nopcorn

Follow

🤘

nopcorn nopcorn

🤘

Follow

I’m an Offensive Security Engineer that likes to research interesting security topics and break stuff.

27 followers · 14 following

Achievements

Achievements

nopcorn/README.md

Github Security Research

CVE-2025-32953: Exposure of the GITHUB_TOKEN in workflow run artifact in udo-munk/z80pack
CVE-2025-32958: Adept exposed the GITHUB_TOKEN in workflow run artifact in AdeptLanguage/Adept
CVE-2025-46820: phpgt/Dom exposes the GITHUB_TOKEN in Dom workflow run artifact in phpgt/Dom
GHSA-h4c9-2c5c-fwfc: Github Token Compromise in Pex Repository in pex-tool/pex
GHSA-h6rw-378w-jf2v: Leaking of High Permission GITHUB_TOKEN in Workflow Artifact in openebs/mayastor
GHSA-w4f2-8vv5-2338: Leaking of High Permission GITHUB_TOKEN in Workflow Artifact in openebs/mayastor-control-plane
GHSA-8ffm-p88r-g625: pending
GHSA-535w-4488-jc7p: pending
GHSA-35g9-52wf-83hw: pending
GHSA-q656-gjrm-9mh5: pending
GHSA-f78v-x25j-8x42: pending
Apache Security Team Credit
nginx/F5 Credit

Pinned Loading

DuckDuckC2 DuckDuckC2 Public

A proof-of-concept C2 channel through DuckDuckGo's image proxy service

Python 74 6
CuteRAT CuteRAT Public

CuteRAT is a stealthy remote access tool without any dependencies

Python 16
RascalRunner RascalRunner Public

A red team tool to leverage Github workflows and self-hosted runners

Python 6
githubaudit githubaudit Public

Uses a Github PAT to assess the security configuration of repositories and provides a report

Python 1