More The Secure Disclosure episodes
Published 7 Apr 2026
Duration: 00:38:45
Cyberattacks exploit developers and non-technical roles via social engineering and malware, with inadequate detection systems, state-sponsored threats targeting open-source ecosystems, and proposed solutions like the Open Source Malware Initiative and registry reforms to enhance tracking, accountability, and threat intelligence sharing.
In this episode of The Secure Disclosure, Jenn Gile and Paul McCarty from Open Source Malware break down how malicious packages are evolving, why deve...
The podcast discusses the evolving threat landscape in cybersecurity, emphasizing the growing risk of attacks targeting developers and non-technical staff as initial entry points ("patient zero"). Threat actors increasingly exploit social engineering tactics, such as posing as recruiters on platforms like LinkedIn or Upwork to trick developers into downloading malware. Current detection systems are inadequate, leaving 15,000 malicious samples undetected, while challenges like rapid software updates and weak registry security exacerbate the proliferation of open-source malware. A key focus is the Open Source Malware (OSM) Initiative, a community-driven project aimed at creating a transparent, collaborative database to track malware, including details on authors, severity, and impact, with features like human-validated reports and an accessible API. This initiative addresses gaps in existing repositories, such as poor API usability and limited malware-specific data, and prioritizes open data sharing to foster broader security collaboration.
The discussion contrasts malware management with traditional vulnerability management, highlighting the fundamental differences: unlike vulnerabilities, malware cannot be "accepted" and requires proactive blocking or aggressive mitigation. Malware often exploits interpreter-based languages (e.g., JavaScript, Python) to evade detection, while vulnerabilities depend on version tracking for patching. Case studies reveal state-sponsored actors like North Korea leveraging sophisticated campaignssuch as the "Contagious Interview" strategyto steal cryptocurrency and access sensitive corporate data through malicious packages in repositories. Challenges include the lack of accountability from package registries (e.g., NPM, PyPy), insufficient scanning of low-impact packages, and organizational ambiguities about responsibility for handling open-source malware. Proposed solutions stress registry-level reforms (e.g., stricter metadata verification), developer best practices (e.g., secrets management), and improved tooling to address the "perfect storm" of fast update cycles and weak security oversight in software supply chains. The podcast also underscores the need for industry-wide collaboration, incident response preparedness, and redefining security priorities to mitigate risks from open-source ecosystems.
22 May 2026 AI Broke the Security Ecosystem w/ Chris Hughes
Evolving cybersecurity challenges include supply chain threats, AI vulnerabilities, and outdated tools, highlighting the need for systemic reforms like developer incentives, regulatory clarity, and industry-government collaboration to address gaps in vulnerability management and the dual risks of AI's role in both threat detection and exploitation.
15 May 2026 PostHog is placing a wild bet on AI Coding w/ James Hawkins
Recommended: Should you go open source?
PostHog's open-source analytics platform prioritizes transparency, developer autonomy, and AI integration while critiquing corporate norms, emphasizing price clarity, building in public, and balancing automation with security governance in product development.
6 May 2026 AI Panic is Driving Shadow IT w/ Noora Ahmed-Moshe
AI's impact on employment and cybersecurity risks, driven by shadow AI, phishing, and emerging threats like prompt injection, require balancing workforce skills, security measures, and organizational trust.
29 Apr 2026 When AI Agents Change their Intent w/ Frank Vukovits
AI agents, autonomous non-human entities operating in enterprise systems without human oversight, pose security and governance challenges requiring updated access control frameworks, real-time monitoring, and intent-based governance to address risks like unauthorized access and shadow AI, paralleling historical tech challenges like Y2K.
22 Apr 2026 OWASP Top 10, Vibe Coding, and What Developers Miss w/ Tanya Janca
Gaps in cybersecurity education, persistent vulnerabilities like SQL injection, OWASP data limitations, evolving supply chain risks, high training costs, AI's contextual challenges, and the need for secure-by-design principles and collaboration highlight systemic challenges in addressing evolving cyber threats.