6mile
@6mile.githax.com
Software Supply Chain Red Team. SourceCodeRED & SecureStack founder, dad, startup OG, snowboarder and hacker. Workin on GitHax tool in my spare time. github.com/6mile
@eastsidemccarty from the bird site.
We knew it was coming, and now it's here: Dynamic payloads have been found in @npmjs.bsky.social packages.
Ouch. 😦
The Safety research team has identified a new NPM based malware we are calling "Integrator-Filescrypt". This campaign uses a unique "cloaking" technique to hide from researchers and cloud providers. It's sneaky & very effective. Read more on our blog: www.getsafety.com/blog-posts/n...
NPM Malware Uses “Cloaking” Technology to Target StandX and Uniswap Users
An NPM malware campaign “Integrator-Filescrypt
www.getsafety.com
November 18, 2025 at 11:58 PM
Noice! I think this is the first time my work has been covered by @bleepingcomputer.com
November 14, 2025 at 9:19 PM
I've identified a new worm affecting NPM. I'm calling it "IndonesianFoods" based on its internal dictionary. The intent is to generate assets on the Tea Protocol blockchain.
It's dumb, but it's MASSIVE!
Check the link 👉
sourcecodered.com/indonesianfo...
@npmjs.bsky.social @github.com
November 12, 2025 at 11:30 PM
I like the one-two combo you got going there picklerick
October 23, 2025 at 12:06 AM
Don't let AI write your payloads for you if you don't know what you're doing. Otherwise, you might end up publishing your API keys, environment variables, and identity to @npmjs.bsky.social
October 16, 2025 at 10:41 PM
Want to sniff out private bug bounty programs? If you monitor OSV for new malicious packages, you'll get some great intel. Today's example: @npmjs.bsky.social user Paastha published 6 packages targeting @vercel.com. But wait, they don't have a BB program?! Or do they.... 😮💥
October 8, 2025 at 9:24 PM
Tell me that @v0.dev has a bug bounty program without telling me they have a bug bounty program.
#dependencyconfusion #maliciouspackage
October 8, 2025 at 8:38 AM
Heya homie, that ain't gonna work.
October 7, 2025 at 9:31 AM
I need to talk to someone in the @reversinglabs.com detection team.
Anyone in my network got an intro?
September 28, 2025 at 1:14 AM
I gave a talk at the FIRST CTI conference in Berlin earlier this year. Here's my presentation in its entirety.
www.youtube.com/live/j23OubE...
September 20, 2025 at 8:31 PM
September 16, 2025 at 11:38 PM
August 28, 2025 at 9:45 PM
Impressed with the Tenable One CSPM demo at the #Tenable #BlackHat booth. Blends vulnerability scanning with cloud security + ASPM features via IaC scanning and Git integrations. Worth checking if you're comparing cloud security solutions: bit.ly/4mbhg3e #BlackHat2025 #CloudSec
Tenable Cloud Security (CNAPP)
Reduce cloud risk and exposure from faulty configurations and entitlements with our cloud-native application protection platform (CNAPP), Tenable Cloud Security.
bit.ly
August 14, 2025 at 10:31 PM
See me at 11 am today on the #DEFCON Creator Stage 4 (room 228). I'm super excited for this, and a big "thank you!" to the #AdversaryVillage team!
#hackersummercamp @github.com
August 9, 2025 at 4:07 PM
AI has written its first malicious package! I found an NPM package named @kodane/patch-manager that deploys a well-written persistent JavaScript crypto drainer.
Here's the thing: I'm pretty sure Claude wrote it!
Check out my post: getsafety.com/blog-posts/t...
@anthropic.com @npmjs.bsky.social
Threat actor uses AI to create a better crypto wallet drainer
Safety’s malicious package detection identified a malicious package that appears to have been written by Claude AI
getsafety.com
July 31, 2025 at 8:50 PM
The apocalypse is upon us!
July 17, 2025 at 9:19 PM
I'm the first presentation for Adversary Village at @defcon.bsky.social. See me talk about open-source malware at 11 am on Saturday, August 9, in room 228 (creator stage 4)
July 14, 2025 at 12:23 AM
Heya @virginaustralia.bsky.social I just tried to buy tickets for $6903 as advertised, but turns out it's a bait & switch. Real price: $11,617. VA support blames it on "website latency" but that price still on site. Wonder what Australian ACCC will make of VA advertising fares that don't exist?
July 6, 2025 at 6:51 AM
May 9, 2025 at 6:09 AM
You can't make this shit up! The NIST NVD database has been down all day, so no one can look up CVEs via NVD. @shodanhq.bsky.social reports that one of the two ec2 instances serving up the NVD website reports a "402 Payment Required".
Did DOGE dipshits break our national vulnerability database?!
April 2, 2025 at 5:24 AM
New infostealer targets Exodus crypto wallets. The author wrote this malware in a little-known language to evade detection. Read my write-up here: sourcecodered.com/npm-package-...
NPM package targeting crypto wallets uses new language to evade detection
A new software supply chain attack is targeting Exodus wallet files with a new custom malware that uses a unique evasion technique
sourcecodered.com
February 17, 2025 at 11:43 PM
I wrote a post about the 3 most common myths I run into when talking to developers or infosec teams about malicious packages. Devs aren't familiar with malicious packages & security teams assume that existing security tools will find malware (spoiler: they don't).
sourcecodered.com/three-myths-...
3 myths about npm based threats
Npm-based threats are not well-understood, so I wrote a blog post addressing the 3 most common "myths" that I see from engineering teams
sourcecodered.com
February 11, 2025 at 10:33 PM
I've identified an NPM package named "arcus-cmd-utils" that deploys a Chrome-based infostealer to infected computers. You can read my blog post complete with technical details and IOCs. @npmjs.bsky.social @github.com #softwaresupplychain #devsecops
sourcecodered.com/malicious-ar...
Malicious NPM package infects developers with new infostealer malware
A malicious package named arcus-cmd-utils was published on January 12, 2025 to the npm registry and deploys Windows-based infostealer malware
sourcecodered.com
January 28, 2025 at 10:17 PM
My blog post is top spot on Hackernews! Woot!
@hackernewsbot.bsky.social #softwaresupplychain
January 14, 2025 at 8:45 AM