The OpenSourceMalware Show

RubyGems bot attack, ShinyHunters ransom Canvas, and the latest on Mini Shai Hulud

OpenSourceMalware Season 1 Episode 4


Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty for episode four!

In this episode:

  • RubyGems bot attack: Hundreds of bots pushed 500-plus packages to RubyGems, some carrying exploits, forcing the registry to shut down new account signups. Jenn and Paul break down why the DDoS label may be misleading and what this exposes about the friction-vs-safety tradeoff every open source registry faces.
  • Canvas ransomware by ShinyHunters: ShinyHunters breached Instructure, the company behind the Canvas LMS used by over 30 million students globally, stealing 3.65TB of data including private messages between students and teachers. Instructure said almost nothing publicly for days. Jenn and Paul discuss the data sensitivity risks for minors and close with breaking news: Instructure paid the ransom.
  • Mini Shai Hulud and TanStack: Team PCP is not connected to the original 2025 Shai Hulud campaign. Paul explains how they used Adnan Khan's GitHub Actions cache poisoning technique to compromise TanStack and 90-plus packages without long-lived credentials, why attestation and trusted publishing didn't stop it, what the CIS country geofencing in the payload actually signals, how malware is now targeting .claude directories on developer machines, why novel malware still dominates the OpenSourceMalware database by volume, and why open sourcing their worm and doing press interviews is likely to hasten Team PCP's capture.

Episode Resources:

Jenn Gile

Hello, Paul. It is May 13th on my part of the planet, May 14th for you. We're recording a day earlier than normal because we've got stuff going on this week. We have a busy schedule, so we'll air this at our normal time. But to anybody listening or watching, we're talking to you from the past.

Paul McCarty

Or the future, depending on where you're listening to this.

Jenn Gile

True, true, true. Anyway, big week behind us. We've got three distinct things we want to talk about, and they give us heartburn across the board. I want to step away from it for a second. A mutual friend of ours posted recently online, like, there's a lot of bad going on in tech right now; what are people doing to manage it? And I really liked a lot of the responses I saw to this. My response was similar to what I saw from a lot of other people: yeah, there's a lot of not-fun things happening in the cybersecurity world right now, and we all have to do what we can in our little corners. But the thing that keeps me motivated and positive is that I talk to people every day who are committed to making it better. And that's a lot of what I heard in the comments: find your tribe, take a step back from the computer, leave the machine alone for a little bit. Paul, what do you do when you're starting to feel a little overwhelmed by what's going on?

Paul McCarty

Last night I was stressed. This has been a shit week, and my six-year-old came to me and said, "Hey Dad, you want to play some chest?" And I said, "Do you mean chess?" And they said, "Yes." And I said, "Yes, let's play." And we had an hour-and-a-half game because they are learning. And that was at the point when I was at my most stressed, with these presentations to get done for BSides Melbourne and stuff like that. Man, it was just the perfect thing to take me out of the zone. So there you go.

Jenn Gile

I love it. Well, let's get back in the zone and start with RubyGems. Yesterday (time is funny, it might be a flat circle), RubyGems had to disable the ability to sign up for a new account after hundreds of bots tried to push packages. We'll share the links in the show notes, but basically Ruby started out by saying it was a DDoS attack. I'm not sure if that framing is useful. It may or may not have actually been a DDoS attack, but the net outcome was they were overwhelmed with tons and tons of packages. I think they said 500 packages. Some of them did have malicious code in them. Paul, what do you think about it?

Paul McCarty

Well, first, RubyGems is not a large registry; it's also not a small one, but 500 packages to me doesn't sound like a lot. I mean, NPM sees 500 malicious packages a day minimum. But it's still kind of cloudy what's going on here. So the DDoS part of it might be that some of these packages were doing things that DDoSed other services. I've seen some data that supports this, but I haven't verified it. And then you have this other problem about trust and safety and onboarding; all of the platforms have this problem: GitHub, GitLab, NPM, PyPI, RubyGems. You want to make it as easy as possible for people to join your platform, but the consequence is that if you make it too easy, if you don't have captchas and stuff like that, then bots can join. And there you go. It's been a while since I made a RubyGems account, but last time I did, it was pretty easy.

