More The Secure Disclosure episodes

Open Source Malware, Supply Chain Risk, and Contagious Interviews: w/ Paul McCarty and Jenn Gile

Published 7 Apr 2026

Duration: 00:38:45

Cyberattacks exploit developers and non-technical roles via social engineering and malware, with inadequate detection systems, state-sponsored threats targeting open-source ecosystems, and proposed solutions like the Open Source Malware Initiative and registry reforms to enhance tracking, accountability, and threat intelligence sharing.

Episode Description

In this episode of The Secure Disclosure, Jenn Gile and Paul McCarty from Open Source Malware break down how malicious packages are evolving, why deve...

Overview

The podcast discusses the evolving threat landscape in cybersecurity, emphasizing the growing risk of attacks targeting developers and non-technical staff as initial entry points ("patient zero"). Threat actors increasingly exploit social engineering tactics, such as posing as recruiters on platforms like LinkedIn or Upwork to trick developers into downloading malware. Current detection systems are inadequate, leaving 15,000 malicious samples undetected, while challenges like rapid software updates and weak registry security exacerbate the proliferation of open-source malware. A key focus is the Open Source Malware (OSM) Initiative, a community-driven project aimed at creating a transparent, collaborative database to track malware, including details on authors, severity, and impact, with features like human-validated reports and an accessible API. This initiative addresses gaps in existing repositories, such as poor API usability and limited malware-specific data, and prioritizes open data sharing to foster broader security collaboration.

The discussion contrasts malware management with traditional vulnerability management, highlighting the fundamental differences: unlike vulnerabilities, malware cannot be "accepted" and requires proactive blocking or aggressive mitigation. Malware often exploits interpreter-based languages (e.g., JavaScript, Python) to evade detection, while vulnerabilities depend on version tracking for patching. Case studies reveal state-sponsored actors like North Korea leveraging sophisticated campaigns, such as the "Contagious Interview" strategy, to steal cryptocurrency and access sensitive corporate data through malicious packages in repositories. Challenges include the lack of accountability from package registries (e.g., NPM, PyPI), insufficient scanning of low-impact packages, and organizational ambiguities about responsibility for handling open-source malware. Proposed solutions stress registry-level reforms (e.g., stricter metadata verification), developer best practices (e.g., secrets management), and improved tooling to address the "perfect storm" of fast update cycles and weak security oversight in software supply chains. The podcast also underscores the need for industry-wide collaboration, incident response preparedness, and redefining security priorities to mitigate risks from open-source ecosystems.

Recent Episodes of The Secure Disclosure

2 Apr 2026 Bugcrowd Founder Casey Ellis: AI Slop, and the Future of Hacking

Ethical hacking evolved from underground communities to enterprise-driven security frameworks, addressing stigma and legacy systems, AI's dual role in threat detection and synthetic risks, and the need for secure-by-design practices, hybrid human-AI strategies, and managing supply chain vulnerabilities amid evolving cyber threats.

25 Mar 2026 Are Humans the Weakest Link in Security? w/ Sean Juroviesky

Securing organizations requires aligning human-centric workflows and communication with embedded, frictionless security practices, addressing human error through behavior monitoring and training, managing shadow IT/AI via collaboration and inventory, balancing usability with targeted access controls, and fostering proactive security culture through education and storytelling rather than enforcement.

17 Mar 2026 AI Agents Must Have Identity & Access Control w/ Johannes Keienburg

Autonomous AI agents, with transformative productivity potential, pose significant security, accountability, and governance challenges requiring dynamic access controls, human oversight, and industry-wide standards to ensure safe and regulated integration.

16 Mar 2026 The Creator of Curl on Why AI Is Breaking Bug Bounties w/ Daniel Stenberg

The Curl project's evolution from a 1996 currency tool to a prominent open-source library highlights community-driven growth, open-source maintenance challenges, AI's impact on security reporting, sustainability issues, and tensions between innovation and unresolved technical risks.

9 Mar 2026 LLMs Will Never Be Fully Secure w/ Brooks McMillin

Security oversights in AI/MCP server development, mirroring historical flaws like SQL injection, include unsafe practices such as `eval` usage and weak authorization, risking remote code execution and data leaks, while stressing the need for layered defenses against AI-amplified exploits in untested ecosystems.
