Forem: Peter Nasarah Dashe

🚀 Permi v0.3.0 – Major Improvements to JS Scanning, AI Accuracy, and Speed

Peter Nasarah Dashe — Mon, 11 May 2026 16:24:25 +0000

I just shipped a significant update to Permi. This release tackles the biggest pain points reported by the community: JS scanning that actually works, smarter XSS detection, and much faster scans.

🧠 Smarter AI – Now CSP‑Aware

Permi’s AI filter can now recognize when a target uses a Content‑Security‑Policy (CSP) that blocks inline script execution. This significantly reduces false positives on hardened websites like GitHub, banks, or government portals.

Before: Reflected XSS payload found → flagged as REAL, even if CSP blocked it.
After: AI checks CSP header → marks as harmless unless the policy allows execution.

🌐 Production‑Ready JavaScript Crawling

The new --js flag launches a Playwright headless browser that can render React, Vue, Angular, and other SPAs. It even works behind Cloudflare thanks to playwright-stealth.


bash
permi scan --url https://example.com --js
Reliability: Falls back to static HTML if JS times out (no more zero‑URL scans).
Control: Configurable timeout with --js-timeout 30 (default 20 seconds).
Deep Discovery: Detects XHR/fetch API endpoints via network request interception.
⚠️ Note: JS scanning is still experimental in the community edition. It works well on most sites, but some may require authentication or infinite scroll. Upgrade to Permi Pro (coming soon) for production‑grade crawling.

⚡ Performance Gains
Concurrency: Concurrent SQL + XSS scanning is now roughly 50% faster.
Deduplication: Smarter URL deduplication avoids testing the same parameter signature twice.
Safety: Added a hard crawl timeout so the CLI will never freeze indefinitely.
🐛 Critical Bug Fixes
Exports: Fixed the issue where --export wouldn't actually write files.
Directories: Fixed subfolder creation for --export results/scan.json.
SQLi Logic: Time‑based SQL injection now uses SLEEP() with a 10s cap and a 6s threshold.
Windows Support: Resolved an asyncio deadlock; Playwright now runs in its own thread.
📦 How to Update
pip install --upgrade permi
Then try:

# Scan a static site
permi scan --url https://example.com

# Scan a JavaScript‑heavy SPA (experimental)
permi scan --url https://example.com --js --js-timeout 30

# Scan your local codebase
permi scan --path ./my-project
🙏 Thank You
This release was shaped by feedback from developers who tried Permi and shared what broke. Special thanks to:

BashSnippets for pushing me to improve error handling.
Endura Security for the supply chain insights.
Everyone who opened an issue or DM’d me with raw scan outputs.
Permi is still free, open source, and built for the community. If it saves you time, please star the repo!


  
    
      
      
        Peternasarah
       / 
        permi
      
    
    
      AI-powered vulnerability scanner for Nigerian developers and global SMBs
    
  
  
    


Permi





AI-powered vulnerability scanner for Nigerian developers and global SMBs.

Permi scans live websites and source code for security vulnerabilities, then uses AI to filter out false positives — so you only see findings that actually matter.

Built in Nigeria. For Nigeria. Then for the world.





Two scan modes




--url — Live web scanning


Point Permi at any website. It crawls the pages, tests for SQL injection, XSS, and checks security headers on the running application.


permi scan --url https://yoursite.com





--path — Static source code scanning



Point Permi at a local folder or GitHub repository. It reads your code files, matches vulnerability patterns, and flags issues before they ship.


permi scan --path ./myapp
permi scan --path https://github.com/user/repo




What Permi detects




Web scanning (--url)








SQL Injection — error-based, boolean-based blind, time-based blind



Cross-Site Scripting (XSS) — reflected XSS with context-aware testing



Missing Security Headers — HSTS, CSP, X-Frame-Options, X-Content-Type-Options

…





  


  View on GitHub




Keep building securely. 🔐

What’s the most frustrating false positive you’ve encountered in a security scanner? Let me know in the comments!

The Onslaught: Why Nigeria's Volume of Cyber Attacks Is Overwhelming Defences

Peter Nasarah Dashe — Mon, 11 May 2026 16:19:46 +0000

By Nasarah Dashe

This is Challenge #2 in a series. Read Challenge #1 here.

Imagine waking up to 50 missed calls from your bank. You check your account balance. It is empty.

A SIM‑swap fraudster convinced your telco agent to transfer your number to another SIM card, then used it to reset your mobile banking PIN and drain every kobo.

Later that week, you receive an email from "Flutterwave Support" asking you to verify a suspicious transaction. You click the link. Within seconds, infostealer malware copies your saved passwords, browser cookies, and BVN‑linked credentials to a server in Eastern Europe.

This is not a hypothetical. This is Tuesday in Nigeria's cyber landscape.

The Onslaught Is Real

The sheer volume and variety of attacks targeting Nigerian individuals, fintechs, banks, and government agencies have reached unprecedented levels.

Unlike Challenge #1 (digitisation without maturity), where the problem is structural, this challenge is active—a relentless barrage that shows no signs of slowing.

According to projections:

AI‑powered phishing attacks will intensify by nearly 70% in 2026
Ransomware groups like Phobos have added Nigerian cloud providers to their target lists
Password stealers are up 66% ; spyware up 53%
Banking trojans now specifically hunt for over 40 Nigerian fintech apps

And insider threats are quietly growing as economic pressures push employees toward dangerous compromises.

The question is not whether your organisation will be attacked. It is how you will detect, prioritise, and respond when the flood hits.

The Attack Menu: A Rogues' Gallery

Let me break down what Nigerian defenders are facing right now.

🎣 AI‑Powered Phishing & Social Engineering

Modern phishing uses generative AI to craft perfect impersonations. Voice phishing (vishing) and SMS scams (smishing) have exploded. A single employee clicking a fake "HR payroll update" link can hand over network credentials to an entire organisation.

💣 Ransomware

Banks and telecoms are prime targets because they cannot afford downtime. The Phobos group has been actively scanning Nigerian cloud infrastructure for weak RDP endpoints. Once inside, they encrypt databases and demand millions in crypto.

