The OpenSourceMalware Show

OpenSourceMalware

When you think about malware, you probably envision phishing emails or sketchy websites. But malicious open source - targeting software developers and their build systems - is becoming a top way that threat actors deliver malware. Just one 'npm install' can trigger payloads that steal information and credentials. Software supply chain attacks by state actors, ransomware groups, and freelancers are happening every day. Hosted by Jenn Gile and Paul McCarty (co-founders of OpenSourceMalware), this podcast explores the latest trends and attacks, and helps defenders understand the tactics needed to prevent their orgs from being the next target. OpenSourceMalware provides community-driven threat intelligence on malicious open source assets including packages, domains, IP addresses, crypto wallets, and more. https://opensourcemalware.com/

  1. vor 1 Tag

    Dependabot cooldowns, Jscrambler and AsynchAPI compromises, new PolinRider research

    This week we talked about:  GitHub turns on Dependabot cooldown periods by default — A three day cooldown is now applied automatically to all Dependabot version updates, a shift we've been anticipating in the fight against account takeover malware, though it may leave developers confused about why their upgrades are getting blocked JScrambler compromise — A threat actor gained access to a publishing credential and pushed five malicious versions of the jscrambler package. The malware evolved quickly, with the first three versions containing the trigger in a pre-install script to the last two on-import execution partway through. They also published four versions of related packages that pinned to malicious v8.18.0.AsyncAPI compromised — Attackers exploited a GitHub Actions pull_request_target flaw that sat unresolved for 58 days to steal a privileged token. They published malicious npm packages under the @asyncapi namespace, all with components of the Miasma malware that was open-sourced earlier this year (but no worm). New PolinRider research — Paul's latest hunt found 2,417 newly-compromised repositories, confirming config file injection as the dominant delivery vector alongside a growing fake font technique, still overwhelmingly hitting individual developers rather than organizations.Episode Resources (talk) BSides Adelaide 2026 Schedule(docs) Dependabot cooldown(blog) Security Advisory: Unauthorized Publication of a Malicious npm Package(feed) OpenSourceMalware threat reports for Jscrambler(blog) M-Red-Team: AsyncAPI Supply Chain Compromise via GitHub Actions(feed) OpenSourceMalware threat reports for AsyncAPI(blog) PolinRider Confirmed Footprint Grows 6.5x Since March

    Dependabot cooldowns, Jscrambler and AsynchAPI compromises, new PolinRider research
  2. 2. Juli

    GitHub security improvements, shady vendor practices

    This week we talked about: GitHub’s two new account protection features: NPM added a 72-hour read-only lockout for high-impact accounts triggered by an email change or 2FA recovery code use, aimed at slowing account takeovers. Separately, GitHub Enterprise rolled out self-service credential revocation, letting enterprise owners revoke tokens, SSH keys, and SSO authorizations for a single user or the whole org during incident response. Paul flags an open question on both: the npm change could make ATO recovery harder for legitimate maintainers if it locks them out too, and the GitHub Enterprise tool’s scope may not cover personal access tokens created outside the enterprise boundary. A security researcher’s malicious packages targeting AI companies: Paul found six npm packages published by a researcher at a stealth cybersecurity startup, targeting OpenAI, Anthropic, Vercel, and Ollama users. The packages avoid exfiltrating credentials directly but do pull data from .git and .ssh, which Paul argues crosses an ethical line for security research. He draws a direct parallel to the 2025 incident where a Snyk researcher published malicious packages targeting Cursor. FBI FLASH notice on TeamPCP: The FBI issued a FLASH covering TeamPCP’s behavior and IOCs. Note - you’ll get more complete info on their malware and TTPs from OpenSourceMalware.com Next week’s special guest: Jenn and Paul will be joined by Mikael Barbero, Head of Security at the Eclipse Foundation, to talk about Open VSX. The draw: AI IDE platforms like Cursor and Windsurf use Open VSX instead of the official VS Code marketplace, which is turning it into a more attractive target for threat actors. Resources (blog) NPM adds preventive account protection for high-impact accounts(blog) Self-service credential revocation for incident response(blog) Snyk appears to deploy ‘malicious’ packages targeting Cursor for unknown reason(PDF) FBI FLASH on Team PCP

