The OpenSourceMalware Show #11
NPM account lockout protection, GitHub Enterprise credential revocation, researcher-deployed malware, and an FBI notice on Team PCP
The OpenSourceMalware Show is available on YouTube, LinkedIn, and as a podcast.
This week we talked about:
GitHub’s two new account protection features: NPM added a 72-hour read-only lockout for high-impact accounts triggered by an email change or 2FA recovery code use, aimed at slowing account takeovers. Separately, GitHub Enterprise rolled out self-service credential revocation, letting enterprise owners revoke tokens, SSH keys, and SSO authorizations for a single user or the whole org during incident response. Paul flags an open question on both: the npm change could make ATO recovery harder for legitimate maintainers if it locks them out too, and the GitHub Enterprise tool’s scope may not cover personal access tokens created outside the enterprise boundary.
A security researcher’s malicious packages targeting AI companies: Paul found six npm packages published by a researcher at a stealth cybersecurity startup, targeting OpenAI, Anthropic, Vercel, and Ollama users. The packages avoid exfiltrating credentials directly but do pull data from .git and .ssh, which Paul argues crosses an ethical line for security research. He draws a direct parallel to the 2025 incident where a Snyk researcher published malicious packages targeting Cursor.
FBI FLASH notice on TeamPCP: The FBI issued a FLASH covering TeamPCP’s behavior and IOCs. Note: you’ll get more complete info on their malware and TTPs from OpenSourceMalware.com.
Next week’s special guest: Jenn and Paul will be joined by Mikael Barbero, Head of Security at the Eclipse Foundation, to talk about Open VSX. The draw: AI IDE platforms like Cursor and Windsurf use Open VSX instead of the official VS Code marketplace, which is turning it into a more attractive target for threat actors.
Resources
(blog) NPM adds preventive account protection for high-impact accounts
(blog) Self-service credential revocation for incident response
(blog) Snyk appears to deploy ‘malicious’ packages targeting Cursor for unknown reason
(PDF) FBI FLASH on Team PCP
[00:00:00] Jenn Gile: Okay. It is Thursday, July 2nd, and, uh, I don’t wanna jinx us, but we’re having another quiet week, and I’m, I’m happy about it.
[00:00:13] Paul McCarty: Yeah, I mean, quiet week, it’s all kind of relative. Like, has there been any kind of crazy TeamPCP slash, you know, DPRK Shai-Hulud style attack? No. But I mean, NPM malware is at an all-time high, so.
[00:00:30] Jenn Gile: Yeah, well, fair.
[00:00:32] Jenn Gile: Uh, I was talking to somebody back on Monday this week who wanted to know, uh, if I thought we’d seen the last of TeamPCP, if they’ve retired. Uh, I don’t think so. Um, it’s interesting that we haven’t seen anything notable from them in a few weeks, but, uh, like, let’s not poke that bear.
[00:00:54] Paul McCarty: Well, I have a mini update.
[00:00:57] Jenn Gile: Oh, let’s
[00:00:57] Paul McCarty: hear it. And I can’t go, I can’t go into a ton of detail, but I think one of the ma- And I have, I’ve, I’m on record as saying, I did the SANS podcast last week. I’m on record saying TeamPCP is really just one person. Like, exploiters and some of the other people, those are additional people, but TeamPCP is really just one person.
[00:01:19] Paul McCarty: Um, and they might be in flight. We’ll just leave it, we’ll just leave it like that.
[00:01:28] Jenn Gile: Yeah.
[00:01:28] Paul McCarty: Yeah. We can- And by flight, I mean fleeing.
[00:01:34] Paul McCarty: Yeah.
[00:01:35] Jenn Gile: Fingers
[00:01:35] Paul McCarty: crossed. I think, I think we’re gonna have something important to talk about soon. Oh, um, actually, speaking of which, um, gosh, I didn’t put this on the agenda. I’m sorry everybody, this is off script, but, um- Go for it … uh, the FBI posted a, you know, the cyber equivalent of their wanted poster for TeamPCP today, so, uh-
[00:01:53] Jenn Gile: Oh, I missed that.