🆔 Identity & Credential Theft

Infostealer malware like RedLine silently harvests saved logins, credit card details, and session tokens. Those credentials are sold on dark web markets for as little as $5 per account. Add SIM‑swap fraud, and you have a complete account takeover pipeline.

🏦 Banking Trojans & USSD Hijackers

Grandoreiro has been observed targeting over 40 Nigerian banking apps. It overlays fake login screens to steal credentials. USSD‑specific malware intercepts unencrypted session strings, allowing real‑time transaction hijacking.

👤 Insider Threats

An underpaid support agent with database access can sell customer records. A disgruntled developer can leave a backdoor in production code. Poor separation of duties and lack of behaviour analytics mean these actions often go unnoticed for months.

The Overwhelm Problem: Volume Meets Noise

A typical mid‑sized fintech might receive thousands of security alerts per day. Most are false positives or low severity. But buried inside that firehose are the genuine threats.

Traditional vulnerability scanners make this worse. They generate dozens of "critical" findings—most irrelevant. A developer spends hours triaging instead of responding. Meanwhile, the real attack continues.

Attackers are using AI to generate custom phishing lures, polymorphic malware, and adaptive exploits. Defenders are still drowning in spreadsheet after spreadsheet of unvalidated scanner output.

Cutting Through the Noise: A Smarter Detection Philosophy

The solution is not to buy more tools that generate more noise. The solution is to validate threats before they reach human analysts.

Imagine a scanner that does not just flag "potential SQL injection" on every input field. Instead, it uses a lightweight AI model to confirm whether the injection actually worked. If the AI determines it is a false positive, the finding is discarded. The human only sees what is real.

This concept—intelligent false‑positive filtering—is already being implemented in open‑source tools like Permi.

Built by a Nigerian cybersecurity student, Permi scans live websites or source code for common vulnerabilities (SQLi, XSS, missing headers, hardcoded secrets). Then, optionally, it calls an LLM via OpenRouter to validate each finding.

The result: instead of 50 alarms, you get 8 genuine issues. Instead of hours of triage, you get minutes of focused remediation.

Permi also includes rules specifically for Nigerian attack surfaces:

USSD gateway misconfigurations
Exposed Paystack/Flutterwave keys
NDPR‑relevant gaps

For a small fintech with one part‑time security person, that noise reduction is the difference between surviving an attack and becoming a statistic.

Practical Steps to Survive the Onslaught

Implement AI‑aware phishing training – Use real‑time threat intelligence to block suspicious domains. Teach users to verify requests through out‑of‑band channels (e.g., call back a known number).
Prioritise identity hygiene – Enforce MFA everywhere. Treat SIM‑swap as a high‑risk event—require in‑person verification for SIM replacements.
Reduce your alert surface – Uninstall noisy, high‑false‑positive scanners. Replace them with tools that validate findings.
Monitor for infostealer logs – Services like HaveIBeenPwned can alert you when employee credentials appear in stealer logs. Rotate them immediately.
Create an insider threat programme – Limit access to the minimum necessary. Log sensitive database queries. Pay security staff competitively.

The Human Factor: Why Volume Exhaustion Is Real

Security professionals in Nigeria are overworked, underpaid, and often alone. The "japa" brain drain means the few who remain juggle multiple roles.

When every scan returns 50 critical alerts, they stop taking alerts seriously. When ransomware hits despite their best efforts, they blame themselves.

This is not a personal failing. It is a systemic one. Our tools have failed them.

The shift toward intelligent, low‑noise, locally relevant security tooling is not a luxury—it is a survival mechanism.

Looking Ahead: The 2026 Escalation

All projections indicate 2026 will be worse:

AI‑native malware that rewrites itself to evade detection
Autonomous exploits that scan, breach, and pivot without human control
Election‑related cyber attacks
Zero‑trust gaps as organisations rush to cloud

The volume will not decrease. The sophistication will increase. The only variable we can control is our ability to distinguish real threats from noise.

That is why I am cautiously optimistic about grassroots tools like Permi. They represent a different philosophy: small, sharp, honest. They solve one problem—false positives—better than billion‑dollar alternatives.

In a country where every security professional is already outnumbered, that one improvement can be enough to tip the balance.

The Bottom Line

Nigeria is under an active, diverse, and escalating cyber attack. Phishing, ransomware, identity theft, banking trojans, USSD hijacking, and insider threats are not coming—they are here.

The volume is overwhelming defences because our traditional tools generate more noise than signal.

We need a new approach: intelligent validation, local relevance, and ruthless prioritisation of real threats. Open‑source projects like Permi are showing the way forward.

They will not stop every attack, but they will stop the paralysis of false alarms—giving our overstretched defenders a clear, concise, and actionable picture of what actually needs fixing.

The onslaught will not pause. But neither should we.

Let's Discuss

What attack types have hit your organisation hardest? How are you cutting through the alert noise? Drop your experiences in the comments.

Next in this series: Challenge #3 – Unique Vulnerabilities in Fintech & Mobile Money (USSD risks, agent fraud, low digital literacy, and how local tooling can help).

Cover image: [Unsplash or your own]

Permi v0.2.10: Making Security Scans Portable with JSON and Markdown

Peter Nasarah Dashe — Tue, 05 May 2026 13:14:01 +0000

What's new

Based on early user feedback, Permi can now save your vulnerability scan results in three distinct formats to fit your workflow:

--export results.txt – Human-readable plain text for quick reviews.
--export results.json – Structured data designed for scripts and CI/CD automation.
--export results.md – Clean Markdown, perfect for GitHub documentation or internal wikis.

Example

To try out the new export feature, ensure you have the latest version installed:


bash
pip install -U permi
permi scan --path ./src --export report.md
The exported file includes:

Scan metadata: Target path, timestamp, and duration.
AI filter summary: Raw findings vs. real findings and noise reduction percentage.
Detailed findings: Each vulnerability includes the file path, line number, code snippet, confidence score, and the AI's reasoning.
Why this matters
Developers told me they wanted to share results with their teams, attach reports to Jira tickets, or archive scans for compliance. By moving beyond just CLI output, Permi can now live inside your existing project documentation.