    GitHub security improvements, shady vendor practices
  3. 25. Juni

    How malicious OSS is evolving in 2026, feat. DPRK innovations

    This week we talked about: DPRK Lazarus Group trends in software supply chain malware: Three active techniques he's observing from North Korea's Lazarus Group. The first is “version sandwiching,” where threat actors publish benign versions of a package before and after a malicious one, then pin their delivery mechanism to the malicious version so scanners checking the latest release see nothing wrong. The second is their continued reuse of Aptos, Tron, and Binance BSC blockchain addresses as mutable C2 infrastructure, which allows defenders to tie disparate campaigns to the same threat actor. The third is human-readable campaign name strings embedded in payloads, functioning like UTM tags and likely reflecting internal tracking within Lazarus subgroups. General supply chain threat landscape: Cross-ecosystem attacks, once limited to nation-state actors, are now being executed by low-sophistication crews using vibe coding tools to quickly port payloads across npm, PyPI, and other registries simultaneously. Package clusters, where only one or two packages in a published group carry the actual payload, have become standard operating procedure across threat actors of all levels. Dynamic imports and payload splitting are also on the rise, bypassing package managers and firewalls by pulling dependencies from URLs at runtime or distributing payload components across multiple files. Episode Resources (Video) How malicious packages on npm bypass existing security tools(Video) Poisoned Packages and Stolen Secrets: The Rise of Supply Chain Attacks

    How malicious OSS is evolving in 2026, feat. DPRK innovations
  4. 18. Juni

    Mastra compromise, agentjacking research, busting malware myths

    Mastra Package Compromise: Threat actors hijacked the entire Mastra npm organization (116 packages) after a maintainer was targeted with a ClickFix-style attack that stole his credentials. Rather than injecting malware directly into Mastra packages, attackers pre-staged a typosquatted package called 'easy-day-js' and added it as a dependency across the org. The malware differs from the structurally similar Axios attack in one notable way: it targets browser extensions, including password managers (LastPass, Bitwarden, Dashlane, 1Password) and MFA tools, with Zapier among the more unusual targets. Agent Jacking and MCP Server Security: A Cloud Security Alliance paper describes a concept called "agentjacking", where attackers inject malicious instructions into Sentry error events, which AI coding agents then retrieve via MCP and execute with the developer's own elevated permissions. This pattern isn't new: weaponizing an agent's privileged access against its owner was a core mechanic of the 2025 S1ngularity attack. What the paper describes is sophisticated prompt injection through an MCP server that fails to sanitize third-party data before passing it to the agent. Its conclusion that EDR can't catch this misses the point, because EDR can't catch most open source malware since the traffic and signals are indistinguishable from normal software development activity. Malware Myths: We bust four myths making the rounds in the AppSec community. First, that open source malware only lives two to three days: typosquatting and dependency confusion packages routinely survive for weeks or months, and NPM's inconsistent takedown practices make it worse. Second, that npm install scripts are going away: they're not, they are becoming opt-in by default. Third, that package firewalls and cooldowns will eliminate 99% of risk: they won't, for the same reason the lifespan myth is wrong. Fourth, that threat actor attribution doesn't matter: it does, because knowing who compromised you tells you what persistence mechanisms and next steps to look for during incident response. Episode Resources (GitHub Issue) INCIDEN3 iT REPORT: 2026-06-16: Mastra hit by supply-chain attack(blog) Mastra Attack Targets Crypto, Password Managers, Authenticators, and Zapie(PDF) Agentjacking: MCP Injection Hijacks AI Coding Agents

