An application platform honed by attackers

I’ve been heads down for a long time and I’m finally able to come up for air. World, meet Vino Technologies, Inc. We’re building a composable application platform. A platform that gives back what you put in and makes us all faster the more we use it.

Photo by Asa Rodger

Every day we use a programming pattern that makes software needlessly expensive to build and maintain. It causes countless bugs and security vulnerabilities. It needs constant refactoring. It’s difficult to test, it’s tedious to document, and it’s flexibility makes every implementation a unique snowflake that leads to unending code duplication.

It’s the function.

More specifically, it’s the interface we expose which is commonly a collection of functions.

A few weeks ago I decided to take PTO to focus on understanding the current state of Rust and Web Assembly (WASM), two promising technologies that look completely unrelated. Rust is a language designed for systems programming, WASM is a bytecode standard designed for web browsers to be an alternative runtime to JavaScript.

On the surface, WASM looks immature, niche, and barely usable. You can’t even send text strings between a WASM guest and host, only numbers. Below that surface is a community on fire. Teams are sprinting at breakneck speeds to create runtimes, host environments, cloud solutions, system bindings…

Screenshot of Hackium and the REPL

with shift-refactor and shift-interpreter

I’m super excited to release Hackium, shift-refactor, and shift-interpreter — three tools that I’ve been using to analyze, automate, and manipulate web sites for the past year. These projects have been a long time in the making, they incorporate techniques I started playing with 20+ years ago. Granted, those techniques were little more than a hacky HTTP proxy and dozens of regular expressions, but the spirit was there.

Hackium is a command line tool, a browser, and a framework. That’s the elevator pitch, anyway. Technically, Hackium is a nodejs library that extends puppeteer to control a bundled version of Chromium…

Puppeteering for fun and outerwear

I wouldn’t say I have a problem. I have an inclination. I like to take things apart and change how they work. As a kid I’d stay on the computer all night poking at bits in memory trying to change a program’s behavior. Most programs would just break. Sometimes you’d hit the right bit and be rewarded with infinite cash in a computer game.

Fast forward a few decades and this inclination led to a career in software development and web security. Websites are perfect for the curious. You can view source code, inspect every request, and tweak an app…

The result of one week of deepfake experimentation

How easy is it to create a deepfake?

This is my experience getting started with deepfakes using DeepFaceLab. This article chronicles the general steps I went through to create a deepfake video to demonstrate how advanced the technology has gotten and how simple it is to use. This is not a step-by-step tutorial but it will point you to where you need to go.


I am beyond fascinated with deepfakes. From the videos of celebrity mashups like Jim Carrey’s face transferred onto Alison Brie’s body…

…to the implications fake video and audio will have on the world in general…

Why? We’ve all seen The Avengers or…

Photo by Samuel Zeller on Unsplash

Get started with Node & GCP

The serverless trend is the latest evolution of network application architecture. You no longer need to think about the hardware, the OS, or even the running application. Deploy nothing more than the lines of code you need to run wrapped in a node.js function.

Deploying serverless functions to Google’s Cloud Platform (GCP) is not difficult but it requires using and understanding the gcloud command line tool. The gcloudtool enables you to administer your Google Cloud setup via the command line.

Install the gcloud command line tool by downloading the Google Cloud SDK. Make sure the executables are located in your…

Transform, manipulate, and deobfuscate JavaScript with shift-refactor

For the last few weeks I have live streamed several reverse engineering and deobfuscation sessions. In these sessions I’ve been using an up-til-now unpublished library.

Today I am publishing a preview version of shift-refactor that you can install via npm:

$ npm install shift-refactor

What does shift-refactor do?

shift-refactor is a general purpose JavaScript manipulation and refactoring tool. It provides many common methods you’d want to use when dealing with source code. Methods that allow you do things like rename variables, delete statements, or insert helper code before a line. Transforming JavaScript source is nothing new but it’s never been something many would…

Image courtesy of

An attacker allegedly gained access to an npm user account and published modules that broke dependents. But why?

On July 12th Harry Garrood posted a personal blog entry outlining deliberate sabotage aimed at the PureScript installer. Two separate dependencies, both owned by a user who goes by @shinnn, targeted the npm package purescript-installer with malicious code using techniques that I've seen in exploits by other attackers. Shinnn claims his account was compromised and that these packages were published without his knowledge.

How to use parsers and other tools to analyze JavaScript

Over 20 years after its creation, JavaScript is the most used language in the world. It is the only language that runs on the most popular platform (the web), it is more frequently the technology behind native applications (Visual Studio Code, Discord, and Slack), and powers critical mobile apps (Facebook, Skype, Tesla). Do you know what’s also grown popular? Bug bounty programs and discovering vulnerabilities that result in cold hard cash.

Any stereotypical hacker scene shown in a movie or on TV will, 100% of the time, show someone sitting in front of a terminal typing out cryptic commands on…

Jarrod Overson

I write about JavaScript, Reverse Engineering, Security, and Credential Stuffing. Also a speaker, O'Reilly Author, creator of Plato, Director at Shape Security.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store