The OpenSourceMalware Show

Miasma npm worm hits Red Hat, new OpenSourceMalware research on 2026 trends, the Moika campaign

OpenSourceMalware Season 1 Episode 7


This week Paul and Jenn talk about:

  • Miasma Campaign — Starting June 1st with 32 Red Hat @redhat-cloud-services packages (averaging 80,000 weekly downloads) compromised, the campaign expanded to over 80 packages and 286+ malicious versions within days. The worm is the first confirmed in-the-wild use of TeamPCP's open-sourced Mini Shai-Hulud worm, though TeamPCP has not claimed credit. It is multi-ecosystem (npm, PyPI, RubyGems) and the Ruby variant appears to be LLM-translated, not part of the original open-sourced code. The initial Red Hat compromise came not through a GitHub Actions vulnerability but through abused gaps in npm trusted publishing. A live comment from Francois (VP of Security Research at BoostSecurity) corrected this in real time during the show.
  • The Shift from Human to Machine Attack Paths — Account takeover attacks have shifted away from social engineering as the primary foothold. The Axios compromise in early 2026 was likely the last major example of a social-engineering-based entry point. Threat actors now primarily target CI pipelines, automated builds, and developer tooling. Automation has also accelerated post-compromise activity: credential abuse now begins within seconds of a system being popped, rather than requiring manual follow-through.
  • OpenSourceMalware Data Trends (Jan to mid-May 2026) — Three trends from six months of OSM threat report data. First, npm remains the dominant ecosystem by volume but PyPI is growing at a comparable rate and the two frequently correlate, reflecting multi-ecosystem attack campaigns. Second, the vast majority of malicious packages have fewer than 10,000 weekly downloads (indicative of typosquatting and dependency confusion), but the share of high-download packages has grown over the period, with account takeovers representing 60 to 65% of new records in the week of May 11th. Third, malicious ClawHub skills have grown rapidly since January, with over 700 in the database by end of March. Nearly a fifth target marketing roles (SEO, Klaviyo, TikTok, YouTube), reflecting threat actors going after non-developer users of AI tools.
  • Moika Campaign — Over 260 verified threat reports tied to infrastructure at oob.moika.tech, with nearly 300 packages deployed. The campaign sits in a gray area: the account has a history consistent with bug bounty research (PoCs, packages without payloads, version numbering at 99.9 to float above legitimate packages), but the payloads on others are overtly credential-stealing and one researcher has attributed the campaign to a Russian nexus. This connects to a broader conversation about the volume of security-researcher-style packages in the ecosystem: between October 2024 and January 2025, between 25 and 41% of malicious packages entering OSV were attributable to bug bounty researchers. The episode also covers AI hallucination as an attack vector, using Events Channel (still live on npm with 168,000 downloads despite being reported) as an example of how LLM-hallucinated package names get weaponized.


Jenn Gile

Hello, it is June 4th, and Paul and I are back. Um, we have a uh diverse, interesting agenda for today. We're gonna talk about what's now being called the Miasma campaign, but started with Red Hat getting popped. Um, we're gonna talk about Moika, which has also been in the news. We're gonna talk about some research we released. But before we get to that, Paul, what's up?

Paul McCarty

Yeah, man, it's just a beautiful day here in Queensland, Australia. Get out, mate. Um, the rain has finally bloody stopped and um the sun is out. Um, and I have a guy here digging a trench for me. He's doing it by hand. So this guy is making his money the old-fashioned way, uh, which is good on him.

Jenn Gile

Um, because I built I don't know if I told you when I was in college, uh, I did a road trip in South Australia, and for whatever reason, like everybody we met were like tradies in Australia. Like I met like a bricklayer, and I don't know, like I it's just not something that you tend to meet here in the US.

Paul McCarty

I know we are we are a culture and a nation of tradies, and yet at the same time, in a weird state, we also cannot you cannot get tradies to come to your house. Like I've had multiple people say they were coming, giving quotes, and they just then don't show up. True story. And when I talk to them, they're like, Yeah, you're in the too hard bucket. I'm like, well, for a nation of tradies, you sure don't show up very often. Boom.

Jenn Gile

You know, we have the same thing here. Uh, if your job isn't big enough, a lot of times people won't call you back. Um, yeah, I don't know, they're all often uh self-employed. Hey, shout out to the other self-employed people out there. It's pretty great most of the time, but sometimes it makes things hard to get organized. Anyway, um I just want to say one thing.

Paul McCarty

The difference, the difference is Australians are polite, and so they won't say no. They'll do the whole quote in front of you or they'll they'll do it all up, right? And then they just won't get back to you like that's the difference.

