Just some notes, stored on GitHub instead of a blog.
I am not a native English speaker, so please excuse any language mistakes.
- Gathering weak npm credentials (2017-06-21)
- Improper markup sanitization in popular software (2017-04-13)
- Short-term package manager wishlist (2016-11-03)
- On npmjs.com tokens visibility, XSS, and clickjacking (2016-10-18)
- Stealing Travis secure variables (2016-07-07)
- Let's fix Buffer API (2016-01-15)
- Buffer knows everything (2016-01-14)
- Do not underestimate credentials leaks (2015-12-04)