
The OpenSourceMalware Show: #9

Mastra compromise, agentjacking, and malware mythbusting



The OpenSourceMalware Show is available on YouTube, LinkedIn, and as a podcast.

Mastra Package Compromise: Threat actors hijacked the entire Mastra npm organization (116 packages) after a maintainer was targeted with a ClickFix-style attack that stole his credentials. Rather than injecting malware directly into Mastra packages, attackers pre-staged a typosquatted package called 'easy-day-js' and added it as a dependency across the org. The malware differs from the structurally similar Axios attack in one notable way: it targets browser extensions, including password managers (LastPass, Bitwarden, Dashlane, 1Password) and MFA tools, with Zapier among the more unusual targets.
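As an added example (not code from the show or from any vendor write-up), here is a release-review check for the pattern described above: a dependency that first appears in a new release, shows up in several of an org's packages at once, and resembles a well-known name. The org scope, version ranges and the `WELL_KNOWN` list are constructed assumptions; only `easy-day-js` comes from the page.

```javascript
// Added example: flag dependencies that first appear in a new release and
// resemble a well-known package name. All manifests below are constructed.

// Assumption: a reviewer-maintained list of popular names worth protecting.
const WELL_KNOWN = ["dayjs", "axios", "lodash", "express"];

// Manifest sections that get installed for consumers of a published package.
const SECTIONS = ["dependencies", "optionalDependencies"];

// Drop the scope, lowercase, and strip separators so "Day-JS" == "dayjs".
function normalize(name) {
  return name.replace(/^@[^/]+\//, "").toLowerCase().replace(/[-_.]/g, "");
}

// Dynamic-programming edit distance using a single rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Triage signal, not a verdict: says which known name a new name imitates.
function lookalikeOf(name, known = WELL_KNOWN) {
  if (known.includes(name)) return null; // the genuine package itself
  const n = normalize(name);
  for (const target of known) {
    const k = normalize(target);
    if (n === k) return { target, reason: "separator-variant" };
    if (k.length >= 5 && n.includes(k)) return { target, reason: "embeds-name" };
    if (k.length >= 5 && levenshtein(n, k) <= 1) return { target, reason: "edit-distance" };
  }
  return null;
}

// Names present in the new manifest but in no installable section of the old one.
function addedDependencies(prev, next) {
  const before = new Set(SECTIONS.flatMap((s) => Object.keys(prev[s] || {})));
  const added = [];
  for (const section of SECTIONS) {
    for (const [name, range] of Object.entries(next[section] || {})) {
      if (!before.has(name)) added.push({ name, range, section });
    }
  }
  return added;
}

// Group additions across an org's releases; report lookalikes and any
// dependency that appeared in several packages in the same publish wave.
function reviewOrgRelease(releases, spreadThreshold = 2) {
  const byDep = new Map();
  for (const { pkg, prev, next } of releases) {
    for (const { name } of addedDependencies(prev, next)) {
      if (!byDep.has(name)) byDep.set(name, []);
      byDep.get(name).push(pkg);
    }
  }
  const findings = [];
  for (const [name, packages] of byDep) {
    const lookalike = lookalikeOf(name);
    const widespread = packages.length >= spreadThreshold;
    if (lookalike || widespread) findings.push({ name, packages, lookalike, widespread });
  }
  return findings;
}

// Constructed sample: two packages gain the same new dependency, a third
// adds the genuine dayjs (which must not be flagged).
const SAMPLE_RELEASES = [
  { pkg: "@example-org/core",
    prev: { dependencies: { zod: "^3.0.0" } },
    next: { dependencies: { zod: "^3.0.0", "easy-day-js": "^1.0.0" } } },
  { pkg: "@example-org/cli",
    prev: { dependencies: { "@example-org/core": "^1.0.0" } },
    next: { dependencies: { "@example-org/core": "^1.0.1", "easy-day-js": "^1.0.0" } } },
  { pkg: "@example-org/docs",
    prev: { dependencies: {} },
    next: { dependencies: { dayjs: "^1.0.0" } } },
];

console.log(JSON.stringify(reviewOrgRelease(SAMPLE_RELEASES), null, 2));
```

The substring rule will also surface legitimate packages that contain a well-known name, so treat findings as a review queue for a human or a second check, not as a block list.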

“Agentjacking” as a malware attack vector: A Cloud Security Alliance paper describes a concept called "agentjacking", where attackers inject malicious instructions into Sentry error events, which AI coding agents then retrieve via MCP and execute with the developer's own elevated permissions. This pattern isn't new: weaponizing an agent's privileged access against its owner was a core mechanic of the 2025 S1ngularity attack. What the paper describes is sophisticated prompt injection through an MCP server that fails to sanitize third-party data before passing it to the agent. Its conclusion that EDR can't catch this misses the point: EDR can't catch most open source malware either, because the traffic and signals are indistinguishable from normal software development activity.

Malware Myths: We bust four myths making the rounds in the AppSec community. First, that open source malware only lives two to three days: typosquatting and dependency confusion packages routinely survive for weeks or months, and npm's inconsistent takedown practices make it worse. Second, that npm install scripts are going away: they're not; they are becoming opt-in by default. Third, that package firewalls and cooldowns will eliminate 99% of risk: they won't, for the same reason the lifespan myth is wrong. Fourth, that threat actor attribution doesn't matter: it does, because knowing who compromised you tells you what persistence mechanisms and next steps to look for during incident response.


Mastra Package Compromise

[00:00:00] Jenn Gile: We're back. It's Thursday. Thursday, June 18th. Um, I can't believe how quickly this year has gone by. When I set up the stream on, what was it, Monday or Tuesday, our, like, little backlog of topics to talk about this week was empty, and I thought, you know, I shouldn't say anything, but I'm gonna say it 'cause I don't believe words can make things actually happen.

[00:00:27] Jenn Gile: So I was like, "You know, it's kinda quiet this week, but I'm sure we'll find something to talk about." Lo and behold, uh, we have something to talk about, and that is the Mastra or Maestra, however you pronounce it, compromise. Um, we got a few other things on the list, but before we jump in, anything you wanna chat about, Paul?

[00:00:52] Paul McCarty: Uh, I'm making progress in wiring my office, so I'm hoping that next week, if not next week, I'll be able to record this in my new office. But if not that week, then the week after that. So getting there.

[00:01:02] Jenn Gile: Exciting.

[00:01:04] Paul McCarty: Very exciting. Uh- The Southern Hemisphere headquarters ... here at Earth's- Southern headquart- Southern Hemisphere headquarters for OSM.

[00:01:11] Jenn Gile: Will soon have electricity.

[00:01:14] Paul McCarty: I'll put a sign up and everything.

[00:01:16] Jenn Gile: Okay.

[00:01:16] Paul McCarty: There's a sticker already, but yeah.

[00:01:17] Jenn Gile: Okay. Well, you know, progress. Um, now up here, up, up in the, the almost the Great White North, uh, school is finally out for the year. I've got a kid out of school, and so now we're kind of properly getting into summer.

[00:01:32] Jenn Gile: And gosh, I really wish I could have a summer vacation. But you and I will be in Vegas in what? A couple months? Less than two months. Yeah. We'll be there for- Yeah ... BSides and DEF CON and actually Black Hat as well. So if anybody is gonna be there, let us know. We'd love to meet up. Um, who knows if we'll do a happy hour or what the case will be, but, you know, coffee, probably lots of water.

[00:02:01] Jenn Gile: I don't know, Vegas in August is not my favorite place to be, but it is a fun week.

[00:02:08] Paul McCarty: I, I, I despise Vegas, right? I despise it. But that week, I just, I love that week so much. I just get so stoked for that week that I don't care it's in Vegas. It could be in the ninth ring of hell. Well, kind of sort of the same thing.

[00:02:24] Paul McCarty: It kinda is. Yes. It could be in, could be in the 10th ring of hell and I would still love that week. It's just such a dope week. I just see so many people, you know, the absolute AppSec guys, and just, ah, it's just such a great week, man.

[00:02:38] Jenn Gile: I love that week. It is a great week. Okay, on to the meat of things. Um, two days ago my time, one day ago your time, uh, we saw a large account takeover in progress.

[00:02:51] Jenn Gile: Um, threat actors hijacked the entirety of the Mastra organization, which is 116 packages. And, um, very similar to what we saw a couple months ago with the Axios compromise, they didn't actually put the malware in any of the Mastra packages. What they did is they pre-staged a, um, typosquatted package, an easy- Easy Node.js, easy something JS.

[00:03:21] Jenn Gile: Now I can't remember what it is.

[00:03:23] Paul McCarty: Easy, EasyDayJS.

[00:03:24] Jenn Gile: EasyDayJS. Um, so like what we see with a lot of malware, they copied an existing legitimate package, kept everything, and just gave it a snappier name. So they staged it with no malware, and then once they executed their takeover on Mastra, all they had to do was, uh, add this as a new dependency for all those packages, et voila, you have an info stealer, uh, in your packages.

[00:03:56] Jenn Gile: Um- Yeah ... a lot of vendors have covered what happened with this. Um, it is almost, uh, stage for stage, step for step the same as the Axios attack, uh, including the initial compromise of the account came through a social engineering, uh, very targeted, uh, spear phishing-type thing where the maintainer clicked something that, you know, ClickFix style, kind of a, "Hey, there's something wrong with your microphone.

[00:04:25] Jenn Gile: Oh, I figured it out. You can click this." We saw almost the same thing happen with Axios. Um, Paul, you did a really deep dive on it. I'll share the link, uh, to the blog that you published. I think it's a really great analysis because, um, you went deep into the similarities between the two attacks, a little bit about the potential threat actor, which we will say, anyone who's saying they know who this is, we're a little skeptical.

[00:04:53] Jenn Gile: We don't have a confirmed, um, attribution. And then, uh, what it's targeting I think is really interesting. So have at it. I'll stop talking. Me,

[00:05:02] Paul McCarty: me too. Um, yeah, listen, first and foremost, there's a lot of other great write-ups from StepSecurity and Aikido and a bunch of other companies, and mad respect to them, right?

[00:05:14] Paul McCarty: Um, this was an opportunity for me to do, to go deep like I used to do all the time before I, you know, was building a, a startup and a business and, you know, all these things that we're doing now, right? But so it was nice. It was a blast from the past for me able to go super deep on something. But, um, yeah, so a couple things.

[00:05:31] Paul McCarty: First, um, I didn't know that the actual, um, the compromise was, was, happened the way you said it, 'cause I know there was a couple... There's contemporaneous, like, there was a couple of people that were talking on Twitter about the approach that was-

[00:05:47] Jenn Gile: So my source is somebody with the company. There's a very good- Ah Well, not very good.

[00:05:55] Jenn Gile: It could be better. But there's a pretty decent, um, retrospective incident report on it, on their, um, GitHub issues- Yes ... from someone who's with the company. I didn't look up who it was. Um, but this person said specifically that it was an employee account, um, that what had happened is, I'm gonna read this.

[00:06:14] Jenn Gile: Uh, "The maintainer is a current active Mastra employee. He was compromised via a social phishing attack. A compromised LinkedA- LinkedIn account reached out to him, as well as maintainers of other prominent TypeScript open source packages. He was on a call, clicked a suspicious link," and then, um, there's a, an X post linked in here that says, "This is the same attack vector as other open source maintainers have reported."

[00:06:43] Jenn Gile: And so, uh-

[00:06:44] Paul McCarty: Right ...

[00:06:45] Jenn Gile: uh, yeah. It was very, very similar to what we saw with Axios.

[00:06:51] Paul McCarty: Yeah, it does sound very, very similar. Um, I think thanks for filling that blank for me. I had seen, I had read some of the Twitter posts from other people that have been targeted, uh, you know, in the same timeframe. I hadn't seen that specific thing, so.

[00:07:04] Paul McCarty: Um, 'cause you know why? 'Cause I went way deep on the malware. So, uh, in all those other write-ups, I h- I didn't really see a complete burn down of the malware. Um, and I really wanted to do that because as I started looking at this, and I, I went really deep on the plain-crypto-js package, which is what compromised, which was the malicious component that they added to, the threat actors added- Mm-hmm

[00:07:26] Paul McCarty: to A- uh, Axios. I went really deep on that one, and so I had all my analyses from that, and then I had all my analyses from this new one, and I could compare them. And the malware, unlike the rest of it, the infrastructure, so basically where they hosted it, like all... And I go into a, a lot of that in my blog, so I'm not gonna go over every single thing again.

[00:07:45] Paul McCarty: But basically, from an infrastructure perspective, this looks and feels exactly like Axios. Um, so they, um, the-

[00:07:52] Jenn Gile: Well, and their mistake here, honestly, it could have been a lot worse, but from what I can see, the way that they handled the publishing, because these, uh, packages normally come with attestations and, um- Yeah

[00:08:06] Jenn Gile: there were some tells that meant it was caught extraordinarily quickly. We heard from a friend at AWS that he caught it, uh, or they caught it within what? 30 seconds or two minutes or something really fast.

[00:08:18] Paul McCarty: Right. Yeah, I mean, I think that the, yeah, it, it was caught really quickly and, you know, and as we see these changes in the NPM ecosystem, you know, I've talked about on other episodes, we'll start to see account takeover compromises go down, right, in the post install.

[00:08:33] Paul McCarty: Uh, you know, uh, this does use post install scripts. Um, and, and so I think bad guys know that, you know, NPM 12 is coming and they're trying to... I'm seeing, like this week I'm seeing just this huge onslaught of, of new stuff. You know, bad guys trying to get things in before that goes away. But the reality is that most people aren't gonna upgrade to NPM 12 right away anyhow, but I digress.

[00:08:55] Paul McCarty: Um, what, what I think- Yeah, sorry, I

[00:08:57] Jenn Gile: got you off track. Tell us about your analysis.

[00:08:59] Paul McCarty: No. No, it's okay. Um, yeah, so from an infrastructure perspective, this looks very similar to, um, the Axios attack, but when you get in the malware, the malware is different. Um, and it's a two-stage, uh, uh, payload and the, um- This Axio, sorry, this, um, uh, payload here in the Mastra campaign is really focused on stealing browser extensions, which Axios was not.

[00:09:28] Paul McCarty: Um, and so, um, I went to the trouble of enumerating all the browser extensions, uh, which are listed in the, the blog post. There was 166 of them, I think. And what's interesting about this is they're focusing on the crypto wallet stuff, which we always see, right? So whenever somebody's looking for browser extensions, they always look for crypto stuff.

[00:09:48] Paul McCarty: But in addition to that, they're looking for some stuff that's not crypto. So, like, roughly 20% of the, um, browser extensions they're looking for are not crypto wallet extensions. Instead, there's things like LastPass and 1Password and Dashlane browser extensions, which those three alone, most of us are running one of those three, right?

[00:10:08] Paul McCarty: Because those are the big three, LastPass, Dashlane, and 1Password, right? Oh, Bitwarden too, so there's the top four. Yeah, they

[00:10:13] Jenn Gile: got all the biggies there.

[00:10:15] Paul McCarty: Right? The top four password manager extensions, they, they're looking for all three of those. They're, they're exfilling all... Sorry, all four of those. Um, and, and a bunch of others too as well.

[00:10:25] Paul McCarty: There's, like, ones from Deloitte and all kinds of stuff. They're also exfilling a couple of browser-based MFA tools. Um, and, uh, and the last one, which I think was interesting, was Zapier. They're

[00:10:37] Jenn Gile: exfilling- I know. I really wanna talk about why you think- Yeah ... they're interested in Zapier, 'cause, like, one of these things is not like the other.

[00:10:44] Jenn Gile: Uh, Zapier is, you know, used to send, uh, s- basically between things that don't have integration. So, like, your website doesn't have a HubSpot integration, you use Zapier in the middle, and you can pull information back and forth. Why do you think that they targeted Zapier?

[00:11:02] Paul McCarty: Well, my only guess, and that's all it is, is just a guess, is that, you know, they're looking to, um, you know, to pivot into other platforms that you've used Zapier to integrate to, right?

[00:11:13] Paul McCarty: Because you have to give Zapier authentication, um- Fair ... you know, for all these things that you're g- you know, plugging into to go and do the automation that Zapier's gonna do. And it, it makes sense to go and, and pull it. Um, now you would think ostensibly if they're, uh, exfilling it, if they're stealing it, then they have a way to use it, right?

[00:11:32] Paul McCarty: Um, which is the expectation. You don't steal stuff, you don't make your exfil package larger unless you have to. Um, you know, I guess the counterargument is just grab everything you can and make the exfil package as big as possible, 'cause this is a smash and grab kind of thing. But anyway, I just thought it was

[00:11:47] Jenn Gile: really- Sure, but if you know people are getting better about rotating credentials, like if you're not prepared to use it immediately, then it's kinda, kinda silly.

[00:11:56] Paul McCarty: Yeah. I mean, you know, then you've got the TeamPCP thing where they're just sitting on this massive... By the way, I've got something interesting about TeamPCP too as well. Um, they were sitting on this massive cache of tokens, which are aging poorly for them, right? So people are rotating those. And so every day that goes by...

[00:12:10] Paul McCarty: Now, obviously somebody would make the argument that, you know, a lot of people don't know that their tokens from TeamPCP were stolen, and so they're not, you know- Mm-hmm ... they're not, um, they're not rotating them, which is true, but a lot of people are. And so every day that goes by, TeamPCP and others like DPRK lose that.

[00:12:30] Paul McCarty: Now I, here's the other thing. I wonder, I just, I thought this in bed last night as I was going to sleep. I thought, I wonder if DPRK is like, "Hey, listen, you know, this whole crypto wallet stealing thing is going well for us, but it would be nice if, you know, the boss is really pushing our KPIs," you know? In the- We

[00:12:46] Jenn Gile: gotta

[00:12:47] Paul McCarty: diversify

[00:12:47] Paul McCarty: in the Lazarus Group Q1 meeting, they really pushed us to increase our capacity

[00:12:57] Jenn Gile: You're killing

[00:13:00] Paul McCarty: me over here. And what about if we, if we get into to, uh, initial access broking? You know, basically selling all this stuff that we don't want, right? Mm-hmm. If it, if we find it and we exfil it, we being DPRK, I'm pretending like I'm the threat actor here, um, you know, what if we just onsell it?

[00:13:17] Paul McCarty: Um, now the funny thing about the, the IAB marketplace is the more stuff that's out there, the more legitimate stuff that's out there, it drives down the prices, just like any other supply and demand, right? So if you look at the dark web, any kind of credential that there's a lot of and, and legitimate examples of, drives the price down, with a few exceptions.

[00:13:39] Paul McCarty: However, if your, uh, if the, if the access that you're selling is the freshest and the best, then you're always gonna get a premium, right? And I think that because DPRK isn't out there tweeting every gosh darn second, you know- Their, their stuff is probably a little bit fresher than maybe- Mm-hmm. Mm-hmm

[00:14:00] Paul McCarty: other, other threat actors.

[00:14:01] Jenn Gile: Holds

[00:14:01] Paul McCarty: its- Sorry, that was the, that was the- ... value better ... spiel.

[00:14:04] Jenn Gile: Interesting.

[00:14:04] Paul McCarty: Say that again, sorry.

[00:14:05] Jenn Gile: Oh, it just, it holds its value better, yeah.

[00:14:08] Paul McCarty: Perhaps, yeah. So anyway, I think that was the most interesting thing to come out of Mass Show, um, sorry, Mass Draw, um, uh, was, was that, yeah.

Agent Jacking and MCP Server Security

[00:14:17] Jenn Gile: Yeah. Well, I think that's an interesting segue into one of the other things I have on our show notes. I saw a paper published on the Cloud Security Alliance's site earlier this week, and um, I'm gonna say the paper itself isn't, like, earth-shattering, uh, like crazy stuff. But, um, the reason I wanna talk about it is because we're seeing both, um, registries and defenders starting to close gaps that are making it harder.

[00:14:58] Jenn Gile: And, like, actually ironically, I think you and I talked like last week or the week before about how we hadn't seen a social engineering, uh, generated account takeover in a while, and it happened this week. But-

[00:15:12] Paul McCarty: There you

[00:15:12] Jenn Gile: go ... you know, it's getting harder, and the trend that we've been seeing is because things are getting more firmed up, uh, attackers are more likely to attack the machine pipe.

[00:15:23] Jenn Gile: You know, they're trying to get into the, the... Sorry, machine path. They're trying to get into the pipeline instead of, you know, scamming a developer. Well, they're gonna continue to do things along that vibe as we, you know, implement cool down periods, as we get better at identifying account takeovers.

[00:15:43] Jenn Gile: They're gonna look for other means. We've been saying this all spring. And so what I do think is worth talking about with this paper is it's specifically talking about the possibility of threat actors using your, uh, integrations with AI agents to get malware to you. And so they're trying to label it as agent jacking.

[00:16:07] Jenn Gile: Um, you know, every vendor loves to coin a term. Uh, sure, why not? I think what they've described is really just sophisticated prompt injection. Um, but what they talk about is they take advantage of, uh, a tool called Sentry. They send it some bogus logs that have, uh, some- Malicious payload in there. Uh, y- when the developer goes to say, "Oh, you know, Sentry's got this, uh, incident," or whatever the right word is to say.

[00:16:44] Jenn Gile: Um, you know, "I need to research this. I'll just ingest the logs into Claude and figure out how to fix this." Well, the logs come in through an MCP server, which that in itself I think is, like, okay, fine. There's lots of ways you can get logs from A to B. Doesn't have to be through an MCP server. But the point is, the logs with the malicious payload get handed over to Claude or whatever agent, and then, uh, much like what we saw last year with the Nx S1ngularity attack where the agents were weaponized to, um, scrape for credentials, that's the exact same thing that we're seeing here.

[00:17:24] Jenn Gile: So long story short, I'm not sure that this paper is all that interesting, but it does illustrate what it would look like to take the human mostly out of the equation, which is what attackers are going to increasingly want to do

[00:17:43] Paul McCarty: Yeah. I mean, I think

[00:17:45] Jenn Gile: several- And I'm gonna try to figure it out 'cause I know I'm being really vague about it, but I don't really wanna promote this vendor 'cause I think it's a little vendory.

[00:17:51] Jenn Gile: So there.

[00:17:51] Paul McCarty: And, um, well, that's where I was going with this, 'cause you know- Yeah ... I was gonna, I'm gonna go, I'm the ranching- Just go there ... rampaging, spicy jerk face that I am. Um, yeah, I mean, to me, this read like this is a, um, PR release from the company, and it turns out it's actually a CSA cloud security, which I'm a member of.

[00:18:08] Paul McCarty: I don't know if I'm a paying member or not, but you know, it's just it sound... It felt kind of gross and vendory to me. But, um, and like you, I think that what they're describing and them calling it agent jacking, I think ultimately a lot of this just comes down to behavior that I see when people build MCP servers, which is they, they built them a year and a half ago, two years ago really, really quickly.

[00:18:30] Jenn Gile: Mm-hmm.

[00:18:30] Paul McCarty: And they just... When you look at MCP servers, you see basically a smorgasbord of the OWASP top 10, you know, all encapsulated in many of these systems. It's like,

[00:18:41] Jenn Gile: how many mistakes can we make with one technology?

[00:18:44] Paul McCarty: Right? Oh, my God. Let's put it all in

[00:18:46] Jenn Gile: one place.

[00:18:47] Paul McCarty: The over-provisioning and the exposure of credentials and, you know, just every, like, all these things in one thing.

[00:18:55] Paul McCarty: So it's not surprising to see that it's taking advantage of, um, you know, the MCP server, the Sentry MC- MCP servers, um, uh, to do, you know, to do its bidding. Um, I, I guess that's not surprising to me. I also wanna mention, and this is something I mentioned to you, is that Sentry, like, I've been seeing this in, in my malware, you know, analysis for- a couple, well, maybe not a couple years, but it's been a while.

[00:19:20] Paul McCarty: It's been over a year for sure. Um, may- uh, probably a couple years, where DPRK in particular, like as soon as I see, like if I see two things, Jenn, if I see a file, like index.js is obfuscated, and I see, and I start looking at it and I see the first thing it imports is, is, um, s- the Sentry IO library, uh, DPRK, like it's just, you know, I mean, the, those, those two things alone-

[00:19:45] Jenn Gile: Little calling

[00:19:46] Paul McCarty: card right there

[00:19:46] Paul McCarty: right? And any other, any other, you know, researcher listening right now probably thinking the same thing, laughing. But they've been using Sentry for ages to exfil, um, uh, their stolen goods, and it makes a lot of sense because, you know, it's l- we need to coin a new term, like living off the SaaS or living off the vendor- Mm-hmm

[00:20:06] Paul McCarty: whatever, you know? Like- Mm-hmm ...

[00:20:07] Jenn Gile: you're, you're taking your-

[00:20:08] Paul McCarty: Like an alternative

[00:20:09] Jenn Gile: working off the land, yeah. Uh-

[00:20:10] Paul McCarty: Yeah ...

[00:20:11] Jenn Gile: yeah.

[00:20:12] Paul McCarty: 'Cause you're, you're hiding in normal Sentry traffic, right? It looks legit. Um, so you know, it makes sense to use it, and sure enough, it's the first thing, pretty much the first thing... Well, they, they'll import a couple things, FS and HTTP, and then th- then they import Sentry.

[00:20:26] Paul McCarty: So anyhow.

[00:20:27] Jenn Gile: Yeah. A little pop-up And I think, uh, another perhaps, uh, I'm gonna call it a criticism of this paper, is it talks about why your security processes can't catch this agent jacking, and it's very SecOps focused. It's very focused on EDR. Yep. And, um, while they're not wrong, the same can also be said for most malicious open source, because the threat actors are very good at hiding their activity in benign-looking things.

[00:20:58] Jenn Gile: You know, they'll spin up a Vercel endpoint or, uh, they'll use a, a Bitcoin wallet or something like that. So, uh, what we do need to, like, work on as an industry is understanding that our SecOps practices are built up around, um, different types of compromises. You know, cloud, uh, you know, coming in through email, but not so much recognizing anomalous behavior in the software-

[00:21:25] Jenn Gile: Right development life cycle. Um, and that- Yeah ... you know, it comes back to, like, harden your agents, uh, least privilege, use a sandbox

[00:21:34] Paul McCarty: Maybe don't use some MCP server they just found on the internet, right?

[00:21:38] Jenn Gile: Um- Well, I mean, the key in this is actually the MCP server is not dangerous. It's that it's, um, taking untrusted data from Sentry, because Sentry will look, like you put a third-party submission into Sentry.

[00:21:53] Jenn Gile: Yeah. The MCP server here is, uh, a bit of a red herring. There's nothing malicious about it. It's just- Nope ... untrusted input into the LLM.

[00:22:04] Paul McCarty: Well, that's exactly my point. You made my point for me. Let's apply the same thing to the MPC- MCP server that we do- Yeah, it should be saying, "

[00:22:10] Jenn Gile: No, no,

[00:22:10] Paul McCarty: no, no, no" ... to web apps, right?

[00:22:11] Paul McCarty: "You shouldn't do this." Let's v- let's validate this input that you're about to pass on here, but it doesn't, it just passes it on, right? Which is like- Yeah ... web app, you know, uh, pen testing 101, right? Hardening 101. Um, uh, listen, I think from, you know, when you were talking about it earlier, I think the, the main thing I was, I was hearing from you, um, uh, was that, you know, they go out of their way to, to talk about EDR not catching this, and like you said, that's true, but it's also like why are you calling out that tool?

[00:22:38] Paul McCarty: That tool never... Like if you're an enterprise expecting your EDR to do that, well then I'm sorry, you don't understand what your EDR tool does, right? It's like, it's like somebody calling out- Yeah ... "Well, see, you had all these soldiers on the ground with M16s, why couldn't they shoot down the MiG-29?" You're like, "Well, the MiG-29 is traveling at 500 miles an hour.

[00:22:57] Paul McCarty: That's not what that tool was designed for." Um, anyhow, sorry, rant over.

Malware Myths

[00:23:02] Jenn Gile: Rant over. Okay. Before we move on, got a little, little happy to share. Uh-

[00:23:07] Paul McCarty: Oh, nice ...

[00:23:07] Jenn Gile: we have, uh, Joshua here, "Great information so far. Enjoying the learning and bookmark all of these." Awesome, glad you're liking it. Always good- Thanks, buddy

[00:23:14] Jenn Gile: to have a note. Anybody else who's listening, send us a note so we know we're not in this room by ourselves.

[00:23:20] Paul McCarty: Um- Drink some coffee to Joshua here.

[00:23:22] Jenn Gile: Yeah. Okay. Um, I don't know, maybe the theme of this show is, uh, old man yells at cloud. I don't know if you know that, uh- reference, but, uh, I'm gonna- Am I

[00:23:34] Paul McCarty: the old man in this reference?

[00:23:36] Jenn Gile: No, I, I'm the old man. Um-

[00:23:38] Paul McCarty: Oh, okay.

[00:23:39] Jenn Gile: So you probably, uh, watched a show at some point called MythBusters. We're gonna do some myth busting on, uh, malware myths, and the reason I wanted to do this today is I, uh, listened to a podcast earlier this week featuring, um, a leader from a, an application security company, and that's all I'm gonna say.

[00:24:02] Jenn Gile: Uh, I don't wanna call out the person specifically or the company or the podcast, um, because much of what they shared was useful, but there were some things that they said that were wrong. And I don't necessarily believe in calling out wrong things for the sake of it, but rather these are wrong things that are legitimately harmful if people believe them, and so I wanna talk about them.

[00:24:26] Jenn Gile: Um, so the first thing that this person said is malware only lives for between a couple hours, maybe up to three days, and that is just patently false. Um, I'm gonna check right now while you talk about why it's false, 'cause I wanna look up and see if this package we've been talking about for a while is still live.

[00:24:46] Jenn Gile: So you tell, tell the people. Events

[00:24:47] Paul McCarty: channel.

[00:24:48] Jenn Gile: Yeah.

[00:24:49] Paul McCarty: There's another one, Events Runtime. They're actually from different threat actors, but they both have been up for, like, five weeks or something. Um, they both have, like, a- Yeah, so

[00:24:55] Jenn Gile: explain why, why is three days just a lie?

[00:25:00] Paul McCarty: Yeah, I mean, listen, the- Are we getting...

[00:25:04] Paul McCarty: I, I, at the heart of this myth is a truth, um, which is that from, with these large account takeover where the maintainer has been compromised, the industry, you know, us, the security researchers, are finding these things much quicker. You know, NPM's not, but anyhow, that's besides the point. So that part is true.

[00:25:25] Paul McCarty: But then extrapolating that, Jenn, to then say that all open source malware, all software supply chain malware only lives for three days or less is just patently... I love how you said it, 'cause I literally said the same thing from stage the other day at the conference. It's just patently, materially not true.

[00:25:45] Paul McCarty: The reality is that the non, um, uh, compromise ATO style takeovers, right? Which by the way, most of the AppSec companies aren't scanning with the same frequency. They're not looking for it in the same frequency that they are

[00:25:59] Jenn Gile: with the large ones. Yeah, they're focused on good things going bad, not bad things-

[00:26:05] Paul McCarty: Right

[00:26:05] Jenn Gile: being bad.

[00:26:07] Paul McCarty: Well, and part of that, and I say this a lot, part of that is because the AppSec companies, or the scanning companies, you know, again, we're not gonna say names for any of these, are buying into a myth which is that, you know, typosquatting and dependency confusion are not, you know, like people with mature AppSec programs don't fall prey to these things, and that's just not true.

[00:26:24] Paul McCarty: I see it all the time. 'Cause here's the difference. I'm just gonna say it. I'm brutal. The difference is that all you AppSec companies, you don't do incident response, right? You build a product, and your companies, when they get popped, they have to do their own incident response. I've been doing incident response for years, and I've been seeing the fact that typosquatting and dependency confusion have been affecting some of the largest, most mature from an AppSec, you know, perspective companies for years.

[00:26:49] Paul McCarty: So the reality is that those things, and the ones that Jenn's looking up, events channel, events runtime,

[00:26:56] Jenn Gile: it just, the layers of- Yeah, they're still alive was gonna be my point. Yep. Uh, we've been talking about some relatively sophisticated typosquat packages for maybe a month now. Uh, they've been reported to NPM.

[00:27:08] Jenn Gile: Um, they are incontrovertibly malicious. They are copies of existing legitimate packages, and this is something that threat actors do, is kind of that more, uh, instead of the, you know, I'm gonna hit you as fast as I can and steal all your stuff and you have no idea what's going on, this is the more tactical, like, I'm gonna slip this thing in.

[00:27:37] Jenn Gile: You're never gonna know you consumed it. You're gonna think you consumed a safe thing. And, um, the reason that they hang around a long time, there's, they're twofold. One is what you talked about, Paul, is they're a little bit, I won't say harder to find, but it takes a little bit more effort to find them because you're not just looking at diffs and saying, "Oh, well, the old one looked like this and the new one has a nasty payload.

[00:28:00] Jenn Gile: Don't use that." Right. So that's one reason. Um, but the other- Which is

[00:28:03] Paul McCarty: hard enough just doing that.

[00:28:05] Jenn Gile: That's hard enough, right? It is hard enough. Let's be clear, that is hard. Um- Yeah ... so it is hard to find these, but the other reason they have such a long shelf life is NPM is not taking them down. Um, when they get reported, and they're being reported like in our case by, uh, credible researchers, they're not getting taken down.

[00:28:24] Jenn Gile: And, uh, one thing that I thought was, mm, interesting in a disappointing kind of way is I looked at that easy-day-js, uh, package yesterday or the day before when it got published, and what NPM had done at the time, I'm gonna look it up again 'cause I'm curious, is they had removed the malicious version, but they didn't kill the package or the- Right

[00:28:50] Jenn Gile: the entirety of it. They left, I'm looking right now, the original version- Yeah, it's there ... 1.11.21- Yes ... is still live. Yep. So they've done a weird thing here where that is a known threat actor-controlled package that they have left live for who knows, to slip something into again in the future. Anyway, this is a long rant to say malware only living three days is wrong.

[00:29:18] Jenn Gile: Don't get trapped by that. Yes, cooldown periods are very effective and good and you should do them and you should, um, you know, use your package firewalls and your private registries to like catch these things that turn bad quickly. But just understand, um, anyone who tells you, "Oh, you know, you don't have to worry if it's been longer than three days," like, they don't know what they're talking about.

[00:29:42] Paul McCarty: Yeah, I really wish I could cuss, but I'm not going to.

[00:29:44] Paul McCarty: That's bull pucky, right? Uh, and with that, with that easy-day-js, right, clearly the person at npm, right, doesn't understand the sequence of events because they've left that package up. That package was not a preexisting package by that maintainer, which is your point, right? I'm just going a little bit deeper here.

[00:30:02] Paul McCarty: Mm-hmm. Just to say, the person at npm saw that, thinks, "Oh, that's owned by a legitimate person that was attacked," not realizing that that package, even though that one's not malicious, that's the decoy, that that package- Yeah ... was built specifically by the threat actor. Doesn't get that. Yeah. And that's just the perfect example of why we still have this problem.

[00:30:22] Paul McCarty: Even when npm is moving on these things, they don't understand, because most of the senior people there are gone, right? And they're, they're relying on a bunch of people, you know. Anyhow, we'll move on.

[00:30:33] Jenn Gile: Mm-hmm.

[00:30:34] Paul McCarty: I'm not here to... You know, I'm not here to, uh, listen, I'm not attacking npm staff. What I'm saying, though, is that npm and Microsoft and GitHub have not done what they need to do, which is increase their teams and build their teams and keep retention low, I mean, keep retention high.

[00:30:50] Paul McCarty: They're not doing those things.

[00:30:51] Jenn Gile: Yeah.

[00:30:51] Paul McCarty: Sorry, ran a few over.

[00:30:52] Jenn Gile: Well, uh, second item, we've got four myths to bust here. The second myth- I just added this

[00:30:57] Paul McCarty: one in real quick.

[00:30:58] Jenn Gile: I know. I saw. I was watching. Okay, good. Um, in the, they also said npm install scripts are going away. Um, not accurate. Uh, npm install scripts are not going away.

[00:31:11] Jenn Gile: Uh, they are needed to make many packages function correctly. Um, what is happening is they're going to become opt-in by default rather than opt-out by default. Um- Which is

[00:31:23] Paul McCarty: good ...

[00:31:24] Jenn Gile: which is good. Uh, but they're not going away. Okay. Uh, the next thing that they said was package firewalls and cooldowns will eliminate 99% of risk.

[00:31:33] Jenn Gile: This is wrong for the same reason that malware only lives three days is wrong. I don't think I need to belabor that one. Um, but the one I do wanna talk about a little bit more at length, and it ties into what you said, Paul, about, um, uh, incident response as a mindset versus- Mm-hmm ... uh, prevention as a mindset.

[00:31:55] Jenn Gile: This person said they don't care who the attackers are behind these software supply chain attacks. They don't care. They don't think we should care. They don't think it matters. And, um- That is true from a prevention stance. It doesn't matter who's behind it. If you can prevent it from coming in, you prevent it from coming in.

[00:32:16] Jenn Gile: But it does matter who's behind it if you didn't prevent it because, um, and I'm sure there's some, like, ridiculous, I don't know, criminal, like, law enforcement parallel that we could make here. Like, you need to know if it's the mob or your neighbor's kid who stole from you because there's really different, um, ways that you're gonna go about getting your bike back, right?

[00:32:42] Jenn Gile: I, I don't know why it's your bike. Right. I don't think the mob's gonna steal your bike, Paul. Um-

[00:32:45] Paul McCarty: No, they're not gonna steal my bike.

[00:32:47] Jenn Gile: Uh, but the point I- I do have

[00:32:48] Paul McCarty: a new bike.

[00:32:49] Jenn Gile: I know. I really wanna hear about your new bike. Maybe not today. Um, the point I'm trying to make is you do actually need to know who the attacker is to the best that you can, uh, because that's gonna help you understand, okay, what is, what is their next step going to be?

[00:33:03] Jenn Gile: Um, if it's, you know, traditionally DPRK, North Korea, they're after, um, theft of cryptocurrency, financial gain. Okay, so they're probably not going to be, you know, doing ransomware. Uh, TeamPCP, they're after your credentials. They wanna get into whatever you have access to and get onto the next thing. So, like, understanding who they are, like, their, you know, criminal psychology I guess, uh, helps you know how to respond to it.

[00:33:32] Paul McCarty: And their tradecraft, right? Like, uh- Yeah ... to your point, if it's DPRK, you know, if it's, um, yeah, if it's a DPRK, they know, y- you know that there's gonna be persistence via InvisibleFerret or OtterCookie, right? You know what to look for, right? If you don't know who... If you don't spend the time figuring out who the bad guy is, y- you're not gonna know where to look for things like what is the persistence mechanism, where are they holding the files, what registry keys are in, like, all those kind of things that you need when you're doing incident response.

[00:33:58] Paul McCarty: And again, I'm just gonna take an- another opportunity. That's an observation made by somebody that's never had to do incident response for a software supply chain attack, full stop.

[00:34:09] Jenn Gile: All right. I think this is a good place for us to end today because we do have on our backlog, we wanna talk about DPRK trends in software supply chain malware.

[00:34:18] Paul McCarty: Yeah.

[00:34:19] Jenn Gile: Yeah. But we've been going for- Yeah ... a little over half an hour, and- Fair enough ... that one could take some time.

[00:34:26] Paul McCarty: So- And I still have to write the blog post, right? Yeah. So we wanna do the one-two combo.

[00:34:31] Jenn Gile: So, uh, next week, I think we'll plan on talking about what's going on with Lazarus Group, how they're evolving their malware.

[00:34:39] Jenn Gile: Uh, what I will leave people with is, again, this comes back to it kinda does matter who the attackers are. We see, uh, we've been seeing trend-wise, um, Lazarus Group doing innovations in the space of malware, and then that getting picked up by other threat actors. As far as we know- Yeah ... they're the first threat actor to really abuse VS Code task.json files, for example.

[00:35:05] Jenn Gile: Um, so yeah, it, it matters for sure. Now everybody's

[00:35:07] Paul McCarty: doing it, right?

[00:35:08] Jenn Gile: Yeah, now everyone's doing it. Everybody's

[00:35:09] Paul McCarty: using VS Code, yeah. 100%. Yeah. Right on. I, I think this is gonna be, it's gonna be a really good one. Let's hope there's no big attacks next week that will then, you know, knock the, the DPRK innovation conversation to the next week, but let's cross our fingers.

[00:35:23] Jenn Gile: Yeah, for many reasons, we hope there's no big attacks, uh, between now and the next week.

[00:35:28] Paul McCarty: But yeah. Uh, there might be something to talk about in terms of TeamPCP next week, too, as well, so we'll, we'll tease that as well, so.

[00:35:35] Jenn Gile: Okay. Right on. I look forward to it. In the meanwhile, uh, now that we're done with our rants, let's go take a breath and get on with our days.

[00:35:42] Jenn Gile: Have a good one, everyone.

[00:35:43] Paul McCarty: Thanks everybody for listening. Appreciate it. Bye. Sorry about that. Bye.