osj
Security engineer. Cloud focused. Still mostly just curious.
I work in cloud security during the day. Outside work, I usually end up digging through software supply chain weirdness, tracing package behavior, mapping infrastructure, and writing down what the thread turns into.
This is where I keep the stuff I’m digging into: investigations, small tools, notes, and the occasional sample that’s too interesting to leave alone.
The short version
Investigations
Full archive →
★ Pinned research
npm Malware Cluster Uses Hidden README Payloads to Trigger Credential Theft
A suspicious npm package cluster using postinstall execution, credential scanning, hidden README payloads, and GitHub-based delivery attempts.
How My Homemade NPM Hunter Caught a Mini Shai-Hulud Package
A scheduled npm-hunter pipeline surfaced a Mini Shai-Hulud package and proved the lead generator was useful.
ClickFix: A Delivery Method to the Cookie Monster
How a fake CAPTCHA led me 8 layers deep into encrypted shellcode and obfuscated .
The Prince of Nigeria is Dead: AI Phishing Ops
I spent one morning with a free local model.
LinaStealer Unity NSIS Electron Loader: Multi-Stage Infostealer Campaign Analysis
Unity + NSIS + Electron duct-taped together. Creative, honestly.
4 Firebase Projects, 410 Reply Addresses
What started as a pile of weird reply addresses turned into a pretty clear infrastructure story that kept leading back to one VPS.
Analyzing A Recent Agent Tesla Sample
Runtime payload, 15+ app credential harvest, FTP exfil. Noisy but useful.
Tools
Phishing email analyzer. Drop an .eml, get parsed headers, URLs, and a clean export.
Open source detections. Every query from a real investigation. Take them, use them.
Map an npm package and see what it actually drags in. Dependencies, publishers, maintainers, sprawl.
Paste a GitHub Actions or GitLab CI file. Read the shape at a glance. Nothing runs.
Want to trade notes or work on something?
I'm always down to talk shop.