The Decloak Journal

Security news &
platform updates.

Stories from around the web security world, plus release notes and changes to Decloak itself.

Uncloaked: The Software Supply Chain Had a Brutal Few Months (And It's Not Over)
News16 July 2026

Uncloaked: The Software Supply Chain Had a Brutal Few Months (And It's Not Over)

Four npm supply chain compromises in four months, including a 100-million-download HTTP client, plus a subdomain takeover disclosed against Anthropic itself. What each incident shares, and what it means for a site you didn't think was affected.

The Staging Subdomain You Forgot About Is Still Online (And Still Logged In)
Guide14 July 2026

The Staging Subdomain You Forgot About Is Still Online (And Still Logged In)

Every domain accumulates subdomains nobody remembers: old staging environments, abandoned marketing pages, test deployments. Most were never meant to be public, and almost nobody audits them.

Uncloaked: WordPress Takeovers, Supabase Leaks, and a Skimmer Hiding in Plain Sight
News9 July 2026

Uncloaked: WordPress Takeovers, Supabase Leaks, and a Skimmer Hiding in Plain Sight

Five real security stories from the last few months, all touching attack surfaces Decloak scans for: a plugin flaw hitting 500,000 WordPress sites, a Supabase misconfiguration that exposed 1.5 million API keys, and a card skimmer hiding inside Google Tag Manager.

Your Production Site Might Be Shipping Its Own Source Code (And Not Telling You)
Guide7 July 2026

Your Production Site Might Be Shipping Its Own Source Code (And Not Telling You)

Source maps make debugging easier by linking minified code back to the original files. Left enabled in production, they hand an attacker your app's entire uncompiled source, comments and all.

The Security Header Almost Nobody Sets: What Content-Security-Policy Actually Does
Guide4 July 2026

The Security Header Almost Nobody Sets: What Content-Security-Policy Actually Does

Missing Content-Security-Policy headers show up in the vast majority of the sites we scan. Here's what CSP actually protects against, why it gets skipped, and how to add a working policy without breaking your site.

Why Your Supabase Database Might Be Publicly Readable (And How to Check in 30 Seconds)
Guide2 July 2026

Why Your Supabase Database Might Be Publicly Readable (And How to Check in 30 Seconds)

Row Level Security is off by default in Supabase. That one setting is behind the most common security failure we see in AI-built apps - and it takes about 30 seconds to check whether yours is affected.