Jason Doyle

i installed OpenClaw on my MacBook. 2 hours later an attacker had full access to my machine and injected a malware that spread itself to every developer who pulled our repo it went undetected for DAYS. I only found it by accident i was debugging a build error, opened babel.config.js. Cursor flagged obfuscated code hiding at the end of the file, past column 300, hidden behind hundreds of invisible spaces. a wall of encrypted JavaScript invisible in every editor we pasted the wall of code into Cursor and said "what is this." it decoded the three layers of obfuscation, 1. string shuffling cipher 2. hidden eval() 3. then the real payload it was a remote access trojan that could run any shell command on the targets computer, the javascript would pull the remote code from deployed code on the blockchain so the attacker could control it anonymously but even more insidious was this: every time a developer pulled main and ran dev, the malware executed on their machine, injected itself into their other repos, and pushed using their credentials. a self-spreading worm. It then modified git history to cover its tracks full forensic breakdown and detection commands: https://t.co/U06knPhdNp

I bypassed MetaMask’s security filter by swapping a decimal value for binary. 🔍 Pentesters, add this evasion technique to your arsenals... JavaScript parsers don’t always normalize all four types of number literals. Decimal and hexadecimal are the most common, but overlooking binary and octal can lead to an exploit. For example, in JS these are all the same number: 1000000 === 1000000; // true (Decimal) 1000000 === 0b11110100001001000000; // true (Binary) 1000000 === 0xF4240; // true (Hexadecimal) 1000000 === 0o3641100; // true (Octal) Substituting these values is exactly how I found a bypass of Blockaid’s security filter inside MetaMask—turning a red phishing alert into a yellow error message. And in a real crypto phishing attack, that’s often the difference between hesitation and clicking "Confirm" on the wallet draining transaction. Here’s a quick video demo from my private report to Blockaid last year—showing how a simple format change prevented Blockaid from recognizing a malicious wallet address. 👇

I bypassed every anti-scam browser extension in Web3 before the scammers could. Pentesters will enjoy this one… Old news, but wallet drainers as a service have been including built-in bypasses for anti-scam extensions like Pocket Universe and Wallet Guard—letting attackers phish users undetected. Instead of waiting for scammers to exploit them, last year I went ahead and found more detection bypass vulnerabilities in over six security extensions, including Blockaid’s integration inside MetaMask—and reported them before they could be weaponized. One particularly interesting bypass in Wallet Guard involved spoofing an invalid chain ID to manipulate detection logic—potentially allowing phishing pages to slip through. Here's a quick clip demoing the proof-of-concept bypass.