Josh talks to Paul McCarty of Open Source Malware about … open source malware. Paul explains why there aren’t many good open source malware datasets. We discuss why the existing data is lacking for many use cases. We of course touch on AI and the malware-in-skills problems and challenges. It’s a fun discussion with a lot of new and interesting problems we all have to deal with.
Episode Links
This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Episode Transcript
Josh Bressers (00:00) Today, Open Source Security is talking to Paul McCarty, the founder and maintainer of Open Source Malware. I have been following Paul’s work for a long time and I am really excited to have you here. So Paul, welcome to the show, man.
Paul (00:12) Thanks buddy, long time listener, first time caller as it were.
Josh Bressers (00:15) Awesome, I’m really excited. I’m going to set the stage a little bit. So I’ve done a little bit of, we’ll say investigation into kind of what you’re doing, but I’m also purposely coming into this with a lot of dumb questions because I feel like there’s a bunch of dumb questions I want to ask you and I suspect a lot of other people want to know. So why don’t you just start, tell us who you are and tell us what open source malware is. And then I’ll start asking dumb questions shortly after that.
Paul (00:40) Yeah, I love dumb questions because then I can give dumb answers. My name is Paul McCarty. I’ve been in the game a long, long time. I’ve been in IT over 30 years now. Originally from the US, now living in Australia, I’ve had a bunch of startups. Probably the most well-known one was SecureStack, which I started in 2017 and shut that down in 2023.
Josh Bressers (00:43) There.
Paul (01:05) Kind of an early ASPM company. While I was building SecureStack, we came across the problem of how do you cover malicious components, right? Malicious packages, but malicious GitHub repositories. And there wasn’t a good solution out there. And so last year I started tinkering around and…
and ended up building the first version of open source malware in like a morning, a Sunday morning, and it’s kind of blossomed into this other thing and we’re gonna build a business around part of it. So I’m super excited to talk about it here. Thanks, man.
Josh Bressers (01:34) Thanks.
Yeah, that’s awesome. All right, so I’ll just start with a question that I hinted at at the beginning. So I looked at open source malware and you have all of this data, you have the ability for the community to contribute, and it looks really good. What’s the angle here, right? I kept looking for, there’s no logo from a company sponsor, there’s no secret click here to get the good access type thing. It’s just like, I…
I feel like the Pepe Silvia meme where it’s like, I’m looking for something here that doesn’t seem to be there, right?
Paul (02:19) I’m a simple man, Josh. And as I said before we started taping, I genuinely built this thing on a Sunday morning because I was frustrated that there was nothing out there. I legit vibe coded this. The first version of it was vibe coded. So basically the impetus, I’ll just say it. The impetus was that we have two types of software risk. We’ve got the accidentally vulnerable, which.
Josh Bressers (02:26) Amazing.
Paul (02:45) We have a whole, you know, hundreds of startups and big companies and the OWASP top 10 and all this stuff, right? And then we have this second class of risk, software risk, which is malicious software components, GitHub repos, packages, now AI skills and VS code extensions. And the problem is that…
Josh Bressers (03:04) Yeah.
Paul (03:07) When I was at SecureStack and we were trying to help our customers at SecureStack cover off both of those risks, we just didn’t find, this is before OSV had malicious package data inside of their database, we just didn’t find anything out there. So that kind of stuck in my head and I wanted to be able to build for that and that’s how open source malware started. It really started out of that need to be able to protect myself from those malicious components.
Josh Bressers (03:35) That’s, I mean, that’s really cool. And you’re right. This is not something that, I mean, for a long time there was almost nothing. And then I know, what was it? I think GitHub started tracking some of this, OSV started tracking some of this, but yeah, I mean, fundamentally malicious packages is not kind of a data source we’ve had. And my favorite thing is malicious packages are explicitly outside the scope of CVE. So if you have a malicious package, it like isn’t supposed to get a CVE ID, which is like,
Also, I feel like, what?
Paul (04:08) Well, yeah, that cuts both ways too, Josh. And we can talk about that in terms of like Singularity and NX, which were the precursors for Shai-Hulud. But yeah, I mean, the reality is that I think it made sense for OSV and GHSA to try to tackle these things initially because people thought, well, it’s the same atomic unit. Like it’s a package, right? It’s a software package if we’re talking mostly about packages, at least at first. And so they thought, well, let’s just, you know, we have all this kind of infrastructure around vulnerable packages.
Why don’t we put malicious packages in there too? It’s the same thing, right? But that’s kind of where things started to go off the tracks right then and there because the reality is that the kind of metadata that you care about when you’re dealing with a vulnerable package is intrinsically different from the metadata that you care about if you’re dealing with a malicious package. But because they’re both packages, we think, we’ve got to cram them in the same database.
