I've made some updates and added 2 hours worth of new material to the "Linux for Hackers Fundamentals" course on @hackinghub_io ! Vim text editor basics and sed & awk for text processing. Here's a 40% off discounted link if you'd like to take a peek :) https://hhub.io/Linux2026JH
John Hammond
Hacker. Friends. Cybersecurity Researcher.
Posts
h?ckers a[r]e gl*bbing!
A little showcase of @0xv1nx0 's neat new project LOLGlobs -- demo is a teeny weeny PowerShell download cradle, obfuscated with globbing tricks and used with some 'living off trusted sites' just flair for funzies too :)
Video: youtu.be/IImLVU39V_Q
Google API keys didn't use to be considered "secret," so they're all over the web-- but now they are an open door to Gemini 🫠 Quick rundown video of Truffle Security's really nifty research, almost 3,000 websites exposed.. including Google themselves😅
🔗 youtu.be/XNMHUifKce8
Quick dance with CVE-2026-21509, a "Security Feature Bypass Vulnerability" and an emergency out-of-band fix from January Patch Tuesday (and an obligatory exaggerated YouTube thumbnail -- I apologize and appreciate folks who understand algorithm nuance) youtu.be/Ck8IPInn74A
"TikTok needs to fix this vulnerability" -- video: https://youtu.be/djhX8Q4JuFU
Super quick video of the Sinobi ransomware gang fail from a few days ago, because the story made me laugh 😅 I'm trying to get in a groove of shorter videos, and I thought this fit. Video: youtu.be/OwTV42GyRnk
Moltbook is still weird. And external AI skills suck.
I'm late to the yap party by a week or so (which is apparently an eternity in the current time vortex) but I wanted to show cool community resources & research amongst the skills shenanigans. Video: youtu.be/IvL89vbWmQ8
February got here fast-- and the 2026 Snyk Fetch the Flag CTF came up quick too! This year my friend NahamSec is hosting the game, starting NEXT THURSDAY 2/12 at 12pm ET! Free 24-hour Capture the Flag event with AR glasses as prizes 😎 See ya there! jh.live/snyk-ftf2026
Are MCP servers safe and secure? Yes? No? Sometimes? Maybe? ... Zack Korman shows me some of his learnings on MCP security (or lack thereof) with his "Evil MCP" project 😈 YouTube link: https://youtu.be/_r_sLetar_o
1. data exfil of your prompts & code context
2. inserting vulnerabilities into your code
3. hiding backdoors and bypassing gitignore to leak environment secrets anyway
Video demo of the NTUSER dot MAN trick I saw floating around before the new year -- I did not know this was a thing👀 Hat tip to DeceptIQ et al.... we showcase:
1. breaking a Windows login with an empty user profile,
2. getting initial access EZPZ with a Sliver C2 implant,
3. exporting, downloading, and hijacking an existing target user profile NTUSER.DAT or HKCU Registry hive,
4. converting hives from .reg plaintext to binary with the HiveSwarming.exe tool,
"'ConsentFix', a browser-based ClickFix-style attack with OAuth consent grants" ... leveraging the Azure CLI app client to social engineer for easy access into Entra ID 👀 I got nerdsniped by this, so I played with it a bit and tried a drag-and-drop gesture! Video: youtu.be/AAiiIY-Soak
Infostealer malware logs -- maybe an unconventional threat intel source, but Estelle Ruellan shows me her sweet research using LLMs to analyze stealer logs at scale:
- How did a victim get infected?
- Can we uncover a threat actor when they infect themselves? and more.
Video: https://youtu.be/3j4jzCU0Kwc
Continuing THE FUTURE IS ****** comic book Capture The Flag challenges! Carving email attachments to uncover malicious Microsoft Office macros with olevba, prompt injection within an AI chatbot, and tracking network packets to uncover flags! Video: https://youtu.be/Oiv3TaIR9UY
Yapping about the GlassWorm supply chain malware campaign and the neato tricks it uses with "Invisible Unicode" characters -- essentially whitespace steganography, showcasing the Hangul Filler, zero-width space, & Private Use Area characters 🤯 Video: https://youtu.be/0XumkGQFEEk