The Decloak Journal
Stories from around the web security world, plus release notes and changes to Decloak itself.

Four npm supply chain compromises in four months, including a 100-million-download HTTP client, plus a subdomain takeover disclosed against Anthropic itself. What each incident shares, and what it means for a site you didn't think was affected.

Five real security stories from the last few months, all touching attack surfaces Decloak scans for: a plugin flaw hitting 500,000 WordPress sites, a Supabase misconfiguration that exposed 1.5 million API keys, and a card skimmer hiding inside Google Tag Manager.