Hacking Archives of India – Website Revamp Update I am thrilled to announce a major update to Hacking Archives of India (HAI). My mission has always been to document the history and contributions of the Indian information security community. To better serve that mission, I have completely revamped…

And badges are live on my website now : anantshri.info/badges/#:~:t... and github.com/anantshri/hu... <- theme has support for boinc badges also now.

I wanted a simple JSON API to fetch my BOINC stats and badges for my website. There was no clean endpoint, so I built one. boincstats.apps.anantshri.info It is still scraping, just done once on my side instead of everyone doing it badly. You get clean JSON, updated every 24 hours.

I have been building zero install security tools where the browser is the base. I wrote about the “why” here: blog.anantshri.info/making-secur... I realized many others are building similar browser-first tools, so I made a curated collection: anantshri.github.io/awesome-in-b... PRs & links welcome

SBOMPlay v0.0.7 - Custom SBOM support - Improved SBOM auditor: checks against baselines - EOX detection (EOL and EOS) - Dependency confusion detection - Clear rate limit warnings - Explicit list of outbound hosts for paranoid self-hosting deployment cyfinoid.com/sbomplay-v0-...

Discover Readwise Wrapped, your personalized reading recap with stats, insights, and highlights from your reading journey over the year.

I am assuming people are right now collecting their year wraps. I found it was not available for readwise so i made a tool that can get you a year unwrap for readwise readwise-wrapped.apps.anantshri.info Have a go at it and suggest if you feel something is missing.

Discover Fedi Wrap, the easy tool for generating your year in review report from fediverse mastodon api compatible servers, prioritizing privacy and local analysis. https://blog.anantshri.info/building-fedi-wrap-my-year-in-review-for-the-fediverse/

🚀 3rd Party Tracer v1.0.6 🚀 New features: • Quick scan mode added • More sources added for subdomain enum • Email security dashboard • Batch analysis • JSON Import • Pdf export Try: cyfinoid.github.io/3ptracer/ Star: github.com/cyfinoid/3pt... Client-side only. No data leaves your browser.

All the new 3rd party modules must not be installed immediately, unless its a critical zero day, unless the author informs you to do so, unless a gazillion other exceptions. Infosec needs to make up their mind what should dev/admins do. and ya everyone with buy my product can go to hell.

🚨 BLACK FRIDAY MEGA SALE 🚨 All Cyfinoid security tools are 100% OFF! Get our security tools for the low price of $0.00! SBOM analyzer? FREE 3PTracer? FREE Act fast! This deal expires in... *checks notes* ...never. Because they've always been free cyfinoid.github.io

With cloudflare being down, and as a result, most things I use being down, I came here to say hi 🤭 I guess I will use other AIs than chatgpt today!

New version of #SBoMPlay is available cyfinoid.github.io/sbomplay/ Source code : github.com/cyfinoid/sbo... Bunch of New Features in experimental mode - Aggregate List of authors - Identify version sprawl amongst projects - common dependencies across projects - License changes in package versions

#DEFCON34 Call for #CTF Organizers is OPEN! After four excellent years, Nautilus Institute is retiring from running the official #DEFCON CTF. The search is on for the next team. Is it your turn? Is your crew the future of live hacking competitions? defcon.org/html/links/d...

Final hours for Black Hat EU Early Bird! 🚨 Save £300 today and join my 0wning the Cloud training this December in London. We’ll cover AWS, Azure, GCP, DigitalOcean & Aliyun with hands-on attack + defense labs. 🔗 Register before midnight: www.blackhat.com/eu-25/traini...

We just dropped GH Navigator 🎉 Paired with KeyChecker, it gives full GitHub coverage: Data plane: what can be read Control plane: what can be changed Check out the release post 👉 cyfinoid.com/gh-navigator...

“OpenAI admits AI hallucinations are mathematically inevitable, not just engineering flaws” https://www.computerworld.com/article/4059383/openai-admits-ai-hallucinations-are-mathematically-inevitable-not-just-engineering-flaws.html

Everyone talking about npm hacks. But is it really more attacks or just more visibility? Maybe attackers are piling on npm Maybe the ecosystem is just easier to monitor Maybe sloppy practices make it an easy catch What nags me more: silence in PyPI, RubyGems, Maven. No attacks, or no one looking?

#BSidesLDN205 Call for Workshops is still open! Want to pass on the knowledge you have? Here's your chance: cfp.bsides.london/bsides-londo... Any topic. 2-4hrs long Not a commercial presentation 30 people minimum audience (mixed experienced levels) #Security #BSIdes #London

To all of the people pushing hard to coin the term “vibe security,” the joke is on you. Security has always been about vibes. 😆

Determinism builds trust, non-determinism builds discovery. The art lies in knowing when the world needs certainty - and when it needs the unexpected gift of surprise.

Most say ‘think like a hacker,’ but infosec fights adversaries with goals, not curiosity. Real defense means blending hacker creativity with adversary realism.

My thoughts on how LLM behaviour makes me rethink my own brain’s inner workings. A prediction engine as a mirror for a mind.

🔑 Introducing KeyChecker – a CLI to fingerprint SSH private keys & map them to Git hosting accounts. 📖 Blog: cyfinoid.com/automating-a... 🐍 PyPI: pypi.org/project/keyc... #bugbountytips #ssh #git #github #infosec

Its funny how current ai tooling plays out and a few years ago self help courses use to use this same tactic. We are giving you tool if you dont use it properly it will not give you result. So user pays you for stuff and if it doesnt work its their problem not yours.