What's next
The roadmap is focused on making these scans even more accessible:

VS Code extension: For real-time scanning as you code.
GitHub Action: To automate PR checks using the new JSON export.
Has anyone successfully integrated AI-filtered security scans into their workflow yet?


  
    
      
      
        Peternasarah
       / 
        permi
      
    
    
      AI-powered vulnerability scanner for Nigerian developers and global SMBs
    
  
  
    


Permi





AI-powered vulnerability scanner for Nigerian developers and global SMBs.

Permi scans live websites and source code for security vulnerabilities, then uses AI to filter out false positives — so you only see findings that actually matter.

Built in Nigeria. For Nigeria. Then for the world.





Two scan modes




--url — Live web scanning


Point Permi at any website. It crawls the pages, tests for SQL injection, XSS, and checks security headers on the running application.


permi scan --url https://yoursite.com





--path — Static source code scanning



Point Permi at a local folder or GitHub repository. It reads your code files, matches vulnerability patterns, and flags issues before they ship.


permi scan --path ./myapp
permi scan --path https://github.com/user/repo




What Permi detects




Web scanning (--url)








SQL Injection — error-based, boolean-based blind, time-based blind



Cross-Site Scripting (XSS) — reflected XSS with context-aware testing



Missing Security Headers — HSTS, CSP, X-Frame-Options, X-Content-Type-Options

…





  


  View on GitHub




📦 GitHub Release Notes (v0.2.10)

🚀 New Feature

Added --export flag supporting .txt, .json, and .md.

🧹 Improvements

Better error handling for AI API timeouts.

Faster JSON parsing in the AI filter logic.

🙏 Thanks

To everyone who sent feedback about the CLI output—you made this happen. Keep it coming.

The Onslaught: Why Nigeria's Volume of Cyber Attacks Is Overwhelming Defences

Peter Nasarah Dashe — Tue, 05 May 2026 11:43:33 +0000

By Nasarah Dashe

This is Challenge #2 in a series. Read Challenge #1 here.

Imagine waking up to 50 missed calls from your bank. You check your account balance. It is empty.

A SIM‑swap fraudster convinced your telco agent to transfer your number to another SIM card, then used it to reset your mobile banking PIN and drain every kobo.

This is not a hypothetical. This is Tuesday in Nigeria's cyber landscape.

The Onslaught Is Real

The sheer volume and variety of attacks targeting Nigerian individuals, fintechs, banks, and government agencies have reached unprecedented levels.

Unlike Challenge #1 (digitisation without maturity), where the problem is structural, this challenge is active—a relentless barrage that shows no signs of slowing.

According to projections:

AI‑powered phishing attacks will intensify by nearly 70% in 2026
Ransomware groups like Phobos have added Nigerian cloud providers to their target lists
Password stealers are up 66% ; spyware up 53%
Banking trojans now specifically hunt for over 40 Nigerian fintech apps

And insider threats are quietly growing as economic pressures push employees toward dangerous compromises.

The question is not whether your organisation will be attacked. It is how you will detect, prioritise, and respond when the flood hits.

The Attack Menu: A Rogues' Gallery

Let me break down what Nigerian defenders are facing right now.

🎣 AI‑Powered Phishing & Social Engineering

💣 Ransomware

🆔 Identity & Credential Theft

🏦 Banking Trojans & USSD Hijackers

👤 Insider Threats

The Overwhelm Problem: Volume Meets Noise

A typical mid‑sized fintech might receive thousands of security alerts per day. Most are false positives or low severity. But buried inside that firehose are the genuine threats.

Attackers are using AI to generate custom phishing lures, polymorphic malware, and adaptive exploits. Defenders are still drowning in spreadsheet after spreadsheet of unvalidated scanner output.

Cutting Through the Noise: A Smarter Detection Philosophy

The solution is not to buy more tools that generate more noise. The solution is to validate threats before they reach human analysts.

This concept—intelligent false‑positive filtering—is already being implemented in open‑source tools like Permi.

The result: instead of 50 alarms, you get 8 genuine issues. Instead of hours of triage, you get minutes of focused remediation.

Permi also includes rules specifically for Nigerian attack surfaces:

USSD gateway misconfigurations
Exposed Paystack/Flutterwave keys
NDPR‑relevant gaps

For a small fintech with one part‑time security person, that noise reduction is the difference between surviving an attack and becoming a statistic.

Practical Steps to Survive the Onslaught

Implement AI‑aware phishing training – Use real‑time threat intelligence to block suspicious domains. Teach users to verify requests through out‑of‑band channels (e.g., call back a known number).
Prioritise identity hygiene – Enforce MFA everywhere. Treat SIM‑swap as a high‑risk event—require in‑person verification for SIM replacements.
Reduce your alert surface – Uninstall noisy, high‑false‑positive scanners. Replace them with tools that validate findings.
Monitor for infostealer logs – Services like HaveIBeenPwned can alert you when employee credentials appear in stealer logs. Rotate them immediately.
Create an insider threat programme – Limit access to the minimum necessary. Log sensitive database queries. Pay security staff competitively.

The Human Factor: Why Volume Exhaustion Is Real

Security professionals in Nigeria are overworked, underpaid, and often alone. The "japa" brain drain means the few who remain juggle multiple roles.

When every scan returns 50 critical alerts, they stop taking alerts seriously. When ransomware hits despite their best efforts, they blame themselves.

This is not a personal failing. It is a systemic one. Our tools have failed them.

The shift toward intelligent, low‑noise, locally relevant security tooling is not a luxury—it is a survival mechanism.

Looking Ahead: The 2026 Escalation

All projections indicate 2026 will be worse:

AI‑native malware that rewrites itself to evade detection
Autonomous exploits that scan, breach, and pivot without human control
Election‑related cyber attacks
Zero‑trust gaps as organisations rush to cloud

The volume will not decrease. The sophistication will increase. The only variable we can control is our ability to distinguish real threats from noise.

In a country where every security professional is already outnumbered, that one improvement can be enough to tip the balance.

The Bottom Line

Nigeria is under an active, diverse, and escalating cyber attack. Phishing, ransomware, identity theft, banking trojans, USSD hijacking, and insider threats are not coming—they are here.

