KevivLabs
@kevivlabs.bsky.social
Security by day, Memes by night, All day!!
Reposted by KevivLabs
I wrote a blog post about how I use Claude Code (and other models) in my work: invicti.com/blog/securit...
Security Research in the Age of AI Tools
Learn how AI tools can support security researchers in investigating vulnerabilities and designing security checks to detect them.
invicti.com
December 3, 2025 at 2:33 PM
If you want to just reverse the order, use
tac /etc/passwd

Yes, "tac" is an inbuilt command :D reverse of cat @agarri.fr
A little command-line trick... 🛠️ 🤓

You can use `rev` twice in order to process something from right to left. For example, in order to sort /etc/passwd by shell:

cat /etc/passwd | rev | sort | rev
November 24, 2025 at 6:06 AM
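Added example (not from the quoted post, nor from @agarri.fr): the `rev | sort | rev` pipeline run on a constructed /etc/passwd-style sample, beside the field-aware `sort -t: -k7,7`. The sample accounts, the `rev_lines` fallback and the `shells_of` helper are made up for this demo. The useful caveat it surfaces: reversing sorts from the last character forward, so lines group by login shell but the groups appear in reversed-string order (here `/bin/sync` lands before `/bin/bash` because "cnys" < "hsab"), and the whole reversed line, not just the shell, decides ties. LC_ALL=C pins the byte order so the result does not change with the caller's locale.

```shell
#!/bin/sh
# Added example: the rev|sort|rev trick on a constructed passwd-style
# sample, beside the field-aware sort. Accounts below are made up.
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/zsh
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
EOF
}

# rev(1) ships with util-linux and busybox; the awk branch is a fallback
# for systems without it (hypothetical helper name, not a standard tool).
rev_lines() {
  if command -v rev >/dev/null 2>&1; then
    rev
  else
    awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
  fi
}

# The trick from the post: reverse every line, sort, reverse back.
# Lines are compared from their last character forward, so the login
# shell (the last field) dominates the order. LC_ALL=C keeps the byte
# order deterministic regardless of the user's locale.
sort_by_shell_rev() { rev_lines | LC_ALL=C sort | rev_lines; }

# The field-aware equivalent: sort on the 7th colon-separated field.
# Ties (same shell) fall back to whole-line comparison.
sort_by_shell_field() { LC_ALL=C sort -t: -k7,7; }

# Reduce a sorted listing to its sequence of shells, space-separated,
# so the two orderings can be compared at a glance.
shells_of() { awk -F: '{ print $7 }' | tr '\n' ' ' | sed 's/ $//'; }

# Stand-alone run: show both orderings side by side.
echo "== rev | sort | rev =="
sample_passwd | sort_by_shell_rev
echo "== sort -t: -k7,7 =="
sample_passwd | sort_by_shell_field
```

Either ordering is handy for a quick account audit (interactive shells cluster together, separate from the nologin block); the field sort is the one to reach for when the exact order between shells matters, or when a script will consume the output.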
Finally got around to reading all the MCP security blog posts by @lirantal.com. Highly recommend it if you are working on MCP-related stuff.
www.nodejs-security.com/tag/mcp/
Posts by tag 'mcp'
www.nodejs-security.com
November 15, 2025 at 11:06 AM
Reposted by KevivLabs
This is a really well-written article on why Cross-site Scripting (XSS) vulnerabilities still exist today flatt.tech/research/pos...
November 14, 2025 at 4:01 PM
Good read
Turns out you can communicate across containers via 63 bits of available space in a shared lock you acquire on /proc/self/ns/time, which all processes have access to.

No networking required. The post has a demo of a chat app communicating across unprivileged containers.

h4x0r.org/funreliable/
November 13, 2025 at 7:20 AM
Excited to announce that I started a new $job.

Haven't had much time recently to read up on all the new research and blogs. Hoping to be back on track by December :)
November 10, 2025 at 7:04 AM
Reposted by KevivLabs
I generated 20k vibe-coded web applications using various models via the OpenRouter API and analyzed them for security issues.
The apps are available for download if anyone wants to take a look.
www.invicti.com/blog/securit...
Security Issues in Vibe-Coded Web Apps: Analysis, Vulnerabilities, Scanning
Learn about common security issues in AI-generated software, based on an analysis of over 20,000 vibe-coded web apps.
www.invicti.com
November 6, 2025 at 7:28 AM
Reposted by KevivLabs
The release candidate of the OWASP Top 10 2025 has been released

owasp.org/Top10/2025/0...

The definitive release should be out on November 20th
Introduction - OWASP Top 10:2025 RC1
OWASP Top 10:2025 RC1
owasp.org
November 7, 2025 at 12:19 PM
Reposted by KevivLabs
Is anyone using Deno and the secure-by-default permissions system, and has it saved them? Please raise your hand, I want to chat and learn more.

I appreciate Deno and Node.js (less comprehensive) for this, but I'm unconvinced this helps against supply chain security attacks.
October 14, 2025 at 3:00 PM
Reposted by KevivLabs
🐍 New on the blog: PEP 810 adds 'lazy import' syntax to defer module loading until first use, cutting startup time by 50–70%. Already sparking debate: an HN thread hit 350+ points and ~200 comments in <24 hrs. #Python
Read More → socket.dev/blog/pep-810-proposes-explicit-lazy-imports-for-python-3-15
PEP 810 Proposes Explicit Lazy Imports for Python 3.15 - Soc...
An opt-in lazy import keyword aims to speed up Python startups, especially CLIs, without the ecosystem-wide risks that sank PEP 690.
socket.dev
October 4, 2025 at 4:09 PM
I have also moved to a full devcontainer flow for local dev.
I should try this with a local password manager like KeePass.
October 6, 2025 at 7:23 AM
Reposted by KevivLabs
`npx -p` with a `which` flag is so incredibly useful if you manage multiple Node.js versions, and I only recently discovered that I actually need it. More npm commands too here:
Mastering NPX: A Cheatsheet for npm and Node.js Power Users
Explore unknown npx commands and tips to enhance your Node.js workflow. This cheatsheet covers everything from running packages without global installs to finding executable paths and using npx with specific Node versions.
www.nodejs-security.com
October 3, 2025 at 3:01 PM
Using vibe coding to change a front end from pyqt to React.
Harder than I expected but fun.
October 2, 2025 at 4:20 AM
🚨 Open source supply chain attacks are exploding.

Starting today, that ends.

We’re releasing Socket Firewall — FREE, zero-config, CLI that blocks malware before it lands on your laptop or CI.

Just run:

npm i -g sfw
sfw npm install lodash

Works for: npm, yarn, pnpm, pip, uv, and cargo.
October 1, 2025 at 4:56 AM
If you want to test AWS locally, @localstack.cloud is the way to go. Simulate all services with one Docker container.
September 28, 2025 at 9:55 AM
Looking at supply chain security. This is a good diagram explaining how the whole thing is put together
September 26, 2025 at 5:03 AM
Yet again another nice writeup.
TIL even if there is no stored procedure, we can call inbuilt pg functions via SQLi.
Bit obvious after reading.
"but you only know what you don't know after knowing what you know"
September 25, 2025 at 5:24 AM
September 19, 2025 at 1:33 PM
t.co/ahXcEISmbd This is a fantastic blog post
by @charlieeriksen.bsky.social
https://www.aikido.dev/blog/bugs-in-shai-hulud-debugging-the-desert
t.co
September 19, 2025 at 1:32 PM
POV: Solo security engineer one hour into the NPM supply chain crisis meeting with various PMs. But the whole code base is in Java and C.
ALT: a man with a ring on his finger is smiling with his hand on his chin
media.tenor.com
September 17, 2025 at 6:04 PM
Reposted by KevivLabs
We'll continue to post updates here: socket.dev/blog/tinycol...
Popular Tinycolor npm Package Compromised in Supply Chain At...
Malicious update to @ctrl/tinycolor on npm is part of a supply-chain attack hitting 40+ packages across maintainers
socket.dev
September 16, 2025 at 3:10 AM
Reposted by KevivLabs
Snyk is hiring in Zurich 🇨🇭

If you're following me as a TS / JavaScript dev, then Senior Managers with TypeScript could still be considered for the job with strong system design skills.

Apply to the open role via the QR code, or DM me your CV and I'll push it internally as a referral.
September 16, 2025 at 6:00 PM