Miasma campaign

Jenn Gile

Fun. Okay, we're gonna start with Miasma. And um, this kicked off June 1st. Was that three days ago? That sounds right, with um Red Hat getting compromised. Uh, 32 of their cloud services packages that cumulatively average 80,000 weekly downloads were compromised. It was done via uh a GitHub Actions vulnerability. We'll get into that more later. But what I think is the most interesting part about this is where the malware came from. It is an npm worm. It is the first example we've seen in the wild of TeamPCP's open sourced version of the Mini Shai-Hulud worm getting used. So there's no indication at this point that it is in fact TeamPCP. Uh, and given they're not claiming uh any kind of credit, probably not. It's probably a copycat of someone who said, yoink, thank you. Um, but this worm's kind of interesting. It uh, like I said, came in through a GitHub Actions thing. We'll talk about that. It also is multi-ecosystem. So we've got npm, PyPI, and surprise, RubyGems and GitHub. Yeah. And uh I don't think their, you know, open sourced code included a Ruby uh variation. So I think we can make some fair assumptions that this is another example of threat actors likely using LLMs to make some modifications to malware so that it's more um ecosystem agnostic. You know, they're they're out there making sure everybody gets attention. So thank you for that.

Paul McCarty

Yeah, indeed. I I liked how Adnan Khan described this as um Claude, go pack every single TTP into one giant types TypeScript mess. It's like it's just pretty accurate. Um you know, and if you look at, for example, I'm looking at the code right now for the the um the info stealing part of this, right? What it's actually stealing, and this what it's stealing is basically what every other info stealer right now is stealing. And this is something I'm gonna zoom out real quick. We are just seeing so many info stealers popping up, like they're everywhere, and we expected this, right? Because of LLMs and you know, everything else, and you know, open source and everything else, but at the same time, you know, now we have to deal with it, right? But just looking at this section, it's like every info stealer right now is like just grabbing everything, and they just keep adding these. So, you know, now they're grabbing the Vault from HashiCorp. You know, they're just you know, back in the day, in um InvisibleFerret was uh I got uh our friend Francois uh says there was no vuln in the workflow.

Jenn Gile

They audit all of them well before the attack. It was most likely infostealer, but they abused some gaps in trusted publishing. That's helpful.

Paul McCarty

Yeah, Francois would know better than I for sure. Um, uh I think um where was I going with this? Oh, yeah, just like the you know, like just watching this kind of claw, just you know, suggesting the same info stealer section. Every, you know, I can't say any naughty words because we're trying to keep this clip, but every bad guy that is writing, you know, malware right now is just seeing the same patterns again and again in these sections is funny. But anyhow, moving on.

Jenn Gile

Well, not moving on yet, because um it didn't stop at Red Hat, right? It is up to uh over 80 compromised packages. Our friends over at Step published uh a blog yesterday about kind of the second phase of this. Uh they comp uh threat actors, not Step, compromised 57 packages. Uh, they said it was across 286 at least malicious versions. So um probably not the last that we'll see of this. I'm not sure if this is uh the same threat actor as the Red Hat one. They're awfully close together. So potentially. What do you think, Paul?

Paul McCarty

Yeah, I mean, uh Rami Mack and and others are are as you and I, you know, briefly talked about earlier, like are are saying that they're probably the same threat actors. So there's that. Um, and again, I trust Rami. I think that you know, there's the problem is that when TeamPCP open sourced this, suddenly they created a world, uh universe where people could be using their tradecraft and evolving their tradecraft, and TeamPCP could you know not claim uh you know responsibility for it, right? But that just seems like such an odd thing for TeamPCP to do because they're just such clout chasers, right? They're just constantly talking. So, I mean, in my head, I mean, there's a pretty good possibility that this is some part of the actual TeamPCP crew, you know, doing this. They just haven't claimed it yet for whatever reason. Maybe it's a part of the crew that you know doesn't like Twitter. I don't know.

Jenn Gile

Maybe they've been listening to us saying, hey, stop, stop with the self-profit.

Paul McCarty

Stop yapping.

Jenn Gile

Uh that's possible. Okay, segueing here. Um, I had a conversation with somebody this morning that's very relevant to this attack. They said, you know, aren't all these account takeovers coming from social engineering campaigns? And I said, you know, that was true to some extent up until uh we'll say the Axios attack in early April, late March timeframe is probably the last time I remember uh a social engineering uh foothold for one of these. And um, what we're now seeing is it's much more likely to be something on the pipeline. So they've moved from the human path being the weak link to the machine path being the weak link. And I think there's a lot of consequences to that change. There's a lot of reasons I'm sure they're doing it, you know, as people understand better what's going on, and perhaps it gets a little bit harder to compromise people through social engineering. Uh, you start to look for alternatives. And certainly uh we know there are big gaps in uh security for pipelines. And yeah, Paul, what do you uh I know you've looked into this a fair bit, you know, about the machine path. What would you share with people?

Paul McCarty

Yeah, I mean, I think that they're it's true. This is not, you know, using social engineering in any way. I mean, I think we're past that. I think, you know, those days of classic kind of Contagious Interview style, you know, fake recruiter social engineering, you know, are behind us. I think that'll be used with these big spear kind of things like what happened with Jason and and you know um Axios. But um no, this is affecting this is uh this is attacking us, as you said, through CI pipelines, automatic builds. So these are like you know things that we don't have necessarily the amount of visibility on that we should. Um but also too, you know, through attacks on developer, you know, tooling, right? Like the reality is that this is supply chain is a supply chain.

Jenn Gile

It's a chain.

