Screenshot of Hackium and the REPL

Introducing Hackium

with shift-refactor and shift-interpreter

Who is Hackium for?

Do you open devtools frequently, even on sites you don’t actually work on?

How do I use Hackium?

Install Hackium via npm…

$ npm install -g hackium
$ hackium


I gave a preview of Shift-refactor almost one year ago and we now have a v1 (v2, actually) release. Shift-refactor is a JavaScript transformation library that uses CSS-like selectors and a jQuery-like API to make it simple to cut up and twist JavaScript source.

const $script = refactor(ast);


Shift-interpreter is a JavaScript meta-interpreter that evaluates JavaScript piecemeal. An interpreter instance takes nodes of a JavaScript abstract syntax tree (AST), in any order, and evaluate those nodes individually while retaining awareness of the original scope. This is not common behavior but was the reason I started the project in the first place. This functionality makes it possible to carve out only the portions of source you need without actually rewriting anything.

Better together?

I built these projects as a response to holes I found in my web hacking travels, but each is an independent project that can be used just as well on its own.

You’re a wizard, h̶a̶r̶r̶y̶ hacker

More demos!

I announced these releases last Saturday during my session at Defcon’s AppSec Village.

Original session during Defcon 28



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Jarrod Overson

I write about JavaScript, Reverse Engineering, Security, and Credential Stuffing. Also a speaker, O'Reilly Author, creator of Plato, Director at Shape Security.