And that’s why OSV and GHSA, I’m sorry, I love OSV, but like that’s why both of them are really kind of failing at offering a real solution for malicious packages. And that’s why I built open source malware.
Josh Bressers (05:15) I mean, I’m genuinely curious what you mean by that because like, so obviously I work for a company called Anchore. We have a vulnerability scanner called Grype and like we support the GitHub malicious packages and they’re just kind of treated as any version greater than zero, right? So they get tripped up. The package scanner gets triggered and I’m genuinely curious. Like I don’t know what else you’re looking for here because like in my universe, like greater than zero.
Good enough it’s on the list, we’re done here.
Paul (05:46) 100%, 100%. And when you’re trying to protect yourself, like when you’re talking about left of incident, before an incident, right, in the SCA world, that makes some sense. I still don’t think that those solutions actually deliver value there, but the problem is really when you get to post-incident, right? When you get to post-incident, all right, so one of my developers has installed one of these things, what do I do? And you go to GHSA, you go to OSV and you’re like,
There’s just no data there. You don’t know, like, there’s no severity or impact. There’s no threat information about what the payload does. There’s no IOCs. So from like an incident response perspective, those solutions just aren’t delivering. And that’s, you know, the first thing that we built in open source malware. So from a post-incident perspective, you know, we cover off, you know, a whole set of data that the OSV and GHSA just never have and never will, frankly.
Josh Bressers (06:43) Okay, that makes sense. Let me make sure I understand what you’re talking about here, because I think I do. So what you’re talking about is, like what I mentioned is just, we have a container, we have a developer installing something, and we just say, like, don’t do that, right? Like, we’re way on the left side, is what I was kind of talking about, like greater than zero, right, in that regard. And what you’re talking about is the developer got the package installed, and now we need to understand, like, was it…
Was it running a crypto miner? Was it stealing SSH keys? Was it installing something other malware onto the system? Right? Like that level was what you’re talking about.
Paul (07:18) All
Was it little Jimmy next door that has a package that got downloaded 100 times, has a crypto, like just an obvious crypto miner in it, right? Or was it DPRK, you know, North Korea, that package has been downloaded 125,000 times, and man, if you get that, you know, your day is gonna get really, really bad really, really quickly, right? So that distinction, and it’s weird too, Josh, because you think…
Josh Bressers (07:32) Yes.
Yes.
Paul (07:46) Like I want to know this kind of idea of like Boolean maliciousness. Like I want to know if it’s malicious. And if it is, that’s good enough, right? And this is effectively what you were saying earlier. And that’s, you can make that argument before the incident, but that argument really falls apart really quickly after the incident, for sure.
Josh Bressers (08:03) Right, right. Yes, a hundred percent. I mean, having, I’ll admit I’m firmly rooted in the AppSec world where I luckily avoid incidents whenever possible because I know how much work they are and I’m lazy. But yes, you are absolutely correct. Like depending upon what happened, it strongly dictates what happens kind of next. Okay, so let me ask that then. So one of the challenges I’ve had is when I know there’s like a malicious package.
Like how do you get a hold of it to even do the analysis to find the IOCs to find what happened because generally speaking these package repositories, they just whack it and it’s like gone forever and you can never find a copy.
Paul (08:46) But is it? I built a library and I built a CLI tool. It’s on NPM, ironically, called Undelete. But yeah, I’ve been doing this for a long time. The reality is that even after… So let’s just assume that if something comes out and it’s been marked as malicious, I want to go and get it. You can usually go and get it if you know where to look. But I think many orgs and Open Source Malware certainly wants to be on this side.
Josh Bressers (08:47) So we know secrets.
Okay.
Paul (09:15) We don’t want to wait for somebody else to find it, right? So we have a whole scanning. And you can’t find any mention of this on the website, because this is all stuff we’ve just been building in the back end. But we scan every single package and look for those kind of malicious tells. And then if we find some of those malicious tells, we pull it apart, find the IOCs, find what it does, and do kind of classic malware. Well, not classic, because it’s interpreted. It’s not binary. It’s typically not.
De-obfuscating it, figuring out what it talks to, figuring out what it pulls. A lot of the North Korean stuff pulls four and five subsequent payloads. So you’ve got to pull all those payloads and each one is progressively bigger, and making sure that you pull it in the right way so you can get it. So there’s a lot of machination and infrastructure that goes on behind the scenes, and that’s something that we built at Open Source Malware as well.
