Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

RCE in NPM VSCode Extension - 402

Jack Adamson - Posted 5 Years Ago
  • Visual Studio Code is a common text editor used by developers. Because of this, downloading repositories and viewing the content in the repo is common.
  • By setting the npm.bin key of a project in the settings.json to a malicious script, viewing the package.json will execute whatever we point it to, such as a bash script. This vulnerability is bad because it breaks the assumption that source is safe to read.
  • Although this requires downloading a repo and opening a specific file, this attack could have been used in targeted attacks, such as the one against security researchers recently. Being able to control which scripts are run while someone is just viewing code is a serious threat.
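
A defender-side check for the setting described above, as an added example that is not from the original post or from VS Code: before opening a cloned repository in the editor, it lists every workspace settings.json that sets npm.bin. The function names, the sample files and the placeholder script paths are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Workspace setting named on this page; pass other keys you consider risky.
RISKY_KEYS = ("npm.bin",)

def strip_jsonc_comments(text):
    """Drop // and /* */ comments outside strings (settings.json allows comments)."""
    pattern = r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/'
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    return re.sub(pattern, keep_strings, text, flags=re.S)

def audit_repo(repo_root, risky_keys=RISKY_KEYS):
    """Return (file, key, value) for each risky workspace setting under repo_root."""
    findings = []
    for settings in sorted(Path(repo_root).rglob(".vscode/settings.json")):
        raw = settings.read_text(encoding="utf-8", errors="replace")
        try:
            data = json.loads(strip_jsonc_comments(raw))
        except json.JSONDecodeError:
            data = None  # not strict JSON: fall back to a raw text search
        for key in risky_keys:
            if isinstance(data, dict) and key in data:
                findings.append((str(settings), key, data[key]))
            elif data is None and f'"{key}"' in raw:
                findings.append((str(settings), key, "<unparsed>"))
    return findings

def demo():
    """Audit a constructed sample repository built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".vscode").mkdir()
        (root / ".vscode" / "settings.json").write_text(
            '{\n  // constructed sample\n  "editor.tabSize": 2,\n'
            '  "npm.bin": "./placeholder-script.sh"\n}\n', encoding="utf-8")
        (root / "sub" / ".vscode").mkdir(parents=True)
        # Trailing comma makes this file fail strict JSON parsing.
        (root / "sub" / ".vscode" / "settings.json").write_text(
            '{ "npm.bin": "./x.sh", }', encoding="utf-8")
        return [(Path(f).relative_to(root).as_posix(), k, v)
                for f, k, v in audit_repo(root)]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run `audit_repo` on a fresh clone from a terminal, before the folder is opened in the editor; any hit deserves a manual read of the referenced path.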