Bad Dependencies Podcast
Mackenzie Jackson
8 episodes
6 days ago
Welcome to Bad Dependencies, the podcast where the digital supply chain gets audited in real-time. Hosted by security researchers Charlie Erikson and Mackenzie Jackson from Aikido Security, this bi-weekly show dives deep into the wildest, weirdest, and most dangerous malware found lurking in package registries like NPM and PyPI. From image-based payloads to AI-generated code noise, nothing is off-limits as Charlie and Mackenzie explore the bleeding edge of software supply chain attacks. Whether you’re a developer, security enthusiast, or just malware-curious, Bad Dependencies will open your ey
Technology
All content for Bad Dependencies Podcast is the property of Mackenzie Jackson and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Bad Dependencies: JPEGs, JavaScript, and Janky Malware: Image-Based Attacks in NPM
Bad Dependencies Podcast
34 minutes 48 seconds
5 months ago

In the debut episode of Bad Dependencies, Charlie and Mackenzie unpack some seriously strange cases of malware hidden in plain sight on NPM. They explore how malicious actors are stuffing payloads into image files like JPEGs and PNGs, and how these are being unpacked with clever JavaScript tricks to evade detection.

You'll hear how AI-generated decoy code, fake Readme files, and hidden PowerShell scripts are being used to disguise the true intent of packages — from base64 blobs in JPEGs to fake "fingerprinting" logic that serves no purpose other than distraction.

Expect deep dives into packages like node-wave-http, axios-fingerprint, and expressjs-session, with behind-the-scenes insights on how attackers are setting the stage for future payload delivery. Plus, discover why Discord and Cloudflare are often abused for hosting malware — and what makes Windows such a popular target for these campaigns.

If you've ever wondered how bad dependencies make it past package registry checks — or how to spot them — this episode is for you.

00:00 - Welcome to Bad Dependencies
01:10 - Hiding Malware in Images: NodeWave HTTP
04:59 - Malicious JPEG Unpacks via PowerShell
07:09 - Why Hackers Use Discord for Malware Delivery
09:06 - Why NPM & GitHub Don't Catch This Stuff
11:00 - A Legit App or Malware Decoy? The OSU Twist
12:34 - AI-Generated Code as Distraction Noise
14:44 - Obscure Pre-flight Checks & Fake Logic
17:09 - Alternate Payloads Hosted on Cloudflare
22:00 - PNG with Base64-Encoded Eval Exploit
26:30 - This Just Sends System Info: Bug Bounty Play?
30:59 - Detecting Malware with Entropy Analysis