Jenn Gile

Yeah, and you're still seeing that across the ecosystem; much of it was created to be very easy to sign up for, to reduce friction. Developers don't like friction. The marketing and sales people don't like friction. The security people would like some friction. Tough balance. Okay, moving on from RubyGems. Something that happened literally right after we closed out last week's live stream was we found out about a ransomware attack on Canvas, which anybody with a kid or who's been in school has probably heard of. It's used as an online learning platform for schools. And this is an incredibly broad-impact attack. Fortunately, my son's school district doesn't seem to use Canvas, so as far as we know, we're not personally affected. But Paul, what I heard from you immediately was that you guys are.

Paul McCarty

Yeah, we are. This hits very close to home for us, literally, in the sense that my kids' school uses this platform. So Canvas is an LMS, a learning management system platform, owned by a company in Salt Lake City called Instructure. Instructure has got like 2,014 employees, and they've got like eight security people. So that's a pretty shit security-to-regular-employee ratio, Instructure. I'm pointing that out. But one of the other frustrations I've had is that there's just no data about what happened, right? Part of that frustration, for me personally, is aimed both at the school and the department of education here locally, but also at the government officials and at Instructure itself: none of them are talking about what's happening here. So meanwhile, there's a bunch of data sitting in the bad guys' hands, which they keep threatening to release. This is ShinyHunters, by the way. In ShinyHunters' hands, they keep threatening to release it, and they've pushed back the dates a couple of times because I think they think somebody's going to pay them. But in the meantime, we're hearing nothing from Instructure. And I do know that there is data out there, there is threat intel out there, but people are hiding it and keeping it to themselves. And I just want to call that out. That's shit.

Jenn Gile

Yeah, the impact here can be really terrible. This is access to potentially messages between students and other people, so you can start to paint a picture of who the trusted adults are in a kid's life. My background, before working in tech, was working for the US government in passports, and this type of data could potentially make it easier to steal a child's identity. If you know enough about that child, you could start trying to get legal documentation in that kid's name. There's a lot of things this data can be used to do that are harmful to children, harmful to schools. So, yeah, not a great incident response experience, right?

Paul McCarty

Nope. I guarantee there's gonna be a class action lawsuit in the US, if not other places. And people are gonna be held accountable. But to your point a second ago, part of this has to do with the fact that there's a lot of data in there around people in protective services and other things, and there's a lot of legal protections around that. So this is gonna get really gnarly really quickly.

Jenn Gile

All right, let's move on to our third and biggest topic: Mini Shai Hulud. Starting here, there's been some statements or speculation about the connection between Mini Shai Hulud and the original Shai Hulud campaign in 2025. Nobody knows who was behind the 2025 campaign. We know lots of people in the industry, and nobody we're connected with has a firm grip on who was behind that campaign. But I think we have some evidence around why we don't think it was Team PCP. So let's talk about some things we know about Team PCP. They love the spotlight, they love to take credit, they love to brag. And we saw none of that last year with Shai Hulud. So I think, those two things combined, it's unlikely they're connected. Now, why did they choose to name their campaign Mini Shai Hulud? We don't know. My theory would be it's gonna get more clicks if it has a familiar name. It's gonna give people maybe a bit of an emotional reaction to the new campaign because they'll remember, oh, Shai Hulud was awful; that was a bad experience for me, that was a bad experience for the industry. That's my theory.

Paul McCarty

Yeah, so look, if we go backwards, Team PCP has admitted that this latest Mini Shai Hulud thing is theirs. They're being very upfront about that. They also have never said that they're the original threat actors. And in fact, there was an interview that you and I were looking at before this, where either DMT or one of the other leaders of Team PCP was interviewed and was talking about some of their TTPs. They pivoted really, really dramatically in early 2026, and I think people have forgotten that. This was not in their wheelhouse beforehand, right? This is something net new, and they're progressing really quickly. And in this interview, I'm looking at it right now, the interviewee admits that they're basically being mentored by somebody else who has more specific knowledge around GitHub Actions and cache poisoning and some of these things, which is where the sexy part of this is. I made a post yesterday and somebody was like, "Well, the source code for the worm..." Oh, this is the other thing, I don't want to get ahead of ourselves: the worm code is out there. But anyhow, they said, "Hey, there's nothing really special about the source code." I said, that's not the point; you can't ignore the fact that this cache-poisoning-to-package-ecosystem workflow they've got is very successful, right? And you don't understand it. So the attribution by certain researchers to the original Shai Hulud, there's no evidence to support that at all. This latest one is Team PCP effectively copying or regurgitating other methodologies, TTPs.

