kidk retweeted
A clean package.json is no longer evidence that nothing runs.
The mere presence of binding.gyp is enough for code to run at install time. No scripts block needed. Payloads can hide under any field name, at any depth. The sandbox around it can be escaped. And node-gyp pulls in files automatically that nothing even points to.
The latest Miasma variant used binding.gyp. We dug deeper and found it goes much further.
1
18
56
4,376
Why would you go after uptime? To make money? No, no, no. If you show people 99% uptime, they’ll ask 'why not 99.9%?'. And it will never be enough. But if you have no uptime, you can say you’re pre-stable, and you’re a potential pure play
1
34
That's why I add a sleep after every string compare
May 29
Timing attacks are real, and most devs don't protect against them.
When you compare two strings with === or strcmp(), #PHP stops at the first different byte. If the first character matches, it takes slightly longer than if it doesn't.
An attacker can measure response times to guess a secret character by character. HMAC token, API key, CSRF token... byte by byte, statistically.
hash_equals() was added in PHP 5.6 specifically for this. It always compares ALL bytes, regardless of where the first mismatch is. Constant time.
Same applies to #golang: use crypto/subtle.ConstantTimeCompare().
Same in #nodejs: crypto.timingSafeEqual().
If you're comparing secrets with == or ===, you may be leaking information through time!
2
3
412
Why tho
May 21
SpaceX: "The Starlink team is exploring using Starlink to enable high bankdwith connectivity around the Moon; Traditionally, deep space comms have relied on radio frequency transmission. This new design would use lasers to relay data back to Earth. Deploying that technology around the Moon could connect it with hundreds of terabits of capacity. This could enable Gigabit connectivity anywhere on the lunar surface."
🤯
38
lol wat
May 21
Deleting a Google API key doesn't revoke it immediately.
Our research found successful authentications up to 23 minutes after deletion across Google's infrastructure. During that window, attackers with a leaked key can still access enabled APIs, including Gemini.
Google closed our report as "won't fix."
1
76
kidk retweeted
May 14
Aikido Intel is your earliest warning for supply chain threats.
Our engine detects malware and vulnerabilities in open-source ecosystems within minutes.
Built by our team of security researchers & AI engineers.
Bookmark it: intel.aikido.dev/
5
17
70
58,663
Got something weighing you down? Shake it off (like Curiosity)!
The Martian explorer unintentionally picked up a rock while drilling a recent sample, but the team was able to dislodge it by having the rover move its robotic arm and vibrate the drill until the rock fell off.
179
717
8,112
606,250
Fact checked 😂
1 Nov 2025
The Bible is the most studied, scrutinized & fact-checked book in history. It has 340,000 cross references spanning thousands of years and dozens of authors, all telling the same story.
No archaeological find has ever disproven the Bible.
The Bible is real.
83
"Is GDP a good way to measure quality of life"?
21 Nov 2024
1
241
Just to let you know @geerlingguy You have the power to break my production in so many ways. Have you thought about bitcoin mining?
1
2
278
kidk retweeted
29 Aug 2024
🚀version 0.1.5 was just released on itch.io 🚀kidk00.itch.io/hospitalityty…
Upgraded engine to Godot 4.3 and code signing on Mac OS. The game should now run independently from the Itch.io client on Mac OS.
1
63
kidk retweeted
20 May 2024
A device to keep you fresh in the summer by waving your shirt
[📹 KAZUYA SHIBATA]
944
759
7,925
7,647,483