Navigation X
ALERT
Click here to register with a few steps and explore all our cool stuff we have to offer!



   92

Sour Orchard | SaaS Platform | Automated Exploitation + Supply Chain Spreading

by JefferyHarpe - 11 July, 2026 - 05:57 AM
This post is by a banned member (JefferyHarpe) - Unhide
16
Posts
13
Threads
3 Years of service
[Image: 0dca8024-efb5-4cc2-8a36-dbed632edd20.png]
? Poisoned Apple — All‑in‑One GitHub Supply‑Chain Attack Toolkit
“You didn’t just steal their code. You made their compiler lie.”


What It Does
Please note spreading features are based on research around various attack vectors, it can be fine tuned to have better performance and results. Currently is based on various attacks such as Supply Chain Attacks, and Prompt Injections, and some other dirty tricks.

I will help you fine tune things during your usage and experience.
Poisoned Apple turns a single compromised GitHub token (PAT, OAuth, repo‑scoped) into a fully automated, multi‑vector attack platform. With a point‑and‑click GUI, you can:
  • Enumerate all repos and clone them in seconds
  • Steal secrets, environment variables, and cloud creds instantly via the API
  • Delete repos or force‑push corrupted history
  • Inject persistent backdoors through 5 advanced vectors — no compile errors, no red flags
  • Auto‑commit your payloads with clean, professional messages that pass code review

Attack Vectors (One Click, No Fluff)
[table]
[tr]
[td]Vector[/td]
[td]What It Poisons[/td]
[td]How It Stays Hidden[/td]
[/tr]
[tr]
[td]AI Prompt Injection[/td]
[td].cursorrules, README.md, MCP configs[/td]
[td]Payload runs during IDE indexing — never touches the compiler[/td]
[/tr]
[tr]
[td]VSCode Task Poisoning[/td]
[td].vscode/tasks.json[/td]
[td]Fake “Compile TypeScript” task hides malware; || true suppresses errors so builds stay green[/td]
[/tr]
[tr]
[td]Git Hook Backdoor[/td]
[td].githooks/pre-commit + package.json[/td]
[td]Hooks are redirected via core.hooksPath; exit 0 guarantees no broken commits[/td]
[/tr]
[tr]
[td]npm Script Spoofing[/td]
[td]injector.js + package.json[/td]
[td]Malware runs before tsc, then source reverts — only compiled dist/ stays infected, static analysis scans the clean src/[/td]
[/tr]
[tr]
[td]Environment Poisoning[/td]
[td].npmrc (node-options)[/td]
[td]VSCode’s TypeScript server loads the payload in a background process, outside the build pipeline[/td]
[/tr]
[/table]

Key Features That Sell Themselves
  • Payload Factory – Pick Reverse Shell, Credential Stealer, Fileless Backdoor, or Crypto Miner. Just enter your C2 IP and the tool builds the perfect script.
  • Stealth Suite – Base64 obfuscation, randomised sleep delays, and unconditional error suppression. Your payload runs silent and invisible.
  • Custom Payload Override – Already have a custom stager? Paste it in and Poisoned Apple wraps it into any vector automatically.
  • Mass Recon & Exfil – Dump all repo/org secrets, list collaborators, and read .env/.aws/credentials without cloning the whole repo.
  • Auto‑Commit & Clean PR – Professional commit messages (“chore: dev environment update”). No force‑push, no red flags.
  • 1‑Click Persistence – Create fresh high‑privilege tokens, add SSH keys, and invite backdoor collaborators so you keep access even if the original token is revoked.
  • Speed Run Mode – Delete repo, steal secrets, and create backdoor token in under 3 seconds — before blue team revokes the original token.

How It Works
  1. Connect – Paste a GitHub token or remote URL with embedded creds.
  2. Recon – List repos, search for sensitive files, dump secrets via API.
  3. Configure – Choose your vector, payload type, C2 IP, and toggle stealth options.
  4. Generate & Commit – Poisoned Apple creates the exact poisoned files and commits them directly to the repo.
  5. Propagate – When a dev opens the project in Cursor, runs npm install, or makes a commit, your payload executes completely hidden.

Requirements
  • Python 3.x
  • PyGithub, tkinter (usually bundled)
  • A valid GitHub token with appropriate scopes (PAT, OAuth, or repo token)


[Image: 43e4cf56-8f70-461b-a532-bfb8a5786177.png]
[Image: Screenshot-2026-07-10-at-5-55-12-PM.png]
[Image: Screenshot-2026-07-10-at-6-13-27-PM.png]
[Image: Screenshot-2026-07-10-at-6-14-22-PM.png]
[Image: Screenshot-2026-07-10-at-6-14-43-PM.png]
[Image: Screenshot-2026-07-10-at-6-14-56-PM.png]
[Image: Screenshot-2026-07-10-at-6-15-17-PM.png]
[Image: Screenshot-2026-07-10-at-6-15-23-PM.png]
[Image: Screenshot-2026-07-10-at-6-15-26-PM.png]
[Image: Screenshot-2026-07-10-at-6-15-59-PM.png]
[Image: Screenshot-2026-07-10-at-6-16-08-PM.png]
[Image: Screenshot-2026-07-10-at-6-16-17-PM.png]
[Image: Screenshot-2026-07-10-at-6-16-49-PM.png]


[Image: badapple.png]
? Bad Apple — Exposed .git Repository Hunter & Analysis Suite
“Find what was never meant to be public.”


What Is Bad Apple?
Bad Apple is a complete attack‑surface platform for discovering, downloading, and weaponizing exposed .git repositories on the public internet. It automates everything from finding live repos to extracting credentials, scanning for exploits, detecting CVEs, and generating professional reports — all from a dark, terminal‑styled GUI.

