Episodes
Miasma Worm Hits Microsoft — On June 5th, 73 Microsoft GitHub repositories were disabled in 105 seconds after being compromised by the Miasma worm. Four GitHub organizations were affected, including Azure Functions, which broke CI jobs worldwide for anyone calling those official GitHub Actions. The initial foothold traces back to a May 19th compromise of the Durable Task repo, with threat actors maintaining persistence via stolen credentials before returning to trigger the mass takedown. As of this recording, Microsoft had issued no official statement about what happened or the real-world impact it caused.
VS Code Extension Auto-Update Cooldown — VS Code shipped a two-hour auto-update delay for third-party extensions, responding to community requests citing the frequency of extension compromises. Two hours is well short of the three-to-seven days practitioners typically ask for, and the change only applies to the Microsoft Marketplace — not OpenVSX, which has no equivalent scanning. The NX Console compromise is a useful reference point: NX caught the malicious version themselves via a Marketplace email notification, not through any platform detection.
npm v12 Disables Install Scripts and Dynamic Dependencies — npm v12 will disable install lifecycle scripts (pre, post, and install), direct Git dependencies, and remote tarball dependencies by default — all three together. These are the mechanisms malware uses to execute at install time, before it reaches a pipeline. Significant breakage is expected since many legitimate packages rely on install scripts. The harder problem is adoption: this is a package manager change, not a registry change, meaning every developer workstation and CI environment has to upgrade before the protection applies. Based on how slowly similar changes have rolled out elsewhere, the practical impact will be years in the making.
Miasma Gets Open-Sourced — The threat actor behind Miasma open-sourced the worm, continuing the pattern TeamPCP established with MiniShai Hulud. Unlike that release, which originated from a compromised account, this one appears to belong to a quasi-security researcher with no signs of compromise — an unusual wrinkle still under investigation.
Package Firewalls — Package firewalls block installation of known or suspected malicious packages at the developer endpoint, before anything reaches a pipeline — a proactive control where EDR is reactive. Two broad categories exist: simpler alias-based tools that intercept package manager calls (bypassable by calling the binary's absolute path directly) and more sophisticated daemon-based tools that proxy registry traffic continuously. Key things to evaluate before choosing one: what's the data source and how fresh is it, does it cache locally, and how easy is it to bypass? OSV and GHSA are common feeds but have coverage gaps.
Episode Resources:
(article) Microsoft's open source tools were hacked to steal passwords of AI developers
(blog) The Blight Reaches Microsoft: 73 Repos Disabled in 105 Seconds
(article) Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack
(GitHub issue) Security: minimumReleaseAge setting for mitigating supply chain attacks on extensions
(release notes) Visual Studio Code 1.123
(blog) NPM disables install scripts by default, but is that going to solve its malware problem?
This week Paul and Jenn talk about:
Miasma Campaign — Starting June 1st with 32 Red Hat @redhat-cloud-services packages (averaging 80,000 weekly downloads) compromised, the campaign expanded to over 80 packages and 286+ malicious versions within days. The worm is the first confirmed in-the-wild use of TeamPCP's open-sourced MiniShai Hulud worm, though TeamPCP has not claimed credit. It is multi-ecosystem (npm, PyPI, RubyGems) and the Ruby variant appears to be LLM-translated, not part of the original open-sourced code. The initial Red Hat compromise came not through a GitHub Actions vulnerability but through abused gaps in npm trusted publishing. A live comment from Francois (VP of Security Research at BoostSecurity) corrected this in real time during the show.
The Shift from Human to Machine Attack Paths — Account takeover attacks have shifted away from social engineering as the primary foothold. The Axios compromise in early 2026 was likely the last major example of a social-engineering-based entry point. Threat actors now primarily target CI pipelines, automated builds, and developer tooling. Automation has also accelerated post-compromise activity: credential abuse now begins within seconds of a system being popped, rather than requiring manual follow-through.
OpenSourceMalware Data Trends (Jan to mid-May 2026) — Three trends from six months of OSM threat report data. First, npm remains the dominant ecosystem by volume but PyPI is growing at a comparable rate and the two frequently correlate, reflecting multi-ecosystem attack campaigns. Second, the vast majority of malicious packages have fewer than 10,000 weekly downloads (indicative of typosquatting and dependency confusion), but the share of high-download packages has grown over the period, with account takeovers representing 60 to 65% of new records in the week of May 11th. Third, malicious ClawHub skills have grown rapidly since January, with over 700 in the database by end of March. Nearly a fifth target marketing roles (SEO, Klaviyo, TikTok, YouTube), reflecting threat actors going after non-developer users of AI tools.
