6mile
@6mile.githax.com
Software Supply Chain Red Team. SourceCodeRED & SecureStack founder, dad, startup OG, snowboarder and hacker. Workin on GitHax tool in my spare time. github.com/6mile
@eastsidemccarty from the bird site.
I like the one-two combo you got going there picklerick
October 23, 2025 at 12:06 AM
Don't let AI write your payloads for you if you don't know what you're doing. Otherwise, you might end up publishing your API keys, environment variables, and identity to @npmjs.bsky.social
October 16, 2025 at 10:41 PM
Want to sniff out private bug bounty programs? If you monitor OSV for new malicious packages, you'll get some great intel. Today's example: @npmjs.bsky.social user Paastha published 6 packages targeting @vercel.com. But wait, they don't have a BB program?! Or do they.... 😮💥
October 8, 2025 at 9:24 PM
Tell me that @v0.dev has a bug bounty program without telling me they have a bug bounty program.
#dependencyconfusion #maliciouspackage
October 8, 2025 at 8:38 AM
Heya homie, that ain't gonna work.
October 7, 2025 at 9:31 AM
I need to talk to someone in the @reversinglabs.com detection team.
Anyone in my network got an intro?
September 28, 2025 at 1:14 AM
I gave a talk at the FIRST CTI conference in Berlin earlier this year. Here's my presentation in its entirety.
www.youtube.com/live/j23OubE...
September 20, 2025 at 8:31 PM
Impressed with the Tenable One CSPM demo at the #Tenable #BlackHat booth. Blends vulnerability scanning with cloud security + ASPM features via IaC scanning and Git integrations. Worth checking if you're comparing cloud security solutions: bit.ly/4mbhg3e #BlackHat2025 #CloudSec
Tenable Cloud Security (CNAPP)
Reduce cloud risk and exposure from faulty configurations and entitlements with our cloud-native application protection platform (CNAPP), Tenable Cloud Security.
bit.ly
August 14, 2025 at 10:31 PM
See me at 11 am today on the #DEFCON Creator Stage 4 (room 228). I'm super excited for this, and a big "thank you!" to the #AdversaryVillage team!
#hackersummercamp @github.com
August 9, 2025 at 4:07 PM
AI has written its first malicious package! I found an NPM package named @kodane/patch-manager that deploys a well-written persistent JavaScript crypto drainer.
Here's the thing: I'm pretty sure Claude wrote it!
Check out my post: getsafety.com/blog-posts/t...
@anthropic.com @npmjs.bsky.social
Threat actor uses AI to create a better crypto wallet drainer
Safety’s malicious package detection identified a malicious package that appears to have been written by Claude AI
getsafety.com
July 31, 2025 at 8:50 PM
The apocalypse is upon us!
July 17, 2025 at 9:19 PM
I'm the first presentation for Adversary Village at @defcon.bsky.social. See me talk about open-source malware at 11 am on Saturday, August 9, in room 228 (creator stage 4)
July 14, 2025 at 12:23 AM
Heya @virginaustralia.bsky.social I just tried to buy tickets for $6903 as advertised, but turns out it's a bait & switch. Real price: $11,617. VA support blames it on "website latency" but that price is still on the site. Wonder what the Australian ACCC will make of VA advertising fares that don't exist?
July 6, 2025 at 6:51 AM
You can't make this shit up! The NIST NVD database has been down all day, so no one can look up CVEs via NVD. @shodanhq.bsky.social reports that one of the two ec2 instances serving up the NVD website reports a "402 Payment Required".
Did DOGE dipshits break our national vulnerability database?!
April 2, 2025 at 5:24 AM
New infostealer targets Exodus crypto wallets. The author wrote this malware in a little-known language to evade detection. Read my write-up here: sourcecodered.com/npm-package-...
NPM package targeting crypto wallets uses new language to evade detection
A new software supply chain attack is targeting Exodus wallet files with a new custom malware that uses a unique evasion technique
sourcecodered.com
February 17, 2025 at 11:43 PM
I wrote a post about the 3 most common myths I run into when talking to developers or infosec teams about malicious packages. Devs aren't familiar with malicious packages & security teams assume that existing security tools will find malware (spoiler: they don't).
sourcecodered.com/three-myths-...
3 myths about npm based threats
Npm-based threats are not well-understood, so I wrote a blog post addressing the 3 most common "myths" that I see from engineering teams
sourcecodered.com
February 11, 2025 at 10:33 PM
I've identified an NPM package named "arcus-cmd-utils" that deploys a Chrome-based infostealer to infected computers. You can read my blog post complete with technical details and IOCs. @npmjs.bsky.social @github.com #softwaresupplychain #devsecops
sourcecodered.com/malicious-ar...
Malicious NPM package infects developers with new infostealer malware
A malicious package named arcus-cmd-utils was published January 12, 2025 to the npm registry and deploys a Windows-based infostealer malware
sourcecodered.com
January 28, 2025 at 10:17 PM
January 14, 2025 at 8:45 AM
Quickest turnaround in MONTHS from NPM as they've taken down the marked-cs and marked-ps malicious packages in less than a day! Woot!
@npmjs.bsky.social #softwaresupplychain #npm
January 14, 2025 at 12:47 AM
Two malicious packages were published to the NPM registry named "marked-cs" & "marked-ps". They take advantage of naming inconsistencies in the popular marked-js library & deploy modified gh0strat implants when you install the malicious packages. @npmjs.bsky.social
sourcecodered.com/npm-packages...
Malicious NPM packages target marked-js library
Two malicious packages were published to the NPM registry on January 7th. These packages target legitimate marked-js users to deploy malware.
sourcecodered.com
January 13, 2025 at 10:24 PM
Guess who's gonna be presenting at the @first.org CTI conference on April 23rd in Berlin? That's right, me! Woot!
We will discuss how enterprise organisations can add #softwaresupplychain #threatintel to their existing #CTI and #threathunting workflows.
www.first.org/conference/f...
Program Agenda: 2025 FIRST Cyber Threat Intelligence Conference
www.first.org
January 12, 2025 at 3:18 AM