    Mastra compromise, agentjacking research, busting malware myths
  5. 11. Juni

    MSFT hit by Miasma worm, VS Code cooldowns, npm v12 breaking changes

    Miasma Worm Hits Microsoft — On June 5th, 73 Microsoft GitHub repositories were disabled in 105 seconds after being compromised by the Miasma worm. Four GitHub organizations were affected, including Azure Functions, which broke CI jobs worldwide for anyone calling those official GitHub Actions. The initial foothold traces back to a May 19th compromise of the Durable Task repo, with threat actors maintaining persistence via stolen credentials before returning to trigger the mass takedown. As of this recording, Microsoft had issued no official statement about what happened or the real-world impact it caused. VS Code Extension Auto-Update Cooldown — VS Code shipped a two-hour auto-update delay for third-party extensions, responding to community requests citing the frequency of extension compromises. Two hours is well short of the three-to-seven days practitioners typically ask for, and the change only applies to the Microsoft Marketplace — not OpenVSX, which has no equivalent scanning. The NX Console compromise is a useful reference point: NX caught the malicious version themselves via a Marketplace email notification, not through any platform detection. npm v12 Disables Install Scripts and Dynamic Dependencies — npm v12 will disable install lifecycle scripts (pre, post, and install), direct Git dependencies, and remote tarball dependencies by default — all three together. These are the mechanisms malware uses to execute at install time, before it reaches a pipeline. Significant breakage is expected since many legitimate packages rely on install scripts. The harder problem is adoption: this is a package manager change, not a registry change, meaning every developer workstation and CI environment has to upgrade before the protection applies. Based on how slowly similar changes have rolled out elsewhere, the practical impact will be years in the making. Miasma Gets Open-Sourced — The threat actor behind Miasma open-sourced the worm, continuing the pattern TeamPCP established with MiniShai Hulud. Unlike that release, which originated from a compromised account, this one appears to belong to a quasi-security researcher with no signs of compromise — an unusual wrinkle still under investigation. Package Firewalls — Package firewalls block installation of known or suspected malicious packages at the developer endpoint, before anything reaches a pipeline — a proactive control where EDR is reactive. Two broad categories exist: simpler alias-based tools that intercept package manager calls (bypassable by calling the binary's absolute path directly) and more sophisticated daemon-based tools that proxy registry traffic continuously. Key things to evaluate before choosing one: what's the data source and how fresh is it, does it cache locally, and how easy is it to bypass? OSV and GHSA are common feeds but have coverage gaps. Episode Resources (article) Microsoft's open source tools were hacked to steal passwords of AI developers(blog) The Blight Reaches Microsoft: 73 Repos Disabled in 105 Seconds(article) Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack(GitHub issue) Security: minimumReleaseAge setting for mitigating supply chain attacks on extensions(release notes) Visual Studio Code 1.123(blog) NPM disables install scripts by default, but is that going to solve its malware problem?

    MSFT hit by Miasma worm, VS Code cooldowns, npm v12 breaking changes
  6. 4. Juni

    Miasma npm worm hits Red Hat, new OpenSourceMalware research on 2026 trends, the Moika campaign

    This week Paul and Jenn talk about: Miasma Campaign — Starting June 1st with 32 Red Hat @redhat-cloud-services packages (averaging 80,000 weekly downloads) compromised, the campaign expanded to over 80 packages and 286+ malicious versions within days. The worm is the first confirmed in-the-wild use of TeamPCP's open-sourced MiniShai Hulud worm, though TeamPCP has not claimed credit. It is multi-ecosystem (npm, PyPI, RubyGems) and the Ruby variant appears to be LLM-translated, not part of the original open-sourced code. The initial Red Hat compromise came not through a GitHub Actions vulnerability but through abused gaps in npm trusted publishing. A live comment from Francois (VP of Security Research at BoostSecurity) corrected this in real time during the show.The Shift from Human to Machine Attack Paths — Account takeover attacks have shifted away from social engineering as the primary foothold. The Axios compromise in early 2026 was likely the last major example of a social-engineering-based entry point. Threat actors now primarily target CI pipelines, automated builds, and developer tooling. Automation has also accelerated post-compromise activity: credential abuse now begins within seconds of a system being popped, rather than requiring manual follow-through.OpenSourceMalware Data Trends (Jan to mid-May 2026) — Three trends from six months of OSM threat report data. First, npm remains the dominant ecosystem by volume but PyPI is growing at a comparable rate and the two frequently correlate, reflecting multi-ecosystem attack campaigns. Second, the vast majority of malicious packages have fewer than 10,000 weekly downloads (indicative of typosquatting and dependency confusion), but the share of high-download packages has grown over the period, with account takeovers representing 60 to 65% of new records in the week of May 11th. Third, malicious ClawHub skills have grown rapidly since January, with over 700 in the database by end of March. Nearly a fifth target marketing roles (SEO, Klaviyo, TikTok, YouTube), reflecting threat actors going after non-developer users of AI tools.Moika Campaign — Over 260 verified threat reports tied to infrastructure at oob.moika.tech, with nearly 300 packages deployed. The campaign sits in a gray area: the account has a history consistent with bug bounty research (PoCs, packages without payloads, version numbering at 99.9 to float above legitimate packages), but the payloads on others are overtly credential-stealing and one researcher has attributed the campaign to a Russian nexus. This connects to a broader conversation about the volume of security-researcher-style packages in the ecosystem: between October 2024 and January 2025, between 25 and 41% of malicious packages entering OSV were attributable to bug bounty researchers. The episode also covers AI hallucination as an attack vector, using Events Channel (still live on npm with 168,000 downloads despite being reported) as an example of how LLM-hallucinated package names get weaponized.Resources OpenSourceMalware threat reports for Miasma(blog) Miasma: Supply Chain Attack Targeting RedHat npm Packages(blog) Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp(blog) Trusted Publishing, Untrusted Branch: Red Hat npm(blog) The Software Supply Chain Malware Landscape: January - May 2026OpenSourceMalware threat records for Moika (blog) 183 npm Packages Target Cloud and Finance via oob.moika.tech