Moika Campaign — Over 260 verified threat reports tied to infrastructure at oob.moika.tech, with nearly 300 packages deployed. The campaign sits in a gray area: the account has a history consistent with bug bounty research (PoCs, packages without payloads, version numbering at 99.9 to float above legitimate packages), but the payloads on others are overtly credential-stealing and one researcher has attributed the campaign to a Russian nexus. This connects to a broader conversation about the volume of security-researcher-style packages in the ecosystem: between October 2024 and January 2025, between 25 and 41% of malicious packages entering OSV were attributable to bug bounty researchers. The episode also covers AI hallucination as an attack vector, using Events Channel (still live on npm with 168,000 downloads despite being reported) as an example of how LLM-hallucinated package names get weaponized.
Episode Resources:
OpenSourceMalware threat reports for Miasma
(blog) Miasma: Supply Chain Attack Targeting RedHat npm Packages
(blog) Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp
(blog) Trusted Publishing, Untrusted Branch: Red Hat npm
(blog) The Software Supply Chain Malware Landscape: January - May 2026
OpenSourceMalware threat records for Moika
(blog) 183 npm Packages Target Cloud and Finance via oob.moika.tech
Missed episodes?
This week Jenn and Paul covered:
OSV false positives from AWS Inspector: AWS's automated malware detection pipeline submitted 157 false positive entries to osv.dev. The entries were merged before anyone caught the errors. When the community began pointing out that some of those "false positives" were actually real malware, AWS started adding some back, making this a mess on both ends. AppSec vendors piled on publicly despite relying on OSV as their primary detection source without contributing to it. Paul publicly thanks Chi Tran's team at AWS Inspector for their contributions overall.
CrowdStrike, Google, and Shadowserver take down Glassworm C2 (including the botnet vs. worm distinction): The operation targeted four infrastructure components: Solana blockchain dead drops, BitTorrent DHT, Google Calendar abuse, and commercial VPS servers. The legal and technical basis for the takedown is unclear and CrowdStrike declined to comment on specifics. Paul explains how blockchain memo fields work as dead drops and how multi-stage attack chains evolve. As part of the discussion, Paul clarifies the technical difference between a botnet (centrally orchestrated persistent access across many machines) and a worm (self-replicating), and ties it to how both Glassworm and DPRK/PolinRider operate.
MSRC, Nightmare Eclipse, and the state of coordinated disclosure: Researcher Nightmare Eclipse published six unpatched Windows zero-days (RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, MiniPlasma) after a breakdown in MSRC's handling of their disclosures. Microsoft's claim that no prior notice was given is contested. Nightmare Eclipse says MSRC knew BlueHammer was coming. Microsoft's MSRC blog post named all six vulnerabilities, invoked its Digital Crimes Unit, and never acknowledged Nightmare Eclipse's claim that Microsoft deleted the account they used to report bugs and paid them nothing. The MSRC post instead triggered a flood of other researchers sharing similar experiences: Gabriel Landau reported MSRC agreed to issue a CVE in exchange for an extended embargo, then patched silently and broke that agreement. Rootsecdev reported a five-month wait followed by a "doesn't meet the bar for servicing" response, while Microsoft silently fixed it anyway. GitHub then banned Nightmare Eclipse's account; GitLab followed suit days later. Paul and Jenn note this reflects a broader, documented pattern of MSRC underinvesting in researcher relationships, not an isolated incident.
Using GitHub as a forward-hunting collection source: Paul and Jenn co-authored a guide with Feedly based on the hunting technique Paul has used to discover campaigns like PolinRider. A workshop may be submitted to DEF CON Adversary Village.
Episode Resources:
GitHub PR: OSV false positive withdrawals: AWS Inspector PR #1276
Blog: CrowdStrike: Inside the Takedown of a Developer-Targeting Botnet
Blog: Four Arms, One Monster — GlassWorm Invades GitHub, NPM, Open VSX and VS Code
OpenSourceMalware threat reports for Glassworm
X post: International Cyber Digest: Microsoft's response to Nightmare-Eclipse zero-day disclosures
Blog: MSRC: A Shared Responsibility — Protecting Customers Through Coordinated Vulnerability Disclosure
Guide: How to Collect Intelligence from GitHub on Open Source Malware
This week Jenn and Paul cover:
npm Staged Publishing: npm's new feature adds a human approval checkpoint before a package goes live. Real improvement, real caveats. We walk through what it does, where it falls short, and the questions the docs still don't answer.