Jenn Gile

Yeah, so to rewind the clock a little, Mini Shai Hulud got launched around April 30th or so. We saw them compromise four SAP packages. That was something we talked about, I guess it would have been two weeks ago at this point on the show; it was successful, but not enormously successful. Then it was quiet for a week or 10 days or so. We took a breath, we talked about other things, and then they compromised TanStack. And the TanStack compromise is a little different than what they did with SAP. It's different from the things they did back in March with Trivy and Aqua and LiteLLM. The TanStack compromise has been very successful for them. It also is an NPM worm. It has compromised maybe 90-plus packages, either directly through TanStack or through other account takeovers. There's some kind of interesting things going on with this next wave. And like you said earlier, some people are calling it wave six. I don't know that calling it wave six is helpful, so we'll say it's the mid-May attack. I've got some notes on some interesting things, in no particular order. The first is that the way they got into TanStack was through a GitHub Actions vulnerability. And this is something we've been seeing this spring. I think it might be the third time we've seen it in a major account takeover attack. They're evolving, they're learning how to be more effective at getting into a maintainer's account. We saw a lot of social engineering last year. This year is trending more toward exploiting some kind of existing vulnerability to get a token or whatnot. So let's pause there. Anything you have to say, Paul, about the way they're compromising lately?

Paul McCarty

Well, yeah, it's evolved quickly, and it's pretty technical. Basically, this is all based on Adnan Khan's 2024 cache poisoning technique. He and Ronnie Carta have been doing this every year; I saw him at DEF CON last year, where they were dropping some new research, and they're gonna do it again this year. I've already been given the heads up. But yeah, it gets really technical, and we're not gonna go into details here because some of it is confusing even for me. But basically, what it allows you to do is create a commit and a PR that then automatically kicks off... the PR doesn't have to be accepted, you're just creating a PR, and then these actions take place. And then it uses this kind of unique cache poisoning trick. Now, what's special about this one is that it actually didn't use long-lived credentials; it didn't take advantage of PATs, personal access tokens. This is signed, it uses OIDC. It's the way you're supposed to do it, right? It's like SLSA.

Jenn Gile

Yeah, we've been talking for the last six months or so about how things like trusted publishing would be helpful because it's all gonna be signed and you're gonna see the attestation. Well, they did attestation, so they're hearing the message.

Paul McCarty

Yeah, all that does is guarantee that there's a pipeline from the GitHub repository to the artifact it generates. It doesn't help if a bad guy gets into the process, which is what happened here. And so I think every time we talk about one of these simplistic things, like not installing packages right away and all these things, these are all great things to do, but with defense in depth, none of these things should be singular. And the problem is I hear a lot of people focusing on attestation and all these kinds of things as singular pursuits that fix everything, and that's just not the case. And I know you and I disagree here.

Jenn Gile

Well, you and I agree and disagree, but I think where we agree is there has been a bit of, maybe conflation is the right word, with account takeovers and the rest of the body of malicious open source that is out there. And a lot of the tips people are talking about, which, to be clear, are all good things to do, version pinning, cooldown periods, yes, you should do them. And they're not going to protect you against 100% of the malicious open source that's out there. If you think about these protections as a Venn diagram with like 20 circles, and all the malware is in the middle, they're each touching an edge of the body of malware. Just as a little spoiler, I've been looking at data from OpenSourceMalware on the packages that have been added to the database in the last three months. And Paul, this is not gonna surprise you. It continues to be the case that, overwhelmingly, the volume of malware in there is novel. It's not account takeovers. Now, that said, account takeovers are absolutely escalating. Most of what we're seeing for account takeovers is Team PCP. And it's interesting because Lazarus Group, North Korea's professional malware factory, continues to stay a bit more focused on these Contagious Interview type attacks that target individual developers, whereas Team PCP is going the account takeover route. And so it's getting a lot of attention. I don't know where I'm going with that, other than yes, do these things, but understand the edges, right?

