Supply Chain & Framework
Your code is fine. The 800 packages around it aren't.
Chapter 11 of the roadmap. Work through each walkthrough below, or browse every topic.
-
Supply Chain & AI Rules File Backdoor: Typosquat → Poisoned Skill → Runtime Backdoor
A two-flag chain that walks an attacker from a developer's stray dev-comment, through a typosquatted npm package, into an AI rules file dropped on disk, ending with a runtime backdoor the AI agent silently injected into the application's admin API.
-
React2Shell: Exploiting CVE-2025-55182 in React Server Components
A technical analysis of CVE-2025-55182, demonstrating how React Server Components deserialization leads to remote code execution.