Node-gyp Supply Chain Compromise: Install-Time Execution Through binding.gyp
Why malicious npm packages can execute during installation without using traditional lifecycle scripts
Featured
The June 2026 Node-gyp supply chain compromise highlights how malicious npm packages can abuse binding.gyp and node-gyp to trigger install-time execution outside the usual package.json lifecycle script model.
Category: Supply Chain Security
Ecosystem: JavaScript
Difficulty: Advanced
FikreSekhel Research | 12 min read | Jun 08, 2026
Research Notes
Verification Is Not Interpretation: A Common Failure Pattern In Authentication Systems
Why Security Failures Frequently Emerge After Successful Cryptographic Validation
Featured
Many modern authentication systems correctly verify signatures yet still make incorrect trust decisions. This lesson examines why verification and interpretation are distinct security operations and how architectural gaps between them create fail-open conditions.
Category: Security Architecture
Ecosystem: Multi-Ecosystem
Difficulty: Advanced
FikreSekhel Research | 12 min read | Jun 04, 2026
Research Notes
Scanner Signal vs Reachable Exploitability in Dependency Intelligence
Why a vulnerable dependency in the graph is not the same thing as a reachable security flaw in the application runtime
Featured
A technical research note explaining how vulnerability intelligence must separate dependency-level scanner findings from validated exploitability, using Axios and Twilio as a practical case study.
Category: Vulnerability Intelligence
Ecosystem: JavaScript
Difficulty: Advanced
FikreSekhel Research | 12 min read | Jun 03, 2026
Research Notes
Trust Boundary Analysis of MCP Tool Schema Propagation in LangChain.js
How Remote MCP-Provided Schemas Traverse Tool Conversion Pipelines Without Prototype Pollution but With Full Schema Preservation
Featured
A research note examining how Model Context Protocol (MCP) tool schemas propagate through LangChain.js conversion pipelines, preserving special JSON property names such as __proto__ and constructor.prototype across trust boundaries without demonstrating prototype pollution.