Paul McCarty

100%, and I'm glad you brought this up because we hadn't talked about this before the show. This is something I was thinking about this morning. I want to create this graphic that shows you're in the fort, you're in Winterfell, and you're preparing to be attacked, and it's one giant thing, right? And it's throwing bricks and it's got high impact. If it throws one of those bricks and it hits the wall of Winterfell, it makes a big hole; it's got big impact. But you only see one of those. Well, we used to only see one of those per quarter or per month or whatever. And yes, we're seeing more of them now, but still, the rest are what?

Jenn Gile

Arrows.

Paul McCarty

Well, no, but then what you have is, meanwhile, take the big huge monster that comes once a month out of the way, and what you have is thousands of individuals coming at your walls 24/7, 365. And if they find a hole in, they are just as powerful and successful against your organization as the big ones. I'm not trying to... they're two different risks, right? And you bringing that up, I really wish the industry spent more time focusing on this constant onslaught of net new packages, which are successful. So, a good example of this: this morning I saw there's nine packages by this npm account, they're still up. In the package.json they pull a Python payload, and that Python payload is very similar to the Team PCP info stealer; it steals a bunch of stuff. Now, here's the thing: the names of all these things are like "ethers address"; they're so simplistic around the ethers kind of crypto stuff that those are gonna be the names of some people's internal packages, right? And I'm trying to figure it out, and the bad guy has unpublished the packages themselves. NPM has not taken them off. The bad guys unpublished some of these packages, they pulled them so you can't get download stats and stuff out of them. And this is what's happening constantly. They only have to be successful against two or three of these crypto organizations to steal the money, and to that point, DPRK, which doesn't do these big account-takeover-style things, stole two billion dollars last year. I can guarantee you that Team PCP is not gonna steal a tenth of that with all these big attacks, right? So we have to put that into context.

Jenn Gile

Before we come back to Team PCP, I want to talk briefly about the evolutions we're seeing, the innovations we're seeing, because, and I'm not sure what the right metaphor is here, defenders get better and threat actors shift to doing something else. Some of the things we're seeing them do include, with an account takeover, perhaps the main package they take over doesn't actually have the malware in it. That's what we saw with Axios. It's in a transitive dependency. We're gonna be seeing that more, undoubtedly. And that's gonna be harder for people to catch because you're less likely to be scanning the transitive dependencies being called by your primary dependencies. We're seeing... what were you just talking about? I totally got focused on that. What else are we seeing in terms of evolutions?

Paul McCarty

The tasks, the VS Code and the... Yeah, VS Code tasks.

Jenn Gile

We saw that hop across campaign types. So Lazarus Group came up with the tasks.json auto-execute, which works very similarly to the NPM lifecycle script stuff. We saw Team PCP borrow that recently. That helps them with persistence.

Paul McCarty

Everybody's using it now, right? And Microsoft made a big deal of fixing the auto-execute; they're basically turning it off by default. But the reality is that lots of people download the new version that doesn't have it turned on by default and then immediately turn it on, or they just upgrade because they've been using VS Code for years and their existing config then turns it on as soon as they get the new version. It's so successful, even after Microsoft fixed it, that everybody is using it now. And the .claude files thing: those packages I was talking about drop files into the hidden .claude directory. Nobody was doing this two months ago.

Jenn Gile

Yeah, it's moving incredibly fast. I don't think you said it out loud, but you kind of alluded to it with the Canvas stuff: this is why data sharing within trust groups is so important. We have our own sources. There's no way we're keeping up with this if we're not collecting together. But let's go back to Team PCP. There's two more things on Team PCP, no, more than two. Geofencing. Geofencing has come up as something people think is significant with the latest Team PCP attack. Paul disagrees. Lay it on us, Paul.

