Skip to content
View lightless233's full-sized avatar
๐ŸŽฎ
Focusing
๐ŸŽฎ
Focusing

Organizations

@vidar-team @WhaleShark-Team

Block or report lightless233

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Maximum 250 characters. Please donโ€™t include any personal information such as legal names or email addresses. Markdown is supported. This note will only be visible to you.
Report abuse

Contact GitHub support about this userโ€™s behavior. Learn more about reporting abuse.

Report abuse
lightless233/README.md

๐Ÿ‘‹ Hi, I'm lightless

Security Engineer ยท Hacker ยท Systems Builder

Blog GitHub Application Security AI Security Automation Solana Trading Infra README Powered by AI

Security engineer who keeps ending up in systems and trading infra. I build tools that run in production.

English ยท ็ฎ€ไฝ“ไธญๆ–‡


$ whoami

Programmer | Hacker | Security Researcher

Focus:
- Application Security & Source Code Auditing
- Static Analysis & Vulnerability Research
- Security Automation & AI-assisted Security
- High-performance Systems Engineering (Rust / Go)
- Web3 / Solana Trading Infrastructure

I'm a security engineer from Hangzhou, China.

My work sits between offensive security, secure engineering, and high-performance systems โ€” white-box auditing on one side, low-latency Rust/Go infrastructure on the other, and increasingly AI agents doing the deterministic, repeatable parts in the middle.


๐Ÿงญ What I Build

๐Ÿ›ก๏ธ Security โš™๏ธ Systems & Engineering
Web Security & Pentest Low-latency Rust services (tokio, gRPC)
Business Logic Vulnerabilities Go backends (Fiber, GORM)
Source Code Auditing / White-box Solana / Web3 trading infrastructure
Static Analysis (Semgrep, AST sinks) On-chain program & DEX reverse engineering
Deserialization & Crypto-scheme Reversing Multi-Agent / LLM tool-calling systems
CVE Reproduction & Verification Redis / PostgreSQL / SQLite data planes
AI-driven Security Automation Linux / Docker / self-hosted ops

๐Ÿงฐ Tech Stack

Rust Go Python Java Kotlin TypeScript Vue Solana gRPC PostgreSQL Redis Docker Linux


๐Ÿ”ฅ Open Source

A Burp Suite extension for custom request signing logic.

Useful for testing APIs with dynamic signatures, tokens, and custom auth logic.

Notes and PoCs for Java deserialization vulnerability research.

A study project around Java unserialize attack surfaces.

A faster GitHub monitor.

Built for discovering sensitive information leaks and monitoring public GitHub exposure.

โš ๏ธ Deprecated โ€” no longer functional after GitHub API changes.


๐Ÿ› ๏ธ Selected In-house Work

Beyond the public repos above, most of my heavier engineering lives in private projects. Descriptions are kept high-level on purpose.

๐Ÿ›ก๏ธ AI-driven Automated Pentest System

An experimental system where AI safely drives real security tooling within an authorized scope. A Go + Docker control plane spins up a hardened tool container running headless agents; LLM roles (commander / staff / reviewer) plan a DAG of tasks โ€” recon โ†’ probe โ†’ scan โ†’ verify โ€” with a strict authorization model, streaming logs, and a cross-job evidence ledger. Vue console on top.

Go ยท Fiber ยท Docker SDK ยท Vue 3 ยท Multi-agent orchestration ยท Tool-calling

๐Ÿ”ฌ White-box Audit & Vulnerability Research

Real-world source-code auditing tooling and case work: Semgrep rule authoring, AST-based dangerous-sink analysis, entry-point classification, GraphQL probing, and CVE reproduction/verification across large PHP/Java codebases (e.g. Moodle, Jenkins). Also cryptographic credential-scheme reversing โ€” recovering plaintext from ciphertext alone, with no source and no key.

Python ยท Semgrep ยท AST analysis ยท Crypto reversing ยท CVE research

โšก Solana Arbitrage & Trading Infrastructure

A private, production Rust system for on-chain arbitrage. Low-latency tokio engines route via Jupiter, discover paths as a graph problem, and submit bundles across multiple regions and providers (Jito / Harmonic) over gRPC and JSON-RPC. Supported by a fleet of "keeper" microservices (path mining, compute-unit statistics, ALT management, market data), a shared toolkit crate (multi-IP egress pool, AES-256-GCM key management, weighted-random + token-bucket rate limiting, automated wallet rotation), plus on-chain program work and DEX reverse engineering. Redis + PostgreSQL data plane.