[00:01:54] Paul McCarty: Yeah, sorry. That’s
[00:01:55] Jenn Gile: good. I’ll have to share it.
[00:01:57] Paul McCarty: Yeah, I’ll find it right now and send it to you. I’m sorry.
[00:02:01] Jenn Gile: Okay. Well, while you’re, uh, searching the internet, though, I think I can probably find it pretty quickly as well. Um- I got
[00:02:08] Paul McCarty: it here.
[00:02:08] Jenn Gile: Yeah. Uh, let’s come back to that. And, uh, the first topic on our agenda is something that both of us, I think, is good news.
NPM preventative account protection for high-impact accounts
[00:02:19] Jenn Gile: Um, GitHub released two changes last week, and I will say, like, kind of quietly released. The only reason I knew that these had happened is because of other accounts that I follow. I haven’t seen GitHub be very loud about it. Um, I will talk about them one at a time, kind of in the order that I found out about them.
[00:02:41] Jenn Gile: Uh, it’s a slightly different order when they came out. But the first thing I learned about, um, is that NPM has added what they’re calling preventative account protection for high impact accounts. And what that means is if, uh, one of these high impact accounts changes the email address associated with the account, there is an automatic…
[00:03:03] Jenn Gile: Or, uh, sorry, changes the email address or uses a 2FA recovery code, the account is placed on an automatic seventy-two-hour read-only hold, and an alert gets sent to the previous email address. And, uh, what this does is this creates a mechanism when the maintainer gets locked out by a threat actor, um, they, the threat actor can’t actually do anything with the account.
[00:03:31] Jenn Gile: So the things that they said in the announcement that they freeze are not an exhaustive list. They’re saying that it’s, uh, security related things. Let me see if I can find the list. Uh, publishing, managing tokens, changing package visibility, modifying org or team membership. Um, so all of that is frozen.
[00:03:49] Jenn Gile: So, uh, this only applies to what they call high impact accounts, uh, which they don’t define in this blog, but from what I’ve heard kind of through other channels, might be packages with, uh, more than a million downloads. So, you know, very popular accounts. And, you know, the, the goal here again is to shut down one of the more common but not exclusive account takeover mechanisms.
[00:04:18] Jenn Gile: So this is going back to, uh, I guess the human path being exploited if somebody gets locked out. Uh, you know, for example, we saw a lot of the social engineering related attacks earlier and last year where, um, the attacker would get a hold of, um, you know, something related to the maintainer’s account. For example, they might send them a phishing email or something like that.
[00:04:44] Jenn Gile: They would use that to gain access, change the email, get them locked out, et cetera. Um, there’s also circumstances where the attackers have gained access through other means and choose to change the email as a delaying tactic so that the, you know, genuine maintainer doesn’t know, uh, or can’t do anything about an attack.
[00:05:07] Jenn Gile: Uh, what it’s not going to protect against is these other, um, you know, more machine path type attacks. You know, if they can get into the pipeline, if they don’t need to change the email address or, you know, use a 2FA code in order to break into the account, then it’s not gonna- Uh, yeah, Paul, what do you think?
[00:05:28] Paul McCarty: I have, I have a lot to say about this, but I’ll try to, I’ll try to simplify. I think this is… On the whole, I think this is v- slightly on the better side, uh, 'cause I see, you know, not that I’m negative or anything, but I tend to see, I look at a change like this and I think, "Okay, what is the benefit? Now let me think about what’s, what’s the negative?
[00:05:53] Paul McCarty: How can this go bad?" Mm-hmm. And you kind of touched on it there a second ago. What we’ve seen in many of these cases where a high-profile NPM maintainer has been compromised is they get locked out of their account, and then you have this kind of weird situation where they can’t go make productive changes to the bad thing that has now been published by the threat actor.
