Technical Blog

This post is part of the Before Your Code Runs series, cataloguing the hidden, implicit code execution surfaces in programming language runtimes and toolchains. Node.js and npm sit underneath a huge chunk of the modern web. It’s the runtime that made JavaScript a “real” backend language, and npm is the largest package registry in the world. That’s a lot of trust in a lot of code. Here’s roughly what happens when Node starts:...

This post is part of the Before Your Code Runs series, cataloguing the hidden, implicit code execution surfaces in programming language runtimes and toolchains. Python is probably the most beloved language in the world right now. It’s everywhere: data science, web backends, DevOps glue, AI/ML pipelines, you name it. And because it’s everywhere, attackers love it too. The thing is, most Python developers think execution starts when you type python app....

If you use a YubiKey for one-time passwords (OTP), you’ve probably done it at least once: you meant to type something, touched the key, and a long modhex string landed in Slack, a commit message, or an email. Annoying for everyone, and worse, it’s a real security risk. This post pulls together practical ways to reduce accidental triggers and what to do when a code gets out, plus how YubiOTP compares to TOTP so you can use both wisely....

I’ll be honest with you: I attempted to read the Yellow Paper four times before I actually finished it. The first three times, I opened the PDF, saw equations like Υ(σ, T) ≡ σ', and promptly closed it, convinced it was written for people far smarter than me. The fourth time, I changed my approach entirely. Instead of trying to understand it linearly, I treated it like - “I don’t have an option but to understand this”....

In the last two blogs, we looked at the pieces that make a blockchain work and how the network agrees on what is true. In here, we will look at how all those pieces sit together as layers, how blockchains are structured, and how Layer 1 and Layer 2 actually differ in practice. Once we know what each layer is responsible for, concepts like rollups, sequencers, proofs and scaling start making sense....

Decentralization sounds simple until you realise every node acts on its own. In a blockchain each node holds its own copy of the ledger and processes data independently. Nodes see transactions at different times, some go offline, some behave incorrectly and some may try to cheat. Without a way to agree the network would split into a thousand truths. Consensus is what keeps all those independent nodes and all those independent ledgers marching in the same direction....

If you’re still asking ‘Why do I even need to learn Blockchain security?’ No worries. I wrote this blog to answer exactly that. Give it a read, then come back and we’ll dive into Blockchain 101 together. Now that you are here, let’s start by understanding what is Blockchain? But wait, a bit of warning, there is way too much text in the entire blog - I tried putting some AI generated images (which make sense for the blog), but they also were not able to do much, so all the best!...

In the world of AI, I’m gonna go rebel and talk about Blockchains. Why? Because I’ve been learning and tinkering with it, and I thought it’d be fun to share. Honestly, this is as much for my own notes as it is for anyone reading. Blockchain isn’t as shiny as AI right now, but it’s still a big deal. Here’s the thing: blockchain is too important to ignore, but too risky to approach without understanding security....

Most shell scripts start innocent, just a few lines to glue things together. Blink twice, and it’s deploying infrastructure, rotating secrets, restarting servers, and possibly provisioning a small nation-state. It’s doing things for the people, by the people, held together by echo. This isn’t another “bash scripting 101” tutorial. You already know how to loop over a list and grep things. This is about writing scripts that survive real-world conditions: bad input, missing dependencies, flaky networks, and humans....

This issue complicates the open source and supply chain security space. For attacks like xz, such strategies can be used by attackers to build “fake” trust among fellow OSS community members. A few days ago, this discussion ignited in the OSSF Slack , which talked about the issue of credibility farming in several open source repositories. So, the issue revolves around GitHub (or equivalent platforms) accounts approving or commenting on old pull requests and issues that were already resolved or closed, where these meaningless contributions show up prominently on the user’s profile and activity feed, making their involvement seem more significant than it actually is, without closer look....