Screenshot of Hackium and the REPL

Introducing Hackium

with shift-refactor and shift-interpreter

I’m super excited to release Hackium, shift-refactor, and shift-interpreter — three tools that I’ve been using to analyze, automate, and manipulate web sites for the past year. These projects have been a long time in the making; they incorporate techniques I started playing with 20+ years ago. Granted, those techniques were little more than a hacky HTTP proxy and dozens of regular expressions, but the spirit was there.

Who is Hackium for?

Do you open devtools frequently, even on sites you don’t actually work on?

How do I use Hackium?

Install Hackium via npm…

$ npm install -g hackium
$ hackium


I gave a preview of Shift-refactor almost one year ago and we now have a v1 (v2, actually) release. Shift-refactor is a JavaScript transformation library that uses CSS-like selectors and a jQuery-like API to make it simple to cut up and twist JavaScript source.

const $script = refactor(ast);


Shift-interpreter is a JavaScript meta-interpreter that evaluates JavaScript piecemeal. An interpreter instance takes nodes of a JavaScript abstract syntax tree (AST), in any order, and evaluates those nodes individually while retaining awareness of the original scope. This is not common behavior but was the reason I started the project in the first place. This functionality makes it possible to carve out only the portions of source you need without actually rewriting anything.
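To make the idea of piecemeal evaluation concrete, here is a toy evaluator added for illustration; it is not shift-interpreter's API or code, and the node shapes, the `PiecemealInterpreter` class and the `recoverBeaconArgument` helper are all hypothetical. It loads only the declarations an analyst needs and evaluates one nested expression of a script under analysis, so the surrounding call with side effects never runs.

```javascript
// Toy piecemeal evaluator over a hand-built AST (simplified node shapes, not Shift's format).
// Constructed sample, equivalent to:
//   var table = ["log", "hello"]; var off = 1;
//   function pick(i) { return table[i + off]; }
//   sendBeacon(pick(0));
const lit = (value) => ({ type: 'Literal', value });
const id = (name) => ({ type: 'Identifier', name });
const program = [
  { type: 'Var', name: 'table', init: { type: 'Array', elements: [lit('log'), lit('hello')] } },
  { type: 'Var', name: 'off', init: lit(1) },
  { type: 'Function', name: 'pick', params: ['i'],
    body: { type: 'Member', object: id('table'),
            property: { type: 'Add', left: id('i'), right: id('off') } } },
  { type: 'Call', callee: id('sendBeacon'),
    args: [{ type: 'Call', callee: id('pick'), args: [lit(0)] }] },
];

class PiecemealInterpreter {
  constructor() { this.globals = new Map(); }
  lookup(name, scope) {
    if (scope && scope.vars.has(name)) return scope.vars.get(name);
    if (this.globals.has(name)) return this.globals.get(name);
    throw new ReferenceError(`${name} has not been evaluated yet`);
  }
  evaluate(node, scope = null) {
    switch (node.type) {
      case 'Literal': return node.value;
      case 'Identifier': return this.lookup(node.name, scope);
      case 'Array': return node.elements.map((e) => this.evaluate(e, scope));
      case 'Var': this.globals.set(node.name, this.evaluate(node.init, scope)); return undefined;
      case 'Function': this.globals.set(node.name, node); return undefined;
      case 'Add': return this.evaluate(node.left, scope) + this.evaluate(node.right, scope);
      case 'Member': return this.evaluate(node.object, scope)[this.evaluate(node.property, scope)];
      case 'Call': {
        const fn = this.evaluate(node.callee, scope); // throws if the callee was never loaded
        const vars = new Map(fn.params.map((p, i) => [p, this.evaluate(node.args[i], scope)]));
        return this.evaluate(fn.body, { vars }); // function body sees its params, then globals
      }
      default: throw new Error(`unsupported node type ${node.type}`);
    }
  }
}

function recoverBeaconArgument() {
  const interp = new PiecemealInterpreter();
  const [table, off, pick, beacon] = program;
  [pick, off, table].forEach((n) => interp.evaluate(n)); // any order: names resolve at call time
  return interp.evaluate(beacon.args[0]);                // sendBeacon itself is never called
}
```

Evaluating the outer `sendBeacon(...)` node instead fails with a `ReferenceError`, because that function was never loaded into the interpreter.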

Better together?

I built these projects as a response to holes I found in my web hacking travels, but each is an independent project that can be used just as well on its own.

You’re a wizard, h̶a̶r̶r̶y̶ hacker

More demos!

I announced these releases last Saturday during my session at Defcon’s AppSec Village.

Original session during Defcon 28

I write about JavaScript, Reverse Engineering, Security, and Credential Stuffing. Also a speaker, O'Reilly Author, creator of Plato, Director at Shape Security.
