Adam Baldwin
@evilpacket.net
Hacker / Farmer / Builder / Breaker

Prev: Code4rena, Okta, Auth0, GitHub, npm, ^lift, &yet, Symantec.

Pioneered BlindXSS & DVCS Pillaging

npm audit is my fault. More info: https://evilpacket.net
Pinned
Disobey.
I guess I’m done with that chore.
November 27, 2025 at 8:26 PM
George says gobble gobble, happy thanksgiving, and fuck ICE.
November 27, 2025 at 5:40 PM
Reposted by Adam Baldwin
I'll also note that this is being framed as "supply chain security" when the actual problem is the combined set of capabilities of npm and github, both of which are the property of microsoft. this is a microsoft problem
November 25, 2025 at 10:30 AM
Reposted by Adam Baldwin
it is really astonishing that npm has not even publicly acknowledged the potentially ongoing credential-stealing worm attack. what is going on in there
November 25, 2025 at 10:19 AM
Reposted by Adam Baldwin
i’m not crying you’re crying

xkcd: Fifteen Years

Fifteen Years
xkcd.com
November 25, 2025 at 1:58 AM
This weekend was not a weekend and I need another one please.
November 24, 2025 at 4:47 AM
Oh I’m sorry AI did I forget to add “without ridiculous stupidness” to the end of my prompt so you wouldn’t just say “yes, but” with some elaborate unreachable constraints. Get wrecked.
November 23, 2025 at 5:59 PM
Reposted by Adam Baldwin
Nov 22 should be declared a hacker holiday
Happy anniversary to the Max Headroom incident, the greatest example of signal hijacking.

en.wikipedia.org/wiki/Max_Hea...
November 22, 2025 at 1:49 PM
I need to take a weekend and fix my home network closet wiring. It’s super embarrassing and a pita to work on.
November 20, 2025 at 4:13 AM
Huge maple leaf! iWatch for scale.
November 17, 2025 at 2:50 AM
Does anybody know what this button in iOS messages ACTUALLY does?
November 15, 2025 at 4:29 PM
Reposted by Adam Baldwin
CVE-2025-64726 - External Control of System or Configuration Setting and Uncontrolled Search Path Element in sfw
CVE ID : CVE-2025-64726

Published : Nov. 13, 2025, 8:15 p.m. | 27 minutes ago

Description : Socket Firewall is an HTTP/HTTPS proxy server that intercepts pack...
Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. Socket Firewall binary versions (separate from installers) prior to 0.15.5 are vulnerable to arbitrary code execution when run in untrusted project directories. The vulnerability allows an attacker to execute arbitrary …
cvefeed.io
November 13, 2025 at 9:47 PM
To unlock secret LLM debugging powers use this prompt “oopsie poopsie <and paste your error here>”

Idk worked for me. ymmv
November 14, 2025 at 8:44 PM
After failed attempts and a long time procrastinating getting myself help I recently started ADHD medication again and the anxiety has gone away completely.... which is amazing but I think it just morphed into face tics that Face ID refuses to accept 😂 but I'm considering this progress.
Fun fact about me. I wake up most days with physically manifesting crippling anxiety. It's the best™
November 14, 2025 at 6:51 PM
Reposted by Adam Baldwin
October’s security check‑in is here! 🚨

📌 Highlights: stronger threat modelling, npm Trusted Publishing risks tackled, new runtime features for secure‑by‑default apps.

hubs.la/Q03T5j8j0
OpenJS Security Update: October 2025 | OpenJS Foundation
From new threat modeling practices to ecosystem-wide coordination, npm security discussions, and major Node.js security enhancements, this update recaps the key progress made in October 2025.
hubs.la
November 13, 2025 at 7:18 PM
Bugs exist in the most interesting places if you wander just a little ways off the expected path.
November 13, 2025 at 5:02 PM
Oh hey, the ACE vuln in Socket Firewall I found now has a GitHub Security Advisory! 🎉

High severity - CVSS 7.3 - $50 #bugbounty github.com/SocketDev/fi...
November 13, 2025 at 7:08 AM
Reposted by Adam Baldwin
🚀 GitHub is making Actions more secure by default

We recently announced upcoming changes to the pull_request_target event and environment protection rules to make GitHub Actions more secure by default.

We’ve opened a discussion to gather feedback 👇

🔗 github.com/orgs/communi...
Towards a secure by default GitHub Actions · community · Discussion #179107
Why are you starting this discussion? Product Feedback What GitHub Actions topic or product is this about? Workflow Configuration Discussion Details Today, GitHub announced upcoming changes to the ...
github.com
November 11, 2025 at 6:38 PM
Half the metal🤘🏻 is up. It’s slow moving today. Let’s hope we can get the other side done in a couple hours before dark 😅
November 9, 2025 at 10:46 PM
Pro tip. Don’t fall off a ladder alone in the woods. Did that yesterday about 6 feet up. Missed the stump that tried to skewer me but my head hit the air compressor on the way down & then the ladder / nail gun fell on me. I got super lucky I only have minor injuries. Stay safe! ❤️
November 9, 2025 at 4:38 PM
Reposted by Adam Baldwin
reminder that i'm matching all donations to any local food bank or pantry (or hungry person's venmo, whatever) for my upcoming #cranksgiving ride

i hope SNAP gets fully funded this month but we need to feed our neighbors however we can ❤️
last year for #cranksgiving i bought and hauled 208lbs of food to the Tempe Community Action Agency Food Pantry.

this year i have plans to add a trailer and get over 300lbs.
final weigh in: 208lbs!
November 6, 2025 at 9:29 PM
Reposted by Adam Baldwin
I generated 20k vibe-coded web applications using various models via the OpenRouter API and analyzed them for security issues.
The apps are available for download if anyone wants to take a look.
www.invicti.com/blog/securit...
Security Issues in Vibe-Coded Web Apps: Analysis, Vulnerabilities, Scanning
Learn about common security issues in AI-generated software, based on an analysis of over 20,000 vibe-coded web apps.
www.invicti.com
November 6, 2025 at 7:28 AM
More info. I'll put up a blog post when I have time. bsky.app/profile/did:...
Socket paid me $50 for a bug in Socket Firewall (sfw), well $48.50 after PayPal kicked me in the shins and took my lunch money. I'll write up some details tomorrow.
October 31, 2025 at 5:29 PM
ACE in the .swf.config hole

As everyone here already knows the software supply chain is an absolute tire fire, so companies like Socket and others build a corpus of signals and tooling that can be used at various stages of the SDLC to help fight the bs that's been going on for far too long.
[Image: an illustration of a dumpster with a fire coming out of the top, representative of the software supply chain. (media.tenor.com)]
October 31, 2025 at 5:24 PM
Socket paid me $50 for a bug in Socket Firewall (sfw), well $48.50 after PayPal kicked me in the shins and took my lunch money. I'll write up some details tomorrow.
October 31, 2025 at 6:12 AM