The Decloak Journal
Stories from around the web security world, plus release notes and changes to Decloak itself.

Four npm supply chain compromises in four months, including a 100-million-download HTTP client, plus a subdomain takeover disclosed against Anthropic itself. What each incident shares, and what it means for a site you didn't think was affected.

Every domain accumulates subdomains nobody remembers: old staging environments, abandoned marketing pages, test deployments. Most were never meant to be public, and almost nobody audits them.

Five real security stories from the last few months, all touching attack surfaces Decloak scans for: a plugin flaw hitting 500,000 WordPress sites, a Supabase misconfiguration that exposed 1.5 million API keys, and a card skimmer hiding inside Google Tag Manager.

Source maps make debugging easier by linking minified code back to the original files. Left enabled in production, they hand an attacker your app's entire uncompiled source, comments and all.

Missing Content-Security-Policy headers show up in the vast majority of the sites we scan. Here's what CSP actually protects against, why it gets skipped, and how to add a working policy without breaking your site.

Row Level Security is off by default in Supabase. That one setting is behind the most common security failure we see in AI-built apps - and it takes about 30 seconds to check whether yours is affected.