More Open Source Security episodes

Open Source Malware with Paul McCarty thumbnail

Open Source Malware with Paul McCarty

Published 13 Apr 2026

Duration: 38:23

Open Source Malware (OSM) addresses the gap in detecting intentional malicious open-source components by cataloging threats, de-obfuscating code, extracting indicators of compromise, and providing post-incident data, while tackling challenges like persistent malicious packages, limitations of traditional tools against interpreted languages, fragmented collaboration, AI risks, and the need for improved CI/CD security, audit tools, and balanced AI-human oversight.

Episode Description

Josh talks to Paul McCarty of Open Source Malware about ... open source malware. Paul explains why there aren't many good open source malware datasets...

Overview

The podcast discusses the development and purpose of Open Source Malware (OSM), a platform founded to address the gap in detecting malicious open-source components, such as GitHub repositories, packages, and extensions, which traditional vulnerability tracking systems like OSV and GHSA overlook. While these tools focus on accidental vulnerabilities, OSM specializes in cataloging and analyzing packages with malicious intent, providing actionable insights for both proactive protection and post-incident response. Key challenges highlighted include misaligned data models in existing vulnerability databases, limited incident-specific details (like threat intelligence or indicators of compromise), and the difficulty of analyzing deleted or obfuscated malicious code. OSM emphasizes community-driven contributions and transparency, unlike proprietary or corporately sponsored solutions, and aims to build a business around its unique value in open-source security.

The discussion also underscores persistent risks in the software supply chain, such as malicious packages persisting in private repositories or developer environments even after removal from public registries. Critiques of platforms like OpenClaw, which lack curated security measures, and the broader industrys tendency to overlook threats in AI-driven tools and AI agent workflows are emphasized. Security experts warn of escalating risks from AI agents misused for credential theft, privilege escalation, or unauthorized access, stressing the need for education and proactive defenses. The podcast calls for industry-wide collaboration to unify threat intelligence, improve registry curation, and address systemic gaps in security practices, particularly in CI/CD pipelines and AI integration, to mitigate emerging threats.

Recent Episodes of Open Source Security

29 Jun 2026 AIBOM, CBOM, and HBOM with Allan Friedman

The evolution of Software Bill of Materials (SBOM) beyond manufacturing into cryptographic, hardware, and AI domains faces challenges in unified integration, compliance, tooling, and dependency tracking, requiring open-source collaboration, standardized frameworks, and adaptive policies to meet industry demands in procurement and risk management.

22 Jun 2026 Packagist and Composer security with Jordi Boggiano

Strategies for securing open-source ecosystems include malware detection via third-party feeds, transparency logs, rapid incident response, blocking malicious downloads, private registry controls, immutable package releases, standardized workflows, MFA enforcement, and technical proposals like artifact validation and build attestation, while addressing challenges like maintainer hacking, AI risks, usability trade-offs, and the need for ecosystem-wide alignment and human verification.

15 Jun 2026 Sustaining Open VSX with Mike and Thabang

Eclipse Foundation's OpenVSX, a VS Code extension repository, surged to 600M monthly downloads, evolved to a commercial model with enterprise SLAs and security teams, while addressing scalability, open-source balance, and funding challenges for AI expansion.

8 Jun 2026 Hacking your CI/CD with Francois Proulx

Critical vulnerabilities in open source CI/CD pipelines, including hijacking and supply chain attacks via social engineering or compromised builds, are highlighted through incidents like TJ Actions and Ultralytics, with mitigation strategies emphasizing secure credentials, externalized workflows, threat modeling, and tools like *Smoked Meat* and *Bagel* to enhance incident response and supply chain security.

1 Jun 2026 Open source verification with Sal Kimmich

Cybersecurity challenges include complex application ecosystems, overlooked kernel vulnerabilities, supply chain risks, and systemic risks from under-resourced organizations prioritizing surface-level controls, alongside calls for regulatory reforms, proactive threat modeling, secure development practices, and addressing tribal nations' unique legal and sovereignty concerns.

More Open Source Security episodes