Paul McCarty

Well, yeah, it's confusing because in that interview I was talking about earlier, with DMT or whoever it is that was being interviewed, they were asked by the interviewer, "Hey, it looks like you guys have put in this CIS geofencing." So the CIS countries are the kind of Russian-friendly group of nations: Russia, Belarus, Azerbaijan, and some of the others. Sorry, I don't have all of them memorized off the top of my head. And this is a common thing you see in Russian malware, where it checks to see if the locale, location, and environment are set up for this.

Jenn Gile

But we saw this with the, maybe poorly labeled, GlassWorm stuff back in February or so, right? We saw an attack that we loosely attributed to Russian actors based on some geofencing.

Paul McCarty

Correct. And so a lot of people saw this, and it was asked in the interview, and then the person being interviewed, part of Team PCP, said, "Well, we're a big crew" (they're not a big crew), "and some of our people live in places where we put that in." And I immediately smelled that. I was like, that's bullshit, right? That's not true. Sorry, it's not true. So why do you think they're doing it? Well, it's funny. I saw one of my friends post; he thinks it's just them going to Claude or whatever agent of choice they're using and saying, "Hey, build me malware, don't make any mistakes." And so it's just pulling in the CIS stuff as part of it. It just wound up in there, as a best practice: if you operate anywhere close to Russia, just put this in by definition. And Claude's just assuming they're Russian or Russian-aligned. So I think that could be very true. It's also interesting that in the interview they specifically said they put that in themselves. So who knows what the true truth is.

Jenn Gile

Well, and you mentioned in our previous conversation the typos you're seeing in the payloads. There's evidence of two things going on with Team PCP. One, they're clearly using AI.

unknown

Yep.

Paul McCarty

They say that explicitly, they say that themselves. They're using AI.

Jenn Gile

And they're being mentored. So there's two things coming together that are helping them be faster. And sometimes you end up with tells through AI that don't actually mean what you think they mean.

Paul McCarty

100%. I think all vibe coding, whether it's the legitimate vibe coding we're seeing increasingly, or bad, malicious vibe coding, or vibe hacking, what's happening is you're building on your laptop and you're pushing directly to prod, basically, right? And so because of that, you miss the staging checks that you had in typical CI, continuous integration, processes that find these things and then stop them. This is not happening. And so we're seeing a lot of these payloads that don't go boom, right? Because they messed up and typoed something.

Jenn Gile

Yeah, they should have somebody, you know, doing PR review for them, right?

Paul McCarty

Right, 100%. Well, they're probably using Claude too, right? Do not put Claude in your... for God's sakes, do not put Claude in your CI, because there's a tax on Claude in your CI. But anyhow, I think that's really ultimately what it comes down to, Jenn: they're vibe coding and they're pushing quickly, they're iterating quickly.

Jenn Gile

Yep. So the place we want to wrap up on Team PCP is around them open sourcing their worm and some observations we have about the interview that somebody gave. And again, these people like attention. These are both attention-grabbing mechanisms, but open sourcing their worm will also make attribution more difficult in the future.

Paul McCarty

This chasing-clout thing has got them done. And in this interview, they mentioned that. They're asked, "Are you worried about getting popped?" And they say, "Well, this could be a life-changing event or life-ending event," or something like that. But I don't think it's really computed, because these people are pretty young and probably really bad things have never happened to them. I'm making some assumptions here. But the reality is that by open sourcing that, every OSINT forensic detective in the world is going to be looking at that source code and finding little tells, right? Things like the .gitignore file, macOS specifically, all kinds of little things like that. The two GitHub repos they use to push these compromised GitHub repos. You know that GitHub and everybody else has got telemetry they're looking at, right? And so every time you put one of these things out there, every time you do one of these interviews... and at the end of this interview, the person being interviewed says, "Yeah, I put out false intel all the time," after presenting an interview, which is pretty candid, right? So it's like, all right, was the whole interview a false flag? I don't think so. So I guess what I wanted to say is: Team PCP, I'm certainly not a supporter. What you're doing is wrong and illegal, but you are hastening your demise, your eventual capture, with all this stuff. And I know you've heard that from other people, but straight up, I don't know why you're doing all these interviews and publishing all this stuff, because it's just gonna hasten your capture. And trust me, prison sucks. It sucks regardless of what country you're in. It still sucks, and that's in your future.

