Traces how the integrity attribute verifies a third-party script against a cryptographic hash, which compromised-CDN attacks it stops, the dynamic-resource gap it cannot close, and why adoption stayed in single digits.
A single-incident deep dive into the June 2024 Polyfill.io attack: the February domain sale, the conditional payload injected into hundreds of thousands of sites, the evasion logic that hid it, and the takedown that followed.
Two npm supply-chain cases dissected: the 2018 event-stream maintainer handoff that smuggled a Copay wallet stealer through flatmap-stream, and the 2022 node-ipc protestware that overwrote files on machines geolocated in Russia and Belarus.
A single-incident deep dive into CVE-2024-3094: the multi-year social engineering of the xz maintainer, the obfuscated build-time backdoor planted in liblzma that reached sshd through libsystemd, and the 500-millisecond timing anomaly that exposed it.
How Alex Birsan's 2021 research turned the name of a private package into remote code execution at 35 companies, why installers prefer the higher public version, and the scoping defenses that close the gap.
Traces how injected JavaScript skimmers lift card data from checkout pages, what the British Airways and Newegg code actually did, the third-party-script vectors, and the SRI, CSP, and PCI DSS 4.0 defenses.