Josh Bressers (10:05) Nice, yeah. So I remember when I was at Elastic, we had a team of people that would like, you know, detonate malware and see what happens and scan it while it’s doing its business and all that. And it was just like, that was always the scariest thing to me. Cause it’s like, what happens if it gets out? Like what, ah, this is just, I, I.
Paul (10:20) Right?
Josh Bressers (10:22) I can only fathom the amount of stress that comes along with all of that. Cause I know how hard it is to secure and lock down this stuff. But then when you’re also like actively running exploits that are actively doing bad things in the world, it’s just like,
Paul (10:35) All right.
100%. And I think the problem too is a lot of those kind of sandbox technologies and, you know, free open source, not free, not open source, but free tools like AnyRun and Recorded Future’s Triage. Those are great tools, but like I drop stuff into them all the time and they rarely, rarely identify it as malicious. And that’s just because the type of, the type of detonation that happens out of typically Python or JavaScript malware is just different.
It’s just different than what you see when things go boom with kind of classic malware. So those tools just frankly aren’t very good at identifying it. And even VirusTotal uses hashes mostly. So 90 plus percent of the stuff I drop into VirusTotal doesn’t trigger. So that’s part of the problem too.
Josh Bressers (11:27) I mean, that makes sense. So what are you triggering? So if I’m a user, and I actually don’t know this, because I’ve not dug deep enough into your API, but if I’m a user, what am I sending? Am I sending you hashes? Am I sending you package names and versions? Like, what is it the thing you want from me to give me the information I need?
Paul (11:47) Yeah, you can go to the website, opensourcemalware.com, and you can search for package names, Git repos, AI skills, VS code extensions. We even have domains and IPs, and you can search for those too as well. But yeah, those domains and IPs, though, we haven’t sourced those lists from other kind of places. Those domains and IPs have only come out of software supply chain attacks. So for example, I wrote up a blog post today. It’s the latest Glassworm stuff.
Josh Bressers (11:59) nice.
cool.
Paul (12:17) And it uses blockchain, but it also uses like 10 different IPs. And so those IPs are all connected inside of open source malware to that particular campaign.
Josh Bressers (12:26) Right, right. Okay, that makes sense.
Paul (12:28) That’s a web UI. So the other half of it is API. All those things I just said you can look up, you can pull that via our API too as well. And you can also pull threat actor data and a bunch of other cool stuff if you get access to the kind of fancier API endpoints. So that’s a whole set of things that we have inside of our database and inside of our ecosystem that OSV and GHSA and ASPM companies don’t have as well. Like who are the threat actors?
What are the accounts they’re using? What do those accounts do? How are they connected, et cetera?
Josh Bressers (13:02) Yeah, and that’s always fascinating once you start, you know, kind of going down that rabbit hole. So let me ask you then, you have a public API, you have pretty juicy data. So how bad are the scrapers like pounding on your infrastructure?
Paul (13:16) You know, not too bad, but you know, we’ve had to put protections in place. We’ve got the typical kind of rate limits and we’ve put like a limit around the number of things that you can pull. And the reality is that that infrastructure does cost us something. So we’ve got an AWS bill, and you know, just like everybody else. And so that’s one of the reasons that we’re, you know, building a commercial model on top of that. But the reality is that, you know, some of our users pull tens of thousands of times a day, and that’s okay. As long as they’re within those.
Those rate limits, have at it. The data is there. And the really cool thing is that unlike some of the other kind of platforms like GHSA and OSV, we’ve got people. I really wanted this idea of like bug bounty meets OSV meets Wikipedia. So basically really encouraging community and contributors as part of that. So every day when I wake up in the morning here in Australia,
I log in to OSV and I see a bunch of stuff that people have contributed overnight and I go and I validate whether or not it’s actually malicious or not. And then once I validate it, it goes in the database.
Josh Bressers (14:21) Nice. Yeah. Yeah. Which is, I mean, I do appreciate that. I like the way GitHub and OSV have, I mean, it’s enough community contributions, I’d say, versus when we look at like, especially the CVE program, it’s just a brick wall. Like if you have information that can be contributed, like, ha ha, too bad. It’s not going anywhere.
Paul (14:45) Yeah, I mean,
OSV- Sorry, go ahead.
Josh Bressers (14:47) No, no, I was just, yeah, it’s very frustrating sometimes. So seeing like, you you building a community portal, that kind of delights me.
Paul (14:58) I am, you know, that’s one of the things I like about OSV’s malicious package repo. It’s a repo. Anybody can contribute to it. And for a while there I was the leading contributor and then a guy at AWS overtook me and is crushing it. The reality is that, you know, I wanted people to be able to contribute, but I also wanted people to be able to, if they find a threat report on open source malware that they don’t agree with or that they have better, and this is typically what happens if they’ve got more enrichment data.
