Bad Dependencies Episode 3: Malware, Bug Bounties, and the Ethics of Offense

https://is1-ssl.mzstatic.com/image/thumb/Podcasts211/v4/20/69/48/20694887-9f9d-ff51-714f-501bb4159412/mza_8945796113236339360.jpg/600x600bb.jpg

Bad Dependencies Podcast

Mackenzie Jackson

8 episodes

5 days ago

Welcome to Bad Dependencies, the podcast where the digital supply chain gets audited in real-time. Hosted by security researchers Charlie Erikson and Mackenzie Jackson from Aikido Security, this bi-weekly show dives deep into the wildest, weirdest, and most dangerous malware found lurking in package registries like NPM and PyPI. From image-based payloads to AI-generated code noise, nothing is off-limits as Charlie and Mackenzie explore the bleeding edge of software supply chain attacks. Whether you’re a developer, security enthusiast, or just malware-curious, Bad Dependencies will open your ey

Technology

RSS

All content for Bad Dependencies Podcast is the property of Mackenzie Jackson and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.

Technology

https://d3t3ozftmdmh3i.cloudfront.net/staging/podcast_uploaded_nologo/43802306/43802306-1748868151508-47df53ea4807e.jpg

Bad Dependencies Episode 3: Malware, Bug Bounties, and the Ethics of Offense

Bad Dependencies Podcast

28 minutes 25 seconds

4 months ago

Bad Dependencies Episode 3: Malware, Bug Bounties, and the Ethics of Offense

In this episode of Bad Dependencies, we explore the gray zone of offensive security with researcher Raphael Silva from Checkmarx. Hosts Mackenzie and Charlie break down June’s 4,000+ flagged malicious packages, then chat with Raphael about his real-world experiments planting “malicious-but-not” packages in places like npm and the VS Code Marketplace. From unicode deception to malware hidden in PNGs, this episode unpacks the ethics of bug bounties, the dangers of going too far, and how easy it is to slip past marketplace defenses—until a random security guy in Poland catches you first.00:00 – Intro & Weather Woes00:50 – Malware Madness: 4,000+ Packages Flagged02:00 – Offensive Security 10104:00 – The Ethics of Fake Malware06:00 – Where Researchers Cross the Line10:00 – Common Pitfalls & Accidental Exposure12:05 – Guest Joins: Raphael Silva from Checkmarx13:50 – Malicious-but-Not: ExpressJS-Session Deep Dive17:30 – Why Target VS Code Extensions?22:20 – Unicode Tricks, Copycats & What’s Next