The volume is overwhelming defences because our traditional tools generate more noise than signal.

We need a new approach: intelligent validation, local relevance, and ruthless prioritisation of real threats. Open‑source projects like Permi are showing the way forward.

They will not stop every attack, but they will stop the paralysis of false alarms—giving our overstretched defenders a clear, concise, and actionable picture of what actually needs fixing.

The onslaught will not pause. But neither should we.

Let's Discuss

What attack types have hit your organisation hardest? How are you cutting through the alert noise? Drop your experiences in the comments.

Next in this series: Challenge #3 – Unique Vulnerabilities in Fintech & Mobile Money (USSD risks, agent fraud, low digital literacy, and how local tooling can help).

Cover image: [Unsplash or your own]

The Digital Tsunami and the Security Hangover: Nigeria's First Cybersecurity Challenge

Peter Nasarah Dashe — Sun, 26 Apr 2026 11:52:24 +0000

By Nasarah Dashe

If you have sent money via USSD, paid for groceries with a mobile wallet, or onboarded a new fintech app in the last 12 months, you have touched Nigeria's digital economy. It is vibrant, relentless, and growing faster than almost anywhere else in the world.

Between 2020 and 2025, Nigeria saw an explosion in fintech startups, mobile banking agents, and cashless payment channels. The Central Bank's cashless policy, combined with a young, tech-savvy population, pushed transaction values into the trillions of Naira. USSD codes like *737# or *894# became household commands. Mobile wallets replaced physical banks for millions of unbanked citizens.

This is progress. This is inclusion. This is the future.

But there is a shadow beneath the speed.

The very force driving Nigeria's digitisation—rush, competition, and pressure to onboard users—has left a critical gap wide open: security maturity. We are building a ten-lane highway while still using paper maps and wooden guardrails. And attackers have already found the exits.

Let me walk you through the anatomy of this challenge, because until we name it honestly, we cannot fix it.

The Explosion: What Rapid Digitisation Looks Like on the Ground

Walk into any bustling market in Lagos, Kano, or Port Harcourt. You will see small traders with point-of-sale (POS) terminals powered by mobile apps. You will see customers dialling USSD codes on feature phones to transfer airtime or pay bills. Behind the scenes, APIs link these tiny transactions to large switching hubs, banks, and fintech processors like Paystack, Flutterwave, Moniepoint, and OPay.

The numbers are staggering. According to the Nigeria Inter-Bank Settlement System (NIBSS), mobile money transactions alone have grown by over 200% in some quarters year-on-year. USSD still processes billions of Naira monthly, especially for users without smartphones. Fintech startups have raised hundreds of millions of dollars in funding, promising to "unbank the unbanked."

But here is the uncomfortable truth: many of these systems—whether legacy banking infrastructure repurposed for mobile, or fast-built fintech MVPs—lack modern security protections.

Why? Because speed to market was the priority. Security was a checklist, not a culture.

The Attack Surface: What We Have Exposed

Every new digital channel is a door. Every API endpoint is a window. Every USSD gateway is a potential back alley. When you digitise rapidly without corresponding security maturity, you do not just expand access—you expand vulnerability.

Consider the typical Nigerian mobile money ecosystem:

USSD interfaces that communicate in plain text over SS7 networks, vulnerable to interception and session hijacking.
Mobile wallets that store user credentials on devices with weak encryption or no runtime protection.
Agent banking apps with hardcoded API keys or poor authentication logic, exposed in public repositories.
Legacy core banking systems wrapped in modern APIs but never audited for modern threats like injection or broken access control.

Attackers love this chaos. They do not need zero-day exploits. They just need one misconfigured server, one forgotten debug endpoint, one USSD session token sent in the clear.

And because Nigeria's digitisation happened in waves—each provider layering new features on old foundations—the attack surface is not a straight line. It is a tangle of protocols, versions, and forgotten services.

Real Consequences: When Speed Meets Exploitation

This is not a theoretical risk. We have seen the results.

Fintech breaches involving credential exposure have led to billions of Naira in unauthorised transfers. USSD session hijacking has allowed fraudsters to drain accounts while victims sleep. SIM-swap attacks, amplified by poor verification at telecom agents, have handed over mobile money accounts to criminals.

The common thread in many of these incidents? Not sophisticated hacking. Exploitable gaps left open because security was bolted on after launch, not built in from the start.

One example: a popular mobile lending app left its API completely open, exposing user loan details, BVNs, and phone numbers. No authentication. No rate limiting. It was discovered by a security researcher—not by the company's own team. That is the symptom of maturity lag.

Why Traditional Scanners Fail the Maturity Test

So how do organisations defend themselves? Many turn to automated vulnerability scanners. They run a tool, get a report, and "fix" the red items. But here is where the maturity gap creates a second-order problem.

Most traditional scanners—even expensive ones—are built for idealised environments. They assume clean configurations, standard frameworks, and English-language error messages. They also suffer from a crippling flaw: false positives.

A typical scan against a Nigerian fintech portal might return 50 "critical" findings. After hours of triage, a developer realises that 42 of them are false alarms: outdated rule sets, misinterpretations of custom code, or generic warnings that don't apply. The remaining 8 are real—but now the team is exhausted, frustrated, and less likely to trust future scans.

When security tools waste your time, you stop using them properly. And when you stop using them, the gap between digitisation and maturity grows even wider.

A Smarter Path Forward: Local Solutions for Local Problems

The answer is not to stop digitising. That would be like asking a race car to brake suddenly on a highway. The answer is to match speed with intelligence—specifically, the intelligence to separate real threats from noise.

Imagine a tool that scans live websites or source code for the same vulnerabilities (SQL injection, XSS, missing headers, hardcoded secrets) but then uses an optional AI layer to validate each finding. Instead of drowning in 50 alerts, you see only the 8 that actually matter. You save hours. You fix what is broken. You move on.

That tool exists. It is called Permi. It is open-source, free, and built by a Nigerian cybersecurity student who got tired of traditional scanners crying wolf. Permi understands local contexts: it can check for USSD gateway misconfigurations, flag exposed Paystack or Flutterwave keys, and even nod to NDPR compliance requirements—all while running in offline mode if you prefer.

