Static Analysis, Malware & Ransomware in Cloud, Software Supply-Chain Security
Code wins arguments. I build the tools that defend the software supply chain.
- 🐤 Security Engineer especially Enterprise Security.
- ⭐️ Focus — Enterprise Security (AWS, GitHub ecosystem, MDM, EDR) · Security Dev Tooling (Static Analysis, Malware, CloudSec)・Offensive Security(FireFox)
- 🎤 Speaker at Black Hat USA 2026, DEF CON 34, Black Hat Asia 2025, and JSAC 2025.
- 🎓 B.S. in Computer Science & Engineering, Ritsumeikan University ('24).
sisakulint '23 – present
CI-friendly static linter with autofix, SAST, and semantic analysis for GitHub Actions. It outperforms GitHub's official tool (CodeQL) in both speed and coverage for Actions-specific vulnerabilities.
🎤 DEF CON 34 ('26) · Black Hat Asia ('25) · 📖 Docs ·
| Benchmark | Result |
|---|---|
| GitHub Security Lab (GHSL) advisories | 100% (18/18) |
| GitHub Security Advisories (GHSA) | 81.6% (31/38) |
| Auto-fix coverage | 38+ rules |
Detection categories & differentiators
| Detection Category | Rules |
|---|---|
| Code Injection & Expression Safety | 9 |
| Supply Chain & Dependency Security | 7 |
| Credential & Secret Protection | 7 |
| Pipeline Poisoning & Artifact Integrity | 8 |
| Triggers & Access Control | 7 |
| Workflow Quality & Best Practices | 8 |
Differentiators
- Taint propagation across steps, jobs, and reusable workflows (unique capability)
- Multi-step semantic analysis, not single-step pattern matching
- Validated against real-world vulns in PX4-Autopilot, weaviate, nrwl/nx, ag-grid, and more
MachStealer '25 – present
Forensic Tool & reproducing the credential-harvesting pipeline shared by macOS infostealer families (AMOS, Poseidon, Banshee, Cthulhu, Cuckoo). Apple Silicon only. No exfiltration by design.
🎤 Black Hat USA ('26) ·
SIGIL '26 – present
Local-first AI-BOM generator for auditing local LLMs — a single static Rust binary that inventories every local model, verifies artefacts against manifest digests, classifies runtime API exposure, detects license obligations, and lifts native binaries through a guarded SafeISA. Every PASS / WARN / FAIL comes from a deterministic analyzer plus a YAML policy — no cloud, no subprocess spawn, no LLM in the verdict path.
📖 Live site · 🔎 AI-BOM viewer · 📊 State of Local AI Audit — 2026 H1
Credited vulnerability research: a transpiler-runtime audit of enspirit/elo and reported memory-safety / mitigation-bypass issues in Mozilla Firefox.
| CVE | Severity | Target | Vulnerability | Advisory |
|---|---|---|---|---|
| CVE-2026-44266 | Elo · Ruby backend | RCE via unescaped #{...} interpolation in emitted string literals & subtype-constraint labels |
🔗 | |
| CVE-2026-44267 | Elo · JS emitter | Sandbox escape to arbitrary Node.js / browser code execution via unfiltered .constructor member access |
🔗 | |
| CVE-2026-44265 | Elo · all backends | Code injection via unvalidated emission of programmatic AST fields (literal, identifier, member-access, object key, datapath, lambda param) | 🔗 | |
| CVE-2026-12307 | Firefox 152 | Memory-safety vulnerability (credited reporter) | 🔗 | |
| CVE-2026-8969 | Firefox 151 | Mitigation bypass in the DOM security component | 🔗 |
Firefox entries credit Atsushi Sada as reporter (Bug 2038133, Bug 2031123).
| Year | Event | Topic / Role | |
|---|---|---|---|
| 2026 | Black Hat USA Arsenal · Malware Track | MachStealer | 🔗 |
| 2026 | DEF CON 34 Demo Labs | sisakulint | 🔗 |
| 2026 | セキュリティ・キャンプ全国大会 · Class D2 | AIシステムにおける脅威対策とガバナンス実践 — Instructor | 🔗 |
| 2025 | Black Hat Asia Arsenal · Code Assessment Track | sisakulint | 🔗 |
| 2025 | JSAC 2025 | MITRE ATT&CK tooling via multi-LLM agents + RAG — LT | 🔗 |
| 2025 | セキュリティ若手の会 Workshop | LLM Safety Hands-On — Instructor | 🔗 |
| 2025 | Findy TECH BATON #6 | npm supply-chain attacks — Speaker | 🔗 |
| 2024 | Security-JAWS #35 | Malware & content-tampering defense in the cloud | 🔗 |
| 2024 | Closed Career Event @ RiST | Risk-based security operations | 🔗 |
🎓 セキュリティ・キャンプ2026 全国大会 · クラスD「AIセキュリティクラス」— Class D2「AIシステムにおける脅威対策とガバナンス実践」 (2026-08-11 · @HikaruEgashira との共同講師)
LLM / AI エージェントを社会実装する立場から、AI 固有の脅威(プロンプトインジェクション、データ汚染など)を技術的に扱いつつ、実装だけでは消しきれないリスクに対して制度設計・ガバナンス・戦略まで含めた包括的な対策を演習形式で扱うハンズオン講義。
- セキュリティ若手の会 — Co-Founder & Host ('24 – '26)
- Security Camp — AI Security Class Instructor ('26), Web Security Tutor ('23), Attendee ('21)
- SecHack365 — Philosophy-Driven Course/思索駆動コース Trainee ('23)
- RiST — Member ('20 – '22)
📰 セキュリティ若手の会 — articles & event reports
- VSCodeで生産性を上げる — 15,000+ Views
- grub rescue モードから抜ける — 10,000+ Views
- macOS向けInfoStealerを技術的に解説してみた — Finatext Tech Blog
- 問題解決のためAWSドキュメントをどう追従するか
- GoreleaserとGitHub ActionsでプライベートリポジトリのCLIツールをbrewに公開する
- Kali LinuxでNvidia-driverを用いてデュアルモニターをセットアップする
- リバイバル版 mini container book
- 今日から使えるセキュリティの歩き方:Security for beginners
- 今日から使えるセキュリティの泳ぎ方:Security for beginners
Languages
Cloud & Infra