[00:06:19] Paul McCarty: And I’m worried that a blunt instrument like this change will have more negative effect than it will positive, and that’s not me just trying to be, you know, armchair quarterback, you know, throwing stuff at NPM. I think that this makes sense at face value, but when you really look at what happens after one of these big ATO style account takeover style compromises, one of the most damaging things that we’ve seen is when the account maintainer, the legitimate account maintainer, is locked out.
[00:06:53] Paul McCarty: Is this prob- Is this change gonna make that worse? I hope not. But maybe.
[00:06:59] Jenn Gile: Yeah, I mean, I think it maybe depends on the order that the threat actors do things in. If they, for example, uh, compromise the package before trying to change an email address, then I could certainly see, um, like what you’re talking about.
[00:07:16] Jenn Gile: It makes it more difficult for maintainers to potentially, uh- You know, uh, recover. So I think we’ll see, right?
[00:07:27] Paul McCarty: Yeah. And, and sorry, and one thing I missed there, which I meant to go into detail. So it says that this is gonna be a 72-hour read-only state, and you can kind of, you know, forgive the pun, you can kind of read between the lines here and, and see that they are effectively saying that this, the maintainer will not be able to make any write changes, and this is where my concern comes from.
[00:07:50] Paul McCarty: If everything gets turned- Mm-hmm … does that mean they can’t publish or remove? Can they not make write style changes to the package? Uh, presumably,
[00:07:57] Jenn Gile: yeah. I would assume- Yeah … anything that’s not read-only is therefore not, uh, achievable. So, yeah.
[00:08:04] Paul McCarty: Right. I think, I think then that really kind of opens us up to be, you know, more potentially, you know, cause more harm itself as an automated blunt instrument.
[00:08:13] Paul McCarty: And we see that with npm, whenever they do one of these kind of automated things, because, you know, npm doesn’t have security staff anymore, because GitHub security staff is, is threadbare, um, you know, when one of these automated changes happens, a lot of times the technical people inside the GitHub organization, you know, don’t have time or, or they just can’t fix it really quickly.
[00:08:34] Paul McCarty: And so then we have a problem where something that’s malicious is still out there longer than… The other thing I wanted to point out is that there is a secret flag. Uh-huh. There is a secret flag in npm. You cannot get it from the fire hose. You have to know how to go and look for it. But there is a secret flag that is applied to, um, these important maintainers, um, and it’s on a per…
[00:08:57] Paul McCarty: It’s not a maintainer flag, it’s a package flag. And so if you know where to look for it, you can find that, and then you know, and, and you can just basically just walk, you know, the whole fire hose and find all those flags for the specific packages, and that’s your list right there.
[00:09:13] Jenn Gile: Yeah. Hmm. Well, time will tell.
GitHub Enterprise self-service credential revocation
[00:09:17] Jenn Gile: Uh, okay. Moving on to the second, uh, change that happened at GitHub. This one actually went through the day before the, um, high-impact account 72-hour hold thing, and this one is self-service credential revocation for incident response circumstances. And, uh, I think there’s a couple things to understand about what this is.
[00:09:41] Jenn Gile: First, it’s only for GitHub Enterprise owners, so, uh, not for anybody using GitHub. You have to be, uh, subscribing. And it gives you the ability to either, um, revoke a single individual’s credentials, all of their creds, or, uh, across the entire organization. So, um, it says you can revoke authorizations, delete tokens and SSH keys, uh, list and revoke SSO authorizations, and then individuals will have the ability under the GitHub Enterprise, uh, um, contract as well to review their own, uh, credential accounts and self-service, revoke, or delete.
[00:10:25] Jenn Gile: And so, uh, I think we have a few things to say about this. One, uh, this is a great feature. This is- Yeah … absolutely necessary. We have seen so many examples in, um- The last year where organizations had a lingering credential somewhere that they didn’t know about and didn’t have a way to find out about.