Jenn Gile

Hopefully they listen.

Paul McCarty

Too late now, man.

Jenn Gile

I know, the cat's out of the bag. Pun intended; they like cats. They do. Well done.

Paul McCarty

I hadn't noticed that until you reminded me. The pun was not obvious to me. Haven't had enough coffee.

Jenn Gile

Put that cat back. Okay. Anything else you want to hit on?

Paul McCarty

The cat has bolted from the... we're still on cats. No, I think the source code is interesting. I've looked at it, I've analyzed it. A lot of people have, and some people, when I posted about it on LinkedIn, said there's nothing special about it. And that's not the point, right? The point is that the source code itself now is mostly not important, because AI can just generate it; you can just say the things you want in natural language, and it goes and builds those. So GitHub removing it from GitHub is kind of silly because somebody can just generate a new version of it. But I think it's important to take a look at it and understand whether there are things there behaviorally that we can detect. And that's one of the things I'm spending some time on.

Jenn Gile

What do you think we need to be doing as an industry, outside of defenders and threat hunters? Because we have a set of tools out there that are clearly making this easier for everyone from Team PCP to Lazarus Group to threat actors we don't even know yet because they're doing a good job of staying hidden. And again, going back to the data I've been looking at, something like 75-78% of the packages we added to the database in the last quarter have no attribution. So think about that. It's a small percentage that we know where it's coming from, from a definitive stance. But anyway, the SCMs, the infrastructure providers, the AI model providers. What do you think needs to happen, Paul? Wave your magic wand.

Paul McCarty

Oh man, there's so many. That's such an open-ended thing. Well, the first is that in this era of vibe coding, we need to double down. In this time where magic happens all around us because of AI, we need to fall back to these earlier principles. I think it's kind of ironic that part of the solution here is falling back to these 90s-era and 2000s-era things, like isolation and DMZs and separation, networking, all these simplistic things that actually provide some actual protection now. And making sure that when you're using CI, at every stage you're checking the packages and the components you're using, not just packages, GitHub repos and stuff like that, against some sort of... make sure you're using CI, right?

Jenn Gile

I mean, we've seen it. Well, that was my point. That was my first point, yeah. Completely not doing it.

Paul McCarty

100%. Vibe coding naturally doesn't work well with CI in the way it's built. Use Lovable or any of these tools; it's not built to work with genuine CI. Creating a secondary database for test and staging is difficult to do in these platforms, so people just don't do it. But yeah, back to my point about staging and stuff like that: use something like the OSM threat feed to verify that these packages or these GitHub repos or whatever it is you're trying to pull aren't known bad, and do that everywhere. Do that on your developer's laptop, do that on CI, do it everywhere. Because we just have to fall back to these earlier, what might be seen as more simplistic, controls. We know the power now. 100%, 100%. There's a lot more I can say about that, but we'll leave that for a special edition episode.

Jenn Gile

Special rant.

Paul McCarty

Special rant. You and I both need to get going. I need to go to BSides Melbourne. And you're headed...

Jenn Gile

Yeah, I'm gonna go get together for dinner with some of the folks that are here at the Clutch event. And actually, as we were talking, I was getting text messages from my son and my husband. My son's track team won their relay race. So I gotta go check in with them and hear about the relay. Anyway, hope everyone has a good week.

Paul McCarty

Oh, one last thing. I just got notice that Instructure paid the ransom. So, really, ShinyHunters has removed the data and it's not gonna get out there. So, Australian government and Instructure, you can continue to pretend like you can keep this under cover, right? The class action lawsuit is coming for all y'all.

Jenn Gile

And on that note, mic drop. We're out.

Paul McCarty

Boom, bam, boom.

Jenn Gile

All right, later.

Paul McCarty

So yeah, take care.