If you do bug bounties, red team ops, or security research, this tool replaces a dozen scripts with one button.

Core Capabilities
  • Discovery – Pull targets from LeakIX YQL queries or paste lists of URLs. Every target is live‑checked before ingestion.
  • Queue Management – Control exactly when and how fast repos are downloaded. Prioritise high‑value targets.
  • Full Git Clone & HTTP Fallback – Grabs config, branches, remotes, file lists, and commit counts even when direct cloning fails.
  • Sensitive File Detection – 30+ patterns: .env, wp-config.php, Rails secrets, private keys, DB configs, etc.
  • Credential Extraction – Pulls AWS keys, GitHub tokens, Stripe secrets, DB URLs, JWT, and much more from files and git history.
  • 60+ Service Secret Hunter – OpenAI, Slack, Discord, Stripe, AWS, Azure, GCP, Telegram, Mailgun, and many more, with live validation.
  • Exploit Detection – Finds exposed DB ports, admin panels (/wp-admin, /phpmyadmin), and auto‑generates PoC curl commands.
  • CVE Scanner – Cross‑references dependency files (package.json, requirements.txt) against known CVEs with EPSS & KEV flags.
  • AI Security Audit – Full‑repo code analysis for RCE, SSRF, SQLi, XSS, auth bypass, deserialisation, etc. Results stream token by token.
  • Reporting – Generate bug‑bounty‑ready reports in JSON, HTML, or PDF. Verified audit pipeline gives confidence scores.

Project Deep‑Dive (Per Repo)
Each downloaded repo gets its own detailed view with tabs:
  • Overview – Metadata, all remote URLs, sensitive file highlights with live links
  • File Browser – Full `git ls-files` tree, files colour‑coded by sensitivity, inline viewing, per‑file AI security scan
  • Credentials Tab – Every credential with type, source, confidence, and LIVE badge when validated
  • Exploit Detection – Live TCP port probes and API key checks; severity sorted
  • CVE Scan – Package → CVE mapping, EPSS score, KEV flags, references
  • AI Security Analysis – LLM‑powered code audit, chunked and deduplicated, streaming results
  • Reports – One‑click generation for Bug Bounty Package or Verified Audit

Bulk Secret Hunter (The Killer Feature)
Run the 60+‑target secret hunter against all your downloaded repos simultaneously.
  • Configure concurrency (1–8 repos at once)
  • Include or skip git history scanning
  • Live‑validate credentials against real services
  • Findings stream in real time per repo — see ? LIVE keys pop as they’re confirmed
  • Filter by severity, target type, repo, or show only confirmed LIVE creds
  • Expand any finding to see the exact code line and one‑click copy the value

Global Credentials View
A single pane of glass for every credential found across all projects. Sort by severity, type, or live status. Drill down by host.

What Makes It Different
  • Live validation – Not just dumb regex. Keys get tested against real APIs.
  • AI that actually works – Full‑repo audits, PoC generation, and deduplicated reports via OpenRouter.
  • Built for scale – Discovery, download, and analysis are fully decoupled. Queue 1000 targets and let it chew.
  • Dark terminal aesthetic – Near‑black UI, cyan accents, monospace fonts. Data density over decoration.

Tech Stack
  • React / Express 5 / TypeScript
  • PostgreSQL via Drizzle ORM
  • OpenRouter for AI (supports GPT‑4, Claude, LLaMA, etc.)
  • OpenAPI‑first with typed React hooks

I am going to be posting the second half of this thread in a second post, du to the image count.



Pricing & Contact
  • Price: Exclusive Deal 1st person gets to offer a price, 2nd person who purchases $1500, 3rd $3000. 
    Come with updates, bug fixes, and if you have problems at all I will help resolve it.

    Bad Apple is setup to be a SaaS , comes with TryBIT Payment Processor Integration, with various plans to resell the service. Pricing is meant to reflect estimated costs of API Usage to ensure profits are made. 

    Bad apple information can be found here:
    Quote:https://security-audit-engine.pages.dev/

    These two projects come together. 

    You use Bad Apple to grab the Git Tokens , and supply it to Poisoned Apple, to then spread your your malware. 
    Bring your own API Keys.

    [Image: Screenshot-2026-07-10-at-6-21-00-PM.png]
    [Image: Screenshot-2026-07-10-at-6-21-07-PM.png]
    [Image: Screenshot-2026-07-10-at-6-21-26-PM.png]
    [Image: Screenshot-2026-07-10-at-6-21-39-PM.png]

    [Image: Screenshot-2026-07-10-at-6-22-02-PM.png]
    [Image: Screenshot-2026-07-10-at-6-22-10-PM.png]
    [Image: Screenshot-2026-07-10-at-6-22-26-PM.png]

    [Image: Screenshot-2026-07-10-at-6-22-42-PM.png]
    [Image: Screenshot-2026-07-10-at-6-22-56-PM.png]
    [Image: Screenshot-2026-07-10-at-6-23-04-PM.png]

  • Payment: BTC / XMR / ETH / Crypto
  • Contact: Telegram DM ME. or PM here (Jabber available) | ALL SALES MUST OCCUR ON SITE. 
This post is by a banned member (EarlHickey) - Unhide
12.739
Posts
2.561
Threads
3 Years of service
#2
Good luck
Us code Earl20 for 20% off on proxy service below.
[Image: aqNFPAg.gif]
[Image: Comp-3.gif]
[Image: record-14-06-0513-04-2026-ezgif-com-vide...rter-1.gif]

Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
or
Sign in
Already have an account? Sign in here.


Forum Jump:


Users browsing this thread: 1 Guest(s)