[00:10:46] Jenn Gile: We’re seeing vendors create products to address this problem. So, uh, no, no holds barred, this is a good thing. Uh, asterisk- It is … it’s a little bit of a bummer that it’s only for GitHub Enterprise and, uh, Paul, as we were preparing, you made a, a little bit of a comment of like, “Gosh, it’s 2026.” This is… It’s actually a little surprising that it’s taken this long.
[00:11:09] Paul McCarty: Uh, it just, it just proves that you can take the word enterprise and you can apply it to something, but that does not mean that it was built with the enterprise in mind, and GitHub Enterprise is the perfect example of that. This is a product that evolved out of standard GitHub, which is not, you know, it, it’s not really built for an enterprise.
[00:11:28] Paul McCarty: So the fact that in 2026, July 2026, we are now finally getting the ability to do this, I mean, hey, this is a great… This is like one of the best things they’ve done, like ever. This is one of the best kind of, you know, mitigation tools they’ve ever given us. So I’m happy for it, not complaining about it, just wondering why did it take you this long to add something, you know, to something that’s called enterprise.
[00:11:53] Paul McCarty: Now, here’s the other thing. I, I want people to understand there’s a very specific account boundary here, that this only applies to credentials that are generated by somebody that’s inside the envelope of your enterprise working on an enterprise, uh, resource. So this does not bleed over into these people that you’ve given access to your enterprise that…
[00:12:18] Paul McCarty: So, and here’s, here’s the problem, Jenn. You’ve given… I’ve given you access to my GitHub Enterprise, and you’ve got a bunch of personal stuff and then you’ve got access to enterprise assets, right? You create a PAT for some of your personal stuff, but it, it, it applies to lots of stuff. I can’t go and kill that PAT- Mm
[00:12:37] Paul McCarty: for you as far as I can tell. You know, and, and we need more details here and I’m sure people like, you know, Francois and other people that spend more time looking at this will understand better. But as far as I can tell, just on the, on what they’ve given us so far, you have a problem here where, you know, somebody’s been compromised, uh, but you can only revoke assets that are specific to the enterprise itself.
[00:13:01] Paul McCarty: And so what does that mean in terms of them creating their own PATs, for example? I don’t know.
[00:13:06] Jenn Gile: Yeah, might need a little poking at that to really understand the edges.
[00:13:11] Paul McCarty: I don’t know
[00:13:15] Paul McCarty: if I wanna test- Okay, next … I’ll have to, I’d have to create and pay for an enterprise just to test this. I don’t think I, yeah.
[00:13:16] Jenn Gile: Yeah. Well, maybe, uh, if somebody else out there in the community plays around with it, let us know. Let
[00:13:22] Paul McCarty: us know.
Security researcher ethics: Malicious packages targeting AI companies
[00:13:23] Jenn Gile: Um, next on our list, uh, we have kind of a, mm, I don’t wanna say a weird situation that we ran across this week, because it’s not unusual, but it bears talking about because it is some, uh, not great behavior on behalf of an organization that can cause some harm.
[00:13:47] Jenn Gile: So that’s the only setup I’m gonna give it. You’ve really been looking at this, uh, throughout the week, so why don’t you talk us through what you found, what your concerns are about it, what the community should know.
[00:14:02] Paul McCarty: Yeah. So just a little bit of background here. Um, last year I found, um, some Snyk researchers, um, creating some malicious packages in the ecosystem and I…
[00:14:11] Paul McCarty: And Jenn, I just dropped you the Reddit- Yeah, I remember
[00:14:13] Jenn Gile: that. I will, uh-
[00:14:14] Paul McCarty: Yeah …
[00:14:14] Jenn Gile: drop that link in the chat.
[00:14:17] Paul McCarty: Yeah. And, and listen, so basically what happened, you know, last year was that some researchers that work at Snyk created some malicious packages targeting Cursor, specifically three packages targeting Cursor.
[00:14:27] Paul McCarty: Cursor was not a customer of Snyk. Um, and, um, you know, I found them and called them out publicly, and their CTO and a bunch of people came on my LinkedIn page to, you know, tell me how it wasn’t really a problem. But like everybody that looks at this, like my group of friends and, you know, the, the, the Signal Researcher group, like, it’s a really bad look, right?
