Congratulations to the team. Knowing some of the folks on the Bun team I can not say I am surprised. They are the top 0,001% of engineers, writing code out of love. I’m hugely bullish on Anthropic, this is a great first acquisition.
Something to understand about the word “leak” is that it implies at some point it was keeping things in. Microsoft security is so underfunded and garbage, it is fundamentally making technology as a whole unsafe.
Example: if Kroger or whatever your supermarket of choice distributed meat that was infected they would get sued to bits. Microsoft distributes thousands of malicious NPM dependencies and underfund the NPM security team - if there is such a thing - resulting in an entire industry of supplychain security companies to exist. No other registry has the issue of malicious packages as badly as NPM since Microsoft acquired Github.
Microsoft just does not know how to handle security, which is why so many security companies exist to fill their gaps. I don’t trust their security practices one bit tbh.
Back at one of my previous employers we had a long internal briefing about why our latest device did not have USB-C when other solutions on the market by then had.
The connector is solid but my god have there been disasters because of USB-C.
1. Power distribution upto high wattage, not always with auto sensing,
2. Wites rated to different data transmission speeds.
3. USB standard data transfers and Thunderbolt over the same connector and wire but most accessories are not rated for Thunderbolt.
Having worked on bot detection in the past. Some really simple old fashioned attacks happened by doing the opposite of what the robots.txt file says.
While I doubt it does much today, that file really only matters to those that want to play by the rules which on the free web is not an awful lot of the web anymore I’m afraid.
While I like the blogpost, I think the use of unexplained acronyms undermines the opportunity of this blogpost to be useful to the wider audience. Small nit: make sure acronyms and jargon is explained.
CEO of c/side here. Sorry to keep you waiting.
Answering a few points here:
1. This is not an ad, or at least it was not intended to be one. We feel like this is a microsite which like most blogs has a little "this is who we are" ending. Same concept as the Cloudflare blog which we all appreciate and love. We noticed vendors in the security space talk about the BA attack but often share misinformation about what happened. Information is scattered among various channels and old news publications but since the court documents were released no one did a proper recap. We care so we managed to buy the domain, which was not hard, but indicates that we are not just a salesy brand we are genuinely deep in client-side security and feel its important to talk about the attacks that happened otherwise companies do not take action and consumers become victims.
2. Yes, this domain name is still flagged on some DNS filter providers. Threat feeds are an outdated concept that create a false sense of security and pollute the web if not kept up to date. Especially in the case of client-side attacks they are grossly ineffective as vendors consume the threat-feeds but don't actively monitor the dataflow or served code meaning targeted attacks fly under the radar. The BAways domain has not been used in an attack for over 5 years. You've all been very helpful in flagging the DNS you use and we'll reach out to those vendors to correct the flagging of the domain. There is no malicious action on this domain anymore, it purely serves as a reminder to educate on the risks of unmonitored client-side executions.
3. To finish: Client-side security is important. When I speak to security engineers, they get it. It's a vital part of the supply-chain and it is overlooked. However, executives are often not aware of the issue and feel it is negligible. This is partly because the world has stopped covering client-side attacks for some reason and put them under umbrella terms like "data leaks". Malicious pop-ups are blocked by most browsers, but those pop-ups often originate from malicious JS. Stealthy attacks are easy to pull off so imagine a small percentage of pop-up's that were blocked stealing user credentials. Between the Polyfill attack, the data leak of Kaiser Permanente and many other attacks over 500K websites were impacted in 2024, millions in fines, millions of user credentials, sensitive information and credit cards leaked. The aim of this blogpost is to get people to talk and understand that posture management means monitoring the entire posture, not just NPM, not just a simple vulnerability scan, not just the server side and internal networking but active monitoring of all bases.
I hope this context helps and thanks for your engagement.
The amount of client-side fetched third party tools fighting for the upper layer is so funny and accurate. Intercom + cookie settings + a newsletter popup + ads…
Cookie banners… the most silly idea made by non technical people mandated upon technical people. Does anyone remember P3P? If that was pushed and managed better it would have solved the entire problem.