diff --git a/pkg/node/bundle.go b/pkg/node/bundle.go
index 2a65c97..a92504a 100644
--- a/pkg/node/bundle.go
+++ b/pkg/node/bundle.go
@@ -10,8 +10,6 @@ import (
 	"io"
 	"os"
 	"path/filepath"
-	"strings"
-
 	"forge.lthn.ai/Snider/Borg/pkg/datanode"
 	"forge.lthn.ai/Snider/Borg/pkg/tim"
 )
@@ -291,7 +289,8 @@ func extractTarball(tarData []byte, destDir string) (string, error) {
 	}
 	// Reject paths that escape the destination directory
-	if strings.HasPrefix(cleanName, ".."+string(os.PathSeparator)) || cleanName == ".." {
+	parentPrefix := ".." + string(os.PathSeparator)
+	if bytes.HasPrefix([]byte(cleanName), []byte(parentPrefix)) || cleanName == ".." {
 		return "", fmt.Errorf("invalid tar entry: path traversal attempt: %s", header.Name)
 	}
@@ -300,7 +299,8 @@ func extractTarball(tarData []byte, destDir string) (string, error) {
 	fullPath = filepath.Clean(fullPath)
 	// Final security check: ensure the path is still within destDir
-	if !strings.HasPrefix(fullPath, absDestDir+string(os.PathSeparator)) && fullPath != absDestDir {
+	destDirPrefix := absDestDir + string(os.PathSeparator)
+	if !bytes.HasPrefix([]byte(fullPath), []byte(destDirPrefix)) && fullPath != absDestDir {
 		return "", fmt.Errorf("invalid tar entry: path escape attempt: %s", header.Name)
 	}
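Review bot: The new guard converts `cleanName` and `parentPrefix` to `[]byte` solely to call `bytes.HasPrefix`, which adds two allocations per archive entry for a comparison that `strings.HasPrefix(cleanName, parentPrefix)` performs with none; the `destDirPrefix` check in the next hunk has the same shape. The predicate itself is unchanged, so the traversal check is no weaker than before, but the import hunk drops `strings` without adding `bytes`, so compilation depends on `bytes` already being imported above line 10, which this diff does not show. If removing the `strings` dependency is the goal, an allocation-free form that needs no import is `len(cleanName) >= len(parentPrefix) && cleanName[:len(parentPrefix)] == parentPrefix`. extractTarball begins before this hunk and continues after it.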
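Review bot: The rewritten containment check still expresses "fullPath is inside absDestDir" as a textual prefix test, which is only sound because `fullPath` has just gone through `filepath.Clean` and `absDestDir` is presumably clean as well (how `absDestDir` is derived is not visible here). `filepath.Rel` states the intent directly and fails closed when the two paths cannot be related: `rel, err := filepath.Rel(absDestDir, fullPath)` followed by `if err != nil || rel == ".." || (len(rel) > 2 && rel[:3] == ".."+string(os.PathSeparator)) {`. Since both guards format the archive-supplied `header.Name` with `%s`, switching the two error messages to `%q` would keep control characters or newlines in an entry name from corrupting the surrounding log line. extractTarball begins before this hunk and continues after it.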