Portfolio V2: PostgreSQL, Admin Panel, and Enhanced Security

A few weeks ago I posted about launching V1 of my portfolio. Since then I've completely rebuilt it from the ground up. 🚀 Same URL, very different site - not in the way you may expect. What changed: 🔹Migrated from SQLite to PostgreSQL 🔹Added a full admin panel with RBAC, audit logging, and server-side session management 🔹Built a blog and project management system with Markdown support 🔹Moved to a self-managed Hetzner VPS with Nginx + Gunicorn 🔹Kept Cloudflare Tunnels, origin IP still never exposed Security was a big focus this time around: 🔹HSTS, CSP, Permissions-Policy headers 🔹Scrypt password hashing, rate limiting, magic bytes image validation 🔹fail2ban, UFW, SSH key-only on a non-standard port 🔹107 automated tests covering auth, CRUD, XSS, and security headers It is not just a portfolio anymore. It is a live project I will keep building on as I work toward running everything from my own home lab. Check it out: www.charles-thomas.dev #python #flask #cybersecurity #homelab #networking #buildinpublic

Excited to announce OpenSIEM Atom v1, an open source SIEM platform I've been quietly building for a while. I built it because I wanted a SIEM that is easy to understand, light on resources, focused on clarity, modularity, practical real‑world detection capabilities and of course, free. What started as a grep on a syslog file turned into something I think is genuinely useful and proud of. OpenSIEM is a self-hosted SIEM. You point your servers at it, it ingests logs, detects threats, fires alerts, and gives you a web UI to manage everything. No vendor lock-in, no per-GB pricing, no black box. 𝗦𝘁𝗮𝗰𝗸: - Python: log ingestion, parsing, correlation engine - PostgreSQL: storage - PHP + vanilla JS: web UI 𝗙𝗲𝗮𝘁𝘂𝗿𝗲𝘀 𝗜'𝗺 𝗽𝗿𝗼𝘂𝗱 𝗼𝗳: - Modular parser system: Adding a new log source is literally one Python file - Multi-step correlation rules: Detect attack sequences, not just single events - IOC/artifact matching: Every log line checked against a threat intel database - Severity levels properly wired: Critical, high, mid, low all the way through the stack - Supports syslog, SSH, auth, Nginx, Apache, UFW, kernel/audit, SELinux, MySQL, PostgreSQL, Cron, and you can add as many as you want - Web dashboard with alerts, artifact hits, correlation rule builder, and reporting It's v1. There are rough edges. Windows support isn't there yet. Some features are sitting on the v2 list. But the core works, I use it, and I think it fills a real gap, a SIEM that's free, self-hosted, and small enough that one person can actually understand the whole thing. -> https://lnkd.in/dWCgvqQE Stars, issues, PRs, and feedback all welcome. Especially the brutal kind. #OpenSource #SIEM #CyberSecurity #BlueTeam #SOC #Python #InfoSec #BuildInPublic #Linux

A single git push was enough to own GitHub’s backend infrastructure. Wiz Research just disclosed CVE-2026-3854 (CVSS 8.7) and the details are worth a close read. The attack: ✦ Unsanitized push option values allowed injection into GitHub’s internal protocol headers ✦ 3 chained injections: override rails_env → hijack custom_hooks_dir → path traversal via repo_pre_receive_hooks ✦ Result: arbitrary RCE as the git service user, with read access to repos across shared storage nodes What makes this stand out: ✦ Wiz used IDA MCP for AI-assisted reverse engineering of closed-source binaries, likely one of the first critical CVEs discovered this way ✦ GitHub patched GitHub.com in under 2 hours. Forensics confirmed zero exploitation before disclosure ✦ ~88% of GitHub Enterprise Server instances remain unpatched as of today If you run GHES, upgrade to 3.19.4+ immediately. The broader lesson: when services written in different languages share an internal protocol, each service’s assumptions about that data become an attack surface. AI is now accelerating vulnerability research in closed-source systems. That’s a shift worth watching. Source: - https://lnkd.in/ecAFrQM3 - https://lnkd.in/eA4PEsvE #GitHub #CVE #CloudSecurity #AppSec #MCP #AIInSecurity #DevSecOps #InfoSec #RCE #CyberSecurity

Your entire CI/CD pipeline just became a backdoor. Here’s how one developer’s npm install turned into a full-scale supply chain breach. The Problem The Bitwarden CLI ` bitwarden/cli 2026.4.0` was compromised via a compromised GitHub Action in the CI/CD pipeline. The malicious code was executed through a preinstall hook. The Agitation This isn’t a simple data leak. The malware: - Steals GitHub/npm tokens, SSH keys, `.env` files, shell history, and cloud secrets. - Targets AI coding tool configurations Claude, Cursor, Codex CLI . - Encrypts stolen data with AES-256-GCM and exfiltrates it to `audit.checkmarx . cx`. - Uses stolen GitHub tokens to inject malicious Actions workflows into repositories. One infected developer token can compromise every CI/CD pipeline it touches. The data is publicly exfiltrated to GitHub repositories, making it accessible to anyone searching. The Solution This attack exploits trusted publishing and supply chain vulnerabilities that most teams overlook. Your immediate actions: - Audit all npm packages for suspicious preinstall hooks. - Rotate all GitHub tokens and npm credentials immediately. - Review GitHub Actions workflows for unauthorized modifications. - Monitor for exfiltration to public repositories with Dune-themed naming patterns. The attack vector is clear: compromised CI/CD pipelines. The defense requires zero-trust for every dependency. How is your team securing your infrastructure against this type of exploitation? Let’s discuss in the comments below. #SupplyChainSecurity #DevSecOps #CICDPipeline

