Open Source

What CVE-2025-13465 Teaches Us About Prototype Pollution in JavaScript

CVE-2025-13465 is a prototype pollution vulnerability in Lodash that illustrates why not all prototype pollution issues are created equal. Rather than stemming from a generic misuse of __proto__, this vulnerability emerged from a specific API behavior and the assumptions built around it. By walking through the underlying problem, a practical proof of concept, and the reasoning behind a non-generic fix, this article uses CVE-2025-13465 as a case study to explain how prototype pollution works in practice—and how to evaluate its real impact more accurately in modern JavaScript applications.

Kevin Martínez, software architect at Orbitant, during the prompting kata.
Software Development, Open Source

Eight Teams, One LLM, and Real Data: Our First Prompting Kata

Code katas are well known in the development world: practical exercises that help you improve specific skills in a controlled context. But prompting katas are relatively unexplored territory. Search for “code kata” and you’ll find millions of results, entire repositories dedicated to the topic, and specialized platforms. Search for “prompting kata” on Google and you’ll find little […]

Open Source

npm Package Attacks: An AI-Driven Paradigm Shift

Over the past few weeks, several npm package compromises have revealed a significant paradigm shift: attackers have evolved toward more targeted and sophisticated techniques. These campaigns combine spear-phishing, token theft and abuse, prompt injection techniques against AI-powered tools, and payloads designed for persistence and asset theft (such as crypto transfers)—even incorporating worm-like propagation capabilities. This […]