John Stawinski IV

Making Hacking Accessible

Featured Articles:

Playing with Fire – How We Executed a Critical Supply Chain Attack on PyTorch

Worse Than SolarWinds: Three Steps to Hack Blockchains, GitHub, and ML through GitHub Actions

2023 OSCP Study Guide (New Exam Format)

Latest from the Blog

Agent of Chaos: Hijacking NodeJS’s Jenkins Agents

When multiple DevOps platforms work together to execute pipelines for a single GitHub repository, it begs the question: Do these platforms get along? Node.js, the most popular JavaScript runtime in the world, uses a set of triplets to execute its CI/CD pipelines: a GitHub App, GitHub Actions workflows, and Jenkins pipelines. Like many children, parenting…

CodeQLEAKED – Public Secrets Exposure Leads to Supply Chain Attack on GitHub CodeQL

A potential supply chain attack on GitHub CodeQL started simply: a publicly exposed secret, valid for 1.022 seconds at a time. In that second, an attacker could take a series of steps that would allow them to execute code within a GitHub Actions workflow in most repositories using CodeQL, GitHub’s code analysis engine trusted by…

Living as a Digital Nomad in Innsbruck, Austria

In July 2022, I stepped off the train in Innsbruck, Austria, during a six-week backpacking trip. I stared at the spiny, massive mountains over the arch that guards the Old Town. I turned to my brother and said, “I’m going to live here someday.” A pic of the arch and the mountains from my first…