Josh Bressers (15:07) Nice.
Paul (15:25) Unlike OSV, unlike GHSA, they can actually add data to it that goes back into the system. One of the admins validates, listen, you know, Thais has added, you know, new IP addresses. Sure enough, those are legit. Let’s add that so those are additional IOCs that people can use to protect their organization. So we have this kind of constant stream of people updating and enriching the data as well.
Josh Bressers (15:31) Yeah.
That’s pretty cool. I dig it. And you’re right, because I mean, this is one of the complaints you can have about OSV and GHSA is they have very rigid schemas. Well, actually they have the same schema. And like, if you have something that doesn’t fit in their schema, like it just doesn’t go in. That’s it. We’re done.
Paul (16:09) Yeah. I mean, so they do have the ability to put IOCs inside of their schema. It’s something that’s supported in the database parameter set. But guess what percentage of OSV reports have IOC data in?
Josh Bressers (16:24) Man,
I would guess less than like 1% if I had to.
Paul (16:28) It’s actually a little bit more than that, it’s less than 3%. And most of it’s very old, most of it’s from 2023. There’s one contributor that adds IOC data to his Python stuff, but very little of that data inside of OSV.
Josh Bressers (16:30) Okay, okay.
That’s fair. I mean, I kind of get it because, so one of, I guess, I don’t know if this is a complaint or just an observation, is like, OSV exists for Google to have vulnerability and malicious package information for their own uses. And then they also happen to let the rest of us look at their data and help them with it.
Paul (17:05) Right.
Josh Bressers (17:08) And from Google’s perspective, I suspect they don’t care about IOCs, right? They just want probably name and version. Cause they’re going to stop it like way on the left side. It’s getting pulled for the first time versus it’s never going to detonate. They don’t care.
Paul (17:24) So that’s the reality, is that it detonates all the time. I mean, they’ve got Mandiant and GTI. I think that’s something that’s really kind of unique to how I’ve been dealing with things because I write these blog posts and I’ve gotten really kind of famous for writing these blog posts, right? And here’s the thing, Josh. People that have been hit by that particular thing, email me or they hit me up on LinkedIn. So I have just all these conversations.
Josh Bressers (17:27) Ahem.
Nice.
Paul (17:47) You know, on Reddit even people hit me up like, yeah, we got hit with that. So I get to say, I have this conversation with them like, do you know how the initial infection happened? They’re like, yeah, we think it was John when he did this thing. And so like, I am seeing the post compromise data firsthand because of the way that I write these blog posts and I’m actually encouraging people to interact with me and have those conversations with me. I think the whole industry has this kind of, to your point earlier, has this kind of.
these blinders on that, hey, we’re protecting people because we let them know about this before they install them. Here’s the thing is, just because NPM removes it from NPM doesn’t mean it’s not in your artifactory, doesn’t mean it’s not in a CDN, doesn’t mean it’s not already in your developer’s laptops, right? And this idea, we just have to become more mature about the threat and the risk around these packages and these software components. And AI skills is a whole nother thing, right? Because these things are everywhere.
Josh Bressers (18:37) my goodness.
Paul (18:40) and all the AI skills registries, all they’re doing, Josh, they’re just aggregating GitHub repos. That’s all they’re doing. So they just keep aggregating the same malicious repos into a new registry and a new registry and a new registry. It’s crazy.
Josh Bressers (18:46) Yeah, yeah.
Well, I mean, so you actually probably have more insight then into this, because I know I read some reports that people were trying to report malicious packages to the OpenClaw folks because their registry was like chock full of malware. And I know you were one of them and they were basically like, there’s nothing we can do. It’s too hard. And it’s like, wait, what?
No, that’s not how this works. Do you know, have they cleaned that up at all or is it still like YOLO?
Paul (19:25) Oh my God, duh. So have they cleaned it up? So the OpenClaw official registry is called ClawHub. ClawHub.ai. And if you go to ClawHub.ai’s website, most of the malicious stuff, historical malicious stuff has been removed from the website. New stuff goes in there all the time. Open source malware scans that every day, and so we’re finding new stuff all the time. So in our database, we have almost 1,000.
Josh Bressers (19:35) Yes.
