Adam Baldwin
@evilpacket.net
Hacker / Farmer / Builder / Breaker

Prev: Code4rena, Okta, Auth0, GitHub, npm, ^lift, &yet, Symantec.

Pioneered BlindXSS & DVCS Pillaging

npm audit is my fault. More info: https://evilpacket.net
Pinned
Disobey.
Reposted by Adam Baldwin
one more
January 10, 2026 at 4:10 AM
The best part of those emails for me is the subject is cut off at “… has been re” and I’m waiting for it to be revoked instead of renewed.
January 10, 2026 at 2:52 AM
Reposted by Adam Baldwin
"What Does That Mean" just sort of wrote itself. "Everyone seems to give a fuck, but they aren't doing a thing."
mikalkhill.bandcamp.com/album/the-cl...

My first solo release since 2019. Single is out on Bandcamp now, full EP next Friday. No release date set for other streaming services.
The Clock Is Ticking EP, by Mikal kHill
4 track album
mikalkhill.bandcamp.com
January 10, 2026 at 1:52 AM
Reposted by Adam Baldwin
I honestly don't see any fits that has me being alive being viable.

I can't get a job, no one even cares to interview me.
and on the off chance I do get an interview it never leads to anything.

im fucking begging for a job.
anything.
fucking please.
my name is on snort.org for dev test.
Snort - Network Intrusion Detection & Prevention System
Snort is an open-source, free and lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats.
snort.org
January 9, 2026 at 3:10 AM
Updated porch Gary with hacker winter attire to keep warm in the new year.
January 8, 2026 at 3:31 AM
Thank you! Bonus shot of Pebble.
January 6, 2026 at 10:35 PM
Built a play structure for the goats. They would have been just as happy if I had given up at this stage of the build.
January 6, 2026 at 12:32 AM
Zero Days Remaining.
January 4, 2026 at 6:48 AM
Ahhh. How do computed work again? Gotta remember by tomorrow.
January 1, 2026 at 9:15 PM
✌️
January 1, 2026 at 7:18 AM
Have always wanted to go. Hope it’s a wonderful time.
December 26, 2025 at 3:36 PM
lol the 8 port switch in my barn is full. 😅
December 25, 2025 at 4:47 AM
Reposted by Adam Baldwin
I made something new: an eslint plugin to validate your npm ecosystem lockfiles! It supports npm, pnpm, yarn, bun, and vlt, and it's already helped find a supply chain security attack vector inside a fortune 500 tech company. www.npmjs.com/package/esli...
December 22, 2025 at 7:16 AM
Things we started together
- nGenuity (We did one of the first GitHub pentests together)
- DC509
- Psychoholics

Fun memories
- "not camping"
- pool and pbr at the pub
- competing in many contests together
- long distance gongs at the range
- drank all the booze & hacked all the things
so much more.
December 22, 2025 at 4:49 PM
Against my better judgement I watched my LinkedIn year in review. My first connection was a friend I said goodbye to this year and it brings me to tears still.

We had fallen out a bit in recent years (my fault) but we did some amazing things together and he taught me a lot.

RIP flirzan nazrilf.
December 22, 2025 at 4:07 PM
Reposted by Adam Baldwin
THC Release 💥: The world’s largest IP<>Domain database: ip.thc.org

All forward and reverse IPs, all CNAMES and all subdomains of every domain. For free.

Updated monthly.

Try: curl ip.thc.org/1.1.1.1

Raw data (187GB): ip.thc.org/docs/bulk-da...

(The fine work of messede 👌)
December 17, 2025 at 1:33 PM
Reposted by Adam Baldwin
December 20, 2025 at 10:10 PM
Bet that’s gonna taste amazing!
December 19, 2025 at 10:15 PM
Sorry, my Bridge Troll certification is expired.
December 16, 2025 at 9:09 PM
Anybody hiring for cave hermit?
December 16, 2025 at 8:01 PM
Reposted by Adam Baldwin
To recap, NPM allows 2FA TOTP token reuse within the token’s validity window.

I reported this and was told it’s a “known low-risk issue” and that they “don’t consider this to present a significant security risk.”

So, let’s look at how this seemingly small issue could be leveraged by a phisher. 1/
Seems that NPM too allows TOTP reuse within the time-step window. Seen a similar issue in multiple services over the years.

Per RFC 6238, a TOTP (Time-based One-Time Password) should be single-use. Allowing reuse, even within the short-ish time window, is not ideal (shoulder surfing, phishing etc.)
December 12, 2025 at 1:08 PM
All gas, all brakes.
December 14, 2025 at 3:57 AM
Good show to everyone that played in the Hushcon CTF. #PFY 🏆
December 14, 2025 at 1:48 AM