Adam Baldwin
@evilpacket.net
Hacker / Farmer / Builder / Breaker
Prev: Code4rena, Okta, Auth0, GitHub, npm, ^lift, &yet, Symantec.
Pioneered BlindXSS & DVCS Pillaging
npm audit is my fault. More info: https://evilpacket.net
Narrator: he did not make it.
I managed to get enough panels up to dry in the important part of the coop before tomorrow’s rain. I, umm, ran out of screws. Good job, past me, at that math.
November 10, 2025 at 2:14 AM
My pro tip for any coop, because you will get old: make it so you can, without ducking, walk into it to easily clean it.
November 9, 2025 at 11:35 PM
Ty! I’m surprisingly ok. I’m back out here today to get the metal on before rain. 😅
November 9, 2025 at 5:47 PM
Solid advice there, I knew better but was rushing the sunset. My son leveled the ground for me during post-incident response; I didn’t know he could move that fast.
November 9, 2025 at 4:51 PM
Won’t see an LLM falling off a ladder, take that AI.
November 9, 2025 at 4:46 PM
I’ve got plans to give this dude a hat
If I can find the materials.
November 7, 2025 at 5:55 PM
Hoggle would like you to drop that in the pasture please.
November 7, 2025 at 2:47 AM
What. Wow. This is incredible. I didn’t know lol. So useful.
November 5, 2025 at 3:42 AM
I’ve got really solid help from my son. Otherwise it wouldn’t even be this far 😅. Next couple of dry days we’ll finish the roof, and paint in the spring.
November 4, 2025 at 5:08 AM
This is an in-progress pic but I managed to find the motivation to finally put up the roof trusses this weekend for the second coop. This is a very old/delayed project 😅
November 3, 2025 at 10:30 PM
There seems to be a hole in my memory.
October 31, 2025 at 8:36 PM
lol. It's .sfw.config not .swf.config - this is not a skeet about Shockwave.
October 31, 2025 at 8:13 PM
Here is the PoC I recorded during the middle of the development of the exploit. It shows the installation of botbait, a "malicious" package, despite Socket having blocked it.
asciinema.org/a/vSEd699klc...
October 31, 2025 at 5:24 PM
Disclosure timeline
- Oct 13, 2025 Initial report submitted
- Oct 13, 2025 Report acknowledged by Socket security team
- Oct 14, 2025 Vulnerability confirmed as valid
- Oct 14, 2025 Mitigations deployed
- Oct 15, 2025 $50 bounty awarded
- Oct 31, 2025 Public disclosure
October 31, 2025 at 5:24 PM
Socket was quick to respond to the report and fix the issue, releasing binary v0.13.9, despite informing me that what I found and reported was a bit outside of the threat model for the tool and that they plan to clarify this in documentation.
October 31, 2025 at 5:24 PM
The first pass loads the .sfw.config as a config file, setting KEY=VALUE into the env, which points a require statement back to itself, this time executing the file as JavaScript.
October 31, 2025 at 5:24 PM
So if you ran sfw npm install on an untrusted repo with a config like this, well, you can see what would happen.
/*
NODE_OPTIONS='--require ./.sfw.config'
*/
const { exec } = require('child_process');
exec(`say "Hack the Planet!"`, err => {});
console.log('=== HACK THE PLANET ===')
October 31, 2025 at 5:24 PM
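The root cause in the thread is a config loader that exported whatever KEY=VALUE pairs it found in a repo-controlled dotfile, skipping the lines it did not understand. Below is an added example of a fail-closed loader for such a tool (my own illustration, not code from the posts or from Socket's sfw): it refuses variables that alter the Node process itself and rejects any file containing lines that are not KEY=VALUE, so a polyglot like the one above is never applied. The denylist and the sample inputs are constructed for the example.

```javascript
// Added example: a fail-closed KEY=VALUE config loader for a CLI wrapper
// that reads a dotfile from a possibly untrusted checkout. Not the sfw
// tool's own code; the denylist below is an assumption for this example.
const DENIED_KEYS = new Set([
  'NODE_OPTIONS', 'NODE_PATH', 'NODE_EXTRA_CA_CERTS', 'NODE_REPL_EXTERNAL_MODULE',
  'LD_PRELOAD', 'DYLD_INSERT_LIBRARIES', 'PATH', 'NPM_CONFIG_SCRIPT_SHELL',
]);

const LINE_RE = /^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/;

// Returns { ok, env, rejected }. When ok is false, env is empty: nothing from
// a file we could not fully validate is exported to the child process.
function loadConfig(text) {
  const env = {};
  const rejected = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) return; // blank or comment line
    const m = LINE_RE.exec(line);
    if (!m) { // a naive loader would skip this; a polyglot relies on that
      rejected.push({ line: i + 1, reason: 'not KEY=VALUE', text: line });
      return;
    }
    const key = m[1];
    let value = m[2].trim();
    // Strip one pair of matching surrounding quotes.
    if (value.length >= 2 && (value[0] === "'" || value[0] === '"') &&
        value[0] === value[value.length - 1]) value = value.slice(1, -1);
    if (DENIED_KEYS.has(key.toUpperCase())) {
      rejected.push({ line: i + 1, reason: 'denied variable', key });
      return;
    }
    env[key] = value;
  });
  const ok = rejected.length === 0;
  return { ok, env: ok ? env : {}, rejected };
}

// Environment for the wrapped npm process: trusted base plus accepted config.
// Assumption: callers pass process.env (or a scrubbed copy) as base.
function buildChildEnv(base, result) {
  if (!result.ok) throw new Error('config rejected: ' + JSON.stringify(result.rejected));
  return { ...base, ...result.env };
}

// Constructed samples: one mirrors the shape of the polyglot in the thread.
const POLYGLOT_SAMPLE = ['/*', "NODE_OPTIONS='--require ./.sfw.config'", '*/',
  "console.log('would run before the app')", 'SFW_LEVEL=warn'].join('\n');
const CLEAN_SAMPLE = 'SFW_LEVEL=warn\nSFW_COLOR="1"\n# comment\n';
```

Logging the rejected entries gives a detection signal as well: a checkout whose config tries to set NODE_OPTIONS is worth a look before anything else in it runs.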
If we can do that, we can execute code before the rest of the application.
The proof of concept I put together ended up being kind of a fun polyglot, so the config and the malicious payload could both reside in the .sfw.config file!
October 31, 2025 at 5:24 PM
Here is some useful info for the rest of the story and the docs for a fun trick.
nodejs.org/api/single-e...
nodejs.org/api/cli.html...
If we can tamper with env variables we can use NODE_OPTIONS to pass in arguments to the node process, and if we can do that we can pass in --require...
October 31, 2025 at 5:24 PM