Clara Leigh
@clara42.bsky.social
Laravel, VueJS, Cyber Security 🌈
I wrote a research paper on this topic just last month

This issue is entirely preventable. The only reason we keep seeing this style of attack is because our industry keeps repeating the same mistakes over and over again 😔
November 4, 2025 at 11:00 PM
Reposted by Clara Leigh
Whoa this is stunning
November 4, 2025 at 3:53 PM
✨Microsoft security✨
My first response from VS Marketplace support is requesting additional supporting evidence I have that this listing is malware.

If anyone can publish an extension with admittedly malicious intent with no response, what does that do for the health of the marketplace?
October 27, 2025 at 1:22 PM
Reposted by Clara Leigh
With the AWS outage, now's as good a time as any to post this old strip.
October 20, 2025 at 10:18 AM
Working on Crypto in the #laravel world?
Hit me up, I want to see what you're doing!

I've got solana stablecoin p2p, offramps to banks and more going on over here 😍
October 9, 2025 at 4:44 AM
Once upon a time, USBs and CDs could autorun. That’s how worms like Stuxnet and Agent.BTZ spread everywhere

We learned the hard way and killed autorun

Now we `npm install` 1,000 different dependencies from the internet and consider it “safe”, forgetting that it does the exact same thing
October 5, 2025 at 3:55 AM
Reposted by Clara Leigh
Curious what it looks like to implement the new Inertia Infinite Scroll component? Have 3 minutes? That's all it takes.

I whipped up a little demo:

youtu.be/gQB6DdPHzSY
Infinite Scrolling with Laravel + Inertia
YouTube video by Laravel
September 30, 2025 at 5:07 PM
Is username enumeration (UE) a real vulnerability?
Yes, and it matters more today than it did a few years ago.

As phishing attacks look more legitimate, even smart people are getting tricked

This week I saw a UE+phish lead to an account takeover, and the URL in the phish was a legitimate URL
September 30, 2025 at 2:47 AM
If there is one thing I've learned in the last year, it's never use a property named "type"

I have lost so many hours debugging this exact bug but alas I am a goldfish and just did it again, for the third time this week 😭
September 28, 2025 at 3:51 AM
This would have saved me a few hours making some things GDPR compliant!
I've just released v1.1.0 of my Redactable Models package! 🎉

You can now set the hashing algorithm that should be used by the "HashContents" redaction strategy.

In this example, we're SHA256-ing the "name" and "email" fields of users who were soft-deleted over 30 days ago 😄
September 26, 2025 at 10:40 PM
“Think like a hacker” is one of my favourite phrases

It leads to the zero trust mindset. Assume a breach will happen and brainstorm what you can do to reduce that risk

Short-lived tokens are just one thing that can help. I encourage you to research OIDC tokens, it might just save you one day
September 23, 2025 at 12:15 AM
I love a community that listens!

Securing the supply chain is my current research topic and the more I learn, the more I find we can do
🔒 With everything going on with NPM, we're moving all of our Laravel packages over to Trusted Publishing

Now you'll know where the latest release came from and you can verify that it was us.
September 23, 2025 at 12:09 AM
Reposted by Clara Leigh
🚨 Warning to #PHP package maintainers: We did not email you to change your passwords & 2FA. Emails asking you to update your credentials are a phishing attempt. We had the phishing site & domain taken down. If you got the email and entered your credentials, please contact us. #phpc
September 20, 2025 at 3:32 PM
Today I learned about OIDC tokens and how you can use them to prevent GitHub Actions from having access to long-lived secrets (like AWS)

While it's not yet supported by my main provider, I can certainly clean up my AWS actions and hope others add it to their roadmap 🙏

docs.github.com/en/enterpris...
OpenID Connect - GitHub Enterprise Cloud Docs
OpenID Connect allows your workflows to exchange short-lived tokens directly from your cloud provider.
September 21, 2025 at 6:12 AM
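The pattern the two OIDC posts above describe, as an added illustration (not the author's own workflow): the job requests a short-lived OIDC token from GitHub and exchanges it for temporary AWS credentials, so no AWS access key is stored as a repository secret. The account id, role name, region and branch are placeholders.

```yaml
# Added example (not from the posts): a GitHub Actions job that obtains AWS
# credentials via OIDC instead of a long-lived AWS access key kept in secrets.
name: deploy
on:
  push:
    branches: [main]

permissions:
  id-token: write   # lets the job request an OIDC token from GitHub
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchanges the job's OIDC token for temporary STS credentials.
      # No AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secrets exist anywhere.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy  # placeholder account/role
          role-session-name: github-${{ github.run_id }}
          aws-region: ap-southeast-2   # placeholder region

      - run: aws sts get-caller-identity   # sanity check: shows the assumed role, not an IAM user

# On the AWS side, the role's trust policy must pin which workflows may assume it.
# The "aud" check alone is not enough: without the "sub" condition, a job in any
# GitHub repository could assume this role. Placeholder ORG/REPO below.
#   "Principal": { "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com" },
#   "Condition": {
#     "StringEquals": { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com" },
#     "StringLike":   { "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:ref:refs/heads/main" }
#   }
```

Credentials issued this way expire with the session, so a leaked CI log or runner compromise exposes far less than a static key would.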
Today I learned about NPM Provenance, and how it helps prevent some supply chain attacks, but it turns out it's widely unused and even some orgs don't use it yet (looking at you @laravel.com)

If you run any NPM repo at all, you should look at implementing it!

docs.npmjs.com/generating-p...
Generating provenance statements | npm Docs
Documentation for the npm registry, website, and command-line interface
September 20, 2025 at 4:51 AM
Best game I've played in a while, if you have an hour or so to lose
I’m Not a Robot, a game about solving CAPTCHAs, is out now!

good luck :)

> neal.fun/not-a-robot/
September 18, 2025 at 5:12 AM
In the past month, I've noticed a huge decrease in quality of code produced by AI.

Coincidentally in the past month, I've also seen a huge jump in external providers shipping broken features and updates

🤔
September 18, 2025 at 3:07 AM
This week I solved a really hard coding problem which is going to save me about 2hrs a day.

I initially thought it would be impossible, but ~100 lines of regex and ~50 if() statements has solved it!

I’m going to be riding the high from this feat for a while 🥰
September 15, 2025 at 2:00 AM
I wish I knew about this laravel helper function earlier 😍
September 5, 2025 at 9:45 AM
I need a tool that lets me easily share code snippets, but also it’ll have auto ai conversions to other code languages, but you can step in and clean it up when it’s not quite right
September 5, 2025 at 1:34 AM
My niece is an amazing young lady who loves helping others

Her absent prick of a father tried to stop her volunteering with a special school over in Malaysia but she won in court!

If you have some spare change, pls consider supporting her great work gofundme.com/f/klang-special-school-in-malaysia
Donate to A Journey to Empower Special Kids – Your Support Matters, organized by Millie Wilson
September 4, 2025 at 7:02 AM
Some of y'all still need to do this!

I just found a site running the vulnerable version of livewire. Update now fools!
This is your reminder to: `composer audit` and `npm audit` your projects

Remember, most breaches come from known vulnerabilities. Save yourself a future headache <3
September 3, 2025 at 9:11 AM
Reposted by Clara Leigh
We just added a whole lot of new profiles to the Larabelles directory. 83 in total right now! 🎉

Go and learn about some of our incredible members. We all come from different paths of life, have different interests and stories, but together we are making the tech industry better.

💪
September 2, 2025 at 10:24 AM
The feast was a success 🔥
August 28, 2025 at 4:54 AM