Okay, sure, sure,
Paul (19:54) malicious skills in the database. But here’s the problem. The official OpenClaw GitHub repository doesn’t remove those malicious packages, those malicious skills, sorry, not packages, those malicious skills, does not remove those from the GitHub repo. And as I said a minute ago, all the registries are just searching GitHub looking for skill.md. And so they’re finding these malicious, these hundreds of malicious skills.
and then they’re sucking them into their registry, right? And there’s a bunch of them. I won’t call people out, but that’s unfortunately what’s happening. Yeah, the problem is compounded by the ignorance around how you, this idea that once they’re removed from the web UI, that the problem goes away, it’s just not the case.
Josh Bressers (20:31) awesome.
I mean, I don’t know if it amuses me or depresses me, Paul, that I see like all these new registries like literally making the same mistakes. NPM and PyPI and Ruby gems and everyone have all made in the past.
Paul (21:00) Right?
I actually said that, I tweeted that. I actually got back on Twitter just to have this conversation with Pete, the guy that created OpenClaw. I said to him, mate, if you had approached me, I would have told you, I would have, for free, I would have met with you and told you all the things that NPM and PyPI do wrong. And I know them very well. So you don’t have to do those things. But in his hubris, he just said, fuck it. And he just YOLO’d a whole registry out of his brain. Of course, and dude, seriously, Josh.
DPRK, North Korea showed up on that really quickly. There’s legit evidence that shows that some of these campaigns that I’ve been following, Paul and Ryder and some of the other ones, are actually from the OpenClaw registry, those malicious, when DPRK showed up and started dropping all these hundreds of malicious packages, sorry, skills, I keep saying packages, skills, habit.
Josh Bressers (21:52) It’s fine. We know what you mean. It’s all good. But I mean, that doesn’t surprise me though,
right? Because you’ve got really, when we think about, you know, malicious actors, there are very opportunistic threat actors and they’re going to go wherever they can go. And right now it’s, it’s claw hub because
That’s where a lot of people are using it. It’s super YOLO. Like no one is paying attention to what they’re doing here. And they obviously don’t have a security team. Like you think about like NPM and PyPI, like we can, you know, poo poo them every now and then for the amount of malware they have, but they do have like literal teams of security people that are dealing with the malware, right? I suspect ClawHub has zero security people dealing with malware. Okay. Paul.
Paul (22:37) They’ve got me. They’ve got me in open source malware acting
as like. Yeah, I mean, and the problem is too that because many of these skills then install packages or do things because a skill is basically just you’re telling your agent, and the agent’s already been pre-packaged. You’ve already given it a ton of permissions, right? You’ve given it your GitHub credentials and everything else, right?
Josh Bressers (22:41) You
Yeah. Yeah, right.
Paul (23:03) So now it’s basically just running whatever’s in the skill. And those skills typically, some significant number of those skills install packages. Very, very common, and people are used to it. So the bad guys can install packages from NPM. They can set the NPM, I’ve already seen this, they can set the NPM registry to be something that’s not the replicate.npm.js. And so you’re pulling packages from somebody’s homemade. A lot of bug bounty kids are doing this right now, but the real bad guys are doing this too as well.
Josh Bressers (23:31) Nice.
Paul (23:33) So yeah, Skills has kind of reinvigorated the whole ecosystem by just like adding this layer. And nobody wants to get left behind. Nobody wants to be the dummy luddite that doesn’t understand this stuff. So a bunch of people, even security people, are trying out things like OpenClaw and you know, it’s as you say, it’s a Wild West.
Josh Bressers (23:52) Okay. I’m going to take us in a weird direction just cause I value opinions from people like you. So I remember I looked at OpenClaw and literally like hours after this became like big news, I had a message to all of my employees, you know, at work that is like, for the love of God, do not run this on your work computer. After looking at it for like 30 seconds, I found more horrifying things than I want to explain.
And like, here is the question always, right? Cause I know like the AppSec people, you look at like the OWASP crew, there’s all these people that are like, oh, we’ll just teach people to be secure and they want to do the right thing and they’re going to do the right thing. And then this new technology, I mean, this is, NPM was a story, Python was, everything’s been this story. Same thing. We’re like, everyone sees this new thing and like security be damned, go away nerd. You’re in the way. And they just like.
do whatever they want and the security people are like, oh no, we’ve done it again. And like, I would love your thoughts on this. Like, is this just the way it’s always going to be? Is there something that could have happened differently? Is there something we don’t do correctly? I don’t know. I genuinely don’t know.
Paul (25:13) Well, the real problem is that the human race has the luxury of lots of free time on its hands, right? We don’t have to hunt for our food and stuff like that anymore. And so we have all this time to mess with things like OpenClaw. Listen, I think a lot of security people, I can speak for myself, have had real benefit from using agentic AI, Gen AI stuff. So I use Claude every day. I’ve got these complicated workflows and lots of cool skills.