DPRK Axios-Linked npm Packages: Paul discovered three malicious npm packages tied to the March Axios attacker that have been quietly harvesting credentials since early April. Classic DPRK multi-use attack infrastructure, built to support Contagious Interview and TaskJacker campaigns running in parallel.
TeamPCP's Biggest Maintainer Compromise Yet: Two npm maintainers compromised. One developer maintained over 540 packages. TeamPCP published over 600 malicious versions. Three of the affected packages alone account for more than 5 million weekly downloads.
GitHub Employee Device Compromised via Poisoned VS Code Extension: A malicious Nx Console extension published May 18th made it to a GitHub employee's device, exposing an estimated 3,800 repositories. The credential theft happened seven days earlier through the TanStack compromise. We also cover the CISA "private" repository that was not private, and what both incidents say about secrets management and GitHub permissions defaults.
Episode Resources:
npm Staged Publishing documentation
Axios attacker strikes again: Three npm packages hiding in plain sight for two months
TeamPCP compromises npm maintainer with over 540 packages
OpenSourceMalware threat report: nrwl.angular-console (Nx Console)
Nx Console v18.95.0 postmortem
Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty for episode four!
In this episode:
RubyGems bot attack: Hundreds of bots pushed 500-plus packages to RubyGems, some carrying exploits, forcing the registry to shut down new account signups. Jenn and Paul break down why the DDoS label may be misleading and what this exposes about the friction-vs-safety tradeoff every open source registry faces.
Canvas ransomware by ShinyHunters: ShinyHunters breached Instructure, the company behind the Canvas LMS used by over 30 million students globally, stealing 3.65TB of data including private messages between students and teachers. Instructure said almost nothing publicly for days. Jenn and Paul discuss the data sensitivity risks for minors and close with breaking news: Instructure paid the ransom.
Mini Shai Hulud and TanStack: Team PCP is not connected to the original 2025 Shai Hulud campaign. Paul explains how they used Adnan Khan's GitHub Actions cache poisoning technique to compromise TanStack and 90-plus packages without long-lived credentials, why attestation and trusted publishing didn't stop it, what the CIS country geofencing in the payload actually signals, how malware is now targeting .claude directories on developer machines, why novel malware still dominates the OpenSourceMalware database by volume, and why open sourcing their worm and doing press interviews is likely to hasten Team PCP's capture.
Episode Resources:
RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded
RubyGems status page
OpenSourceMalware RubyGems threat records
OpenSourceMalware Mini Shai-Hulud threat records
Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak
blog: Mini Shai-Hulud Borrowed Its Best Trick From PolinRider
blog: TeamPCP Compromises MistralAI and OpenSearch
TanStack npm supply-chain compromise postmortem
The Monsters in Your Build Cache - GitHub Actions Cache Poisoning
TeamPCP interview
Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty for episode three, covering the latest threat activity and a deep dive they've been promising since episode one.
In this episode:
DPRK Lazarus Group using git hooks: Paul's latest research shows the Contagious Interview / TaskJacker campaign has evolved. The initial loader is still the VS Code task.json file, but it now calls concatenated Git commands that drop malware via pre-commit and post-checkout git hooks, hiding the payload URL from the place researchers have been looking. Post-checkout is particularly clever: it fires every time a developer checks out a branch, and most people never think to audit it.
Antrea Kubernetes project compromise: The Antrea project, a popular Kubernetes CNI dependency, was compromised but so far no malware has been dropped into it. Paul has been tracking the threat actor and reached out proactively to the maintainers. The source of compromise is contested (we have evidence it was through the March Trivy compromise), but the core takeaway stands: threat actors don't always act immediately on stolen credentials. Assume credentials are burned and rotate aggressively.
Dirty Frag Linux local privilege escalation: Dirty Frag is a new vulnerability class discovered and reported by Hyunwoo Kim (@v4bel) that chains two page-cache write vulnerabilities (the xfrm-ESP bug and the RxRPC bug) to obtain root privileges on major Linux distributions. It extends the same bug class as Dirty Pipe and Copy Fail. Because it is a deterministic logic bug rather than a race condition, it doesn't require precise timing, does not panic the kernel on failure, and has a very high success rate. The embargo broke before a patch or CVE existed. It is already public.
cPanel actively exploited at scale: A critical actively exploited vulnerability in cPanel is hitting organizations below the security poverty line hardest. The infosec press has been quiet, but incident responders are getting hammered. Every geolocation, every crew. If you're doing IR right now, you're not alone.
