Hi, I'm Jacob Santos
Senior threat researcher who hunts for emerging threats, builds operational security tools, and shares findings through research and workshops.
Featured Research
Latest published threat analysis and intelligence
Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do
Documented an active campaign in which threat actors exploited the Anthropic Claude Code npm packaging error to distribute Vidar, GhostSocks, and PureLog Stealer via a fake "leaked-claude-code" GitHub repository, with over 533 confirmed payload downloads as of April 7, 2026.
Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads
Analyzed a rotating AI-themed lure campaign active since February 2026 that pivoted within 24 hours of Anthropic's Claude Code npm packaging error to distribute Vidar stealer and GhostSocks proxy malware through fake "leaked Claude Code" GitHub repositories, impersonating more than 25 software brands via a single Rust-compiled dropper.
Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads
Investigated a supply chain attack in which an attacker hijacked the lead Axios npm maintainer's account and published two malicious versions containing a phantom dependency that deployed a cross-platform RAT on macOS, Windows, and Linux while erasing forensic evidence by replacing itself with clean decoy files.
Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack
Deep-dive analysis of Warlock (Water Manaul) ransomware operations revealing new TTPs including persistent BYOVD techniques, TightVNC and Yuze remote access tools, and 15-day dwell time before LockBit-derived ransomware deployment.
What I Do
Combining threat research with automation and intelligence dissemination.
Threat Research
Deep-dive analysis of ransomware families, APT campaigns, and adversary tooling. Published on the company research blog.
Security Tooling
Building production tools adopted team-wide — AI pipelines, threat intel platforms, MCP servers, desktop applications, and Confluence integrations.
Intelligence Dissemination
Delivering advanced threat defense workshops for multinational participants, government agencies, and enterprises across multiple countries.
From the Blog
Practical insights from the field
Infrastructure Hunting Beyond IOCs
2026-02-05
Moving up the Pyramid of Pain — from hash-based detection to hunting adversary infrastructure through behavioral fingerprints and network patterns.
MCP Servers for Threat Intelligence
2026-01-15
How I set up Model Context Protocol servers to bridge AI assistants with threat intelligence platforms — and what I learned about tool design along the way.
What Ransomware Hunting Actually Looks Like
2025-12-08
The daily reality of proactive ransomware hunting — from YARA triggers and VirusTotal dashboards to naming new families and building attack chains from telemetry.
Let's connect
Open to research collaborations, interesting problems, and new opportunities.