Josh Bressers (25:17) That’s true.
yeah, for sure.
Paul (25:39) And so to make the argument that autonomous agents, right, this idea that they do stuff and they come back to you every once in a while and they have you answer questions and they go and do their things and all the things, you know, I mean, you could make, you could see the kind of line from what we’re doing with Claude and agents and skills, sorry, and skills and whatnot to that. The difference is that you and I and a bunch of other people, we know that bad things happen. There be dragons, right? And even yes, yes.
Josh Bressers (26:05) Yeah, yeah.
Paul (26:08) Many security people have probably done things, including myself, with agentic AI that they probably wouldn’t have done before because they don’t want to be the dummy that doesn’t know how, right? That’s just, you know, it is what it is, right? But at the same time, in the back of our heads, we always have this kind of thing bugging us like, shit, like this is, there’s a lot, I just gave them my GitHub creds, like how did, what was that PAT scoped down to, like, you just kind of, right? And so you’re thinking this. The problem is many of the people that have been given this technology don’t have that. They’ve never seen the thing go.
Josh Bressers (26:18) Yeah, yeah.
Paul (26:37) Boom, right? They’ve never seen the bad thing happen. Your job, Josh, my job, is that in part we’ve seen the bad thing happen a lot. And that’s why we try to build security earlier than the bad thing happens, right? And they’ve just never seen that. And so they just don’t think it’s gonna happen. That’s why they’re acting the way they are. They’re just running this shit with a lot of credentials and very little oversight.
Josh Bressers (27:00) Well, and it is cool. It’s almost magical, right? When you run a bunch of these agents and like things just happen. And now I will also say, like, one of my favorite examples, I guess, is SELinux, right? Everyone knows SELinux and I worked at Red Hat. I know how to configure SELinux. I know how all this stuff works. And as soon as it gets in my way, I turn it off every single time. Cause it’s just, it’s too much hassle to fix it correctly. So I just turn it off.
Paul (27:23) Turn it off. Disable.
Right.
Josh Bressers (27:29) And I suspect in a lot of these instances, you have normal people, they have a GitHub token. They’re like, screw it. I just give it like admin on everything, it’ll just be able to work. Except now we have, you know, a North Korean skill that’s taking over GitHub repos. Cause, cause you’ve given it admin.
Paul (27:46) Right?
Yeah, and that is legitimately what is happening right now. I’m working two big campaigns, and the campaigns I’m working on aren’t even the Glassworm stuff that Socket and a bunch of other organizations are working on. So there’s multiple threat actors out there. Glassworm is Russian, Paul and Ryder, and the other stuff I’m working on is DPRK. But they’re finding ways to get this stuff into the AI skills, to the VS code extensions. A couple people have reached out to me saying,
Josh Bressers (27:53) Yeah.
Paul (28:18) that they figured out how it came into their organization because people downloaded Electron apps that were doing, that were helping them pass coding challenges. It’s kind of, have you heard of Cluely?
Josh Bressers (28:30) Cluely? I don’t think I know Cluely.
Paul (28:33) Run by this terrible, anyhow, it’s a startup that all they do is help you pass coding challenges, or they help you cheat. That’s the whole point of it, right? And so this app was to help people like they were in an interview and somebody would say, okay, why don’t you show me how to create a nested list and blah, blah. And they were just having the thing do it, right? And that is how North Korea got on their laptop. And then, because it’s not just the developer, it’s the developer has access to the enterprise, right? And if they’re a freelancer,
Josh Bressers (28:52) Nice.
Paul (29:01) They don’t have access to one enterprise. They’ve got access to lots of enterprises, right? That’s a lot of GitHub organizations to get pwned in a short period of time.
Josh Bressers (29:03) Right. Right.
That’s fair. Yeah. And you want to, I mean, you have the lateral movement between it. Oh man. That’s, I mean, I’m impressed. Good job, threat actor. But, man, I get it. I get it. Like, okay. All right.
This is, if Paul, if you would have told me what’s happening right now, like five years ago, I’d be like, there is no way that would happen. Like I wouldn’t have been like, that is the worst science fiction story I’ve ever heard. And yet here we are.
Paul (29:41) Right?
Josh, I’ve said that same sentence you just said to me. I’ve said that to my wife and a bunch of my friends in the last week. I would never have guessed this is where we are. But there’s an agent on my machine, and I’m never going to let it run in YOLO. But I’ve definitely thought about running it in YOLO, and I’m a security guy. This is a crazy time we live in.
Josh Bressers (29:53) Yeah.