But here is the deeper point: tools like Permi embody the exact mindset Nigeria needs. Not expensive, imported black boxes with generic rule sets. Lightweight, developer-first, locally relevant software that respects your time and your budget. It does not pretend to be a complete security operations centre. It simply says: "Here are your real vulnerabilities. Ignore the noise."

That is what matching security maturity to digitisation looks like. Not perfect. Not over-engineered. Just honest and actionable.

What Organisations Can Do Right Now

While policymakers and regulators work on frameworks (the new 2026 NITDA guidelines are a start), individual organisations cannot wait. Here are three immediate steps to close the maturity gap:

Audit your USSD and mobile wallet integrations – Treat them as high-risk channels. Check for unencrypted sessions, weak authentication flows, and excessive logging of sensitive data.
Run regular, low-noise scans – Use tools that prioritise accuracy over volume. Permi is one example, but the principle matters more: false positives are not harmless; they burn team morale.
Build security into the deployment pipeline – Do not scan only once a quarter. Automate lightweight scans every time code is pushed. Catch the hardcoded secret before it reaches production.

The cost of ignoring this gap grows every day. Attackers are not slowing down. They are automating their attacks with AI—while many Nigerian systems still rely on manual, reactive defences.

The Bottom Line

Rapid digitisation without matching security maturity is not a bug in Nigeria's tech story. It is a feature of the speed we chose. And that choice has brought prosperity to millions. But the feature has become a liability.

We cannot rewind the clock. We can, however, stop pretending that generic scanners and annual compliance checklists are enough. We need practical, local, intelligent tools that help developers and small teams actually see what is broken—without wasting their time.

Permi is one small example of that new wave. It will not solve every problem. But it points the way: away from noise, toward signal. Away from imported irrelevance, toward homegrown relevance. Away from panic, toward calm, methodical improvement.

The digital tsunami is here. It is time to build guardrails that actually work.

What has been your experience with security maturity gaps in Nigeria's fintech or mobile money space? Share your thoughts below. Let's talk solutions, not just problems.

Next in this series: Challenge #2 – High Volume of Common & Sophisticated Attacks (phishing, ransomware, identity theft, and the tools that can help cut through the noise). Watch out for next series.

Malware-Based Attacks: The Undying Threat of the Computer Virus

Peter Nasarah Dashe — Tue, 14 Apr 2026 20:54:37 +0000

When most people hear "hacking," they picture a hooded figure pounding a keyboard. In reality, some of the most devastating breaches start with a single, silent, self-replicating line of code: the computer virus.

Unlike a ransomware gang that announces its presence, a virus is the ultimate insider threat—because it becomes part of the insider.

1. Clearly Defined: What Is a Computer Virus?

A computer virus is a type of malicious software (malware) that, when executed, replicates itself by modifying other computer programs and inserting its own code. The name is biological for a reason: just as a biological virus hijacks a host cell to reproduce, a computer virus hijacks legitimate files or systems to spread.

Key distinction: A virus requires human action to spread (e.g., opening an infected attachment). A worm, by contrast, spreads automatically without human help.

2. How It Works (The Infection Chain)

Understanding the mechanics is your first line of defense.

Entry & Execution: You download an infected attachment, run a cracked piece of software, or boot from a contaminated USB drive. The malicious code executes.
Replication: The virus scans your system for uninfected executable files (.exe, .scr, .dll) or boot sectors. It attaches its code to them, often compressing or encrypting itself to avoid detection.
Persistence: It adds itself to startup sequences, registry keys, or scheduled tasks. Even if you "clean" the active file, the virus reloads on reboot.
Payload Delivery: This is the "why." The payload could trigger immediately (delete files), wait for a specific date (logic bomb), or phone home to a command server.

Polymorphic viruses rewrite their own code each time they replicate, making signature-based antivirus almost useless.

3. A Brief History (From Floppies to Cloud)

1971 (Theoretical): Creeper – an experimental self-replicating program on ARPANET.
1986 (The Wild): Brain – the first IBM-compatible virus, created by two Pakistani brothers to track pirated medical software.
1999 (Global Panic): Melissa – a macro virus in Word docs that spread via email, crashing corporate mail servers worldwide.
2000 (Devastation): ILOVEYOU – a Visual Basic script disguised as a love letter. It caused an estimated $10 billion in damages and infected 10% of all internet-connected computers at the time.
Today: Viruses now target firmware, IoT devices, and cloud container images.

4. Why Attackers Use Viruses (The Strategic Advantage)

Attackers don't just "want chaos." Viruses offer specific tactical benefits:

Persistence without presence: Unlike a hacker who needs a live connection, a virus works autonomously.
Lateral movement: Once inside your network, a virus can infect shared drives and servers before any manual breach is detected.
Supply chain infection: Infect one vendor's software update tool, and you compromise thousands of clients (e.g., the 2017 NotPetya attack).
Deniability: Attributing a virus is notoriously difficult due to its self-replicating nature.

5. Real-World Example: The "ILOVEYOU" Virus (2000)

This is the gold standard of virus destruction.

How it worked: Victims received an email with a subject line "ILOVEYOU" and an attachment "LOVE-LETTER-FOR-YOU.txt.vbs". Windows hid the final .vbs extension.

What it did: Upon opening, it overwrote image, music, and document files (JPG, MP3, DOC) with its own code, then sent copies of itself to every contact in the user's Outlook address book.

The damage:

The Pentagon, CIA, and British Parliament shut down their email systems.
500,000+ infected systems globally.
Total economic losses: $10–15 billion (in 2000 dollars).

6. How to Spot a Virus Infection (Early Warning Signs)

You won't always see a skull-and-crossbones popup. Look for these subtle indicators:

Signal	What it looks like
Performance decay	Suddenly slow file saves, program launches, or boot times.
File anomalies	Files disappear, reappear, or have weird double extensions (e.g., `invoice.pdf.exe`).
Disk thrashing	Hard drive or SSD activity when you're doing nothing.
Strange popups	Fake "antivirus" warnings urging you to call a number.
Disabled tools	Task Manager, Registry Editor, or CMD won't open.
Unusual outbound traffic	Network activity spikes when you're offline or idle.

