The Secure Disclosure

Mackenzie Jackson
  • 5.0 (1)
  • 科技
  • 一周一更

Cyber, Sake, News, Research and more The Disclosure is a weekly cybersecurity podcast that brings the latest in news, research, and leaders into a 45-minute podcast. Hosted by Mackenzie Jackson, we bring new guests each week to share their research and expertise in the space.

单集

  1. 1天前

    The Largest Breach That Wasn’t: Debug & Chalk + NPM’s Almost-Apocalypse

    This week on The Secure Disclosure, host Mackenzie Jackson dives into “the largest breach that never really happened” the September npm supply chain compromise that put 2.6 billion weekly downloads at risk but somehow didn’t take down the internet.Joining me are two key voices from the incident:Josh Junon – the maintainer who was phished, unknowingly triggering the chain of events.Charlie Erikson – the security researcher who first discovered and analyzed the malware.Together, we unpack the timeline: the phishing email that started it all, the malware hidden inside foundational packages like debug and chalk, the viral panic that followed, and why the attackers walked away with just $900 in crypto instead of world domination.We also discuss what the breach teaches us about security “working,” luck, and where the ecosystem still leaves maintainers dangerously exposed.SponsorThis episode is brought to you by Aikido Security — your complete code security platform.Check out Aikido: https://aikido.devPrevent supplychain attacks with Aikido SafeChain: https://www.npmjs.com/package/@aikidosec/safe-chainWatch & Listen🎧 Spotify & other platforms: https://creators.spotify.com/pod/profile/thesecuredisclosure/Connect with MeX (Twitter): https://x.com/advocatemackLinkedIn: https://linkedin.com/in/adovcatemackReferencesXKCD Web Comic: https://xkcd.com/2347/Wiz Blog Post: https://www.wiz.io/blog/widespread-npm-supply-chain-attack-breaking-down-impact-scope-across-debug-chalkInsiderPhD YouTube: https://www.youtube.com/c/InsiderPhDInsiderPhD X Post: https://x.com/InsiderPhD/status/1965110610972250550My LinkedIn Post: https://www.linkedin.com/feed/update/urn:li:activity:7373625746822696960/John Hammond Video: https://www.youtube.com/watch?v=4caJw0JJZTQChapters00:00 – Intro00:18 – Setting the stage: the breach that “never really happened”01:31 – Josh Junon: the phishing email that started it all04:39 – Malware injection and Charlie Erikson’s discovery06:58 – The viral panic: LinkedIn posts, headlines, and John Hammond’s roast09:01 – Why the npm compromise looked bigger than it was12:31 – Foundational packages, open-source reliance, and the Nebraska problem16:18 – What really happened: $900 stolen in crypto18:31 – Security win or just luck? Community reactions and InsiderPhD’s take23:09 – The scarier “what ifs” and why attackers underused their access23:40 – Sponsored segment: Aikido Security & SafeChain24:26 – Josh on community support and mental health for maintainers26:23 – Where npm failed and how package managers need to improve28:14 – Outro and reflections

    29 分钟

  2. 6天前

    Phishing, Zero-Clicks & World Champion Hackers: The Secure Disclosure

    In this episode of Secure Disclosure, host Mackenzie Jackson takes you on a journey through the evolving world of cyber threats and the people on the frontlines. We kick things off with a deep dive into phishing attacks with Jacques Louw and the surprising ways they continue to outsmart defenses in 2025. Then, we unravel the story of a dangerous WhatsApp zero-click vulnerability that, when paired with an Apple iOS flaw, gave attackers full control of victims’ devices, all without a single tap.We also take a lighter turn at the Cyber Sake Bar, where we sit down with the world’s number one competitive hacker, Philippe Dourassov, to talk about the thrill of international hacking competitions, how he accidentally hacked Discord, and why he’s now building his own startup. Along the way, we highlight the crucial role of defense, the impact of AI on modern attacks, and even taste test Japanese vs Californian sake.LinksPush Security Phishing Report - https://pushsecurity.com/resources/phishing-evolutionWhatsApp Vulnerability - https://www.bitdefender.com/en-us/blog/hotforsecurity/whatsapp-zero-click-spyware-attack-android⏱️ Chapters00:00 Intro – Welcome & Overview01:32 The Evolution of Phishing Attacks- Jacques Louw Push Security 21:31 WhatsApp Segment – Zero-Click Vulnerability Deep Dive26:18 Sponsor Segment – Aikido Security Spotlight27:01 Sake Segment – Philippe Dourassov on Competitive Hacking

