The OpenSourceMalware Show

Lovable and Vercel incidents, GitHub RCE, EDR vs. AI agents, Mini Shai-Hulud by Team PCP

OpenSourceMalware Season 1 Episode 2

Episode length: 25:40

Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty as they cover a week that had defenders everywhere ready to call it on 2026.

In this episode, we cover four topics:

  • Lovable and Vercel incident response failures: Two AI-native platforms had significant security incidents in recent weeks, and both initially responded by minimizing the severity. We break down why Lovable's regression exposed source code and full chat history to any free account holder (the mother of all IDORs), why Vercel's response left paying customers without a single actionable mitigation step, and what good incident response communication actually looks like.
  • GitHub RCE via git push: A remote code execution vulnerability that sat in GitHub's codebase for over a decade allowed arbitrary code to be passed and executed via the -o (push option) flag on a git push. We discuss why this happened, why it is not entirely surprising given Git's design history, and what it means for the ecosystem.
  • EDR vs. AI coding agents: Paul's EDR flagged his own development environment as infected while he was refactoring a library with Claude. We unpack why AI agents operating at non-human speed trigger the same behavioral signatures as ransomware, and why this is going to become a bigger problem as agentic coding workflows become the norm.
  • Mini Shai-Hulud by Team PCP: Team PCP's latest campaign compromised the Lightning Python package (15 million downloads per week) and the Intercom npm client (370,000 downloads per week), among others. We cover what makes this campaign notable: Team PCP has adopted the VS Code tasks file persistence technique previously seen only in DPRK-linked campaigns like TasksJacker and Pollen Rider. We also discuss what over 2,000 exfiltration repositories on GitHub mean for affected developers and organizations, and what you should be doing right now if you are worried you are affected.
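
The following Python script is an added example, not code from the show or from the OpenSourceMalware project. It audits a checkout for the two file-based hooks this episode discusses: VS Code tasks.json tasks that run automatically when a folder is opened (runOptions.runOn set to folderOpen, which VS Code only honours in a trusted workspace and subject to the task.allowAutomaticTasks setting) and npm package.json lifecycle scripts such as postinstall that npm install runs without any further user action. The tasks.json and package.json files it writes to a temporary directory are constructed for the demonstration; the task label, the helper path under /tmp and the package name are made up and are not indicators from the campaign. A hit is a starting point for review, not proof of compromise, since plenty of legitimate projects use both features.

```python
"""Audit a source tree for two developer-workstation persistence hooks (added example).

Looks for .vscode/tasks.json tasks with "runOptions": {"runOn": "folderOpen"}, which
VS Code launches on folder open, and npm lifecycle scripts that `npm install` runs.
"""
import json
import os
import re
import tempfile
from pathlib import Path

AUTO_RUN_TRIGGER = "folderOpen"
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}


def strip_jsonc(text: str) -> str:
    """Convert JSON-with-comments (tasks.json is JSONC) to strict JSON.

    String literals are tracked so a "//" inside a value survives. Trailing commas are
    then removed by a regex that is fine for tasks.json but would also fire on ", ]" in a string.
    """
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:  # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str, i = True, i + 1
            out.append(c)
        elif text.startswith("//", i):  # line comment: drop up to the newline
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):  # block comment: drop through the closing */
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def auto_run_tasks(tasks_json_text: str) -> list[dict]:
    """Return the tasks VS Code would launch automatically on folder open."""
    data = json.loads(strip_jsonc(tasks_json_text))
    return [
        {"label": t.get("label"), "type": t.get("type"),
         "command": t.get("command"), "args": t.get("args", [])}
        for t in data.get("tasks", [])
        if (t.get("runOptions") or {}).get("runOn") == AUTO_RUN_TRIGGER
    ]


def lifecycle_scripts(package_json_text: str) -> dict[str, str]:
    """Return the scripts npm runs automatically during install."""
    scripts = json.loads(package_json_text).get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in NPM_LIFECYCLE_HOOKS}


def audit_tree(root: str) -> list[dict]:
    """Walk root: node_modules is searched on purpose (a dependency's postinstall lives
    there), .git is skipped, and unparsable files are reported rather than ignored."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        base = Path(dirpath)
        path = base
        try:
            if base.name == ".vscode" and "tasks.json" in filenames:
                path = base / "tasks.json"
                for t in auto_run_tasks(path.read_text()):
                    findings.append({"kind": "vscode-auto-task", "path": str(path), **t})
            if "package.json" in filenames:
                path = base / "package.json"
                for hook, cmd in lifecycle_scripts(path.read_text()).items():
                    findings.append({"kind": "npm-lifecycle", "path": str(path),
                                     "hook": hook, "command": cmd})
        except (json.JSONDecodeError, UnicodeDecodeError) as exc:
            findings.append({"kind": "unparseable", "path": str(path), "error": str(exc)})
    return findings


# Constructed sample files: label, helper path and package name are made up, not campaign IOCs.
SAMPLE_TASKS_JSON = """{
  // JSONC: comments and trailing commas are legal in tasks.json
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build", "problemMatcher": [],},
    {"label": "warm cache", "type": "shell", "command": "node",
     "args": ["/tmp/.cache/helper.js"], "runOptions": {"runOn": "folderOpen"}}
  ]
}"""
SAMPLE_PACKAGE_JSON = '{"name": "example-dep", "scripts": {"test": "jest", "postinstall": "node setup.js"}}'


def build_sample_tree() -> str:
    """Create app/.vscode/tasks.json and app/node_modules/example-dep/package.json in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="persistence-audit-"))
    (root / "app" / ".vscode").mkdir(parents=True)
    (root / "app" / ".vscode" / "tasks.json").write_text(SAMPLE_TASKS_JSON)
    (root / "app" / "package.json").write_text('{"name": "app", "scripts": {"test": "jest"}}')
    (root / "app" / "node_modules" / "example-dep").mkdir(parents=True)
    (root / "app" / "node_modules" / "example-dep" / "package.json").write_text(SAMPLE_PACKAGE_JSON)
    return str(root)


if __name__ == "__main__":
    for finding in audit_tree(build_sample_tree()):
        print(finding)
```

Point audit_tree at a real checkout (or at a home directory, since the tasks-file trick targets any folder a developer opens) and review every vscode-auto-task and npm-lifecycle finding by hand; the command and args fields are what to read first.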

Episode Resources:

AI Full-Stack Development: The Anti-Patterns Rise Against Us - Part 1
Our research on some security anti-patterns we discovered when auditing how AI tools write code

Mini Shai-Hulud Borrowed Its Best Trick From PolinRider
An analysis of the TeamPCP campaign "Mini Shai-Hulud", including details on the trick they borrowed from North Korean campaigns like PolinRider and Contagious Interview

Renovate & Dependabot: The New Malware Delivery System
A GitGuardian blog post about the way these tools can accidentally auto-install malware

Jenn Gile

All right. Hey, Paul. Hey, everyone who's watching. We're here on Thursday, April 30th to talk a bit about what's in the news and what's been on our minds. And spoiler, we're going to be talking about the nasty campaign that's been going on for the last couple of days by Team PCP, called Mini Shai-Hulud. So let's start off quickly with a little lightning round of news. First of all, in the last couple of weeks, there were some major security incidents with Vercel and Lovable. And we'll say we're fans of those platforms. We know people at those companies; we're not here to throw rocks, but at the same time, we don't necessarily feel like the security announcements went the way that we would want to see them. So, Paul, why don't you start and share your thoughts a little?

Paul McCarty

Yeah, I think you kind of summed it up well there. While we're fans of those platforms and we use some of these platforms, I think one of the things that we saw with both the Lovable and the Vercel announcements was an initial, kind of defensive way of responding to it. Like, no, there's nothing to see here.

Jenn Gile

Nothing to see here. Move on, folks.

Paul McCarty

And then with both cases, so the Lovable thing wasn't technically a breach per se. Basically what they did is they regressed something they'd fixed in early February. It accidentally got regressed, they didn't catch that, and then it opened up this ability for people with free accounts to be able to see both the source code and the chat history for anybody on the platform. I mean, that's a pretty huge, glaring problem. And for Lovable, their combativeness and their hubris in their tweets and their responses just do not sit well with me. And even in the last tweet, which I posted on LinkedIn, they said, let's be clear, this is not a data breach. Whoa, you're being kind of wishy-washy with your words there, yo. What this is, I mean, I can't think of... this is like the mother of all IDORs, right? Where you can basically see the source code, the core intellectual property, and the chat history where you're dropping API keys. And then you layer on top of that what you and I are going to be talking about next week, or whenever we can release that research, where Lovable and many of these AI platforms are encouraging people using them to drop API keys and credentials into the Lovable chat. Now you have a problem where anybody in the world can see the chats, and you've been dropping all these things in there, because even if you tell it not to, it still prompts you to do these things. So you do it, and then you're kind of screwed. And for Vercel, the biggest issue that I had as a Vercel customer is they did not produce any actionable mitigation steps. None, zero. So I had to basically write a document, which is on the OpenSourceMalware GitHub repo, which has been very popular. And I had people inside of Vercel reaching out to me saying, thank you for creating this, this is good.
And that was really frustrating as a Vercel customer, a paying customer, to not have remediation advice. That was frustrating.

Jenn Gile

Yeah, and that said, we've heard that there have been some culture changes since that incident. I'll go ahead and pop the incident response repo that you made into the chat. And meanwhile, let's move on to our next topic, because we said lightning. So let's talk about the GitHub RCE that came out. Is it this week? A lot has happened this week.

Paul McCarty

Yeah. So basically, this is crazy. When I read this, I thought for sure this can't possibly be true. But basically what happened is that this was sitting inside of the GitHub code base for over a decade. I actually don't know what year it was introduced, but anyhow, you could pass a -o option when you do a git push. So the first part of this is a git thing that GitHub themselves then interpreted poorly. So the first is a git issue, right? And we all know that git itself is not secure by design. Linus wrote it and didn't add authentication, yada yada, to it. So the fact that we are then taking anything you pass with -o into GitHub and executing it, basically it's remote code execution. You could pass it anything and it would run that. So that's like a huge... I can't believe that wasn't horrible.

Jenn Gile

All right. And then third, maybe this is the hot take of the week. We're seeing a trend where EDR is becoming the enemy of coding agents. And it's a little bit wild how we came to this conclusion. It was through a personal experience. I think you and I might have actually been chatting when it happened, but you said, oh no, I just got a pop-up from our EDR, we won't say who it is, that you've been compromised. And you looked into it, and it turned out, thank goodness, not compromised, false alarm. But this connects to behaviors that EDRs look for that in the past perhaps would have been legitimate signals that something malicious was happening, but in the age of AI are not a signal. And what was that? It was changes happening not at the speed of human action. So, Paul, maybe talk for another minute about what happened and why you think EDR is having an issue here.

Paul McCarty

Yeah, and I want to expand on this in future episodes, but basically what it comes down to, and you said it pretty succinctly there, is that I was working with Claude, refactoring a library. I was editing files myself manually in Vim, and Claude was editing some of these files too. And this wasn't malware. I'm not doing malware analysis on my laptop. This was a library that we're writing as part of the OpenSourceMalware platform, and that library has to do with deobfuscating code. De-obfuscating, not obfuscating. So basically what happened is the EDR that we won't mention put together these actions: the fact that Claude was moving at non-human speed, which is what you said, making all these changes really quickly, renaming files and changing files, which looks kind of like what happens when you get wiped or when ransomware happens. But then there was also this obfuscation factor, because when we went and looked at the logs later on, or well, pretty quickly, we saw that it was talking about obfuscated files. And we weren't obfuscating files in that code base, we were doing the opposite, but the EDR thought we were. And so you put all those things together and it throws up this huge screen that says infected and quarantines the library that I'm working on, which thereby stops my ability to actually do it. So I think this is going to become a bigger issue. In the same way that Git and GitHub are not cut out for the speed and scale of iterations for Git commits and being able to iterate on code, in the same way EDR now, with agents running on your machine that move at agent speed, it doesn't look like a human, and yet they're built to detect things that are non-human.

Jenn Gile

Yeah, absolutely. And TL;DR here, EDR needs better context so that typical AI behavior doesn't result in a false alarm, a false positive. Okay. Let's talk about the thing that every defender, incident responder, and researcher is dealing with. I'm going to read one of the messages we got today. I don't know if you've seen this one yet, Paul, but it absolutely spoke to me. I've had the same thought. One of our friends said: pack up 2026, I'm going home. Truth. So yesterday morning, I want to say, is when Team PCP launched their latest attack. Team PCP is a threat actor group. They're not government affiliated. There are lots of different subgroups in it, so I'd say it's a loose coalition of people who historically were not very savvy, but definitely starting in March, with the Trivy and Checkmarx and LiteLLM attacks, we've seen them mature. And we just observed another iteration this week with their Mini Shai-Hulud campaign. Their name, not ours, but it does have Shai-Hulud hallmarks. But they're also doing something really interesting with it, where they're borrowing a technique from the Pollen Rider campaign, which is a North Korean threat actor group, or rather it's North Korean threat actors' campaign. So we've got thousands of compromised repositories at this point. I'll share the link so you can see it if you want. Most recently the Lightning project was compromised. We saw, let's see here, there was another one that just came through. We're seeing this one not being a nothing burger. Paul, what were your thoughts when you first saw it?

Paul McCarty

Yeah, this is definitely not a nothing burger. Last time I checked, which was last night, there were, like you said, 1,200 repos on GitHub. So basically, I'm jumping ahead, but one of the Shai-Hulud kind of components of this is that when it compromises a developer or a CI environment, because it works in both, it basically does all the info stealing, wraps it up, compresses it, and then creates a net new repository in the compromised user's GitHub or organization's GitHub and names it, what is it? A Mini Shai-Hulud has appeared. Which is why I made that art, which everybody is loving.

Jenn Gile

Yeah, I'll see if I can do a quick screen share, because I am delighted. First of all, your skills with AI art are unparalleled, but also this one gave me represent, homie. Yeah, while you bring that up, that one apparently is your superpower, other than malware analysis.

Paul McCarty

Well, yeah, and being like a 1000X.

Jenn Gile

Yeah. Here's our little like little baby worm with the chicken. It's pretty cute. I like it.

Paul McCarty

Shai-Hulud has appeared. Yeah, so basically the background of Team PCP is that they kind of made their mark doing cloud native info stealing and compromise. So their background is in compromising cloud providers like AWS. So fast forward to February, when they started this new campaign. And they're not DPRK; nobody thinks that they're actually the original Shai-Hulud threat actors. Instead, they are this crew that has kind of pivoted to focusing on GitHub Actions and compromising GitHub Actions in a number of ways, which is really kind of stretching GitHub. The inside baseball that I'm hearing is that we're going to see some really big changes coming from GitHub, because GitHub Actions is just being stretched and pushed by threat actors like Team PCP so much. So they compromise you initially in CI, but then they also have all these packages that they are pushing out, both npm and PyPI. So Lightning is a package that's used, unfortunately, in a lot of AI tech stacks. It's downloaded 15 million times a year. Sorry, 15 million times a week, not a year. Very popular. On the same day, the Intercom client npm package, which is downloaded 370,000 times a week, was also compromised. And they compromised several other packages over the last couple of days as well. But what's unique about this new Mini Shai-Hulud has appeared campaign is that they've taken what OpenSourceMalware, we've done all this research starting way back at the beginning of 2026 around DPRK, specifically DPRK, evolving the Contagious Interview campaigns to now be proactive.
So instead of waiting to social engineer people, they still do that, but instead of only doing that, they now proactively go and attack people, or use existing compromise from people that have been earlier compromised in these kind of Contagious Interview fake recruiter things. They get persistence on their machines, on their developer laptop or in CI, and they do onward stuff, right? They add stuff to repos and whatnot. But one technique they're using as the kind of core persistence and infection vector is VS Code tasks files. Now, this was something that only the TasksJacker and Pollen Rider campaigns were doing, which evolved out of Contagious Interview, so it's the same subgroups inside of Lazarus Group and DPRK, North Korea, excuse me. Now Team PCP, who is not North Korean, is using this technique because it's such an effective persistence. So, I said this last time, but I'm going to say it again. Whoever at Microsoft thought it was a good idea to create a file that adds persistence every single time code is opened in the folder, because that's what they're doing: they're using this parameter inside of the VS Code tasks file that says anytime you open something inside this folder. So anytime you open any piece of source code in VS Code from that affected thing, it then compromises you. I mean, it's just beautiful, and that's why now you see so many threat actor groups moving to this singular threat vector.

Jenn Gile

Yeah, and last week we talked about lifecycle scripts in npm. This is for all intents and purposes the exact same playbook. Different ecosystem, but you download the file, you don't have to install it, these lifecycle scripts run automatically, and voilà, they own your machine. I am screen sharing right now, so anyone who's listening on the podcast will have to pop over to YouTube or LinkedIn to see the visual if you want to. But this is a threat graph visualization of the Lightning compromise. So what we have here is our Lightning package and several indicators of compromise associated with it. This is the infrastructure used to deliver this malware. So we have three URLs, we have hashes, we have IP addresses, and it's interesting, one of these is connected to, I didn't count, what is that? Maybe 10 or 11 other packages, other plugins. So you can see with these types of campaigns the breadth and the impact of them when they're using infrastructure for multiple things.

Paul McCarty

Yeah, 100%. So as you can see there, they're affecting both PyPI packages and npm, which we mentioned earlier. We're seeing this across the threat landscape right now, where bad guys, because they have access to agents like Claude and Codex, can take existing payloads that work in JavaScript and then make them work in Python or Rust. So for example, we're seeing a lot of campaigns right now where bad guys are publishing Rust, especially targeting the crypto ecosystem, using Rust libraries, but also using npm or Python libraries to attack on different flanks. And so, yeah, in this case, to your point about lifecycle scripts, basically most of these npm packages, and also the Python packages in their own way, there's a lifecycle script that's added to it. It then runs a setup.js file automatically after you install the npm package, and that sets up a custom Bun environment, and then it runs a second file, which in the latest iteration is router setup or something like that .js, and that file is huge, it's over 11 megabytes of compressed and obfuscated JavaScript. And that's where the payload is, and that payload is pretty gnarly. It's an info stealer, but it also adds persistence across all your Git repos, and it basically finds all these places to put things in for Cursor and VS Code. And so from that point on, once that runs, they have persistence on your machine. And so this is how Team PCP and DPRK separately can maintain persistence on your developers' machines. And we need to be talking about this more, because we're seeing, I just got hit up by another researcher. Jenn, you haven't heard this yet.

Jenn Gile

Oh no.

Paul McCarty

He's telling me that he's found an iteration of Pollen Rider. I have not verified this yet, but he's saying he's found an iteration on Pollen Rider that is hundreds of thousands of affected users rather than the 2,500 that we have right now inside of our database. So I need to go and look into that. But this is a huge issue, because they are maintaining persistence on these machines, on these developer machines, and then doing bad stuff and stealing credentials. This is how this keeps growing and growing and growing and growing.

Jenn Gile

Yeah, the repositories that have been affected by Mini Shai-Hulud are in the over 2,000 range at this point. Let's see here.

Paul McCarty

I'm gonna sort by those stars.

Jenn Gile

That's not super helpful. Now I'm just playing here because I haven't done it. Most forks is probably a better way to look at it. Probably, well, I guess these are the forked repos, not the original repos, but somebody starred a bunch of this here. Innocent first test. Hmm. Could this be, yeah?

Paul McCarty

Well, yeah, and then you're going to have security researchers also playing with this too. So there's all this kind of gray area that happens after these, where some subset of those Git repos are going to be either legitimate researchers like me trying to figure out how it works, but then also wannabe bad guys taking the functionality and trying to create their own version of it. But yeah, it looks like there's around 2,000 or more than 2,000. And basically what those repos are, just to say it again, is somebody that's been compromised and has taken all their data that is stolen, wraps it up, compresses it, encrypts it, and then stores it inside of this net new GitHub repo. So people need to be looking for these GitHub repos inside their personal GitHub environment and their organizations as well, the GitHub organizations.

Jenn Gile

Yeah, let's talk actions, because undoubtedly there are a lot of people affected by this, compromised by this. And if we can learn anything from what we saw last year with the original Shai-Hulud campaign, waves one and two, it's that credentials that were leaked in these repositories, similar pattern again, lots of files pushed public, were not getting rotated quickly enough, or at all, perhaps. And I'm not sure as an industry that we've learned from that. I realize, and I think a lot of security professionals will say, they don't necessarily have good insight into where credentials are living in their organization. If that's a problem for your organization, that's something that I would personally prioritize if this is a concern to you. These are not just targeting tech companies. The data that we saw last year is that only a little over half of the Shai-Hulud 2.0 wave victims were tech companies. And it's not only targeting large organizations; lots of small companies are going to be hit by this also. So some things that you can be doing. I was actually chatting with the GitGuardian folks yesterday and they shared a blog with me that was showing some research they did around using tools like Dependabot and Renovate to auto-upgrade. And they had found that those tools, not the tools themselves, but the configuration of the tools, were directly responsible for auto-upgrading to malicious versions. So look at your auto-upgrade policies, pin your dependencies, enforce cooldown periods. I know that this is not the most exciting stuff, but it works. It will go a long way toward making sure that you're not the next victim, that your repositories don't go public. And then figuring out how to get a better handle on your secrets location, sprawl, to be able to quickly rotate them, kill them off in these circumstances. Being able to respond quickly is so key.
What else would you add, Paul, in the last few minutes?

Paul McCarty

Yeah. So I think a lot of the focus in the industry historically has been on keeping that stuff out of CI, right? And yes, you want to run these credential scanners locally too. But I want to be very clear: bad guys now, both Team PCP, DPRK, and others, are targeting the tools on your developer's laptop. And there's shit tons of credentials there. So in this particular case that we're talking about, these packages, both Python and JavaScript packages, that were compromised today, they are finding Cursor and Claude and other tools specifically on your development laptops and going and compromising those and then stealing data out of those. And the reality is that most people don't harden their Claude setup, right? So, for example, Dan Guido in his time at Trail of Bits has created this really great resource on GitHub, in the Trail of Bits organization, on how to harden your Claude, basically creating CLAUDE.md files and other files to protect credentials, just kind of generic types of credentials, and do other kinds of hardening. How many people have done that? Probably very, very few, right? And so, because of that, bad guys compromise these machines, whether it's a Python package, npm package, AI skills, whatever, GitHub repos, whatever it is, and then they're immediately going to those places inside of, yeah, exactly. This is a great resource. People should be reading this and hardening their agents, but then also spending the time to think, oh, hmm, what have I given my agents in the past, right? Like Lovable keeps prompting people to say, give me your secret keys. And one, they need to stop doing that, but you need to think about, hmm, how many times have I given Lovable or Claude my secret keys, right? That's in my conversation.
Now those conversations are specifically being targeted by these bad guys to be exfiltrated and then used.

Jenn Gile

Well, I am going to end us on perhaps not a high note, but at least it made me smile a little bit. Hey, Tom, over on LinkedIn: when is it going to stop, Paul? I'm tired of this. Paul, when is it going to stop?

Paul McCarty

I wrote back. I said, I know, right? This week has been, I mean, this month has been crazy, but I don't know. Yeah, when it stops. It doesn't. It's getting worse.

Jenn Gile

Well, hopefully we have better news to share next time, but we are at our time. So hit us up on LinkedIn, YouTube, wherever you can find us, and tell us what you want to learn about on these. We'll continue to talk about current events and trends. And when things are not on fire like they were this year, week, year, Freudian slip. Freudian slip. Yeah. We will talk more generically about what you can be doing, things you need to understand. I really want to talk about interpreted language malware and how it's different than compiled malware. So that's on my personal list to get to. So what do you want to hear about? No. So yeah.

Paul McCarty

See ya, everybody. Take care.