[00:14:47] Paul McCarty: So-
[00:14:48] Jenn Gile: Yeah, I was at another vendor- What we wanna- … when that happened, and there was a lot said in the, the vendor community as well as the customer community about that
[00:14:56] Paul McCarty: behavior. And I, I get where this comes from because having done bug bounty and, and offensive research, sometimes you get this ability to do things where you’re allowed to cross this kind of ethical and, and legal line, right?
[00:15:09] Paul McCarty: But that’s very rare. And so what you see now happening is you see certain researchers, you know, acting like they, um, acting like- Get a little out of
[00:15:21] Jenn Gile: the, uh, the screen share. Starting to distract you, but it got me. One of our LinkedIn users, “What? This is crazy shocking.”
[00:15:28] Paul McCarty: The only b- the only downside to live stuff coming up in the podcast is that I stop and look at it.
[00:15:33] Paul McCarty: But, um, yes, very shocking, which was the comment. Um, yeah, so I mean, I, l- you know, I… The, what we see is we see a new kind of generation of security researchers not understanding where that moral line, that moral and ethical line is. And so there’s the moral and ethical line, right, which is, as researchers we’re not supposed to do any harm, right?
[00:15:55] Paul McCarty: So for example, the, the best example of this, and something I’ve been railing about for years, is when bug bounty researchers create their payloads inside of their mo- their, you know, their POC NPM or Python packages or whatever the case may be, the kind of, you know, the understood what they can exfil is typically like host name, public IP, you know, maybe system host name, something like that.
[00:16:19] Paul McCarty: Um, maybe username at most. But that’s it, right? Because what you’re trying to do is you’re trying to show to the, the program team that, “Hey, you know, we ran this inside your organization. We got this data. We, we prove imp- impact.” So you have to be able to collect a little bit of information, right? But that’s where it stops.
[00:16:36] Paul McCarty: But you still all the time see bug bounty researchers exfilling all kinds of stuff. Like, the most common thing they do is they just, they gank every single environment variable that’s running via ENV, and they just exfil the whole- Well, we talked about
[00:16:48] Jenn Gile: this maybe a month ago with the Moika campaign-
[00:16:51] Paul McCarty: Yeah.
[00:16:51] Paul McCarty: Yeah … which may
[00:16:53] Jenn Gile: fall further on the, the naughty side- Yeah … of that trend. But why don’t you explain what you found this week?
[00:16:59] Paul McCarty: Yeah, thanks. S- uh, Jenn’s bringing me back on center. I just wanted to give that background there, because I think it’s important. Yeah, yeah, I know. Um, so what I found this week is six packages, um, published, um…
[00:17:11] Paul McCarty: And they’re not hiding their identity, published by a security researcher that’s working for a new, um, cybersecurity startup that’s in stealth. And basically what those packages do is that they target OpenAI, Anthropic, Vercel, Ollama, and a few others. Um, and they’re info stealers. Um, now they’re careful in those info stealers to not exfil credentials, which is good, but they exfil a bunch of information that, that, uh, it, it, it’s, it goes beyond, it crosses a line.
[00:17:40] Paul McCarty: Basically what… They’re, they’re ganking a lot of information, pulling stuff out of .git, .ssh. So this is like, this is sensitive stuff even if it’s not credentials. Um, and you know, uh, it’s pretty obvious that they’re doing this, you know, to kind of build some research capability that they can then launch their startup on.
[00:18:00] Paul McCarty: But I just wanna call it out, and we got a, we got a blog post coming. I wanted to call it out because it’s our job as security researchers to, to find the bad things, and it’s not our job as security researchers to become the bad guy. And I, like, I’m… You know, come at me, bro. You k- you know, I’ll be at DEF CON, come at me and I’m happy to have a very lively conversation with you about this.
[00:18:20] Paul McCarty: But this is not good behavior and we wanna call it out, and we’re gonna do that in our blog post.