    53 分钟

  3. 9月5日

    Secrets in the Open: The NX Breach and Cloud Security’s Future - The Secure Disclosure Podcast

    In this episode of Secure Disclosure, host Mackenzie Jackson unpacks the NX breach with malware researcher Charlie Ericson and GitGuardian’s Guillaume Valadon, revealing how stolen tokens exposed thousands of secrets on GitHub. Analyst James Berthoty then offers an exclusive preview of Lacio Tech’s Cloud Security Report, cutting through the AI hype to highlight real trends. Finally, Ashish Rajan joins the Cyber & Saki segment to share his vision for the future of cloud security.00:00 – Introduction01:15 – The NX Breach Explained06:25 – Secrets in Public Repos20:47 – Cloud Security Report Sneak Peek with James Berthoty36:25 – Cyber & Saki with Ashish Rajan

    56 分钟

  4. 8月29日

    AI Cyber Defense & Cyborg Hackers - The Future of Security: The Secure Disclosure

    In this episode of The Secure Disclosure, host Mackenzie Jackson is joined by Darktrace VP Nathaniel Jones to unpack the newly discovered AutoColor malware exploiting SAP NetWeaver vulnerabilities. We also cover the WinRAR zero-day actively exploited by RomCom APT and wrap up with an unforgettable interview with Len No, a real cyborg hacker with 11 implants who demonstrates what’s possible when the human body meets hacking. Timestamps & Chapters: 00:00 – Intro 01:07 – AutoColor used in SAP NetWeaver Vuln 18:39 – Sponsor: Aikido Security 19:25 – WinRAR Zero-Day 23:30 – Interview with Len Noe

    46 分钟

  5. 8月21日

    Erlang RCE Vulnerability, Finding Security Champions and Securing AI Applications

    In this episode, we bring you insights from Black Hat and DEF CON 2025. We start with a breakdown of Erlang OTP CVE-2025-32433, a critical remote code execution flaw scoring a perfect 10, and why it’s being exploited in real-world infrastructure.Next, we sit down with Dustin Lehr, author of the Security Champions Program Success Guide, to discuss how to build effective security champion programs inside organizations — from finding the right people to measuring success.Finally, at the Cyber Sake Bar, we chat with Steve Giguere from Lera about the growing field of AI security. We explore risks like prompt injection, agentic AI systems, and what securing AI models really means for modern applications.Perfect for anyone interested in cybersecurity, secure development, and the future of AI security.00:00 – Intro & Hacker Summer Camp Recap01:22 – Critical Vulnerability: Erlang OTP CVE-2025-3243307:04 – Interview with Dustin Lehr: Building Security Champions29:00 – Sponsor Segment: Aikido Security & Safechain29:45 – Cyber and Sake with Steve Giguere: Securing AI Models44:09 – Prompt Injections, Agentic AI & Closing Thoughts

    52 分钟

  6. 8月14日

    Security Flaws, Phishing Attacks & Code Quality: Vibe Coding’s Dark Side: The Disclosure Episode 3