    Miasma npm worm hits Red Hat, new OpenSourceMalware research on 2026 trends, the Moika campaign
  7. 28. Mai

    OSV false positives, Crowdstrike takedown of Glassworm infra, and MSFT nukes a researcher

    This week Jenn and Paul covered: OSV false positives from AWS Inspector: AWS's automated malware detection pipeline submitted 157 false positive entries to osv.dev. The entries were merged before anyone caught the errors. When the community began pointing out that some of those "false positives" were actually real malware, AWS started adding some back, making this a mess on both ends. AppSec vendors piled on publicly despite relying on OSV as their primary detection source without contributing to it. Paul publicly thanks Chi Tran's team at AWS Inspector for their contributions overall.CrowdStrike, Google, and Shadowserver take down Glassworm C2 (including the botnet vs. worm distinction): The operation targeted four infrastructure components: Solana blockchain dead drops, BitTorrent DHT, Google Calendar abuse, and commercial VPS servers. The legal and technical basis for the takedown is unclear and CrowdStrike declined to comment on specifics. Paul explains how blockchain memo fields work as dead drops and how multi-stage attack chains evolve. As part of the discussion, Paul clarifies the technical difference between a botnet (centrally orchestrated persistent access across many machines) and a worm (self-replicating), and ties it to how both Glassworm and DPRK/PolinRider operate.MSRC, Nightmare Eclipse, and the state of coordinated disclosure: Researcher Nightmare Eclipse published six unpatched Windows zero-days (RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, MiniPlasma) after a breakdown in MSRC's handling of their disclosures. Microsoft's claim that no prior notice was given is contested. Nightmare Eclipse says MSRC knew BlueHammer was coming. Microsoft's MSRC blog post named all six vulnerabilities, invoked its Digital Crimes Unit, and never acknowledged Nightmare Eclipse's claim that Microsoft deleted the account they used to report bugs and paid them nothing. The MSRC post instead triggered a flood of other researchers sharing similar experiences: Gabriel Landau reported MSRC agreed to issue a CVE in exchange for an extended embargo, then patched silently and broke that agreement. Rootsecdev reported a five-month wait followed by a "doesn't meet the bar for servicing" response, while Microsoft silently fixed it anyway. GitHub then banned Nightmare Eclipse's account; GitLab followed suit days later. Paul and Jenn note this reflects a broader, documented pattern of MSRC underinvesting in researcher relationships, not an isolated incident.Using GitHub as a forward-hunting collection source: Paul and Jenn co-authored a guide with Feedly based on the hunting technique Paul has used to discover campaigns like PolinRider. Workshop may be submitted to DEF CON Adversary Village.Episode Resources: GitHub PR: OSV false positive withdrawals: AWS Inspector PR #1276Blog: CrowdStrike: Inside the Takedown of a Developer-Targeting BotnetBlog: Four Arms, One Monster — GlassWorm Invades GitHub, NPM, Open VSX and VS CodeOpenSourceMalware threat reports for GlasswormX post: International Cyber Digest: Microsoft's response to Nightmare-Eclipse zero-day disclosuresBlog: MSRC: A Shared Responsibility — Protecting Customers Through Coordinated Vulnerability DisclosureGuide: How to Collect Intelligence from GitHub on Open Source Malware

    OSV false positives, Crowdstrike takedown of Glassworm infra, and MSFT nukes a researcher

Info

When you think about malware, you probably envision phishing emails or sketchy websites. But malicious open source - targeting software developers and their build systems - is becoming a top way that threat actors deliver malware. Just one 'npm install' can trigger payloads that steal information and credentials. Software supply chain attacks by state actors, ransomware groups, and freelancers are happening every day. Hosted by Jenn Gile and Paul McCarty (co-founders of OpenSourceMalware), this podcast explores the latest trends and attacks, and helps defenders understand the tactics needed to prevent their orgs from being the next target. OpenSourceMalware provides community-driven threat intelligence on malicious open source assets including packages, domains, IP addresses, crypto wallets, and more. https://opensourcemalware.com/

Das gefällt dir vielleicht auch