Security Researcher | HTB CPTS | Penetration Tester | Open To Work
Joined October 2021
- Tweets 272
- Following 129
- Followers 246
- Likes 1,014
29 Photos and videos
I have just completed the Attacking GraphQL module on HTB Academy!
Short yet perfect module. ;)
academy.hackthebox.com/achieβ¦
#hackthebox @hackthebox_eu #webhacking
21
637
π¨ CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages.
The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise.
This is textbook supply chain installer malware. axios has 100M weekly downloads. Every npm install pulling the latest version is potentially compromised right now.
Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
β’Β Deobfuscates embedded payloads and operational strings at runtime
β’Β Dynamically loads fs, os, and execSync to evade static analysis
β’Β Executes decoded shell commands
β’Β Stages and copies payload files into OS temp and Windows ProgramData directories
β’Β Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
541
4,026
16,171
12,403,343
Mar 21
Quick tip for bug bounty hunters:
Use github.com/Rezy-Dev/Endpointβ¦ to quickly extract interesting endpoints with a single click. Itβs especially useful for finding API endpoints in large JavaScript files.
#BugBounty #BugBountyTips
2
47
286
15,138
Mar 14
Just found a simple Cloudflare WAF bypass π
<img src=x onerror=alert()> β blocked by Cloudflare
<Img Src=OnXSS OnError=alert(document.domain)> β bypasses the WAF and triggers the alert.
#BugBounty #BugBountyTips #WAFBypass
2
21
230
7,691
Mar 10
If you haven't sent 200 modified requests, you haven't tested anything yet.
#BugBounty
1
1
48
2,155
Feb 21
Another fun web hacking challenge I made for @hackinghub_io
Chain and pwn. :)
Link:
app.hackinghub.io/hubs/esh-sβ¦
10
340
Feb 10
I just published a new Web CTF challenge: SmallMart π
Itβs all about source code review β find the bug β exploit it.
Try it on @hackinghub_io: app.hackinghub.io/hubs/smallβ¦
1
1
8
492
Jan 11
Building a web-centric recon framework to automate my long-used bash workflow. The main goal is reproducibility. Since everything is Dockerized, I can spin it up on any VPS without wasting hours reinstalling tools or reconfiguring API keys.
3
2
219
Jan 11
Below is a incomplete workflow diagram showing how it works. s3scanner integration is currently in progress.
2
127
5
235
13 Dec 2025
I just published a Web CTF challenge on @hackinghub_io!
Try it at: app.hackinghub.io/hubs/dailyβ¦
Thank you @BuildHackSecure for the help!
#WebHacking #WebSecurity #BugBounty #PenetrationTesting #CTF
2
3
16
1,693
4 Dec 2025
I created my own admin account on a production, and yes, it was as bad as it sounds.
CVSS Score: "CRITICAL"
Full write-up: raunak-neupane.com.np/writeuβ¦
#BugBounty #HackerOne #SecurityResearch #BugBountyTips
1
3
30
1,830
7 Nov 2025
Before reporting any kind of API leak bug, make sure to take a snapshot on Web Archive. Once the bug is fixed, wait a few days and then report it again if the archived version still leaks the API key. Most of the time, developer forget to rotate the API Key.
#BugBounty #InfoSec
1
8
310