When IP Whitelisting Isn't What It Seems: A Real-World Case Study from the Binance API
An architectural trust-boundary issue in the world's largest crypto exchange.
Apr 20, 202610 min read69
Command Palette
Search for a command to run...
Series
Security Research
Technical security write-ups covering malware, abuse, impersonation, supply-chain risks, and real-world trust boundary failures.
Security Warning: Fraudulent GitHub Repository Impersonating UNICORN Binance WebSocket API
Update (2026-04-22): Further analysis indicates that this fraudulent repository is likely one lure within a broader GitHub malware campaign.Across the currently confirmed set, multiple repositories sh
Apr 22, 202611 min read83
nailproxy.space: A Multi-Repository GitHub Malware Campaign
Update (2026-04-22, 13:33): I submitted this case to GitHub Support for campaign-level review. Ticket ID: 4313391. Further update (2026-04-23): I published a deeper technical follow-up covering the
Apr 22, 20269 min read184
From a coffee-in-bed Google search to a StealC-linked campaign — the story behind nailproxy.space
How 19 fake GitHub repositories across 17 accounts led from a Python dropper to a StealC-linked payload chain.
Apr 23, 202616 min read253
I had a fake job interview. It was a malware delivery chain.
A fake recruiter tried to turn VSCode workspace trust into silent code execution. Here is the attack chain, the infrastructure, and the IOCs.
Apr 29, 202617 min read120
The PyPI Package Was Clean. That Was the Problem.
A near-identical clone of my Binance WebSocket library had no payload — but it spoofed identity, shadowed the import path, linked to a 404 repo, and came from the same account as pybotnet.
May 5, 202613 min read26