All Posts

Jscrambler’s npm Package Got Backdoored. The Malware Ran Before Your App Ever Started.
Jscrambler npm 8.14.0 shipped a Rust infostealer via preinstall hook, targeting cloud keys, wallets, and AI tool configs. Full technical breakdown and IOCs

Dutch Intelligence Got Caught Feeding Citizen Data Into Its Own AI, and It’s Not Even the First Time
A Dutch oversight report reveals AIVD and MIVD illegally accessed bulk citizen data, some bought from breach markets, and may now be training AI models on it

Which messaging app actually protects you? A LINDDUN threat model breakdown
The most secure messaging apps for 2026, scored with a LINDDUN privacy threat model across linkability, metadata, and data disclosure. Full rank

Beginner’s Guide to Conquering Paperwork on Hack the Box
Conquer Paperwork on Hack The Box like a pro with the beginner's HTB writeup. Dominate this challenge and level up your cybersecurity skills

Wi-Fi Networks (802.11): The Complete Guide for Penetration Testers
Complete 802.11 pentesting guide: WPA2 handshake capture, PMKID attacks, WPS cracking, and Evil Twin setup with aircrack-ng commands

How VPN Detection Works and the Protocol Stack Built to Outrun It
Governments are increasingly targeting VPNs after age verification laws. Learn how Deep Packet Inspection works and why Shadowsocks etc are needed

GhostLock (CVE-2026-43499): a fifteen-year-old rtmutex bug just handed root to anyone with a shell
GhostLock (CVE-2026-43499) is a 15-year rtmutex use-after-free giving root to any local Linux user. Full technical breakdown of the exploit chain

Accenture, 888, and the Anatomy of a Believable Breach Claim
Threat actor "888" claims 35GB of Accenture source code, SSH keys, and Azure tokens. A technical breakdown of the claim, the credentials, and what's actually verified

The blog is getting a video series. First one drops next week
The first video in a new cybersecurity and networking course series is free and ad supported. Full library access requires membership. Watch it next week

GitHub’s “Verified” Commit Isn’t Unique, and Its AI Agent Will Leak Your Private Repos If You Ask Nicely
New CMU research shows GitHub's Verified commit badge isn't a unique fingerprint, plus how GitLost tricks GitHub's AI agent into leaking private repos





