More The Secure Disclosure episodes

Open Source Malware, Supply Chain Risk, and Contagious Interviews: w/ Paul McCarty and Jenn Gile thumbnail

Open Source Malware, Supply Chain Risk, and Contagious Interviews: w/ Paul McCarty and Jenn Gile

Published 7 Apr 2026

Duration: 00:38:45

Cyberattacks exploit developers and non-technical roles via social engineering and malware, with inadequate detection systems, state-sponsored threats targeting open-source ecosystems, and proposed solutions like the Open Source Malware Initiative and registry reforms to enhance tracking, accountability, and threat intelligence sharing.

Episode Description

In this episode of The Secure Disclosure, Jenn Gile and Paul McCarty from Open Source Malware break down how malicious packages are evolving, why deve...

Overview

The podcast discusses the evolving threat landscape in cybersecurity, emphasizing the growing risk of attacks targeting developers and non-technical staff as initial entry points ("patient zero"). Threat actors increasingly exploit social engineering tactics, such as posing as recruiters on platforms like LinkedIn or Upwork to trick developers into downloading malware. Current detection systems are inadequate, leaving 15,000 malicious samples undetected, while challenges like rapid software updates and weak registry security exacerbate the proliferation of open-source malware. A key focus is the Open Source Malware (OSM) Initiative, a community-driven project aimed at creating a transparent, collaborative database to track malware, including details on authors, severity, and impact, with features like human-validated reports and an accessible API. This initiative addresses gaps in existing repositories, such as poor API usability and limited malware-specific data, and prioritizes open data sharing to foster broader security collaboration.

The discussion contrasts malware management with traditional vulnerability management, highlighting the fundamental differences: unlike vulnerabilities, malware cannot be "accepted" and requires proactive blocking or aggressive mitigation. Malware often exploits interpreter-based languages (e.g., JavaScript, Python) to evade detection, while vulnerabilities depend on version tracking for patching. Case studies reveal state-sponsored actors like North Korea leveraging sophisticated campaignssuch as the "Contagious Interview" strategyto steal cryptocurrency and access sensitive corporate data through malicious packages in repositories. Challenges include the lack of accountability from package registries (e.g., NPM, PyPy), insufficient scanning of low-impact packages, and organizational ambiguities about responsibility for handling open-source malware. Proposed solutions stress registry-level reforms (e.g., stricter metadata verification), developer best practices (e.g., secrets management), and improved tooling to address the "perfect storm" of fast update cycles and weak security oversight in software supply chains. The podcast also underscores the need for industry-wide collaboration, incident response preparedness, and redefining security priorities to mitigate risks from open-source ecosystems.

Recent Episodes of The Secure Disclosure

16 Jun 2026 Your Microphone Became a Keylogger w/ David vonThenen

Machine learning analyzes keystroke acoustic signatures to infer typed characters over remote platforms, highlighting high accuracy with known keyboards, privacy risks from surveillance, and challenges in noise and variability, while proposing defenses and noting AI's dual-use implications.

9 Jun 2026 Understand the Software Supply Chain Chaos w/ Roeland Delrue

Rapidly evolving supply chain security threats, including malicious open-source components and AI-driven malware, demand advanced AI-powered solutions like Akito Securitys self-securing software and tailored tools to address vulnerabilities in developer environments and package repositories.

28 May 2026 Prompt Injection Might Never Be Solved w/ Paul Vann

The text details AI security threats like prompt injection, jailbreak attacks, and distillation attacks, along with vulnerabilities such as AI bias and autonomous agent risks, highlighting detection challenges, emerging malware, supply chain exploits, and the industry's struggle to keep pace with rapidly evolving AI technologies.

22 May 2026 AI Broke the Security Ecosystem w/ Chris Hughes

Evolving cybersecurity challenges include supply chain threats, AI vulnerabilities, and outdated tools, highlighting the need for systemic reforms like developer incentives, regulatory clarity, and industry-government collaboration to address gaps in vulnerability management and the dual risks of AI's role in both threat detection and exploitation.

15 May 2026 PostHog is placing a wild bet on AI Coding w/ James Hawkins

Recommended: Should you go open source?

PostHog's open-source analytics platform prioritizes transparency, developer autonomy, and AI integration while critiquing corporate norms, emphasizing price clarity, building in public, and balancing automation with security governance in product development.

More The Secure Disclosure episodes