alp1n3 🌲
@alp1n3.dev
🔮 AppSec & Go | Ex: ARCYBER
Previously: Malware, Helpdesk, and More 🎉
Pinned
alp1n3 🌲
@alp1n3.dev
· Nov 13
📍Feel free to give me a follow if you’re into:
- Application Security
- Web App Pentesting
- Bug Bounty Hunting
- Malware Analysis
- Shitposting about F1 🏎️
- Web3 / Crypto & Cybersecurity
I’m always trying to share what I learn along my journey! 📰
Reposted by alp1n3 🌲
Something I observed while manually reviewing every single site on personalsit.es:
Websites built with Next.js very rarely have RSS feeds.
Websites built with React sometimes have RSS feeds.
Completely static sites almost always have RSS feeds.
#RSS
November 9, 2025 at 4:51 AM
Reposted by alp1n3 🌲
To all you AppSec people that are creating your own secure coding guide. Remember that there is this org called OWASP that might have this already. devguide.owasp.org/en/04-design/
It may not contain what you would like it to contain, but that is why it’s open source. Contributions are welcome!
Overview - OWASP Developer Guide
OWASP Foundation Developer Guide project
devguide.owasp.org
November 9, 2025 at 1:08 PM
Reposted by alp1n3 🌲
I wrote a thing, about a project you should knock out when you get 45 minutes free. fly.io/blog/everyon...
You Should Write An Agent
They're like riding a bike: easy, and you don't get it until you try.
fly.io
November 6, 2025 at 8:55 PM
Reposted by alp1n3 🌲
This is wild. 99% of the code is legit, with just 20 malicious lines buried in thousands of lines of working code.
cc: @campuscodi.risky.biz
🚨 New from Socket Threat Research: 9 malicious #NuGet packages deliver time-delayed destructive payloads, designed to crash apps and sabotage industrial control systems.
Read the full analysis → socket.dev/blog/9-malic... #dotnet
9 Malicious NuGet Packages Deliver Time-Delayed Destructive ...
Socket researchers discovered nine malicious NuGet packages that use time-delayed payloads to crash applications and corrupt industrial control system...
socket.dev
November 6, 2025 at 9:41 PM
🥲 Still can’t currently recommend getting a Suunto smart watch.
Despite knowing about bugs for 3+ months that wipe watches with each update…
And turning off automatic updates doesn’t work…
I’ve had my watch wiped twice at this point. Just go Garmin / Coros.
November 7, 2025 at 9:14 AM
Sometimes a project at home just needs its config thrown in a text file. Totally support this!
November 3, 2025 at 7:49 PM
Reposted by alp1n3 🌲
Why does this “something must be done” attitude never apply to corporate crimes?
Every day I’m shocked that nobody from Fujitsu or Post Office management have gone to prison for accusing post masters of crimes while stealing money from them, actions that led to suicide and wrongful imprisonment?
It's the classic 'something must be done'
November 3, 2025 at 8:28 AM
The ideal site for daily use:
- Plain, easy to read.
- Logical, following popular *positive* patterns users are used to
- Dark/Light support (ofc)
People hate on UIKits that standardize design, but tbh Etsy or Wayfair would be x100 better if they were pure Shadcn components 😂
Shame on these well-known companies for using these deceptive user interface patterns. https://hallofshame.design/collection/
Collection of Dark Patterns and Unethical Design
Discover a variety of dark pattern examples, sorted by category, to better understand deceptive design practices.
hallofshame.design
November 3, 2025 at 10:55 AM
Reposted by alp1n3 🌲
watching someone experienced work is a very underrated way to level up. "tacit knowledge transfer" is how we learn all the little tips and techniques and shortcuts that make experts so dang fast and effective, and it's really, really hard to learn that stuff in other ways
One of the first things I do with new junior engineers is pair with them to show them how I would track down a bug they're working on.
Learning how to problem solve in the codebase is more important than being able to churn out LoC.
Like the difference between an entry-level engineer and a senior one might be language fluency, but the difference between a senior one and a distinguished one is the distinguished one knows how to turn 100x 100 hour debugging problems into 4x 30 minute ones
November 3, 2025 at 1:10 AM
Reposted by alp1n3 🌲
I wrote a bit about my sidequest at Earendil: Building Absurd which implements durable execution (𝚞𝚜𝚎 𝚠𝚘𝚛𝚔𝚏𝚕𝚘𝚠, Temporal, Inngest, etc.) on just Postgres. How it works and why I like it. lucumr.pocoo.org/2025/11/3/ab...
Absurd Workflows: Durable Execution With Just Postgres
Durable execution with just postgres.
lucumr.pocoo.org
November 3, 2025 at 8:53 AM
Reposted by alp1n3 🌲
Articles worth reading discovered last week: Passports, WIFI and AI-SAST!
🛂 blog.trailofbits.com/2025/10/31/t...