7. What to Do If You've Already Been Attacked (IR Steps)

Do not panic. Do not shut down immediately (that can destroy forensic evidence). Follow this sequence:

Immediate (First 10 minutes):

Disconnect from the network – Unplug Ethernet, disable Wi-Fi. This stops spread.
Do not reboot – Some viruses are "memory-resident only" until a reboot writes them to disk.
Document everything – Take photos of error messages, unusual files, and timestamps.

Containment (First hour):

Run a trusted offline scan – Boot from a read-only USB antivirus (e.g., Windows Defender Offline, Kaspersky Rescue Disk).
Change all credentials – From a clean device, change passwords for email, banking, and remote access.
Identify patient zero – Which user and file triggered it? Check email logs and download history.

Recovery (24–48 hours):

Nuke from orbit – The only reliable way to remove a complex virus: wipe the drive and restore from a known clean backup (from before the infection).
Patch and update – Update BIOS, firmware, and all software before reconnecting.

8. The Final Word (For Business Leaders)

Here is the uncomfortable truth: Antivirus alone is dead against modern viruses. Signature-based tools miss polymorphic and fileless variants. Your real defenses are:

Application whitelisting (only approved executables can run).
User education (the virus can't execute if the user doesn't click).
Immutable backups (offline, write-once storage).

A virus doesn't hack your technology. It hacks your user's decision-making. Train that, and you've built the strongest wall.

9. The Extra Section: The Legal & Compliance Nightmare

Everyone focuses on technical recovery. But after a virus attack, your legal obligations begin.

Data breach notification laws: If the virus exfiltrated data (even temporarily), you may have 72 hours (GDPR) or 30 days (CCPA) to notify regulators and affected individuals. Failure = fines up to €20M or 4% of global revenue.
Chain of custody: If you reboot or tamper with an infected machine before forensics, you may destroy evidence needed for insurance claims or lawsuits.
Cyber insurance voidance: Most policies require "reasonable security measures" (e.g., MFA, patching within 30 days). If a virus exploited a 6-month-old known vulnerability, your claim could be denied.
Third-party liability: Did your infected system send virus-laden emails to clients? You could be liable for their downtime and recovery costs.

Action item: Add your legal counsel and cyber insurer to your incident response plan before the virus hits. Not after.

📚 Further Reading & Resources

Full cybersecurity insights and tools: peternasarah.github.io/permi

Over to you: Have you ever experienced a virus outbreak at work? What was the "patient zero" file? Let’s discuss in the comments. 👇

Tags: #CyberSecurity #Malware #InfoSec #IncidentResponse #DataBreach #DevCommunity

Most security tools still use 20-year-old rules. That's why I built Permi.

Peter Nasarah Dashe — Sun, 12 Apr 2026 13:24:10 +0000

The Problem

Old-school vulnerability scanners work like this:

If response matches pattern → safe
Else → unsafe

That logic was fine in the early 2000s. But modern systems are dynamic, complex, and full of legitimate edge cases. Those same tools now flood you with false positives.

You run a scan. It says 50 "critical" issues. You spend hours filtering. Only 8 are real. That's not security—that's a productivity killer.

What Permi Does Differently

Permi is an AI-powered vulnerability scanner built for today's development workflow.

Reduces false positives with intelligent filtering.
Works where you code – CLI now, VS Code & GitHub actions coming soon.
One command to scan websites or source code.


bash
pip install permi
permi scan --url https://your-site.com

##Early stage, honest feedback needed
Permi is still in early development. It's stable, but you might find rough edges. If something is confusing, broken, or missing:

Comment below or DM me.
Open an issue on GitHub.
Your feedback will directly shape Permi into the tool developers actually need.


  
    
      
      
        Peternasarah
       / 
        permi
      
    
    
      AI-powered vulnerability scanner for Nigerian developers and global SMBs
    
  
  
    


Permi





AI-powered vulnerability scanner for Nigerian developers and global SMBs.

Permi scans live websites and source code for security vulnerabilities, then uses AI to filter out false positives — so you only see findings that actually matter.

Built in Nigeria. For Nigeria. Then for the world.





Two scan modes




--url — Live web scanning


Point Permi at any website. It crawls the pages, tests for SQL injection, XSS, and checks security headers on the running application.


permi scan --url https://yoursite.com





--path — Static source code scanning



Point Permi at a local folder or GitHub repository. It reads your code files, matches vulnerability patterns, and flags issues before they ship.


permi scan --path ./myapp
permi scan --path https://github.com/user/repo




What Permi detects




Web scanning (--url)








SQL Injection — error-based, boolean-based blind, time-based blind



Cross-Site Scripting (XSS) — reflected XSS with context-aware testing



Missing Security Headers — HSTS, CSP, X-Frame-Options, X-Content-Type-Options

…





  


  View on GitHub




  
  
  Links


PyPI: pip install permi

GitHub: peternasarah/permi

Let's kill false positives together. 🔥 

 Permi CLI scanning a live URL for vulnerabilities

250 Clones in 4 Days! Thank You 🙌

Peter Nasarah Dashe — Sat, 11 Apr 2026 14:09:01 +0000

Permi just hit a huge milestone, and I couldn't be more grateful. Now, I need your help to make it even better.

I'm building this in public, and your feedback is the most valuable tool I have.

How is your experience so far?

If you've run permi scan, please leave a comment with one of these words:

🔴 "broke" – if something crashed
🟡 "confusing" – if it wasn't clear
🟢 "useful" – if it helped

Alternatively, feel free to DM me with specific details. No pitch—just trying to build something helpful.

Peternasarah / permi

AI-powered vulnerability scanner for Nigerian developers and global SMBs

Permi

AI-powered vulnerability scanner for Nigerian developers and global SMBs.

Permi scans live websites and source code for security vulnerabilities, then uses AI to filter out false positives — so you only see findings that actually matter.

Built in Nigeria. For Nigeria. Then for the world.

