Posts by 6mile

BSides Goldie 2026 BSides Gold Coast returns May 23rd, 2026! This is the second year we are running BSides Goldie and we are expanding the conference for 2026

Tickets to Gold Coast BSides go on sale tomorrow!
events.humanitix.com/bsides-goldi...

2 weeks ago 2 0 0 0
Heya @steipete.me can you do something about malicious skills in your ClawHub registry? Last night, one user published 200 malicious skills. I am tracking a dozen threat actors all publishing multiple malicious skills into this registry, and I've emailed you about all of them, but got crickets back

2 months ago 1 1 0 0

Some of the most popular packages on the OpenClaw official registry ClawHub are malicious
@openclaw-x.bsky.social

2 months ago 1 1 0 0
restore automatic task notification prompt, set automatic tasks to false by default by meganrogge · Pull Request #289947 · microsoft/vscode fixes #287073 This restores the notification prompt that asks users to approve automatic tasks before they run, and changes the default behavior to be more secure. Default changed to off Permissio...

FINALLY!!!
github.com/microsoft/vs...

2 months ago 0 1 1 0
Touché.

3 months ago 1 0 0 0

Ooooohh, this looks legit!

4 months ago 1 0 0 0
Another day, and another @hacker0x01.bsky.social "researcher" ganking people's AWS keys in a public NPM package (plugin-senna). 🤦‍♀️

4 months ago 0 0 0 0
Bug bounty peeps, yo

4 months ago 1 0 0 0

As an Australian, my heart hurts today.

4 months ago 0 0 0 0
Promotion for Absolute AppSec episode with Paul McCarty, taking place today Dec 2 at 12 Noon Eastern time. The show livestream link is provided here: https://www.youtube.com/watch?v=UM4Fq6Q_Qpg
We have a special episode of @absoluteappsec.bsky.social today with Paul McCarty @6mile.githax.com who will help us make sense of the last few weeks of npm news. So join Paul @sethlaw.bsky.social and @cktricky.bsky.social at 12 Noon ET here: www.youtube.com/watch?v=UM4F...

4 months ago 1 2 0 0

We knew it was coming, and now it's here: Dynamic payloads have been found in @npmjs.bsky.social packages.
Ouch. 😦

5 months ago 1 1 0 0

Noice! I think this is the first time my work has been covered by @bleepingcomputer.com

5 months ago 0 0 0 0

I'm on @thehackernews.bsky.social again

5 months ago 1 0 1 0
I've identified a new worm affecting NPM. I'm calling it "IndonesianFoods" based on its internal dictionary. The intent is to generate assets on the Tea Protocol blockchain.
It's dumb, but it's MASSIVE!
Check the link 👉
sourcecodered.com/indonesianfo...
@npmjs.bsky.social @github.com

5 months ago 0 1 0 0

I suspect a lot of full time BB peeps are doing the same

5 months ago 0 0 0 0
I like the one-two combo you got going there picklerick

5 months ago 1 0 1 0
Don't let AI write your payloads for you if you don't know what you're doing. Otherwise, you might end up publishing your API keys, environment variables, and identity to @npmjs.bsky.social

6 months ago 0 1 0 0
Want to sniff out private bug bounty programs? If you monitor OSV for new malicious packages, you'll get some great intel. Today's example: @npmjs.bsky.social user Paastha published 6 packages targeting @vercel.com. But wait, they don't have a BB program?! Or do they.... 😮💥

6 months ago 1 0 0 0
Tell me that @v0.dev has a bug bounty program without telling me they have a bug bounty program.
#dependencyconfusion #maliciouspackage

6 months ago 1 1 0 0
Heya homie, that ain't gonna work.

6 months ago 0 0 0 0

Yes, thanks for the follow-up.

6 months ago 1 0 0 0

I need to talk to someone in the @reversinglabs.com detection team.
Anyone in my network got an intro?

6 months ago 1 1 2 0
I gave a talk at the FIRST CTI conference in Berlin earlier this year. Here's my presentation in its entirety.
www.youtube.com/live/j23OubE...

6 months ago 0 0 0 0
Post image
7 months ago 2 1 0 0
Thanks mate! Great post pulling the thread.

7 months ago 1 0 0 0
Post image
7 months ago 0 0 0 0
Tenable Cloud Security (CNAPP) Reduce cloud risk and exposure from faulty configurations and entitlements with our cloud-native application protection platform (CNAPP), Tenable Cloud Security.

Impressed with the Tenable One CSPM demo at the #Tenable #BlackHat booth. Blends vulnerability scanning with cloud security + ASPM features via IaC scanning and Git integrations. Worth checking if you're comparing cloud security solutions: bit.ly/4mbhg3e #BlackHat2025 #CloudSec

8 months ago 1 0 0 0
See me at 11 am today on the #DEFCON Creator Stage 4 (room 228). I'm super excited for this, and a big "thank you!" to the #AdversaryVillage team!
#hackersummercamp @github.com

8 months ago 1 0 0 0

Yeah mate, I’ll be there all week.

8 months ago 1 0 0 0
Threat actor uses AI to create a better crypto wallet drainer Safety’s malicious package detection identified a malicious package that appears to have been written by Claude AI

AI has written its first malicious package! I found an NPM package named @kodane/patch-manager that deploys a well-written persistent JavaScript crypto drainer.
Here's the thing: I'm pretty sure Claude wrote it!
Check out my post: getsafety.com/blog-posts/t...

@anthropic.com @npmjs.bsky.social

8 months ago 1 0 1 0