6mile
@6mile.githax.com
Software Supply Chain Red Team. SourceCodeRED & SecureStack founder, dad, startup OG, snowboarder and hacker. Workin on GitHax tool in my spare time. github.com/6mile
@eastsidemccarty from the bird site.
Touche.
January 6, 2026 at 10:39 PM
Ooooohh, this looks legit!
🤩 Honored to announce that I am part of the Review Committee, along with so many talented folks, for this new conference [Un]prompted, led by @gadievron!

[Un]prompted is an AI security focused conference with several topics to continue to push the […]

[Original post on infosec.exchange]
December 19, 2025 at 6:06 AM
Another day, and another @hacker0x01.bsky.social "researcher" ganking people's AWS keys in a public NPM package (plugin-senna). 🤦‍♀️
December 17, 2025 at 6:19 AM
Bug bounty peeps, yo
December 15, 2025 at 5:09 AM
As an Australian, my heart hurts today.
December 15, 2025 at 2:23 AM
Reposted by 6mile
We have a special episode of @absoluteappsec.bsky.social today with Paul McCarty @6mile.githax.com who will help us make sense of the last few weeks of npm news. So join Paul @sethlaw.bsky.social and @cktricky.bsky.social at 12 Noon ET here: www.youtube.com/watch?v=UM4F...
December 2, 2025 at 3:02 PM
We knew it was coming, and now it's here: Dynamic payloads have been found in @npmjs.bsky.social packages.
Ouch. 😦
The Safety research team has identified a new NPM based malware we are calling "Integrator-Filescrypt". This campaign uses a unique "cloaking" technique to hide from researchers and cloud providers. It's sneaky & very effective. Read more on our blog: www.getsafety.com/blog-posts/n...
NPM Malware Uses “Cloaking” Technology to Target StandX and Uniswap Users
November 18, 2025 at 11:58 PM
Noice! I think this is the first time my work has been covered by @bleepingcomputer.com
November 14, 2025 at 9:19 PM
I've identified a new worm affecting NPM. I'm calling it "IndonesianFoods" based on its internal dictionary. The intent is to generate assets on the Tea Protocol blockchain.
It's dumb, but it's MASSIVE!
Check the link 👉
sourcecodered.com/indonesianfo...
@npmjs.bsky.social @github.com
November 12, 2025 at 11:30 PM
I suspect a lot of full time BB peeps are doing the same
November 5, 2025 at 1:28 PM
I like the one-two combo you got going there picklerick
October 23, 2025 at 12:06 AM
Don't let AI write your payloads for you if you don't know what you're doing. Otherwise, you might end up publishing your API keys, environment variables, and identity to @npmjs.bsky.social
October 16, 2025 at 10:41 PM
Want to sniff out private bug bounty programs? If you monitor OSV for new malicious packages, you'll get some great intel. Today's example: @npmjs.bsky.social user Paastha published 6 packages targeting @vercel.com. But wait, they don't have a BB program?! Or do they.... 😮💥
October 8, 2025 at 9:24 PM
Tell me that @v0.dev has a bug bounty program without telling me they have a bug bounty program.
#dependencyconfusion #maliciouspackage
October 8, 2025 at 8:38 AM
Heya homie, that ain't gonna work.
October 7, 2025 at 9:31 AM
Yes, thanks for follow up
September 30, 2025 at 6:41 PM
I need to talk to someone in the @reversinglabs.com detection team.
Anyone in my network got an intro?
September 28, 2025 at 1:14 AM
I gave a talk at the FIRST CTI conference in Berlin earlier this year. Here's my presentation in its entirety.
www.youtube.com/live/j23OubE...
September 20, 2025 at 8:31 PM
September 16, 2025 at 11:38 PM
Thanks mate! Great post pulling the thread.
September 16, 2025 at 7:27 PM
August 28, 2025 at 9:45 PM
Impressed with the Tenable One CSPM demo at the #Tenable #BlackHat booth. Blends vulnerability scanning with cloud security + ASPM features via IaC scanning and Git integrations. Worth checking if you're comparing cloud security solutions: bit.ly/4mbhg3e #BlackHat2025 #CloudSec
Tenable Cloud Security (CNAPP)
Reduce cloud risk and exposure from faulty configurations and entitlements with our cloud-native application protection platform (CNAPP), Tenable Cloud Security.
August 14, 2025 at 10:31 PM
See me at 11 am today on the #DEFCON Creator State 4 (room 228). I'm super excited for this, and a big "thank you!" to the #AdversaryVillage team!
#hackersummercamp @github.com
August 9, 2025 at 4:07 PM
Yeah mate, I’ll be there all week.
August 1, 2025 at 8:01 PM