howtoit.org

Practical cybersecurity & IT, explained.

Building a physical security monitoring system — and what it taught me about SOC work

Physical security and cybersecurity are usually treated as separate disciplines. One involves cameras and locks, the other involves SIEMs and firewalls. But after designing and deploying a full surveillance system at a regional nonprofit, I came away with a clearer understanding of how tightly the two connect — and how much the operational challenges of physical security monitoring mirror the work of a SOC analyst.

The deployment
The system covers LRDA’s facility — a building with around 40 rooms across three entrances (front, rear, and side), with coverage both inside and outside. ...

June 3, 2026

TeamPCP published their own malware on GitHub — with an instruction manual

On May 12, 2026 — one day after the TanStack npm attack — the threat group TeamPCP posted the complete source code for their Shai-Hulud credential-stealing worm to GitHub. Not accidentally. On purpose. With a README that included deployment instructions. The message in the repository read: “Shai-Hulud: Open Sourcing The Carnage. Is it vibe coded? Yes. Does it work? Let results speak. Change keys and C2 as needed. Love – TeamPCP.” ...

May 29, 2026

How a poisoned VS Code extension breached GitHub — and the npm attack that started it all

This week GitHub confirmed that roughly 3,800 of its internal repositories were breached after an employee installed a malicious VS Code extension. The extension was live on the official Visual Studio Marketplace for 18 minutes. That was enough. The breach didn’t come out of nowhere. It’s the latest escalation in a coordinated supply chain campaign by a threat group called TeamPCP — and it connects back to a sophisticated npm attack that happened ten days earlier. Here’s how the whole thing fits together. ...

May 21, 2026

How I built this site for free (and how you can too)

This site costs nothing to run. No hosting fees, no WordPress subscription, no website builder. It’s built with Hugo, hosted on GitHub Pages, and served on a custom domain I pay about $12 a year for. If you’re in cybersecurity or IT and want a blog that doubles as a portfolio, this is the stack I’d recommend. Here’s how to build one from scratch — even if you’ve never used a terminal before. ...

May 7, 2026

How to actually make a strong password (and why most advice is wrong)

Most people have been taught the same password advice: use uppercase letters, numbers, and symbols. Make it at least 8 characters. Change it every 90 days. Almost all of that is wrong, or at least badly incomplete. This post breaks down what actually determines password strength, how attackers approach cracking, and what you should actually do.

What “password strength” really means
A password is strong if it takes an attacker an impractical amount of time to guess it. That’s it. Strength isn’t about how complicated it looks — it’s about how long an exhaustive search takes. ...

May 7, 2026