The Secure Disclosure
Mackenzie Jackson
12 episodes
5 days ago
Cyber, Sake, News, Research and more. The Disclosure is a weekly cybersecurity podcast that brings the latest news, research and leaders into a 45-minute show. Hosted by Mackenzie Jackson, we bring new guests each week to share their research and expertise in the space.
Technology
Episodes (12/12)
Episode 13: Malicious VS Code Extensions & The Future of AI Security

In this episode of Secure Disclosure, host Mackenzie Jackson explores the growing threat of malicious VS Code extensions with Rami McCarthy from Wiz and Charlie Eriksen from Aikido Security, diving into how leaked secrets and clever obfuscation put developers at risk. Later, Patrick Debois, the “Godfather of DevOps,” joins to discuss the rise of AI-native development, how it mirrors past DevOps shifts, and what it means for the future of secure software.

Links:
Original post from Aikido: https://www.linkedin.com/feed/update/urn:li:activity:7384986044867256320
Wiz Security research on VS Code: https://www.wiz.io/blog/supply-chain-risk-in-vscode-extension-marketplaces
Rami McCarthy LinkedIn: https://www.linkedin.com/in/ramimac/
Patrick Debois LinkedIn: https://www.linkedin.com/in/patrickdebois/
Charlie Eriksen LinkedIn: https://www.linkedin.com/in/charlie-eriksen-a318578/

Chapters
00:00 — Introduction
01:10 — Malicious VS Code Extensions
06:00 — Leaked Secrets & Supply Chain Risk
15:00 — npm Security Updates & SafeChain
19:00 — The Future of AI Development

5 days ago
55 minutes 55 seconds

Building, Investing, and the Future of AI: Maarten Mortier on the New Era of Venture Capital

In this episode of Cyber & Sake, host Mackenzie Jackson sits down with Maarten Mortier, former CTO of Showpad and now co-founder and managing partner at Entourage VC. They discuss Maarten’s early love for programming, how Ghent became a thriving European tech hub, and why builders make the best investors. Maarten shares what he looks for during startup due diligence, how AI is reshaping both development and venture capital, and why healthy security should be baked into company culture rather than siloed off.

This is a deep and candid conversation about technology, product and philosophy, from scaling startups to the evolving role of AI in coding, investing and innovation. Pour yourself a glass of sake and join us for an episode that blends code, capital and curiosity.

⏱️ Chapter List
00:00 Introductions & Sake Tasting
01:10 From Early Coding Days to CTO Success
04:07 Why Ghent is Becoming a European Tech Hub
07:58 Building and Investing: The Story of Entourage VC
11:02 Inside VC Due Diligence and the Founder Relationship
18:03 Tech Health, Security, and Red Flags for Startups
25:16 What Makes a Real Moat in the Age of AI
32:03 AI, Product Building, and the Future of Venture Capital
39:36 Final Thoughts, Security Advice & The Sake Game

2 weeks ago
46 minutes 40 seconds

AI, Code, and Confidence: The Future of Secure Development with Matias Madou

In this episode of The Secure Disclosure Podcast, host Mackenzie Jackson sits down with Matias Madou, co-founder and CTO of Secure Code Warrior, to explore how developer education is the missing key to secure software. They unpack why we’re still struggling with vulnerabilities like SQL injection in 2025, how AI is reshaping application security, and why critical thinking might be the most important security skill of all. From COBOL to ChatGPT, this is a deep dive into the past, present and future of secure coding.

Chapters
00:00 – The Origin of Secure Code Warrior
05:20 – Developers vs. Security: The Real Problem
08:10 – AI’s Impact on Application Security
13:00 – The Confidence Trap of AI
17:00 – Evolving Secure Code Warrior
28:00 – Would You Rather: Security Edition

2 weeks ago
31 minutes 15 seconds

Digital Identities, Fraud, and the Future of AI with Veriff & Timefold: The Secure Disclosure

In this episode of The Secure Disclosure, host Mackenzie Jackson dives into two conversations at the intersection of cybersecurity, trust and AI innovation.

First, Romain Moisescot from Veriff (https://veriff.com) explores the heated debate around digital identities in the UK, addressing concerns about privacy, government trust and the rising wave of online fraud. Drawing on Veriff’s Identity Fraud Report 2025 (https://www.veriff.com/resources/ebooks/veriff-identity-fraud-report-2025), he shares how fraudsters leverage AI and how digitally native IDs can fight back.

Then, at the Cyber Sake Bar, Geoffrey De Smet, co-founder of Timefold.ai (https://timefold.ai), recounts his journey from building an open-source project 19 years ago to launching a company after IBM’s acquisition of Red Hat. Geoffrey breaks down the difference between heuristic AI solvers and LLMs, why scheduling is one of the hardest problems in tech, and how Timefold is freeing the world from “wasteful scheduling.”

If you’re curious about the future of digital trust, fraud prevention and practical AI applications, this is an episode you won’t want to miss.

Chapters
00:00 – Introduction
01:19 – The Digital Identity Dilemma (with Veriff)
18:18 – Sponsor Segment: Aikido Security
19:02 – Cyber & Sake: Geoffrey De Smet and the Timefold Journey
47:31 – Would You Rather
48:14 – Closing Thoughts & Farewell

4 weeks ago
48 minutes 50 seconds

The Largest Breach That Wasn’t: Debug & Chalk + NPM’s Almost-Apocalypse

This week on The Secure Disclosure, host Mackenzie Jackson dives into “the largest breach that never really happened”: the September npm supply chain compromise that put 2.6 billion weekly downloads at risk but somehow didn’t take down the internet.

Joining me are two key voices from the incident:
Josh Junon – the maintainer who was phished, unknowingly triggering the chain of events.
Charlie Eriksen – the security researcher who first discovered and analyzed the malware.

Together, we unpack the timeline: the phishing email that started it all, the malware hidden inside foundational packages like debug and chalk, the viral panic that followed, and why the attackers walked away with just $900 in crypto instead of world domination. We also discuss what the breach teaches us about security “working,” luck, and where the ecosystem still leaves maintainers dangerously exposed.

Sponsor
This episode is brought to you by Aikido Security, your complete code security platform.
Check out Aikido: https://aikido.dev
Prevent supply chain attacks with Aikido SafeChain: https://www.npmjs.com/package/@aikidosec/safe-chain

Watch & Listen
🎧 Spotify & other platforms: https://creators.spotify.com/pod/profile/thesecuredisclosure/

Connect with Me
X (Twitter): https://x.com/advocatemack
LinkedIn: https://linkedin.com/in/adovcatemack

References
XKCD Web Comic: https://xkcd.com/2347/
Wiz Blog Post: https://www.wiz.io/blog/widespread-npm-supply-chain-attack-breaking-down-impact-scope-across-debug-chalk
InsiderPhD YouTube: https://www.youtube.com/c/InsiderPhD
InsiderPhD X Post: https://x.com/InsiderPhD/status/1965110610972250550
My LinkedIn Post: https://www.linkedin.com/feed/update/urn:li:activity:7373625746822696960/
John Hammond Video: https://www.youtube.com/watch?v=4caJw0JJZTQ

Chapters
00:00 – Intro
00:18 – Setting the stage: the breach that “never really happened”
01:31 – Josh Junon: the phishing email that started it all
04:39 – Malware injection and Charlie Eriksen’s discovery
06:58 – The viral panic: LinkedIn posts, headlines, and John Hammond’s roast
09:01 – Why the npm compromise looked bigger than it was
12:31 – Foundational packages, open-source reliance, and the Nebraska problem
16:18 – What really happened: $900 stolen in crypto
18:31 – Security win or just luck? Community reactions and InsiderPhD’s take
23:09 – The scarier “what ifs” and why attackers underused their access
23:40 – Sponsored segment: Aikido Security & SafeChain
24:26 – Josh on community support and mental health for maintainers
26:23 – Where npm failed and how package managers need to improve
28:14 – Outro and reflections

1 month ago
28 minutes 58 seconds

Phishing, Zero-Clicks & World Champion Hackers: The Secure Disclosure

In this episode of Secure Disclosure, host Mackenzie Jackson takes you through the evolving world of cyber threats and the people on the front lines. We kick things off with a deep dive into phishing attacks with Jacques Louw of Push Security and the surprising ways they continue to outsmart defenses in 2025. Then, we unravel the story of a dangerous WhatsApp zero-click vulnerability that, when paired with an Apple iOS flaw, gave attackers full control of victims’ devices, all without a single tap.

We also take a lighter turn at the Cyber Sake Bar, where we sit down with the world’s number one competitive hacker, Philippe Dourassov, to talk about the thrill of international hacking competitions, how he accidentally hacked Discord, and why he’s now building his own startup. Along the way, we highlight the crucial role of defense, the impact of AI on modern attacks, and even taste-test Japanese vs Californian sake.

Links
Push Security Phishing Report: https://pushsecurity.com/resources/phishing-evolution
WhatsApp Vulnerability: https://www.bitdefender.com/en-us/blog/hotforsecurity/whatsapp-zero-click-spyware-attack-android

⏱️ Chapters
00:00 Intro – Welcome & Overview
01:32 The Evolution of Phishing Attacks – Jacques Louw, Push Security
21:31 WhatsApp Segment – Zero-Click Vulnerability Deep Dive
26:18 Sponsor Segment – Aikido Security Spotlight
27:01 Sake Segment – Philippe Dourassov on Competitive Hacking

1 month ago
52 minutes 47 seconds

Secrets in the Open: The NX Breach and Cloud Security’s Future - The Secure Disclosure Podcast

In this episode of Secure Disclosure, host Mackenzie Jackson unpacks the NX breach with malware researcher Charlie Eriksen and GitGuardian’s Guillaume Valadon, revealing how stolen tokens exposed thousands of secrets on GitHub. Analyst James Berthoty then offers an exclusive preview of Latio Tech’s Cloud Security Report, cutting through the AI hype to highlight real trends. Finally, Ashish Rajan joins the Cyber & Sake segment to share his vision for the future of cloud security.

Chapters
00:00 – Introduction
01:15 – The NX Breach Explained
06:25 – Secrets in Public Repos
20:47 – Cloud Security Report Sneak Peek with James Berthoty
36:25 – Cyber & Sake with Ashish Rajan

1 month ago
56 minutes 21 seconds

AI Cyber Defense & Cyborg Hackers - The Future of Security: The Secure Disclosure

In this episode of The Secure Disclosure, host Mackenzie Jackson is joined by Darktrace VP Nathaniel Jones to unpack the newly discovered Auto-Color malware exploiting SAP NetWeaver vulnerabilities. We also cover the WinRAR zero-day actively exploited by the RomCom APT and wrap up with an unforgettable interview with Len Noe, a real cyborg hacker with 11 implants who demonstrates what’s possible when the human body meets hacking.

Timestamps & Chapters:
00:00 – Intro
01:07 – Auto-Color used in SAP NetWeaver Vuln
18:39 – Sponsor: Aikido Security
19:25 – WinRAR Zero-Day
23:30 – Interview with Len Noe

2 months ago
45 minutes 43 seconds

Erlang RCE Vulnerability, Finding Security Champions and Securing AI Applications

In this episode, we bring you insights from Black Hat and DEF CON 2025. We start with a breakdown of Erlang/OTP CVE-2025-32433, a critical remote code execution flaw scoring a perfect 10, and why it’s being exploited in real-world infrastructure.

Next, we sit down with Dustin Lehr, author of the Security Champions Program Success Guide, to discuss how to build effective security champion programs inside organizations, from finding the right people to measuring success.

Finally, at the Cyber Sake Bar, we chat with Steve Giguere from Lakera about the growing field of AI security. We explore risks like prompt injection, agentic AI systems, and what securing AI models really means for modern applications.

Perfect for anyone interested in cybersecurity, secure development and the future of AI security.

Chapters
00:00 – Intro & Hacker Summer Camp Recap
01:22 – Critical Vulnerability: Erlang OTP CVE-2025-32433
07:04 – Interview with Dustin Lehr: Building Security Champions
29:00 – Sponsor Segment: Aikido Security & Safechain
29:45 – Cyber and Sake with Steve Giguere: Securing AI Models
44:09 – Prompt Injections, Agentic AI & Closing Thoughts

2 months ago
52 minutes 20 seconds

Security Flaws, Phishing Attacks & Code Quality: Vibe Coding’s Dark Side: The Disclosure Episode 3

In this episode of Disclosure, Mackenzie Jackson takes listeners deep into the fast-evolving and increasingly risky world of AI-assisted coding. First, security researcher Wout Debaenst exposes a massive vulnerability in Base44’s AI coding platform that made private applications accessible to anyone with minimal effort, highlighting how “vibe coding” can create the next wave of supply chain attacks.

Next, malware researcher Charlie Eriksen returns to reveal a fresh PyPI phishing campaign eerily similar to last week’s npm compromise, underscoring the fragility of our open-source ecosystems.

Finally, Mackenzie heads to the Cyber Sake Bar for a candid conversation with Khachatur Virabyan, co-founder of Trag, exploring how AI can change code quality. Along the way, they sip sake, swap war stories, and debate the future of software development in the age of AI.

Chapters
00:00 – Introduction
01:19 – Base44 Breach & The Risks of AI Coding Platforms
09:24 – PyPI Phishing Campaign and Open Source Security Gaps
17:08 – AI-Assisted Code Quality with Trag
34:02 – Cybersecurity “Would You Rather” and Closing

2 months ago
36 minutes 22 seconds

Inside the SharePoint Exploit: How Eye Security Discovered the Attack

In this episode, we talk to Vaisha Bernard, Chief Hacker at Eye Security, about the catastrophic SharePoint vulnerability that was exploited by suspected nation-state actors. We cover how Eye Security’s team discovered the exploit, the flawed patching timeline from Microsoft, how Google Gemini was used to find a bypass, and what organizations must do now to secure their SharePoint servers. From government targets to AI-assisted exploitation, this is a deep dive into one of the most severe security incidents of the year.

Chapters
00:00 Introduction to the SharePoint Vulnerability
01:00 Eye Security’s Initial Discovery
03:30 Uncovering the Zero-Day Exploit
05:30 Internet-Wide Scanning and Findings
07:00 Patch Analysis and Flaws
10:00 Emergency Fix and Security Research
12:00 Threat Actor Attribution
13:20 Advice for Organizations and Closing Remarks

2 months ago
51 minutes 32 seconds

McDonalds Breach, XAI Doge Leak and More: The Disclosure Show

This week, we’re exposing the untold truths behind major headlines.

McDonald’s Data Breach
Over 60 million job applicants’ data compromised via Paradox.ai’s AI chatbot “Olivia.” But was it just a weak password, or something far worse? We break it down and challenge the media’s misleading narrative.

xAI Secret Key Leak
Researcher Philippe Caturegli joins us to reveal how a DOGE/X developer accidentally leaked powerful internal API keys, and what that meant for access to Tesla and SpaceX LLMs. We talk entropy, GitHub mistakes, and the dangers of hardcoded secrets.
Source: https://krebsonsecurity.com/2025/05/xai-dev-leaks-api-key-for-private-spacex-tesla-llms/

600 Laravel Apps Vulnerable to RCE
Security researcher Rémi Matasse walks us through how 260,000 leaked Laravel APP_KEYs were matched against live endpoints, resulting in 600+ apps being exposed to remote code execution. They even built a tool for it: Laravel CryptoKiller.
Sources:
https://www.synacktiv.com/en/publications/laravel-appkey-leakage-analysis
https://blog.gitguardian.com/exploiting-public-app_key-leaks/

🍶 AI Pentesting & The Future of Hacking
In our signature “Sake with a Hacker” segment, we sip with Wout Debaenst of Allseek to discuss how agentic AI is poised to revolutionize penetration testing, and whether AI will replace human hackers in the next five years.

Chapters:
0:00 – Introduction
0:54 – McDonald’s Breach
3:28 – xAI API Key Leak
14:02 – 600 Laravel APP_KEY Leaks
26:10 – Cyber And Sake with Wout Debaenst
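The “we talk entropy” thread of the xAI segment, and the leaked-secrets findings in the VS Code extension and NX episodes above, all rest on the same first-pass check: a hardcoded key looks like random noise, so its Shannon entropy per character is well above that of identifiers, paths and prose. The script below is an added example, not the podcast’s or any guest’s tooling; the sample file contents, the token names in it and the thresholds (4.0 bits/char for mixed tokens, 3.0 for hex-only ones, since hex can never exceed 4.0) are constructed for illustration.

```python
"""Entropy-based scan for hardcoded secrets in source text (standard library only)."""
import math
import re
from collections import Counter
from typing import Dict, List

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for a constant string, log2(len) when every char is distinct."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, min_len: int = 20,
              mixed_threshold: float = 4.0, hex_threshold: float = 3.0) -> List[Dict]:
    """Return token-like runs whose entropy exceeds the threshold for their alphabet.

    Hex strings (commit SHAs, HMAC keys) are capped at 4 bits/char, so they get a
    lower cut-off than mixed-case/base64-style tokens.  Thresholds are assumptions.
    """
    token_re = re.compile(r"[A-Za-z0-9+/=_\-]{%d,}" % min_len)
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in token_re.finditer(line):
            token = match.group(0)
            is_hex = bool(HEX_RE.match(token))
            entropy = shannon_entropy(token)
            if entropy >= (hex_threshold if is_hex else mixed_threshold):
                findings.append({
                    "line": lineno,
                    "token": token,
                    "entropy": round(entropy, 3),
                    "kind": "hex" if is_hex else "mixed",
                })
    return findings


def redact(token: str) -> str:
    """Show enough of a finding to locate it without echoing the whole secret."""
    return token[:4] + "..." + token[-2:]


# Constructed sample file: two planted secrets among values a scanner must not flag.
SAMPLE_SOURCE = """\
# constructed sample: the kind of file a leaked-secrets scan walks
MAX_CONNECTIONS_PER_WORKER_POOL_SIZE_LIMIT = 64
DOCS_URL = "https://example.com/docs/getting-started"
password = "aaaaaaaaaaaaaaaaaaaaaaaa"
API_TOKEN = "A9fK2mQx7pL0vZ3rT8wN1cY6hB4jD5eU"
WEBHOOK_SIGNING_KEY = "3f9a1c7e5b2d8046a9e1f3c7b5d2e8a4c6f0b1d9"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} token {redact(f['token'])} "
              f"entropy={f['entropy']}")
```

Entropy alone is a coarse filter: the long constant name and the URL path in the sample sit at roughly 3.7 to 3.9 bits/char and slip under the 4.0 cut-off, but a short or vowel-heavy secret would slip under it too, and the cut-off has to be tuned per alphabet. Pair it with pattern rules for known key formats and run it in a pre-commit hook, so the check happens before the push rather than after the headline.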
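The Laravel matching step described in the 600-apps segment, as an added example that is neither the Synacktiv or GitGuardian tooling nor Laravel CryptoKiller: Laravel stores an encrypted cookie as a base64 JSON envelope of {iv, value, mac} where mac is the hex HMAC-SHA256, keyed with the decoded APP_KEY, over the base64 iv followed by the base64 ciphertext. Verifying that MAC with a candidate key is enough to tell whether a live site uses the key, with no decryption and no request beyond fetching one cookie. The two keys and the cookie in the script are generated locally and labelled as constructed; the ciphertext is treated as opaque bytes because the MAC check never needs AES.

```python
"""Match candidate Laravel APP_KEYs against an encrypted cookie using only the MAC check."""
import base64
import hashlib
import hmac
import json
import os
from typing import Iterable, List, Optional
from urllib.parse import unquote


def load_app_key(app_key: str) -> bytes:
    """Turn a Laravel APP_KEY setting into raw key bytes (handles the 'base64:' prefix)."""
    if app_key.startswith("base64:"):
        return base64.b64decode(app_key[len("base64:"):])
    return app_key.encode()


def parse_envelope(cookie_value: str) -> Optional[dict]:
    """Decode a (possibly URL-encoded) cookie value into Laravel's {iv, value, mac} envelope.

    Returns None for anything that is not a well-formed envelope instead of raising,
    so a scan over many endpoints is not derailed by one odd response.
    """
    try:
        raw = base64.b64decode(unquote(cookie_value), validate=True)
        env = json.loads(raw)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    if not isinstance(env, dict):
        return None
    if not all(isinstance(env.get(k), str) for k in ("iv", "value", "mac")):
        return None
    return env


def laravel_mac(key: bytes, iv_b64: str, value_b64: str) -> str:
    """Laravel's MAC: hex HMAC-SHA256 over the base64 iv concatenated with the base64 ciphertext."""
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def key_matches(app_key: str, cookie_value: str) -> bool:
    """True if app_key produced cookie_value; constant-time comparison of the MACs."""
    env = parse_envelope(cookie_value)
    if env is None:
        return False
    expected = laravel_mac(load_app_key(app_key), env["iv"], env["value"])
    return hmac.compare_digest(expected.encode(), env["mac"].encode())


def match_keys(candidates: Iterable[str], cookie_value: str) -> List[str]:
    """Return every candidate APP_KEY whose MAC validates the cookie."""
    return [k for k in candidates if key_matches(k, cookie_value)]


def build_envelope(app_key: str, ciphertext: bytes, iv: Optional[bytes] = None) -> str:
    """Mint a cookie value in Laravel's envelope format under app_key.

    The ciphertext is opaque here: exercising the MAC check needs no AES, and a
    holder of the key could MAC any bytes they like, which is the point.
    """
    iv = iv or os.urandom(16)
    iv_b64 = base64.b64encode(iv).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    env = {
        "iv": iv_b64,
        "value": value_b64,
        "mac": laravel_mac(load_app_key(app_key), iv_b64, value_b64),
        "tag": "",
    }
    return base64.b64encode(json.dumps(env).encode()).decode()


# Constructed sample: two fresh keys in APP_KEY format and a cookie minted under the first,
# standing in for a leaked key and a live site's XSRF-TOKEN cookie.
LIVE_KEY = "base64:" + base64.b64encode(os.urandom(32)).decode()
OTHER_LEAKED_KEY = "base64:" + base64.b64encode(os.urandom(32)).decode()
SAMPLE_COOKIE = build_envelope(LIVE_KEY, os.urandom(48))

if __name__ == "__main__":
    hits = match_keys([OTHER_LEAKED_KEY, LIVE_KEY], SAMPLE_COOKIE)
    print("key in use by this site:", hits == [LIVE_KEY])
```

A match is the bad outcome. Whoever holds the key can mint cookies the application accepts, and on Laravel versions that still pass the decrypted cookie through PHP’s unserialize() that is what turns a key match into the remote code execution the episode describes. The fix is to rotate APP_KEY and invalidate existing sessions; an APP_KEY that has been committed to a public repo is burned regardless of whether anyone has matched it yet.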

2 months ago
43 minutes 52 seconds