Adam Baldwin
@evilpacket.net
Hacker / Farmer / Builder / Breaker

Prev: Code4rena, Okta, Auth0, GitHub, npm, ^lift, &yet, Symantec.

Pioneered BlindXSS & DVCS Pillaging

npm audit is my fault. More info: https://evilpacket.net
Disobey.
lol the 8 port switch in my barn is full. 😅
December 25, 2025 at 4:47 AM
Reposted by Adam Baldwin
I made something new: an eslint plugin to validate your npm ecosystem lockfiles! It supports npm, pnpm, yarn, bun, and vlt, and it's already helped find a supply chain security attack vector inside a fortune 500 tech company. www.npmjs.com/package/esli...
December 22, 2025 at 7:16 AM
Against my better judgement I watched my LinkedIn year in review. My first connection was a friend I said goodbye to this year and it brings me to tears still.

We had fallen out a bit in recent years (my fault), but we did some amazing things together and he taught me a lot.

RIP flirzan nazrilf.
December 22, 2025 at 4:07 PM
Reposted by Adam Baldwin
THC Release 💥: The world’s largest IP<>Domain database: ip.thc.org

All forward and reverse IPs, all CNAMES and all subdomains of every domain. For free.

Updated monthly.

Try: curl ip.thc.org/1.1.1.1

Raw data (187GB): ip.thc.org/docs/bulk-da...

(The fine work of messede 👌)
December 17, 2025 at 1:33 PM
Anybody hiring for cave hermit?
December 16, 2025 at 8:01 PM
Reposted by Adam Baldwin
To recap, NPM allows 2FA TOTP token reuse within the token’s validity window.

I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.”

So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/
Seems that NPM too allows TOTP reuse within the time-step window. Seen a similar issue in multiple services over the years.

Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
December 12, 2025 at 1:08 PM
All gas, all brakes.
December 14, 2025 at 3:57 AM
Good show to everyone that played in the Hushcon CTF. #PFY 🏆
December 14, 2025 at 1:48 AM
Noooooo
December 14, 2025 at 12:15 AM
Can’t wait to see everyone at Hushcon tomorrow. Unfortunately I won’t be at the thing tonight.
December 11, 2025 at 9:38 PM
Reposted by Adam Baldwin
refuse to be monetized
December 10, 2025 at 2:36 PM
Reposted by Adam Baldwin
logging on
December 8, 2025 at 3:13 PM
Worked my ass off in the dirt for the last week to improve the property; water, power, and security and now I have to figure out how computers work again tomorrow 😅
December 8, 2025 at 1:43 AM
Reposted by Adam Baldwin
This part.
December 5, 2025 at 12:20 AM
15 years ago this next March. This was one of the first npm related security incidents I was involved in gist.github.com/jashkenas/20...
December 4, 2025 at 2:10 AM
Reposted by Adam Baldwin
who decided to call it Secret Santa when Nondisclosure Claus was right there
December 1, 2025 at 10:55 PM
Reported a leaked cred Feb 4th 2020... Solid turnaround time on this one. #bugbounty
December 1, 2025 at 5:54 PM
Welcome to December. The end of the year and winter are coming. I am so behind… 😅
ALT: a cartoon of Snoopy lying on a sleigh in the snow with the words "it's snowing" below him
December 1, 2025 at 2:57 PM
I guess I’m done with that chore.
November 27, 2025 at 8:26 PM
George says gobble gobble, happy thanksgiving, and fuck ICE.
November 27, 2025 at 5:40 PM
Reposted by Adam Baldwin
I'll also note that this is being framed as "supply chain security" when the actual problem is the combined set of capabilities of npm and github, both of which are the property of microsoft. this is a microsoft problem
November 25, 2025 at 10:30 AM
Reposted by Adam Baldwin
it is really astonishing that npm has not even publicly acknowledged the potentially ongoing credential-stealing worm attack. what is going on in there
November 25, 2025 at 10:19 AM
Reposted by Adam Baldwin
i’m not crying you’re crying

xkcd: Fifteen Years
November 25, 2025 at 1:58 AM
This weekend was not a weekend and I need another one please.
November 24, 2025 at 4:47 AM