    In this episode of Disclosure, Mackenzie Jackson takes listeners deep into the fast-evolving—and increasingly risky—world of AI-assisted coding. First, security researcher Wout Debaenst exposes a massive vulnerability in Base44’s AI coding platform that made private applications accessible to anyone with minimal effort, highlighting how “vibe coding” can create the next wave of supply chain attacks.Next, malware researcher Charlie Ericson returns to reveal a fresh PyPI phishing campaign eerily similar to last week’s npm compromise, underscoring the fragility of our open-source ecosystems.Finally, Mackenzie heads to the Cyber Sake Bar for a candid conversation with Khachatur Virabyan, co-founder of Trag, exploring how AI can change code quality. Along the way, they sip sake, swap war stories, and debate the future of software development in the age of AI.00:00 - Introduction1:19 - Base44 Breach & The Risks of AI Coding Platforms 09:24 - PyPI Phishing Campaign and Open Source Security Gaps 17:08 - AI-Assisted Code Quality with Trag 34:02 - Cybersecurity “Would You Rather” and Closing

    36 分钟

  7. 8月14日

    Inside the SharePoint Exploit: How Eye Security Discovered the Attack

    In this episode, we talk to Visha Bernard, Chief Hacker at Eye Security, about the catastrophic SharePoint vulnerability that was exploited by suspected nation-state actors.We cover how Eye Security’s team discovered the exploit, the flawed patching timeline from Microsoft, how Google Gemini was used to find a bypass, and what organizations must do now to secure their SharePoint servers.From government targets to AI-assisted exploitation, this is a deep dive into one of the most severe security incidents of the year.Chapters00:00 Introduction to the SharePoint Vulnerability01:00 Eye Security's Initial Discovery03:30 Uncovering the Zero-Day Exploit05:30 Internet-Wide Scanning and Findings07:00 Patch Analysis and Flaws10:00 Emergency Fix and Security Research12:00 Threat Actor Attribution13:20 Advice for Organizations and Closing Remarks

    52 分钟

  8. 8月14日

    McDonalds Breach, XAI Doge Leak and More: The Disclosure Show

    This week, we're exposing the untold truths behind major headlines:McDonald's Data BreachOver 60 million job applicants’ data compromised via Paradox.ai’s AI chatbot "Olivia." But was it just a weak password — or something far worse? We break it down and challenge the media’s misleading narrative.XAI Secret Key LeakResearcher Philippe Katrigeli joins us to reveal how a Doge/X developer accidentally leaked powerful internal API keys — and what that meant for access to Tesla and SpaceX LLMs. We talk entropy, GitHub mistakes, and the dangers of hardcoded secrets.Sources: https://krebsonsecurity.com/2025/05/xai-dev-leaks-api-key-for-private-spacex-tesla-llms/600 Laravel Apps Vulnerable to RCESecurity researcher Rémy Matas walks us through how 260,000 leaked Laravel app keys were matched with live endpoints, resulting in 600+ apps being exposed to remote code execution. They even built a tool for it: Laravel CryptoKiller.Sources: https://www.synacktiv.com/en/publications/laravel-appkey-leakage-analysishttps://blog.gitguardian.com/exploiting-public-app_key-leaks/🍶 AI Pentesting & The Future of HackingIn our signature “Sake with a Hacker” segment, we sip with Walt DeBond of Allseek to discuss how agentic AI is poised to revolutionize penetration testing, and whether AI will replace human hackers in the next five years.Chapters:0:00 - Introduction 0:54 - McDonalds Breach 3:28 - Xai API Key Leak14:02 - 600 Laravel APP_KEY Leaks 26:10 - Cyber And Sake with Wout Debaenst

    44 分钟
  • 8 集

评分及评论

关于

Cyber, Sake, News, Research and more The Disclosure is a weekly cybersecurity podcast that brings the latest in news, research, and leaders into a 45-minute podcast. Hosted by Mackenzie Jackson, we bring new guests each week to share their research and expertise in the space.

信息

  • 创作者
    Mackenzie Jackson
  • 活跃年份
    2025年
  • 单集
    8
  • 分级
    儿童适宜
  • 版权
    © Mackenzie Jackson
  • 节目网站
    The Secure Disclosure