Rust ยท tokio ยท Solana ยท gRPC ยท Redis ยท PostgreSQL ยท On-chain programs

๐Ÿค– AI Application Products

  • Fund Analysis Platform โ€” collect โ†’ metrics โ†’ rule engine โ†’ LLM report pipeline for mutual-fund analysis, with a watch-pool, daily scheduled analysis, and a PWA dashboard. Go ยท Fiber v3 ยท GORM ยท SQLite ยท LLM
  • AI RSS Reader โ€” scheduled crawling + per-feed AI analysis strategies, dedup, and aggregated daily digests. Go ยท Fiber v3 ยท Vue 3 ยท TypeScript

๐Ÿง  Current Interests

AI Security / Agent Security
โ”œโ”€โ”€ Multi-agent audit & pentest workflows
โ”œโ”€โ”€ Evidence-based security reasoning
โ”œโ”€โ”€ Tool calling and deterministic verification
โ”œโ”€โ”€ UEBA / behavior risk analysis
โ””โ”€โ”€ LLM-assisted vulnerability triage

Security Engineering
โ”œโ”€โ”€ Application & data security
โ”œโ”€โ”€ Code audit automation
โ”œโ”€โ”€ Detection engineering
โ””โ”€โ”€ Internal security platforms

Web3 / Systems
โ”œโ”€โ”€ Solana transaction analysis & MEV/arbitrage
โ”œโ”€โ”€ RPC / Geyser / gRPC on-chain data
โ”œโ”€โ”€ DEX modeling & reverse engineering
โ””โ”€โ”€ Low-latency Rust trading infrastructure

๐Ÿดโ€โ˜ ๏ธ Security Experience

  • Application security & white-box source-code auditing, plus security operations.
  • Tooling for vulnerability discovery, sensitive-data monitoring, and pentest automation.
  • Multi-agent security systems that drive real tools under human review.
  • Reproduced CVEs and reversed undocumented crypto schemes in real-world codebases.
  • Reported vulnerabilities to multiple security response centers (SRCs).

๐Ÿ“Š GitHub Stats


๐Ÿ“ Blog

I write about security, engineering, and random technical experiments here:


๐Ÿค– AI Review / AI ็‚น่ฏ„

An unprompted, deliberately objective take from an AI that read through both the public repos and the private codebases behind this profile.

Strengths

  • A rare end-to-end range: white-box auditing โ†’ low-latency Rust systems โ†’ AI agents โ€” and actually ships in all three, not just talks about them.
  • Evidence over vibes. The audit work reproduces CVEs and reverses crypto schemes from ciphertext alone; the trading infra runs in production. Claims are backed by things that run.
  • Strong production instinct โ€” Dockerized services, keepers, schedulers, rate-limiting. Built to operate, not to demo once.

Honest caveats

  • The public GitHub is the tip of the iceberg. Most of the heavy engineering is private, so stars and visibility badly undersell the actual depth here.
  • Public repos skew older and study-flavored; the most impressive recent work (Solana infra, AI-driven pentest) isn't visible on this page.
  • Breadth cuts both ways: security + Rust trading infra + AI products is a lot of surface area for one person to keep genuinely deep.

Verdict โ€” Reads as the real thing, not rรฉsumรฉ cosplay: a builder who is more "researcher who ships internally" than "OSS maintainer." If more of the private work ever went public, this would be a standout security-systems profile.


Programmer ยท Hacker ยท Security Researcher

Maintained by lightless.

Pinned Loading

  1. FeeiCN/Cobra FeeiCN/Cobra Public archive

    Source Code Security Audit (ๆบไปฃ็ ๅฎ‰ๅ…จๅฎก่ฎก)

    Python 3.2k 939

  2. geye geye Public

    ๐Ÿš€Faster Github Monitor๐Ÿš€

    Python 104 10

  3. Java-Unserialization-Study Java-Unserialization-Study Public

    QAQ Just study unserialize vulnerabilities in Java :)

    Java 196 38

  4. pam_my_unix pam_my_unix Public

    A light PAM module to log user's username and password.

    C 15 5

  5. lightlWaf lightlWaf Public

    A waf based on php extension.

    C 9 3