𝑭𝒓∆𝒏𝒄𝒊𝒔

10 free tools every hacker uses that nobody talks about. (Bookmark this. You'll thank me later.) 🧵

If you're serious about cybersecurity… don’t scroll past this.I just found a folder that can literally change your career. drive.google.com/drive/folders/… Save this before it disappears.

A HARVARD psychologist says: “if you’ve achieved nothing by 25, you’ve avoided the most destructive illusion of youth”

everything is programming

A couple of months ago, I told a friend about bug bounty and encouraged him to give it a try. I kept checking in on him here and there, sharing whatever I knew even though I was still a beginner myself. A few days ago, he landed his first bounty Seeing your friends win hits different. It’s a whole other kind of happiness.

Is hacking an addiction?

just grep. the stuff that actually gets you domain admin or a critical finding on a real engagement isn't always a zero-day it's the basics executed thoroughly while everyone else is running noisy automated tools and missing what's right in front of them slow down. grep it !!

a password in a .env that never got rotated. strings app.jar | grep -i "pass|key|secret|token" grep -ri "password" /var/www/html find / -name "*.env" 2>/dev/null | xargs grep -i "secret" no CVE. no exploit chain.

unpopular opinion: grep and strings have closed more real engagements than any fancy scanner clients pay for full pentest reports and the finding that hurts them most is always the simple one. a hardcoded credential in a config file. an API key sitting in a binary. .

built a simple evidence collection tool that would show when and evidence has bee tampered with

Always pray for grace and wisdom 🙏🏾

if ppl could stop communicating with threat actors, that would be really great

Axios was just compromised on npm. 100 million weekly downloads. A RAT silently dropped on macOS, Windows & Linux. Here's exactly what happened and what you need to do right now 🧵

Axios. 100 million downloads a week. Compromised. The attacker didn't hack the code. They hacked the maintainer's account, swapped the email to ProtonMail, and pushed a RAT to every OS silently. Within 2 seconds of npm install it was already calling home. Check your lockfiles.

very surgical

Supply chain attacks are the new frontier. You can patch your systems all day. But if you blindly trust every npm install you're one dependency away from a breach. RT this to every dev you know. Lives ( prod servers) depend on it. Follow @kallBackk for more real-time breakdowns

This wasn't luck. It was surgical. Three payloads pre-built for three operating systems. Both release branches poisoned within 39 minutes of each other. Every artifact designed to self-destruct. Someone planned this carefully.