Two scan modes

`--url` — Live web scanning

Point Permi at any website. It crawls the pages, tests for SQL injection, XSS, and checks security headers on the running application.

permi scan --url https://yoursite.com

`--path` — Static source code scanning

Point Permi at a local folder or GitHub repository. It reads your code files, matches vulnerability patterns, and flags issues before they ship.

permi scan --path ./myapp
permi scan --path https://github.com/user/repo

What Permi detects

Web scanning (`--url`)

SQL Injection — error-based, boolean-based blind, time-based blind
Cross-Site Scripting (XSS) — reflected XSS with context-aware testing
Missing Security Headers — HSTS, CSP, X-Frame-Options, X-Content-Type-Options
…

View on GitHub

Open an issue on GitHub

250 Clones in 4 Days: A Student's Journey Building an AI Security Tool

Peter Nasarah Dashe — Tue, 07 Apr 2026 12:07:05 +0000

🚀 250 Clones in 4 Days: A Student's Journey Building an AI Security Tool

By Nasarah Peter Dashe

Cybersecurity Student @ UNIJOS | Founder of Permi

The Numbers That Surprised Me

On April 2nd, 2026, I did something terrifying.

I typed pip install permi into my terminal, ran a few final tests, and hit publish on PyPI. A vulnerability scanner built by a student with no funding, no team, and no prior accomplishments was now available for anyone in the world to download.

Four days later, GitHub told me something I didn't expect:

250 clones.

62 developers per day, on average, downloading Permi. Testing it. Breaking it. Some even giving feedback.

This isn't a Silicon Valley startup with millions in backing. This is a cybersecurity student at the University of Jos, building in public, one commit at a time.

The Problem That Wouldn't Leave Me Alone

I've spent hours staring at security scan reports. You know the kind: 47 "critical" vulnerabilities flagged, only 4 of them real. The rest? False positives. Misconfigurations that don't apply. Warnings about libraries I wasn't even using.

That's not security. That's noise.

And noise has a cost:

Developers learn to ignore alerts
Real vulnerabilities slip through
Breaches happen

The recent LiteLLM supply chain attack proved that even the tools we trust to secure us can become the vulnerability. Three security tools compromised in five days using the same stolen credentials. The attacker didn't exploit the tools – they exploited the CI/CD access those tools had.

I saw this gap and couldn't unsee it.

Nigerian developers and SMBs are stuck with expensive, complex tools built for Western enterprises. Tools that don't understand our local fintech APIs, our hosting constraints, or the unique threats we face. Tools that interrupt our flow instead of supporting it.

So I decided to build something different.

What Permi Is (And Isn't)

Permi is an AI-powered vulnerability scanner designed for one job: meet developers where they already work.

Feature	Status
`pip install permi`	✅ Live
CLI scan command	✅ Live
Web vulnerability detection (SQLi, XSS, etc.)	✅ Live
AI false-positive classifier	🚧 In progress
VS Code extension	🔜 Planned
GitHub Action	🔜 Planned

One command to scan a website:

pip install permi
permi scan --url https://example.com

No context switching. CLI first, with IDE integrations coming soon.

AI that actually helps. False-positive filtering, remediation suggestions, risk prioritization.

Built for Nigeria first. Affordable pricing, local vulnerability checks, NDPR compliance mapping.

Permi isn't trying to replace every security tool. It's trying to fix the parts that frustrate developers most.

What 250 Clones Tell Me

Numbers without context are just numbers. Here's what these 250 clones mean to me:

1. The problem is real

Developers don't clone random repos. They clone tools they intend to use or learn from.

2. My announcement worked

The spike of 70 clones in a single day came right after I shared Permi on social media. Community matters.

3. Word of mouth is happening

250 clones in 4 days means people are sharing my link. I don't have a marketing budget. I have developers who see value.

4. I'm no longer "pre-product"

An investor recently told me Permi had "no traction." Now I have evidence that the market disagrees.

What I've Learned (In Just 4 Days)

Shipping is everything.

An imperfect product in the wild is infinitely more valuable than a perfect product in your head.

Traction talks.

No amount of pitch deck polish replaces a developer typing pip install permi and running your code.

Community is my unfair advantage.

Senior security leaders accepted my connection requests. Practicing security analysts took time to explain real-world misconfigurations like .env leaks and dependency confusion. Security companies engaged with my posts.

These aren't just names. They're people who saw a student trying to build something real and decided to help.

What's Next for Permi

The MVP is live. Now I'm building:

AI false-positive classifier – cut the noise by 80%
VS Code extension – real-time scanning as you code
GitHub Action – automatic PR comments and blocking
API scanner – for fintechs and backend teams

I've also applied to the iDICE Founders Lab – a ₦10 million grant program for early-stage Nigerian founders. If selected, I'll use the funding to focus on Permi full-time, hire a part-time developer, and reach our first 500 paying users.

I Need Your Help

I'm not writing this to brag about 250 clones. I'm writing this because I genuinely believe the best products are built with the community, not in isolation.

So here's my ask:

If you're a developer, founder, or security professional:

Try Permi:

   pip install permi
   permi scan --url https://your-site.com

Break it. Tell me what's missing, what's confusing, what's broken.
Share this post with one person who struggles with security noise.

And if you've ever ignored a security alert because you've been burned by false positives before – drop a comment. I want to hear your story.

One Last Thing

Four days ago, Permi was just a PyPI package.

Today, it's been cloned 250 times.

Tomorrow, I'm back to building.

Because that's what founders do. We ship, we learn, we iterate. And we do it in public, so everyone can see that a student at UNIJOS with no funding can still build tools that matter.

pip install permi and let's secure Nigeria's developers, one scan at a time.

🔗 Links

GitHub: github.com/peternasarah/permi
PyPI: pypi.org/project/permi
Twitter/X: @peternasarah
Permi: https://peternasarah.github.io/permi

🏷️ Tags

cybersecurity devsecops opensource python buildinpublic supplychainsecurity

The Vulnerability Scanner That Became the Vulnerability

Peter Nasarah Dashe — Tue, 31 Mar 2026 21:27:31 +0000

The Story

A vulnerability scanner got hacked.

Then the hackers used it to poison one of the most popular AI libraries on the planet.

That happened last week.

