was weaponized. You are not downloading from a library anymore. You are downloading from a warehouse where 1 in 22 boxes might be a bomb. Sonatype reports that over 99% of open-source malware now targets npm specifically. They blocked 120,612 malware attacks in Q4 2025

The fs@0.0.1-security Package Isn't What You Think
Run npm ls fs in any non-trivial Node.js project. Go ahead, I'll wait. If you see fs@0.0.1-security in that tree, your security scanner is probably losing its mind right now. AWS Inspector calls it CVSS 9.8 -- critical malware. Your SIEM is lighting up. Someone on your team just opened a Jira ticket with "URGENT" in the title. Here's the thing: that package is empty. Literally empty. npm's security team put it the

Why npm audit Is Broken and What We Built Instead
Run npm audit on any non-trivial project and you'll get a wall of red. Critical vulnerabilities. High severity. Dozens of them. Now go read the actual advisories. That "critical" in nth-check? It's a regex DoS in a CSS selector engine used by your test runner. Never touches production. That "high" in semver? It's in a transitive dependency of your linter's linter. Your users will

DNS Lookup Deep Dive: What Every Record Type Actually Means
You set up DNS once, mass-pasted some records your hosting provider told you to add, and never looked again. That was fine in 2020. It's not fine now. 17% of all emails fail to reach recipients because of DNS misconfigurations. Google and Microsoft permanently reject non-compliant bulk mail at the

We Scanned 70,000 Packages Across 221 Lockfiles -- Here's What We Found
Last month we pointed Vekt at every lockfile across our client portfolio. 221 lockfiles. 69,419 packages. 6 ecosystems. One Rust binary and a pot of coffee. Here's what came back. The Setup Vekt reads lockfiles. That's it. No agents crawling your node_modules, no background daemon phoning home. You point it at a directory, it finds every lockfile it recognizes, resolves the full dependency tree, and checks each package