Making Security Tools Accessible: Why I Chose the Browser Tired of tools that need Docker to read a JSON file? I built browser-native, client-side tools like SBOMPlay and 3ptracer to prove you don’t need servers, tracking, or setup. Just open index.html and go. Minimalist, secure, and surprisingly…

Updates and plan for HackerSummerCamp USA 2025

Vibe coding with AI feels magical until your project spirals into chaos. This guide explores how to stay grounded while building with AI tools; covering minimalism, context limits, testing, & code hygiene. A practical read for developers navigating the fine line between productivity & hallucination.

If anyone here is already on @peerlist.bsky.social connect with me and if you are not signup here peerlist.io/anantshri/si... seems like a fun place especially if you want to be connected to builders.

Introducing SBOM Play: A Privacy-First SBOM Explorer with Vulnerability & License Insights cyfinoid.com/introducing-... A fully client side browser based SBoM Explorer. more details on the link. #SBoM

As i finalize my "Attack and Defend Software Supply Chain" Training. I am sprinkling newer content and one of the thing would be AI supply chain attacks. Join me @ Defcon 2025 : training.defcon.org/collections/... for a deep dive into the amazing world of software supply chain security.

The Contribute page is now live at hackingarchivesofindia.com/contribute/ 🚨 Submit your talks, tools, or fix missing data. This archive is built by the Indian hacker community : now it can grow with it. And yeah, you can now ☕ or 💖 support it too. #infosec #india #hackingarchives #cybersecurity

Why i love chiptunes. Short story My first computer had lots of limitations like mp3 files could be played but limited ram and buffer meant it will stop after few seconds for buffering. Wav was too big file size to store on tiny disks Speakers were not great; Midi came as life saver & left a mark

It has happened multiple times now. Every single time i use ai based coding assistents i am reminded that they are lowest cost typing assistents thst are coding lingo aware which means most proper logics are to be defined by me and left alone their own coding has very convaluted logic

Teammate Leonid discovered a leaked credential that allowed anyone unauthorized access to all Microsoft tenants of orgs that use Synology's "Active Backup for Microsoft 365" (ABM), including sensitive data like Teams channel messages. 🤓 #synology #disclosure #modzero modzero.com/en/blog/when...

I tell people to build their website and put it on a domain. I think i need to add another line. Buy a domain that you can safely renew top tlds com/net/org/info rule here and remember to bloody damn renew it yearly.

Many thanks to @anantshri.info for presenting his talk:"You Secured Your Code Dependencies, Is That Enough?" at the #OWASPLondon Chapter meetup last week. The video recording of the talk is now available to watch 📺 on our YouTube channel (please subscribe!): 👇 youtu.be/b4hghhSYqqM?...

Presented at @owasplondon.bsky.social Chapter "You secured your code dependencies, is that enough?" Focus is on things other then SBOM / code imports that will and have in past result in compromises and you should have awareness about. slides.anantshri.info/dzKZn9/you-s...

🤖 Council of Bots – Get feedback on your ideas from multiple AI personas. Boardrooms. Hackers. Friends. Or build your own mix. 👉 aibotcouncil.anantshri.info Playing around with LLM Models, Do give your feedback if you like the idea.

The next OWASP London Chapter in-person Meetup will take place on Thursday 26th June 2025 kindly hosted by ThoughtMachine and kindly sponsored by Phoenix Security. Talks from @anantshri.info and Francesco Cipollone - Register to attend here: 👇 www.meetup.com/owasp-london...

My short impulse presentation from Cycon is online: youtu.be/qllU_B_Rmis?...

A strange usage of this new ai llm world. I as an individual can dabble quickly into a new domain and am suddenly faced with issues that people face deep in domain as basic grunt work is automated and i can then make a judgement call if i want to keep exploring this domain or not. #failfast

enuf said #promptengineering P.S. Image made by chatgpt

Dev? CI/CD? Cloud? Everything’s fine… Until that one tiny dependency takes it all down. 🔥 Learn to attack & defend your software supply chain. 📍 @defcon.bsky.social Trainings, Vegas 📅 Aug 11–12 💸 Early bird ($1600) ends May 30! 🔗 training.defcon.org/collections/... #DEFCON #SupplyChainSecurity

This is interesting. I can see how a lot of actions of infosec communities can be deemed immoral. It would also be funny if a apt group is vibe coding and authorities of that country get a message with clear ip and other details of possible future activities (minority report future prediction).

I think we are very near a scenario where we would prefer running these agentic systems inside vms as there is a value in exposing them to whole system but not enough that i would want them to steal my stuff or do stuff that i dont explicitly allow

Had a great discussion with a friend about AI/LLMs yesterday. I think AI will be to mental fitness as sugar has been to physical. We evolved in an environment in which sugar is much more rare. When it was suddenly easily available we had to exercise discipline to not gorge ourselves.

Back @blackhatofficial.bsky.social with my flagship #cloud security class: 0wning the Cloud - AWS, Azure, GCP, DigitalOcean, Aliyun 🗓 2-3 Aug: www.blackhat.com/us-25/traini... 🗓 4-5 Aug: www.blackhat.com/us-25/traini... 🎯 80% hands-on 🎯 Real-world API & IAM attacks 🔥 Early bird closes May 23!

After months immersed in organising @blackhatevents.bsky.social and a clutch of other conferences, one conclusion is stark: many talks would serve us better as properly argued articles. Conference fatigue is eroding the craft of the blog post and the long-form paper. A good blog post is useful

Google unveils Gemini in Chrome, which initially works across just two tabs but will eventually support many and be agentic, for Google AI Pro and Ultra users (Jay Peters/The Verge) Main Link | Techmeme Permalink