🚨 Another reminder that the software supply chain is a real attack surface. Researchers have uncovered 36 malicious npm packages disguised as Strapi plugins. These were not harmless fake packages. They were reportedly designed to: -exploit Redis and PostgreSQL -steal credentials -open reverse shells -maintain persistent access on compromised systems What makes this more dangerous is that the malicious code was hidden in the postinstall script, meaning it could run automatically during installation. That is the part many teams still underestimate. A few hard lessons here: 1.Do not trust packages just because the name looks familiar 2.Verify the publisher and namespace carefully 3.Audit install scripts, especially postinstall 4.Restrict outbound access from build environments 5.Treat developer environments and CI pipelines as high-value targets Attackers are no longer just attacking applications.They are attacking the development pipeline itself. That should worry every engineering and security team. #CybersecurityService #VAPT #SOC #DPDP

🚨 Another reminder that the software supply chain is a real attack surface. Researchers have uncovered 36 malicious npm packages disguised as Strapi plugins. These were not harmless fake packages. They were reportedly designed to: -exploit Redis and PostgreSQL -steal credentials -open reverse shells -maintain persistent access on compromised systems What makes this more dangerous is that the malicious code was hidden in the postinstall script, meaning it could run automatically during installation. That is the part many teams still underestimate. A few hard lessons here: 1.Do not trust packages just because the name looks familiar 2.Verify the publisher and namespace carefully 3.Audit install scripts, especially postinstall 4.Restrict outbound access from build environments 5.Treat developer environments and CI pipelines as high-value targets Attackers are no longer just attacking applications.They are attacking the development pipeline itself. That should worry every engineering and security team. #CybersecurityService #VAPT #SOC #DPDP

A trending GitHub repo. (~100K star) A private key is sitting openly in the code. Nobody noticed. 😶 We scanned it with Relia today. 41 issues. 6 critical. The ones that shocked us most - 🔴 Private key exposed in source code 🔴 Anyone could read any file on the server (path traversal) 🔴 Hardcoded passwords in 10+ files 🔴 Access control is completely bypassable 🔴 A bug that crashes the entire pricing system silently This is not a hobby project. This is something people are actively forking and deploying. Right now. In production. The scariest part? The developer probably has no idea. You write the code. You ship it. You move on. Nobody tells you what's broken until it's too late. That's the gap Relia fills. Paste your repo. Get your full report in minutes. Know before someone else finds it for you. 👇 Full report of this scan in the first comment. See every issue we found - open, detailed, free to read. #GitHub #OpenSource #CodeSecurity #Relia #BuildInPublic #DevTools #CyberSecurity #IndieHackers #Ai #HermesAgent #PublicRepo #Vibecon #Vibecoding

A trending GitHub repo. (~100K star) A private key is sitting openly in the code. Here's the full Relia scan report📄 https://lnkd.in/d4zKQZYE

9 hours and 41 minutes. That's how long it took from CVE disclosure to active exploitation in the wild. CVE-2026-39987 hit Marimo — the Python notebook with 18K GitHub stars and 1M+ monthly downloads — with a 9.3 CVSS pre-auth RCE. The bug is embarrassingly simple. Every endpoint in Marimo calls validate_auth(). Every endpoint except /terminal/ws. That WebSocket just checks your OS platform and hands you a full PTY shell. No token. No session. Nothing. One WebSocket connection = root access to the host. Sysdig's honeypots caught the first exploit attempts before most teams even read the advisory. Complete credential theft took under 3 minutes from initial connection. What makes this worse: versions through 0.20.4 are all vulnerable. The fix isn't in 0.20.5 — it's in 0.23.0. Three full minor versions shipped with this endpoint wide open before anyone added auth to it. CISA added it to the KEV catalog. The federal patch deadline is today, April 11. If you're running Marimo on anything network-accessible — a cloud VM, a shared dev box, even localhost with port forwarding — you need to update right now. Not after standup. Not after lunch. Patch-Tuesday thinking is dead for developer tools exposed to the internet. A 10-hour exploit window doesn't care about your change management process. How many other developer tools are sitting on unauthenticated WebSocket endpoints right now? #CyberSecurity #CVE #Python #DevSecOps #InfoSec

While recently tackling the "Silentium" environment, I hit a wall: two critical vulnerabilities were present, but there were no public PoCs available to bridge the gap from zero access to a shell. Instead of moving on, I decided to build the bridge myself. The Discovery: The first crack was CVE-2025-58434. I identified that the forgot-password endpoint was leaking the tempToken directly in the API response. This allowed for an unauthenticated Account Takeover (ATO) with nothing but a target email address. The Escalation: Once inside, the real challenge began. CVE-2025-59528 exists because user-supplied configurations are passed directly to a JavaScript Function() constructor. By wrapping a reverse shell payload in Base64 to bypass character sanitization, I was able to trigger Remote Code Execution (RCE) via Node.js child_process. The Result: I’ve released a modular Python-based PoC that automates this entire chain: Leak the token. Reset the admin password. Authenticate and extract session cookies. Execute an asynchronous reverse shell. This allows for a full compromise of self-hosted Flowise deployments from a zero-credential starting point. Check out the full PoC here: 🔗 https://lnkd.in/gKSCihH8 #CyberSecurity #RedTeaming #ExploitDev #PenetrationTesting #HTB #Flowise #VAPT