6mile
@6mile.githax.com
Software Supply Chain Red Team. SourceCodeRED & SecureStack founder, dad, startup OG, snowboarder and hacker. Workin on GitHax tool in my spare time. github.com/6mile
@eastsidemccarty from the bird site.
I've identified a new worm affecting NPM. I'm calling it "IndonesianFoods" based on its internal dictionary. The intent is to generate assets on the Tea Protocol blockchain.
It's dumb, but it's MASSIVE!
Check the link 👉
sourcecodered.com/indonesianfo...
@npmjs.bsky.social @github.com
November 12, 2025 at 11:30 PM
I like the one-two combo you got going there picklerick
October 23, 2025 at 12:06 AM
Don't let AI write your payloads for you if you don't know what you're doing. Otherwise, you might end up publishing your API keys, environment variables, and identity to @npmjs.bsky.social
October 16, 2025 at 10:41 PM
Want to sniff out private bug bounty programs? If you monitor OSV for new malicious packages, you'll get some great intel. Today's example: @npmjs.bsky.social user Paastha published 6 packages targeting @vercel.com. But wait, they don't have a BB program?! Or do they.... 😮💥
October 8, 2025 at 9:24 PM
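The post above suggests watching OSV for newly published malicious packages. The script below is an added example, not the author's tooling: it filters OSV-style advisory records for the "MAL-" ids that mark malicious packages, keeps only npm entries modified after a cut-off, and flags package names that contain a watchlisted vendor keyword (the kind of "who is being targeted" signal the post describes). The records, the package names, the vendor keyword and the GHSA id are all constructed placeholders; how you fetch real records from OSV (its bulk export or REST API) is outside the example.

```python
"""Filter OSV-style advisories for new malicious npm packages (added example)."""
import json
from datetime import datetime

# Constructed OSV-shaped records for this example; none of these ids or
# package names are real advisories. Real records carry many more fields.
SAMPLE_OSV_JSON = json.dumps([
    {"id": "MAL-2025-0001", "modified": "2025-10-08T09:00:00Z",
     "summary": "Malicious code in example-vendor-internal-sdk (npm)",
     "affected": [{"package": {"ecosystem": "npm",
                               "name": "example-vendor-internal-sdk"},
                   "versions": ["1.0.0", "1.0.1"]}]},
    {"id": "MAL-2025-0002", "modified": "2025-10-08T10:30:00Z",
     "summary": "Malicious code in totally-unrelated-lib (npm)",
     "affected": [{"package": {"ecosystem": "npm",
                               "name": "totally-unrelated-lib"},
                   "versions": ["0.0.1"]}]},
    {"id": "MAL-2025-0003", "modified": "2025-10-07T12:00:00Z",
     "summary": "Malicious code in evil-py-thing (PyPI)",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "evil-py-thing"},
                   "versions": ["0.1"]}]},
    {"id": "MAL-2024-0004", "modified": "2024-03-01T00:00:00Z",
     "summary": "Malicious code in old-npm-backdoor (npm)",
     "affected": [{"package": {"ecosystem": "npm", "name": "old-npm-backdoor"},
                   "versions": ["2.0.0"]}]},
    # An ordinary vulnerability advisory (placeholder id), not a malicious package.
    {"id": "GHSA-xxxx-xxxx-xxxx", "modified": "2025-10-08T11:00:00Z",
     "summary": "Prototype pollution in some-legit-lib",
     "affected": [{"package": {"ecosystem": "npm", "name": "some-legit-lib"}}]},
])


def load_records(raw_json=SAMPLE_OSV_JSON):
    """Parse a JSON array of OSV records (here the constructed sample)."""
    return json.loads(raw_json)


def parse_osv_time(value):
    """OSV timestamps are RFC 3339 with a trailing 'Z'; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_malicious_advisory(record):
    """OSV publishes malicious-package advisories under ids prefixed 'MAL-'."""
    return str(record.get("id", "")).startswith("MAL-")


def npm_packages(record):
    """Names of npm packages listed in the record's 'affected' array."""
    return [entry["package"]["name"]
            for entry in record.get("affected", [])
            if entry.get("package", {}).get("ecosystem") == "npm"]


def new_malicious_npm(records, since_iso):
    """(advisory id, package name) pairs for MAL- npm advisories modified at/after since_iso."""
    since = parse_osv_time(since_iso)
    hits = []
    for record in records:
        if not is_malicious_advisory(record):
            continue
        if parse_osv_time(record["modified"]) < since:
            continue
        for name in npm_packages(record):
            hits.append((record["id"], name))
    return sorted(hits)


def watchlist_hits(records, keywords, since_iso):
    """Subset of new_malicious_npm whose package name contains a watchlisted keyword.

    A burst of malicious packages named after one vendor is the 'who is being
    targeted' signal; the keywords are yours to choose (e.g. your own brand).
    """
    wanted = [k.lower() for k in keywords]
    return [(aid, name) for aid, name in new_malicious_npm(records, since_iso)
            if any(k in name.lower() for k in wanted)]


if __name__ == "__main__":
    recs = load_records()
    print("new malicious npm since 2025-10-01:",
          new_malicious_npm(recs, "2025-10-01T00:00:00Z"))
    print("watchlist (example-vendor):",
          watchlist_hits(recs, ["example-vendor"], "2024-01-01T00:00:00Z"))
```

Running this over a real OSV export instead of the constructed sample, with your own organisation's name in the keyword list, is a cheap daily check for packages impersonating your internal modules; the PyPI record and the non-MAL GHSA record are deliberately included to show that both filters must hold before a record is reported.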
Tell me that @v0.dev has a bug bounty program without telling me they have a bug bounty program.
#dependencyconfusion #maliciouspackage
October 8, 2025 at 8:38 AM
Heya homie, that ain't gonna work.
October 7, 2025 at 9:31 AM
September 16, 2025 at 11:38 PM
August 28, 2025 at 9:45 PM
See me at 11 am today on the #DEFCON Creator State 4 (room 228). I'm super excited for this, and a big "thank you!" to the #AdversaryVillage team!
#hackersummercamp @github.com
August 9, 2025 at 4:07 PM
The apocalypse is upon us!
July 17, 2025 at 9:19 PM
I'm the first presentation for Adversary Village at @defcon.bsky.social. See me talk about open-source malware at 11 am on Saturday, August 9, in room 228 (creator stage 4)
July 14, 2025 at 12:23 AM
Heya @virginaustralia.bsky.social I just tried to buy tickets for $6903 as advertised, but turns out it's a bait & switch. Real price: $11,617. VA support blames it on "website latency" but that price still on site. Wonder what Australian ACCC will make of VA advertising fares that don't exist?
July 6, 2025 at 6:51 AM
May 9, 2025 at 6:09 AM
You can't make this shit up! The NIST NVD database has been down all day, so no one can look up CVEs via NVD. @shodanhq.bsky.social reports that one of the two ec2 instances serving up the NVD website reports a "402 Payment Required".
Did DOGE dipshits break our national vulnerability database?!
April 2, 2025 at 5:24 AM
My blog post is top spot on Hackernews! Woot!
@hackernewsbot.bsky.social #softwaresupplychain
January 14, 2025 at 8:45 AM
Quickest turnaround in MONTHS from NPM as they've taken down the marked-cs and marked-ps malicious packages in less than a day! Woot!

@npmjs.bsky.social #softwaresupplychain #npm
January 14, 2025 at 12:47 AM
Spotted
January 10, 2025 at 11:59 PM
Did a security researcher at Snyk really just publish malicious packages to NPM targeting Cursor.com?
January 8, 2025 at 9:48 AM
If you are using crypto/web3 libraries be aware that many npm packages that claim to be a part of @solana.com or @walletconnect.bsky.social ecosystems are malicious. For example, the solanacore, walletcore-gen and solana-login @npmjs.bsky.social packages drop infostealers on hosts and exfil data.
January 6, 2025 at 9:39 PM
Happy holidays from #badsanta!
December 21, 2024 at 3:46 AM
Attackers compromised the popular rspack/core & rspack/cli NPM packages owned by @bytedance.bsky.social. The attackers published version 1.1.7 for both packages, which deployed the xmrig crypto miner & sent all tokens to the IP 80[.]78.28.72. These packages are downloaded thousands of times a week
December 19, 2024 at 11:07 PM
BREAKING NEWS! Six packages were just published to the NPM registry, delivering a new MacOS malware. Do not install these packages!
#softwaresupplychain #malware @npmjs.bsky.social
December 18, 2024 at 9:33 AM
Shodan is down!
December 16, 2024 at 7:02 AM
A @npmjs.bsky.social package named discord-json-scaller was published on 12/7 & removed on 12/12. It contained an elegant Discord injection attack written by the same author of hackirby/skuld. It intercepts login, registration & 2FA requests, email & password changes, credit card payments & more.
December 13, 2024 at 8:46 PM
Woot! My first three CFP/CFT submissions for 2025 have come back accepted! Stoked!
December 11, 2024 at 9:19 PM