Deep dive on interpreted language malware vs. compiled malware: Most malicious open source packages are written in JavaScript or Python, and that is not an accident. Jenn and Paul walk through why: no compilation step means the attack artifact ships with variable names and structural intent intact, post-install scripts enable auto-execution at install time, and sandboxes consistently fail against interpreted language malware for structural reasons. They also cover where static analysis fits in and why purpose-built engines outperform LLM-heavy pipelines for this problem.
Episode Resources:
DPRK abusing git hooks
Antrea project compromise
Dirty Frag
Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty as they cover a week that had defenders everywhere ready to call it on 2026.
In this episode, we cover four topics:
Lovable and Vercel incident response failures: Two AI-native platforms had significant security incidents in recent weeks, and both initially responded by minimizing the severity. We break down why Lovable's regression exposed source code and full chat history to any free account holder (the mother of all IDORs), why Vercel's response left paying customers without a single actionable mitigation step, and what good incident response communication actually looks like.
GitHub RCE via git push: A remote code execution vulnerability sitting in GitHub's codebase for over a decade allowed arbitrary code to be passed and executed via the -o option on a git push. We discuss why this happened, why it is not entirely surprising given Git's design history, and what it means for the ecosystem.
EDR vs. AI coding agents: Paul's EDR flagged his own development environment as infected while he was refactoring a library with Claude. We unpack why AI agents operating at non-human speed trigger the same behavioral signatures as ransomware, and why this is going to become a bigger problem as agentic coding workflows become the norm.
Mini Shai Hulud by Team PCP: Team PCP's latest campaign compromised the Lightning Python package (15 million downloads per week) and the Intercom npm client (370,000 downloads per week), among others. We cover what makes this campaign notable: Team PCP has adopted the VS Code tasks file persistence technique previously seen only in DPRK-linked campaigns like TaskJacker and PolinRider. We also discuss what over 2,000 exfiltration repositories on GitHub mean for affected developers and organizations, and what you should be doing right now if you are worried you are affected.
Episode Resources:
AI Full-Stack Development: The Anti-Patterns Rise Against Us - Part 1
Our research on some security anti-patterns we discovered when auditing how AI tools write code
Mini Shai-Hulud Borrowed Its Best Trick From PolinRider
An analysis of the TeamPCP campaign "mini Shai Hulud", including details on the trick they borrowed from North Korean campaigns like PolinRider and Contagious Interview
Renovate & Dependabot: The New Malware Delivery System
A GitGuardian blog about the way these tools can accidentally auto-install malware
Welcome to the very first episode of The OpenSourceMalware Show! Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty as they break down the latest news, threats, and best practices in the open-source ecosystem.
In this episode, we dive into four major topics:
Bitwarden CLI Compromise: We analyze the recently discovered malicious version (2026.4.0) of the Bitwarden CLI package. We break down how this cloud-native infostealer silently executes via pre-install scripts to harvest credentials across AWS, Azure, GCP, and GitHub, as well as hoovering up AI config files like Claude. We also discuss its exfiltration tactics to a lookalike domain and explain why we are skeptical of the threat actor's claims that this is the "third coming of Shai-Hulud".
The Danger of npm Lifecycle Scripts: Why are pre-install and post-install scripts such a popular attack path? We discuss how threat actors exploit these convenience features to auto-install malware. We also explore the differences between package managers, noting that while these scripts are off by default in tools like pnpm and bun, they remain on by default in npm.
OWASP's npm Security Cheat Sheet: We review a 12-point cheat sheet from OWASP covering npm security best practices. We share our thoughts on artifact governance, the realities of responsible disclosure, and why falling for dependency confusion or typo squatting attacks relies more on machine automation than just "dummy" human errors.
GenAI and Cross-Ecosystem Attacks: We wrap up with an alarming new trend we observed just this week: threat actors using Generative AI (like Claude) to rapidly translate working malware into different programming languages. This enabled them to deploy malicious packages across multiple ecosystems to target users of a specific company within a coordinated 8-hour window.
Episode Resources:
bitwarden/cli threat report
NPM security cheat sheet from OWASP
Get started with OpenSourceMalware for free