I mean, I get tempted to spin up a VM like in DigitalOcean or something and just like let it, let it rip. Like what’s going to happen? Let’s see, you know, give it like, give it a prepaid credit card, give it a bunch of GitHub credentials and just see what happens next.
Paul (30:12) Right.
Somebody wrote up a meme. In Australia we have slot machines; we call them pokies because you’re poking them. And when you’re sitting there with Claude, right, or Codex, and it’s just asking you questions, you’re like, yes, yes, yes. It’s like what people do in the slot machines. Yes, yes, yes. But, you know, that means you and I are reading what it just asked us, right? Or at least, you know, in theory, we’re, you know, glancing over it, right? So there’s some
Josh Bressers (30:29) Yes, I did know that.
Paul (30:49) There’s some kind of resistance to this idea that the agent can just do whatever it wants to do.
Josh Bressers (30:55) Well, I mean, except there are documented instances of agents lying to whoever is running the agent. Like, that’s a whole other aspect of this that I don’t think any of us are prepared for in any meaningful way.
Paul (30:56) Not everybody’s doing that.
Yeah, this idea that as things, as the agents get close to their context window, to maxing out the context window, even before they get there, they start ignoring things that you’ve told them. It’s like you’ve taken the time to put it in the skill. You’ve taken the time to specifically remind it in the original prompt and yet it still does the thing, right? Hey, I’ve told my, I have a skill. It was like, go and validate that the IP addresses in the, in the ports that you just pulled out, that you can hit those with a curl, right? Well, sometimes it says it does it.
But it doesn’t.
Josh Bressers (31:44) Yeah. Yeah. Right. Right. Or my, my favorite example. And I know I’ve seen this going, going around, as a coworker of mine tried out the Claude sandbox. And as we’re reading the log, at one point it’s like, I see the sandbox is on. Let me turn that off and try again. And it’s like, wait, what? No, that’s not how this works. And it did. And it worked. And I’m like, my goodness. I don’t. Okay. All right. So here’s how I want to end this one, Paul, is.
Paul (32:04) Yeah. Yeah.
Josh Bressers (32:12) I feel like we’ve only talked about bad things and it’s hard as security people sometimes I think to be optimistic. like, what do you see happening that, that doesn’t fill you with existential dread?
Paul (32:27) Well, I mean, I think that AI, you know, just sticking on the, I have found genuine benefit from AI. Is it the all-expansive, you know, amazing stuff that people say on LinkedIn? No, it’s not. You know, you have to control it and you have to manage it, right? But I mean, the reality is that the ability to get, you know, to deobfuscate JavaScript really quickly and pull out IOCs and do some of these things and be able to help people get these things in the hands of people that are like, I think I have a problem right now. What do I do? Being able to get that.
Josh Bressers (32:40) I’m shocked to learn that.
Paul (32:56) When I used to do this before AI, de-obfuscating a highly obfuscated JavaScript sample took me days, right? And writing up the blog post to help people understand that took me days. But now AI is helping me do this stuff. Am I sitting there and constantly managing it? Of course I am, because that’s the kind of person that I am. But the reality is, to your question, that’s the part that makes me most hopeful, is that if we manage these tools the right way,
If we enforce the guardrails and constantly check that those guardrails are being used or are there, these things can produce and make things accessible to us in a much faster way and get those kind of things that people need in their hands a lot quicker to be able to address the problem. So that part makes me hopeful, but that’s about it, mate. Not much else.
Josh Bressers (33:45) I mean, I’ll
add a little bit to that maybe. So you mentioned like using an LLM to deobfuscate JavaScript. This is one of the, so one of the, one of my side projects is I bought a Framework desktop and I’m trying to, I’m seeing like how much stuff can I do locally at home? And it’s
surprisingly good at many things. Obviously de-obfuscating code is one of those things where I was obfuscating a bunch of stuff. JavaScript, like de-obfuscating is JavaScript to these things. Like it might as well be regular JavaScript. Like they don’t care, which is amazing. The other thing they’re really good at though is like pointing them at code and saying like, for vulnerabilities, right? Where they’re, humans are terrible at this.
Anyone who’s ever done like vulnerability research knows how hard it is and how terrible it is. However, and this is true of like de-obfuscating JavaScript as well as finding vulnerabilities, is while that’s hard to do as a human, it’s still less hard than what you do with it after that, right? Cause now, like once you’ve de-obfuscated things, you have to start figuring out what does it mean? How do I, you know, talk about this? I’ve got to put together my IOCs. I got to put together whatever information I need to distribute. When you have a vulnerability, it’s like now I have to coordinate
disclosure with a bunch of, you know what I mean? Like it, it’s still really hard even when we have these magic tools, which is, I mean, it’s okay. Cause like that’s fine, but like, holy cow, it’s, it’s, it’s funny how that is where we, I love reading these news stories and there’s like, no, no, this is, there’s still a lot of hard stuff that happens after this. Like we haven’t destroyed an industry. We just made one part of the process easier.