[00:18:26] Jenn Gile: All right. We will get that blog post up, uh, by the end of the week, I think, and we’ll share the link out.
TeamPCP FBI “FLASH”
[00:18:26] Jenn Gile: Circling back to what we talked about at the top of the episode, I got the, uh, FLAF is what it’s called, from the FBI about Team PCP.
[00:18:44] Jenn Gile: Uh, what’s been noted is it’s a FLAF, and I’m sure that stands for something because it’s all caps. Um,
[00:18:51] Paul McCarty: Right. It’s an acronym.
[00:18:53] Jenn Gile: Yeah, it’s an acronym for something. Um, it, uh, is in lieu of doing a, a traditional wanted poster, and I don’t know the ins and outs of why they decided to do one versus the other. Uh, so the warning here is this is a PDF, you know, do what you will with the PDF that comes through.
[00:19:10] Jenn Gile: Um, but it goes over, uh, you know, who Team PCP is, the behavior that they’ve been doing, the IoCs that you can look for. So worth taking a look at. Um, anything else you wanna say on that?
[00:19:25] Paul McCarty: Yeah, I mean, there’s, you know, some good i- indicators in there, but there’s, like we have a whole lot more in OSM. So if you want, y- you know, if you’re somebody working in government or, you know, law enforcement and you want better data, indicator data, come and, and talk to us.
[00:19:39] Paul McCarty: Yeah. Weird plug, but nonetheless. Yeah.
Next Week: Open VSX with special guest Mikael Barbero
[00:19:46] Jenn Gile: Um, okay. For next week, uh, we’re excited. We’re gonna have our first guest on the show. His name is Mikael Barbero. He’s the head of security at the Eclipse Foundation, which, uh, maybe you haven’t heard of them, but you probably have heard of OpenVSX, which is one of the projects that the Eclipse Foundation manages.
[00:20:07] Jenn Gile: I got to sit down with him this morning to talk about, uh, what we’ll be discussing on the show. Uh, he’s very passionate about the foundation and making OpenVSX, uh, secure, so I think it’s gonna be super interesting. Um, something that I learned today, and I wouldn’t, uh, blame our audience for not knowing this either, but the reason for OpenVSX really having a moment right now is actually because all of these, uh, AI IDE platforms, you know, they run on VS Code, but they don’t use official VS Code extensions for various reasons.
[00:20:46] Jenn Gile: Right. And so they have turned to OpenVSX, and so that’s platforms like Cursor and Windsurf. And so OpenVSX is really having a moment in a way that is, uh, potentially great for the ecosystem, but, uh, as all of these things go, it also is making it an attractive new target for, um, threat actors who want to exploit users of VS Code.
[00:21:13] Paul McCarty: Yeah. I’ve got a little spiel here. Um- Do it … I’m really excited to, I’m really excited to have him on the podcast. I’ve been vaguely critical of, of their organization in the past in terms of security practices. Um, I’m, you know, I’m o- I’m coming to this with open ears and an open heart, and if I’m, if I’ve been wrong about something, I’ll definitely cop to it live on air.
[00:21:33] Paul McCarty: Um, but, uh, you know, I’m excited to be- to help them and be part of the solution. Um, but, um, something I wanna k- uh, segue here is y- you know, these, these, uh, registries are great because these registries do have the ability to kind of create some security choke points, which is awesome, which is why you should be using them.
[00:21:53] Paul McCarty: Because the reality is that anybody can go and download these VS Code extensions from a GitHub repo or anywhere else, right? You know, they’re just a… They’re j- they’re basically just JavaScript in a proprietary zip format. That’s all. Um, and, uh, what we’re gonna start to see- Is we’re gonna start to see the same thing happening in the VS Code ecosystem, VS Code extensions ecosystem that we’re seeing now with npm.
[00:22:15] Paul McCarty: Bad guys, let me be very clear, we’re gonna talk about this more on next week’s show or maybe the week after that. But in anticipation of V12, the, the npm package manager changes that are coming, which by the way are… This is gonna roll in not like thunder, but like a whimper because nobody’s gonna upgrade.
