Clara Leigh
@clara42.bsky.social
Laravel, VueJS, Cyber Security 🌈
Reminder folks, ChatGPT is designed to agree with you and "solve" issues, so it rarely tells you that you're misunderstanding things.

It will absolutely mislead you or say it's found the issue when really it's just giving its best guess.

Getting tired of seeing low-quality GitHub issues, hey
December 12, 2025 at 12:03 AM
Stay safe friends
A perfect CVSS 10 🧑🏻‍🍳💋

CVE-2025-55182: Unauthenticated remote code execution vulnerability in React Server Components

The vuln is in versions 19.0, 19.1.0, 19.1.1, and 19.2.0:

react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack

Upgrade immediately!
Critical Security Vulnerability in React Server Components – React
The library for web and native user interfaces
react.dev
December 4, 2025 at 11:15 PM
My favourite part of the city is the KP cliffs. Absolutely stunning views 😍

Whenever I need time to myself, this is where I go
December 1, 2025 at 12:25 AM
I wrote a research paper on this topic just last month

This issue is entirely preventable. The only reason we keep seeing this style of attack is because our industry keeps repeating the same mistakes over and over again 😔
November 4, 2025 at 11:00 PM
Reposted by Clara Leigh
Whoa this is stunning
November 4, 2025 at 3:53 PM
✨Microsoft security✨
My first response from VS Marketplace support is requesting additional supporting evidence I have that this listing is malware.

If anyone can publish an extension with admittedly malicious intent with no response, what does that do for the health of the marketplace?
October 27, 2025 at 1:22 PM
Reposted by Clara Leigh
With the AWS outage, now's as good a time as any to post this old strip.
October 20, 2025 at 10:18 AM
Working on Crypto in the #laravel world?
Hit me up, I want to see what you're doing!

I've got Solana stablecoin P2P, off-ramps to banks and more going on over here 😍
October 9, 2025 at 4:44 AM
Once upon a time, USBs and CDs could auto-run. That's how worms like Stuxnet and Agent.BTZ spread everywhere.

We learned the hard way and killed autorun

Now we `npm install` 1,000 different dependencies from the internet and consider it “safe”, forgetting that it does the exact same thing
October 5, 2025 at 3:55 AM
Reposted by Clara Leigh
Curious what it looks like to implement the new Inertia Infinite Scroll component? Have 3 minutes? That's all it takes.

I whipped up a little demo:

youtu.be/gQB6DdPHzSY
Infinite Scrolling with Laravel + Inertia
YouTube video by Laravel
youtu.be
September 30, 2025 at 5:07 PM
Is username enumeration (UE) a real vulnerability?
Yes, and it matters more today than it did a few years ago.

As phishing attacks look more legitimate, even smart people are getting tricked

This week I saw a UE+phish lead to an account take over, and the URL in the Phish was a legitimate url
September 30, 2025 at 2:47 AM
If there is one thing I've learned in the last year, it's never use a property named "type"

I have lost so many hours debugging this exact bug, but alas, I am a goldfish and just did it again, for the third time this week 😭
September 28, 2025 at 3:51 AM
This would have saved me a few hours making some things GDPR-compliant!
I've just released v1.1.0 of my Redactable Models package! 🎉

You can now set the hashing algorithm that should be used by the "HashContents" redaction strategy.

In this example, we're SHA256-ing the "name" and "email" fields of users who were soft-deleted over 30 days ago 😄
September 26, 2025 at 10:40 PM
“Think like a hacker” is one of my favourite phrases

It leads to the zero trust mindset. Assume a breach will happen and brainstorm what you can do to reduce that risk

Short-lived tokens are just one thing that can help. I encourage you to research OIDC tokens, it might just save you one day
Today I learned about OIDC tokens and how you can use them to prevent GitHub Actions from having access to long-lived secrets (like AWS)

While it's not yet supported by my main provider, I can certainly clean up my AWS actions and hope others add it to their roadmap 🙏

docs.github.com/en/enterpris...
OpenID Connect - GitHub Enterprise Cloud Docs
OpenID Connect allows your workflows to exchange short-lived tokens directly from your cloud provider.
docs.github.com
September 23, 2025 at 12:15 AM
I love a community that listens!

Securing the supply chain is my current research topic and the more I learn, the more I find we can do
🔒 With everything going on with NPM, we're moving all our Laravel packages over to Trusted Publishing

Now you'll know where the latest release came from and you can verify that it was us.
September 23, 2025 at 12:09 AM
Reposted by Clara Leigh
🚨 Warning to #PHP package maintainers: We did not email you to change your passwords & 2FA. Emails asking you to update your credentials are a phishing attempt. We had the phishing site & domain taken down. If you got the email and entered your credentials, please contact us. #phpc
September 20, 2025 at 3:32 PM
Today I learned about OIDC tokens and how you can use them to prevent GitHub Actions from having access to long-lived secrets (like AWS)

While it's not yet supported by my main provider, I can certainly clean up my AWS actions and hope others add it to their roadmap 🙏

docs.github.com/en/enterpris...
OpenID Connect - GitHub Enterprise Cloud Docs
OpenID Connect allows your workflows to exchange short-lived tokens directly from your cloud provider.
docs.github.com
September 21, 2025 at 6:12 AM
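The workflow shape the post refers to, added here as an illustration (it is not from the post, from GitHub's docs or from any of the author's repositories); the account ID, role name, region and branch are placeholders:

```yaml
# Added example (not from the post): assume an AWS role from GitHub Actions
# with the job's OIDC token instead of a stored AWS access key.
# "123456789012", "github-deploy", "us-east-1" and "main" are placeholders.
name: deploy
on:
  push:
    branches: [main]

permissions:
  id-token: write   # lets the job request a short-lived OIDC token
  contents: read    # everything else stays read-only

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Exchange the OIDC token for temporary AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy
          aws-region: us-east-1
          # no aws-access-key-id / aws-secret-access-key inputs:
          # nothing long-lived is stored in repository secrets

      - name: Show which identity the job is running as
        run: aws sts get-caller-identity
```

The part that actually enforces least privilege lives on the AWS side: the role's trust policy must name the GitHub OIDC provider (`token.actions.githubusercontent.com`) as principal for `sts:AssumeRoleWithWebIdentity`, and carry a `Condition` that pins `token.actions.githubusercontent.com:aud` to `sts.amazonaws.com` and `token.actions.githubusercontent.com:sub` to a specific repository and ref such as `repo:ORG/REPO:ref:refs/heads/main`. Without the `sub` condition, any workflow on GitHub that knows the role ARN can assume it. The credentials the action returns are session credentials that expire on their own, so a leak is bounded in time rather than living until someone remembers to rotate a key.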
Today I learned about NPM Provenance, and how it helps prevent some supply chain attacks, but it turns out it's widely unused and even some orgs don't use it yet (looking at you @laravel.com)

If you run any NPM repo at all, you should look at implementing it!

docs.npmjs.com/generating-p...
Generating provenance statements | npm Docs
Documentation for the npm registry, website, and command-line interface
docs.npmjs.com
September 20, 2025 at 4:51 AM
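A publish workflow that produces a provenance statement, added as an illustration (not from the post, from npm's docs or from any particular package); the trigger, Node version and the `NPM_TOKEN` secret name are placeholders:

```yaml
# Added example (not from the post): publish an npm package from GitHub Actions
# with a provenance attestation attached.
# The release trigger and the NPM_TOKEN secret name are placeholders.
name: publish
on:
  release:
    types: [published]

permissions:
  id-token: write   # required: the attestation is signed with the job's OIDC token
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # writes the .npmrc used by publish

      - run: npm ci

      - name: Publish with provenance
        # --access public is needed for scoped packages; unscoped ones default to public
        run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

`--provenance` makes npm generate a signed attestation tying the uploaded tarball to this repository, commit and workflow run, and the registry only accepts it when the publish happens inside a supported CI provider, which is why it cannot be faked from a developer's laptop. Anyone installing the package can then run `npm audit signatures` to check the registry signatures and provenance attestations of everything in their tree, which is the check the post is asking package authors to make possible. Provenance proves where a tarball was built; it does not remove the publish token from the workflow, so that secret still needs protecting.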
Best game I've played in a while, if you have an hour or so to lose
I’m Not a Robot, a game about solving CAPTCHAs, is out now!

good luck :)

> neal.fun/not-a-robot/
September 18, 2025 at 5:12 AM
In the past month, I've noticed a huge decrease in quality of code produced by AI.

Coincidentally in the past month, I've also seen a huge jump in external providers shipping broken features and updates

🤔
September 18, 2025 at 3:07 AM
This week I solved a really hard coding problem which is going to save me about 2hrs a day.

I initially thought it would be impossible, but ~100 lines of regex and ~50 if() statements has solved it!

I’m going to be riding the high from this feat for a while 🥰
September 15, 2025 at 2:00 AM
I wish I knew about this laravel helper function earlier 😍
September 5, 2025 at 9:45 AM
I need a tool that lets me easily share code snippets, but also it'll have automatic AI conversions to other languages, and you can step in and clean it up when it's not quite right
September 5, 2025 at 1:34 AM