Welcome to the very first episode of The OpenSourceMalware Show! Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty as they break down the latest news, threats, and best practices in the open-source ecosystem. 

In this episode, we dive into four major topics:

• Bitwarden CLI Compromise: We analyze the recently discovered malicious version (2026.4.0) of the Bitwarden CLI package. We break down how this cloud-native infostealer silently executes via pre-install scripts to harvest credentials across AWS, Azure, GCP, and GitHub, as well as hoovering up AI config files like Claude. We also discuss its exfiltration tactics to a lookalike domain and explain why we are skeptical of the threat actor's claims that this is the "third coming of Shai-Hulud".
• The Danger of npm Lifecycle Scripts: Why are pre-install and post-install scripts such a popular attack path? We discuss how threat actors exploit these convenience features to auto-install malware. We also explore the differences between package managers, noting that while these scripts are off by default in tools like pnpm and bun, they remain on by default in npm.
• OWASP's npm Security Cheat Sheet: We review a 12-point cheat sheet from OWASP covering npm security best practices. We share our thoughts on artifact governance, the realities of responsible disclosure, and why falling for dependency confusion or typo squatting attacks relies more on machine automation than just "dummy" human errors. 
• GenAI and Cross-Ecosystem Attacks: We wrap up with an alarming new trend we observed just this week: threat actors using Generative AI (like Claude) to rapidly translate working malware into different programming languages. This enabled them to deploy malicious packages across multiple ecosystems to target users of a specific company within a coordinated 8-hour window.

Resources:

• bitwarden/cli threat report
• NPM security cheat sheet from OWASP
• Get started with OpenSourceMalware for free