Bryan Onel
2.7K posts

Bryan Onel
@BryanOnel86
CEO of @Oneleet | Pentester | YC alum | Hates charlatans and security theater | On a quest to kill security snake oil and to help companies get security right
Joined January 2014
483 Following · 2.7K Followers
Pinned Tweet
Bryan Onel retweeted

Security things from the last few days:
- CopyFail (linux pwn'd)
- CopyFail 2/Dirty Frag
- 13 advisories in Next.js
- Over 70 CVEs addressed in MacOS 26.5
- ~50 CVEs addressed in iOS 26.5
- YellowKey (Windows Bitlocker pwn'd entirely)
- GreenPlasma (Windows privilege escalation)
- CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE
- CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access
- Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning)
- Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration tool"
- Canvas (popular LMS used in most schools) pwn'd entirely
- PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300
Are you scared yet?

Bryan Onel retweeted

@aidenybai if you actually want to be secure I'd recommend Oneleet

Bryan Onel retweeted

@kamilrextin We use @oneleet and I strongly endorse.

Bryan Onel retweeted

Why do people write tweets like this?
Where every sentence gets a new line.
Sometimes a line might have two sentences. Like this one.
But generally speaking, every sentence has a new line, making a tweet look like a long block of text that no one reads.
Worse still, such tweets are often repetitive and winding, hammering on the same point over and over again.
The writing is often very bad.

Bryan Onel retweeted

Now who’s laughing

Socket @SocketSecurity
🚨 Bitwarden CLI 2026.4.0 was compromised as part of the ongoing Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline. We’ll continue updating our coverage as more details are confirmed. socket.dev/blog/bitwarden…

Bryan Onel retweeted

We have a strict zero-trust policy for local admin rights.
A graphic designer requested elevation to install a custom font called "Bebas Neue".
I replied with the standard Vendor Risk Assessment questionnaire.
It's a 40-page Excel document.
He asked if this was a joke. He just needs a font for a PDF.
I told him all third-party code requires a security audit, a data privacy impact assessment, and VP approval.
He said the font is open-source and free.
I explained that "free" means we need legal to review the licensing agreement.
He asked how long that takes.
I said anywhere from four to six months.
He sat in silence for a minute.
He replied, "I'll just use Arial."
I closed the ticket as "Alternative Solution Accepted."
I love Arial.

Bryan Onel retweeted

Another customer of troubled startup Delve suffered a big security incident techcrunch.com/2026/04/23/ano…

Bryan Onel retweeted

@ZackKorman @KeithRamphal Yeah, that’s what we’re doing at Oneleet, and it’s working really well for us.

@KeithRamphal I think vendors don’t have to do it. Like there’s a way to make noise for your company by calling it out even (what I’m doing). I think a company would earn a lot of trust that way

The only way this gets fixed is if we refuse to work with vendors who feed into it.
Too often, people look past it. There’s no consequence, only upside. That has to stop.
solst/ICE of Astarte @IceSolst
Ultimately, headline-driven infosec won, sales pitches won

Bryan Onel retweeted

holy fuck, a hair dryer at a Paris airport broke Polymarket weather markets & made someone $34,000 richer
- polymarket was settling Paris temperature bets on a single Météo France sensor sitting near the Charles de Gaulle runway perimeter - basically unguarded
- the guy bought the long-shot outcome (like "22°C" when everyone expected 18°C) for pennies, since nobody thought it'd hit
- then he walked up to the probe and briefly heated the air around it with a portable heat source, spiking the reading just long enough to register as the daily max
- temperature snapped back to normal in minutes, the market resolved in his favor, and he cashed out - twice, on April 6 and April 15, before Météo France caught on and filed charges
hyperstitions.
