"aes-js and pyaes provide a default IV in their AES-CTR API"
*screams*
Carelessness versus craftsmanship in cryptography
Two popular AES libraries (aes-js and pyaes) provide dangerous default IVs that lead to key/IV reuse vulnerabilities affecting thousands of projects. One maintainer dismissed the issue, while strongSwan's maintainer exemplified proper security response by comprehensively fixing the vulnerability in their VPN management tool.
The Trail of Bits Blog (blog.trailofbits.com)
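Why a default IV in AES-CTR ends in key/IV reuse, as an added example (not code from the post, the linked article, aes-js or pyaes). It uses Node's built-in `crypto` module; `FIXED_IV` is a constructed stand-in for a library-supplied default, and all function names are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed stand-in for a library default: the same counter block on every call.
const FIXED_IV = Buffer.alloc(16, 0);
FIXED_IV[15] = 1;

// AES-128-CTR: encryption and decryption are the same keystream XOR.
function ctrApply(key, iv, data) {
  const c = nodeCrypto.createCipheriv('aes-128-ctr', key, iv);
  return Buffer.concat([c.update(data), c.final()]);
}

function xor(a, b) {
  const out = Buffer.alloc(Math.min(a.length, b.length));
  for (let i = 0; i < out.length; i++) out[i] = a[i] ^ b[i];
  return out;
}

// Weak pattern: the caller never picks an IV, so every message gets FIXED_IV.
function encryptWithDefaultIv(key, plaintext) {
  return ctrApply(key, FIXED_IV, plaintext);
}

// Corrected pattern: a fresh random IV per message, stored beside the ciphertext.
function encryptWithFreshIv(key, plaintext) {
  const iv = nodeCrypto.randomBytes(16);
  return { iv, ciphertext: ctrApply(key, iv, plaintext) };
}

// True when c1 XOR c2 equals p1 XOR p2, i.e. both messages shared one keystream
// and the ciphertexts alone expose the relationship between the plaintexts.
function keystreamReused(c1, c2, p1, p2) {
  return xor(c1, c2).equals(xor(p1, p2));
}

function demo() {
  const key = nodeCrypto.randomBytes(16);
  const p1 = Buffer.from('invoice 0001: pay 100 EUR'); // constructed sample
  const p2 = Buffer.from('invoice 0002: pay 999 EUR'); // constructed sample
  const weak = keystreamReused(
    encryptWithDefaultIv(key, p1), encryptWithDefaultIv(key, p2), p1, p2);
  const m1 = encryptWithFreshIv(key, p1);
  const m2 = encryptWithFreshIv(key, p2);
  const fixed = keystreamReused(m1.ciphertext, m2.ciphertext, p1, p2);
  const roundTrip = ctrApply(key, m1.iv, m1.ciphertext).equals(p1);
  return { weak, fixed, roundTrip };
}
```

CTR provides no integrity either way, so the corrected pattern still needs a MAC or an AEAD mode such as AES-GCM on top.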