Paul (35:22) Right.
I was talking to somebody earlier today and they have a malicious component that keeps popping into their CI pipeline. They keep getting rid of it and it keeps coming back. And the reality is LLMs, you know, helping me to de-obfuscate the code and pull out the IOCs and all that stuff, that’s great. But that’s not really helping them right now, figuring out how the hell does this thing keep regenerating itself and where is it coming from? They clearly have a bigger issue somewhere upstream. They just don’t know where it is, right? And, you know, I mean, in…
Josh Bressers (35:35) guys.
Paul (35:54) you know, the CI pipelines we were talking about earlier, you know, Claude and all these tools, we give them a lot of credentials, but CI pipelines are where two super important things kind of come together. A whole lot of access, API credentials, AW, like all kinds of stuff, and your core intellectual property, right? Those two things are coming together in your CI pipelines and a bunch of automation is running. And the reality is that still today in 2026, we don’t have enough visibility there. There’s a lot of people using
Josh Bressers (36:07) Yeah, yeah.
Paul (36:22) free GitHub Actions where the logs all go away after 30 or 60 days. You know, there’s not the visibility there we need to know whether or not that hugely important place is being, you know, if bad things are happening in there. So, yeah.
Josh Bressers (36:39) Yes, having just done like a pretty extensive audit of all of our GitHub Actions after some, some, we’ll say, competitor’s vulnerability scanner had an incident. Like it is a lot of work and it’s, it’s also one of those things like it is, I don’t know how people would start doing this because quite frankly, there’s not very much information about what’s going on. One of the only reasons I like, like
Paul (36:53) Yep.
Josh Bressers (37:05) zizmor is a marvelous tool. And the only reason I even really know about that is I talked to William Woodruff on this podcast. He told me all about it. So I’m like, I know what to do. This is what we need to do, which is wild. Anyway. Okay. All right. You got the last word, Paul. Please, please.
Paul (37:22) Actually, can I just double click
on that? Yeah. To that point, I wrote a blog post today, it’s going live tomorrow, but in that blog post, I talk about the fact that I’m getting frustrated with all these different security vendors all kind of coming up with things in their own silos and not talking. Over the weekend, three different security vendors all came up with, one was about VS Code, one was about GitHub, one was about NPM or whatever, bye bye, excuse me.
Josh Bressers (37:41) my goodness, yes.
Paul (37:48) And it was all the same threat actor, right? But they were all presented like they were three separate kind of campaigns and attacks. And I get that, that’s fine. But we need to do a better job of talking amongst ourselves. And so, you know, rather than just being the guy that bitches about it, I’m part of a Signal group that, you know, there’s a bunch of people from different vendors that are all sharing this kind of stuff behind the scenes because that’s what we need to do. So this is Paul’s call to action here, homies. You know, let’s start talking more amongst ourselves because
Josh Bressers (38:17) Yes.
Paul (38:17) Ultimately,
what we’re trying to do is we’re trying to help our customers, whether they’re my customer or your customer, we’re trying to help them. We’re trying to help them get through a really shitty time. And let’s try to share data amongst ourselves to do that better as a community. That’s my last word there, Josh. Bam!
Josh Bressers (38:31) No, that’s perfect. And yes, I could not agree any more than that. This is a perpetual problem security has always had, where everyone’s in a silo. We even see it with like open data sets where like the things GitHub is doing isn’t necessarily the things OSV is doing, isn’t the thing CVE is doing. And I mean, this is like, it’s such a pain in the butt where if it’s like, if everyone just worked together, we would solve an enormous number of problems. And I know that’s easier said than done.
But yes, that is, I can think of nothing better to end the show on, Paul. So thank you so much. And I will put links. It’s perfect. It’s perfect. I’ll put links in the show notes to, to Open Source Malware. And, and if you don’t follow Paul on LinkedIn, do that, cause he’s prolific and he’s, he’s posting about what he’s up to all the time. And it’s just amazing work. So definitely go pay attention, and you’ll have to come back, man, soon. Cause this is a ton of fun and I can’t wait to see what you do next.
Paul (39:06) It’s my Kumbaya moment there, man.
Thanks buddy, I really appreciate the opportunity. See you mate.
Josh Bressers (39:31) Awesome.
Thank you, Paul.