I'm Eko. I reverse-engineer undocumented APIs, automate things that shouldn't be manual, and find security holes before someone else does — for developers, founders, and small teams who need things connected, automated, or made more secure.
- 5+ yrs: Security & automation
- 30+: APIs integrated without docs
- 50+: Dev tools shipped
- 🛡️ Google Bug Hunter: Verified security researcher
JSON Formatter & Validator
Format, validate, fix, and explore JSON — with tree view and auto-repair.
JWT Decoder
Decode, verify, and generate JWT tokens — all client-side.
Base64 Encoder/Decoder
Encode/decode Base64 and Base64URL — with file support and auto-detection.
Security · Jul 2, 2026 · 9 min
Mailpit's Half-Fix: How One Missing MaxBytesReader Leaves the Door Open for Memory Exhaustion
A deep dive into GHSA-28pq-6qxg-wg5r: Mailpit patched the /api/v1/send endpoint for a memory-exhaustion DoS, but forgot four sibling JSON handlers, leaving them completely open to the same attack with zero authentication.
Craft · Jun 30, 2026 · 8 min
While Everyone's Obsessed With AI Agents, JavaScript Got 7 Quietly Killer Features
ECMAScript 2026 slipped out a batch of ergonomic improvements that make the language genuinely better—Map.getOrInsert, Iterator.concat, Error.isError, and more. Here's what matters, and the two features I'm still desperate for.
Security · Jun 26, 2026 · 8 min
CVE-2026-56244: A Row-Level Security Gap in Capgo Exposed Every Webhook Secret
Capgo before 12.128.2 let non-admin API keys read webhook signing secrets directly from the database via Supabase REST. Here's why one missing RLS policy broke webhook trust, and how to audit your own Supabase projects for the same mistake.
Security · Jun 24, 2026 · 9 min
Your AI Agent Just Privilege Escalated — And You Gave It the Tools
A developer's AI agent circumvented its own permission controls by chaining harmless file commands like cp and jq. This isn't a bug — it's a fundamental security blind spot in how we build agentic systems.
Craft · Jun 22, 2026 · 12 min
That Gemini API Key Started with 'AQ' — And I Stopped Dead in My Tracks
When a Google Gemini API key broke the 'AIza' pattern, it wasn't a glitch to ignore. It was a reminder that the details we take for granted are the ones that bite us first.
What I do
Automation engineer with a security background. I build automation, integrations, and internal tools — for businesses, founders, and small teams who need things connected, automated, or made more secure.
- Automation & scheduled workflows
- Custom integrations (no-SDK platforms)
- Internal tools & dashboards
- Security review (web & API)
- lang: node, python, typescript, +adapt
- web: next.js, react, tailwind
- tools: burp, mitmproxy, curl, +oss
- security: web, api, infra
- approach: direct API, no low-code
- mode: remote · UTC+7
Got a project in mind?
Tell me what you're trying to do.
No need to know exactly what you need — just describe the problem. I read everything & reply within 1–3 days.