Here's what went down:

March 19 — TeamPCP compromised Aqua Security's Trivy, one of the most trusted open-source vulnerability scanners in DevSecOps.

March 23 — Using stolen credentials, they compromised Checkmarx's KICS GitHub Actions and VS Code extensions.

March 24 — Those same credentials gave them access to LiteLLM's CI/CD pipeline.

What Is LiteLLM?

LiteLLM is the universal AI gateway used across 36% of all cloud environments. It averages 95 million downloads per month. It sits between applications and 100+ AI providers—holding API keys for OpenAI, Anthropic, AWS, and Azure in one place.

The attackers published two backdoored versions to PyPI.

What the Malware Did

In just three hours, the malware:

Harvested SSH keys, cloud credentials, and Kubernetes secrets
Deployed privileged pods to every node in Kubernetes clusters
Installed a persistent backdoor polling for additional payloads
Swept cryptocurrency wallets and .env files

TeamPCP posted this on Telegram:

"These companies were built to protect your supply chains yet they can't even protect their own."

They also announced a partnership with LAPSUS$.

Let that land.

The Irony That Kills

Victim	Their Job	What Happened
Aqua Trivy	Vulnerability scanner	Got hacked
Checkmarx KICS	Infrastructure as Code security	Got hacked
LiteLLM	AI gateway with 95M downloads	Got backdoored

The companies selling supply chain security became the supply chain risk.

What This Means for Developers

If Trivy, KICS, and LiteLLM—with all their resources and visibility—can be compromised this way, what does that mean for the rest of us?

More importantly: What should we be asking our security tool providers right now?

I'm a cybersecurity student at UNIJOS, and I've been sitting with this question all week.

The Question I Keep Coming Back To

If you're using security tools in your workflow—scanners, CI/CD integrations, AI libraries—what's one thing you wish you knew about their security before you started using them?

Not asking for product pitches. Genuinely trying to understand how developers and security professionals are thinking about this.

Drop your thoughts in the comments. I'll read every single one.

A Quick Reflection

This attack reinforced something for me:

Firewalls aren't enough. Tools aren't enough. Even the tools built to protect us need to be secured.

If we're building on top of AI infrastructure, we have to start asking harder questions about the tools we trust—because right now, the attackers are asking the right questions.

Let's learn together.

If you found this helpful, consider sharing it with someone who's building on AI infrastructure. We need to have this conversation.

Reducing False Positives in XSS Detection: Designing Confirmation-Based Scanners

Peter Nasarah Dashe — Thu, 26 Feb 2026 23:53:23 +0000

Most beginner vulnerability scanners detect XSS using a simple pattern:

Inject payload
Check if payload appears in response
If yes → flag vulnerability

This approach is fast. It is also deeply flawed.

In real-world applications, reflection alone does not equal exploitability. Reflection without context analysis leads to massive false positives.

In this article, I'll walk you through a structured approach to reducing false positives in reflected XSS detection.

The Core Problem: Reflection ≠ Execution

A payload appearing in the response does not mean:

It executes
It appears in a dangerous context
It bypasses encoding
It breaks out of attributes or scripts

For example:

<p>You searched for: &lt;script&gt;alert(1)&lt;/script&gt;</p>

A naive scanner flags this. But the payload is HTML-encoded. There is no XSS. Yet many tools still report it.

Designing a Confirmation-Based Detection Model

Instead of binary reflection checks, a structured scanner should:

Inject a uniquely identifiable marker
Analyze where it appears
Classify context
Confirm exploitability conditions
Only then report

This changes detection from pattern-matching to context validation.

Step 1: Unique Marker Injection

Instead of injecting generic payloads like:

<script>alert(1)</script>

Use uniquely identifiable markers:

PERMI_XSS_9fA21

This allows precise reflection tracking without accidental matches.

Step 2: Context Classification

Where did the marker appear?

Inside HTML body text
Inside attribute value
Inside JavaScript block
Inside HTML tag name
Inside comment
Inside encoded output

Each context has different exploitability rules.

Safe contexts:

Fully HTML encoded
Inside comment
Inside text node without script context

Potentially dangerous contexts:

Inside unquoted attribute
Inside JavaScript string
Inside event handler
Inside script block

Context matters more than reflection.

Step 3: Encoding Detection

Before reporting, confirm:

Is < encoded?
Is " encoded?
Is ' encoded?
Are special characters escaped?

If the payload is consistently encoded, it should not be flagged.

A confirmation-based engine checks transformation patterns instead of blindly matching strings.

Step 4: Multi-Step Validation

Instead of one payload, use controlled variations:

Plain marker
Attribute-breaking marker
Script-breaking marker

If only the plain marker reflects but breaking payloads do not alter structure, likelihood of exploitation decreases.

This moves detection toward probabilistic validation.

Moving Beyond Rule-Based Logic

Traditional scanners operate with:

if reflected:
    report

A better approach introduces weighted scoring:

confidence = (
    (reflection_weight  * 0.3) +
    (context_weight     * 0.4) +
    (encoding_bypass    * 0.2) +
    (breakout_success   * 0.1)
)

Only report if the score exceeds a defined threshold. This reduces false positives dramatically.

Why This Matters

False positives have real consequences:

Developer fatigue
Security team distrust
Ignored reports
Delayed remediation

Precision builds trust. Noise destroys it.

If developers repeatedly see inaccurate reports, they stop believing the scanner.

A well-designed tool should prefer fewer findings at higher confidence over massive noisy output.

Architectural Considerations

To support confirmation-based scanning:

Separate scanner modules from UI
Centralize evidence formatting
Use structured vulnerability models
Keep payload sets modular
Avoid embedding logic inside GUI layers

Clean architecture makes improvement possible. Messy architecture locks in technical debt.

The Bigger Picture

Reducing false positives is not about clever payloads. It's about:

Context understanding
Confirmation logic
Structured scoring
Thoughtful design

Security tooling should evolve from brute-force injection engines to intelligent validation systems. That's where the real engineering challenge lies.

Final Thoughts

If you're building a scanner, don't ask: "Did it reflect?"

Ask: "In what context did it reflect, and does that context allow execution?"

The difference between those two questions is the difference between noise and intelligence.