🛜 pulsesecurity.co.nz/articles/byp...
🧠 parsiya.net/blog/wtf-is-...
The cryptography behind electronic passports
This blog post describes how electronic passports work, the threats within their threat model, and how they protect against those threats using cryptography. It also discusses the implications of usin...
blog.trailofbits.com
November 2, 2025 at 10:51 PM
Reposted by alp1n3 🌲
Did not see this coming: #Canva made #Affinity free and is investing to revamp it.
Smart growth move and a win for creators... pro-grade tools for free.
First look: www.youtube.com/watch?v=CzPz...
#Design #AffinitySuite
Meet the new Affinity
YouTube video by Canva
www.youtube.com
November 1, 2025 at 11:20 AM
Reposted by alp1n3 🌲
I don't agree with all the points being made here, but this opening sentence really hits home. 👇
blog.pabloecortez.com/its-insultin...
October 31, 2025 at 1:03 PM
Reposted by alp1n3 🌲
Some guy got in an argument with me about the impact of AI malware. He cited an MIT paper claiming "80% of ransomware attacks are AI powered". I glanced over it and burst out laughing, but couldn't be bothered to debunk it. My friend on the other hand, could. He roasted it so hard that MIT deleted it
Security Community Slams MIT-linked Report Claiming AI Power...
Experts push back on new claims about AI-driven ransomware, warning that hype and sponsored research are distorting how the threat is understood.
socket.dev
October 31, 2025 at 10:10 PM
Reposted by alp1n3 🌲
Happy to see someone outside Google rebuild/verify Go toolchains. Thanks @agwa.name! www.agwa.name/blog/post/ve...
"So far, Source Spotter has successfully reproduced every toolchain since Go 1.21.0, for every architecture and operating system. As of publication time, that's 2,672 toolchains!"
I'm Independently Verifying Go's Reproducible Builds
Introducing Source Spotter, a Go Checksum Database auditor and Go toolchain reproducer
www.agwa.name
October 30, 2025 at 5:15 PM
Reposted by alp1n3 🌲
Store from VulnLab released on HackTheBox yesterday. It's got a web decryption known plaintext attack, directory traversal, node inspect, and Chrome debug.
HTB: Store
HTB Store walkthrough: exploiting XOR encryption for arbitrary file read, SFTP tunneling to Node.js debugger, and Chrome webdriver RCE for root access.
0xdf.gitlab.io
October 30, 2025 at 10:00 AM
Reposted by alp1n3 🌲
I’ve also been experimenting with this this term and it’s crazy how much it immediately improves classroom discussion
Important update from two months into my “experiment” (lol) assigning college juniors and seniors to read whole physical books and then having a seminar where they use the physical book and physical notebooks and their ideas and questions to fill three hours of class time:
It rules
October 25, 2025 at 1:54 PM
Reposted by alp1n3 🌲
All of our issues are now chilling together in the 100k+ downloads club 🎉🥳. Thank you for reading and sharing them!
You can find all of them here: pagedout.institute?page=issues....
Paged Out!
Deeply technical zine. And it's free.
pagedout.institute
October 27, 2025 at 8:14 AM
Reposted by alp1n3 🌲
Things that not every product needs:
- push notifications
- chat
- a perky AI assistant
Jus’ sayin
October 25, 2025 at 9:41 PM
Making me feel better about my decision to stick with a manual Miele.
Love it!
Reversing a smart vacuum and making it work without access to the Internet 🤖
codetiger.github.io/blog/the-day...
The Day My Smart Vacuum Turned Against Me
Would you allow a stranger to drive a camera-equipped computer around your living room? You might have already done so without even realizing it.
The Beginning: A Curious Experiment
It all started ...
codetiger.github.io
October 26, 2025 at 11:47 AM
Reposted by alp1n3 🌲
A new Microsoft Teams feature will let organizations track employees based on nearby WiFi networks.
According to privacy experts, the new feature will allow companies to crack down on workers who dodge return-to-office mandates.
www.microsoft.com/en-us/micros...
October 26, 2025 at 9:15 AM
Reposted by alp1n3 🌲
LLMs are not a labor replacement technology, we've seen this come out of every study on their use in business contexts.
They've been falsely marketed as such, though, and therein lies the problem for all of us, from job seekers to the cos. pushing the tech as it causes myriad internal issues.
October 24, 2025 at 4:16 PM
Reposted by alp1n3 🌲
NEW: an a16z-backed startup called Doublespeed promises clients can “orchestrate actions on thousands of social accounts through both bulk content creation and deployment.”
Essentially an AI-powered bot service in violation of all major social media platforms
www.404media.co/a16z-backed-...
a16z-Backed Startup Sells Thousands of ‘Synthetic Influencers’ to Manipulate Social Media as a Service
Andreessen Horowitz is funding a company that clearly violates the inauthentic behavior policies of every major social media platform.
www.404media.co
October 24, 2025 at 6:14 PM