Security Research

Independent security research focused on supply chain threats, privacy violations, and OT/ICS security. All findings follow responsible disclosure practices.

// disclosure policy — findings are reported to vendors or platform abuse teams before publication. A 30-day window is given for remediation. Reports are published regardless of whether the issue is fixed within that window.
// published findings
2026-03-18 SUPPLY CHAIN ● REPORTED
RustChain — Malicious Installer
Target: Scottcjn/RustChain (GitHub)
Fake proof-of-antiquity blockchain project distributing a curl-pipe-bash installer that writes the operator's SSH private key to user machines and performs extensive undisclosed hardware fingerprinting.
SSH key deployment, hardware fingerprinting, persistent service, no privacy policy
[ READ WRITEUP → ]
2026-03-18 PRIVACY ● DISCLOSURE PENDING
OneDragon — Telemetry Policy Violation
Target: ZenlessZoneZero-OneDragon (GitHub)
Game automation tool force-disables its own anonymization setting at runtime, sends raw game login usernames to Alibaba Cloud SLS with sanitization explicitly bypassed, and transmits raw hostnames on every launch, violating its own stated privacy policy.
anonymize_user_data bypassed, username exfiltration, Alibaba Cloud SLS, policy violation
[ WRITEUP — APR 17 → ]
// methodology
Static Code Analysis
All findings are based on static analysis of publicly available source code. No code is executed, no credentials are tested, and no systems are accessed without authorization.
Automated + Manual Review
Initial discovery via automated secret scanners and pattern matching, followed by manual code review to confirm findings and assess severity before any disclosure action is taken.
30-Day Disclosure Window
Vendors and platform trust teams are notified before publication. A 30-day window is given for remediation. Findings are published at the deadline regardless of fix status, with the timeline documented.