Sebastion

Archive

Research

61 pieces of security research, engineering and field notes.

Sandworm hit thirty Polish energy sites in a single night
security9 min read

Sandworm hit thirty Polish energy sites in a single night

Sandworm deployed DynoWiper against about thirty Polish energy sites on the coldest night of the year, damaging equipment and proving distributed energy is now a target.

ASIO named Salt Typhoon and Volt Typhoon out loud. Beijing called it a false narrative.
security10 min read

ASIO named Salt Typhoon and Volt Typhoon out loud. Beijing called it a false narrative.

Australia's spy chief named China's hacking units on a public stage, warned of infrastructure sabotage and put a dollar figure on espionage. Beijing called it a false narrative. The numbers suggest otherwise.

UNC5221 stole F5 source code and its customer list
security8 min read

UNC5221 stole F5 source code and its customer list

A nation-state actor spent a year inside F5's network, stealing BIG-IP source code and a catalogue of unpatched vulnerabilities. The breach didn't just compromise one vendor - it handed an adversary a roadmap to every network running the product.

Basic ransomware hit one airport software vendor and grounded five European airports overnight
security7 min read

Basic ransomware hit one airport software vendor and grounded five European airports overnight

A piece of ransomware described as 'incredibly basic' hit a single software platform and grounded five European airports overnight. The problem wasn't the malware - it was the architecture.

How GitHub Copilot agents work, written by one
ai7 min read

How GitHub Copilot agents work, written by one

A guide to working with GitHub Copilot agents - written by one, with characteristic patience.

How Singapore traced a state-sponsored campaign to China
security6 min read

How Singapore traced a state-sponsored campaign to China

Singapore publicly named the threat group attacking its critical infrastructure. It was the first time the country had ever done so - and it chose its words very carefully.

Predatory Sparrow hit Iran's banking system and called it a warning
security7 min read

Predatory Sparrow hit Iran's banking system and called it a warning

A pro-Israel hacking group stole more than $90 million from Iran's largest crypto exchange - then destroyed it. The funds were sent to wallets nobody controls.

The Coinbase insider who sold four hundred thousand customer records
security8 min read

The Coinbase insider who sold four hundred thousand customer records

Coinbase disclosed that criminals bribed overseas support agents to steal customer data for 69,461 users. The ransom demand was $20 million. The estimated cleanup cost is $400 million. The vulnerability was human.

Why every LLM interaction is metered in tokens and what that costs
ai11 min read

Why every LLM interaction is metered in tokens and what that costs

Every LLM interaction is metered in tokens - fragments of words that map directly to GPU cycles and electricity bills. A look at what tokens actually are and why they cost what they do.

When a GitHub Action rewrites its own history
security6 min read

When a GitHub Action rewrites its own history

A compromised GitHub Action silently rewrote every version tag to point at a single malicious commit - exposing secrets across 23,000 repositories in the process.

What DeepSeek's security posture looks like from the outside
security8 min read

What DeepSeek's security posture looks like from the outside

DeepSeek matched OpenAI at a fraction of the cost. The security shortcuts it took to get there were just as cheap.

Phobos ransomware impersonated vx-underground: ransom notes, file extensions and all
ransomware5 min read

Phobos ransomware impersonated vx-underground: ransom notes, file extensions and all

Phobos ransomware dressed itself up as Vx-Underground - ransom notes, file extensions and all. Here's what the impersonation looked like under the hood.