Security

Our response to a recent security incident The noteworthy thing about this news to me is how it can serve as an example of how not to disclose a security incident. The post is incredibly vague and doesn’t make clear what actually happened like what systems were exposed or how or the scale of the “incident”. The most specific they get is “detected a smishing campaign”, which feels like an intentional use of jargon that doesn’t add much value… why not just say “phishing” as it’s not that important that it was via SMS instead email especially since they don’t even say who the campaign targeted (internal or end users?). They do mention they “Performed global password resets for all Mixpanel employees” which sounds like an attacker used social engineering to compromise employee credentials and exfiltrate user data. That’s kinda the definition of a data breach yet they only refer to it as a vague “security incident”. ...

Over 100 VS Code Extensions Exposed Developers to Hidden Supply Chain Risks VS Code users are advised to limit the number of installed extensions, scrutinize extensions prior to downloading them, and weigh the pros and cons of enabling auto-updates This is the approach I’ve been taking and being more selective with what I install in general. This also applies to browser extensions.

Security Alert | NX Compromised to Steal Wallets and Credentials | Semgrep Another day, another supply chain compromise… What’s interesting about this incident, aside from how popular Nx is, is the use of AI. First, the code that allowed Nx to be compromised was generated by Claude Code and reviewed by an AI bot. You can see the PR that introduced the vulnerability was meant to enforce PR titles follow convention, but it just takes the arbitrary text from the PR on the public internet and throws it into bash without any sanitization. So there’s a good chance it wasn’t actually reviewed by a person. Secondly, the malware that was later run on devs’ machines, tries to use tools like Claude Code to help it find secrets. ...

Passkeys for Normal People This is a pretty good overview of the current state of passkeys with some nice examples of the various ways sites might implement them.

Even Troy Hunt (a well-known security researcher and creator of Have I Been Pwned) fell for a phishing email. He wrote all about it on his blog: A Sneaky Phish Just Grabbed my Mailchimp Mailing List I found it a valuable read, not only for the lessons learned, but it’s also a reminder that it could have happened to any of us. The email looks fairly well crafted and I appreciated his analysis of the factors that led to him falling victim. It’s important to remember that even the most security-minded people can make mistakes and that security is hard. ...

Today I learned that there is a Content-Security-Policy (CSP) directive connect-src that you can use to restrict all outgoing requests from your website to only the domains that you specify. This is a powerful mitigation against any kind of script injection attacks since no data can then be exfiltrated from your page. It applies to XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping> or EventSource. CSP is an HTTP response header for enhancing the security of a site and there are of course several other directives you might want to enable. ...