osj
Security engineer. Cloud-focused. Still mostly just curious.
I work in cloud security during the day. Outside work, I usually end up pulling apart phishing kits, tracing delivery chains, mapping infrastructure, and writing down what the thread turns into.
This is where I keep the stuff I’m digging into: investigations, small tools, notes, and the occasional sample that’s too interesting to leave alone.
The short version
Investigations
Full archive →
★ Pinned research
npm Malware Cluster Uses Hidden README Payloads to Trigger Credential Theft
A suspicious npm package cluster using postinstall execution, credential scanning, hidden README payloads, and GitHub-based delivery attempts.
How My Homemade NPM Hunter Caught a Mini Shai-Hulud Package
A scheduled npm-hunter pipeline surfaced a Mini Shai-Hulud package and proved the lead generator was useful.
ClickFix: A Delivery Method to the Cookie Monster
How a fake CAPTCHA led me 8 layers deep into encrypted shellcode and obfuscated .
The Prince of Nigeria is Dead: AI Phishing Ops
I spent one morning with a free local model.
LinaStealer Unity NSIS Electron Loader: Multi-Stage Infostealer Campaign Analysis
Unity + NSIS + Electron duct-taped together. Creative, honestly.
4 Firebase Projects, 410 Reply Addresses
What started as a pile of weird reply addresses turned into a pretty clear infrastructure story that kept leading back to one VPS.
Analyzing A Recent Agent Tesla Sample
Runtime payload, 15+ app credential harvest, FTP exfil. Noisy but useful.
Tools
Phishing email analyzer. Drop an .eml, get parsed headers, URLs, and a clean export.
Open source detections. Every query from a real investigation. Take them, use them.
Map an npm package and see what it actually drags in. Dependencies, publishers, maintainers, sprawl.
Want to trade notes or work on something?
I'm always down to talk shop.