[00:22:31] Paul McCarty: But anyhow, um, that aside, I’m already seeing a shift in the deployment of malware in npm packages to these other kind of non-install script. And I’m seeing all kinds of unique ways, and I haven’t even shared this yet with Jenn. This morning I got up super early and went through a bunch of them. But we’re gonna start to see the same th- kind of things happen in the VS Code ecosystems too, and that’s why it’s that much more important to use these platforms like OpenVSX, where they really are concerned about security and they wanna do something about that.
[00:23:01] Paul McCarty: So that’s important, and they can add that kind of, that, um, that security layer for us.
[00:23:07] Jenn Gile: Yeah. You know, some color I would lo- love to add on top of that is, uh, something you and I have talked about before. You know, people ask us about how scanning happens for various different types of assets. And, you know, you have npm, you have PyPI.
[00:23:23] Jenn Gile: Those are kind of, like, known locations for specific types of things. But then you have, um, I guess, things that don’t m- meet the regular mold. Uh, you have AI skills and you have extensions where they can just live in any GitHub repository, and that makes it much more difficult, uh, for both defenders as well as, you know, organizations like us that are doing proactive scanning to find all of the skills and the extensions that are out there.
[00:23:56] Jenn Gile: These two things behave in very similar ways. You know, setting aside the fact that one’s natural language and the other’s code, um, you know, where they live, how they’re used, they behave similarly. So, um, plus one to what you just said about consuming them through a credible ecosystem. Right. Um, what I learned about OpenVSX, and what we’ll talk about next week, gives me hope that it’s a good place, uh, to start, you know, feeling a bit more trustworthy about what you’re consuming.
[00:24:26] Jenn Gile: But, uh, I guess- Even, even if you don’t think it’s perfect, it’s better than just pulling it down off some random GitHub. Yeah.
[00:24:37] Paul McCarty: And frankly, you know, based on some of the things you said that you guys talked about, I, I feel more confident about, about OpenVSX than I do about the official VS Code marketplace, so there’s that.
[00:24:49] Paul McCarty: Um- Yeah, it should
[00:24:49] Jenn Gile: be interesting. I’m really looking forward to the
[00:24:51] Paul McCarty: conversation- Yeah … next
[00:24:52] Jenn Gile: week.
[00:24:53] Paul McCarty: I wish I could be there live for that part of the conversation, but I’m not getting up at 1:00 AM, so I’m sorry I won’t be, but-
[00:24:58] Jenn Gile: Yeah … that’s okay. Uh, you know, this whole thing where, uh, we’re more connected because of technology also doesn’t change the fact that the earth is round and, um, you and I are on very different parts of it.
[00:25:13] Paul McCarty: Right. And, and humans need… As much as my body tries to pretend like that’s not the case, humans need sleep.
[00:25:19] Jenn Gile: Humans need sleep, yes. Okay, we’re at about, uh, 25 minutes so far. I think we’ve exhausted this week’s agenda. Did you have anything you wanted to talk about before we wrap?
[00:25:30] Paul McCarty: No, I, I, I could go, like… No.
[00:25:33] Paul McCarty: We’ll, we’ll save it for next week when it’s a little bit more structured. I do wanna get into these, kind of, these new ways that bad guys… 'Cause I’ve, I’ve got a bunch of screenshots to share with you and stuff like that too as well, so I think it’s- Yeah … just watching people be creative, in this case bad guys, but watching bad guys be creative is really fascinating.
[00:25:49] Paul McCarty: It’s one of the things I love about my job.
[00:25:51] Jenn Gile: Yeah. Always seeing new things. We may not like the things we see, but it is, if- Right … if nothing else, it is interesting.
[00:25:59] Paul McCarty: Right.
[00:26:00] Jenn Gile: All right, everyone have a great week. We’ll see you next week.
[00:26:04] Paul McCarty: Thanks for listening, people. Appreciate it.