Paul McCarty

Yeah, yeah. And part of those, you know, part of that chain is what and I wrote this up years ago when I wrote up the DevSecOps playbook. I, you know, I I I called out the specifically years ago, called out developers, the tools they're using was part of the software supply chain. So yeah, I mean, um affecting the AI tools, Claude and other tools that are running on developers' laptops, um, and in some cases in CI pipelines. Um, also the um you know VS Code and the IDEs that people are using. Um, so I think the it's moved on to a more automated, scalable attack. Um, and those those bygone, you know, those that era of having to social engineer people is mostly behind us, except for those really big whales. I think that's always gonna, you know, and obviously NPM is trying to do stuff about you know uh shrinking that attack surface for those maintainers, etc.

Jenn Gile

Yeah. I mean, I think social engineering will always be an attack vector. I think it's more of a, you know, tends to be a wide net thing, and you're right, it'll be more targeted. It'll be going, you know, what we saw with uh Axios was a very sophisticated operation. They were not casting a wide net with an email and trying to get everyone, like they targeted a single person very specifically. But yeah, um, we'll see how this continues to evolve and uh hopefully start to see some changes made in pipelines.

Paul McCarty

Yeah, I agreed. I I think it's worth mentioning. We we talked about it briefly earlier, but just the fact that this is I and I know we keep saying this is evolving, but this is like this this worm and the the the TTPs that this um tradecraft is using is evolving really, really quickly. Um, and automating you know many of these steps that you know that used to be the the threat actor would wait to get the credentials back and then they would kind of sort through them and then do the next stage. Well, now that's just automated. As soon as that gets popped, what we're seeing is within seconds or split seconds, we're seeing suddenly uh you know those credentials are used to go out and find additional stuff, you know, drop things into to um GitHub Actions and away they go. So it's all this between the evolution and the iteration and the the automation, that's just like it's just scary. I'm at the point now, true story, I just don't want to use GitHub. Uh straight up, I just don't want to use GitHub. Full stop.

Jenn Gile

Yeah, I mean, especially after the response that we saw when they were compromised, what a couple weeks ago, by the um NX console VS Code extension. We didn't get a very good explanation. Uh it's been pretty quiet, but also unfortunately, that's the response that you tend to see from bigger companies. Um, we've got a comment here, ex-GitHub employee. I agree, and it breaks my heart. Yeah, it's a bar.

Paul McCarty

Like me too. I love GitHub. For a lot of people, GitHub was pivotal in my career. This idea, you know, like, and I even though it's owned by Microsoft and I do not have any love for Microsoft. Let me be very clear. I've always had the special place in my heart for GitHub and the people that work there. And I'm just not gonna use it anymore. It's full stop. Like, I'm done.

Jenn Gile

Taking a stand, time to start migrating. Well, uh, let's talk about the next one on our list. What is it? We talked about trends. Now we're gonna talk about what um our actual data. So I guess it's still trends, but we're gonna talk about trends that I found in looking at open source malware data. So I'm gonna go ahead and drop this blog in the comments.

Paul McCarty

This is so sick, by the way. I just want to call this out. You did a great job with this.

Jenn Gile

Thank you. I uh so the backstory here is like maybe a month ago, I was like, Paul, get me a CSV with all of these things. He was like, Why do you want that? It's gonna be great.

Paul McCarty

And to be clear, I didn't even ask why. I was just like, Yeah, sure, go to town. She was poking the message.

Jenn Gile

Because we're very responsible with our data. Um, I had Paul export a whole bunch of data from OSM uh starting in January, January through mid um May. And I wanted to know, you know, six months roughly of data. What can that tell us? And it was specifically threat reports.

Paul McCarty

Yes, threat reports.

Jenn Gile

I should be really clear about what was what I was looking at. And um, three trends were pretty obvious to me as I started noodling around in there. The first is about packages. So I looked across all of the package ecosystems that we track, uh, both for uh volume as well as velocity of new reports. And I mean, no surprise, NPM continues to be where the lion's share of malicious packages are. But what was very interesting and kind of calls back to an earlier conversation we had here is PyPI is growing at roughly the same rate throughout this period. And we see them kind of like weave back and forth where, you know, one week PyPI will be higher and one week npm will be higher. And I looked a little deeper in that data, and what I found is, you know, there's a couple of edge cases where the reason there's more PyPI is because people were looking more uh diligently at PyPI. But in most of the cases, there's a correlation between when an NPM package and a PyPI package published, and it's that exact circumstance of the threat actors uh being multi-ecosystem. And so I think, you know, based on this data, we can expect to see uh an increase continuing to grow in PyPI. That's what that tells me is you know, most people are very aware of the, dare I say, dangers in NPM. Uh, I don't hear a lot of awareness about PyPI.

Paul McCarty

Yeah, I mean, I think that I I've been saying, you know, on stage and other places in my writing for ages that while it's obvious that the the total volume is much lower in PyPI, the percentage of growth and the activity is at least the same as npm on a on a percentage basis or greater. Um uh so I you know, I think people think that PyPI is relatively safe um relative to npm, but you know, there's a bunch of things that they don't do well in in the PyPI world either as well. I really wish, for example, that they verified the metadata inside PyPI, the about the the use, sorry, the the the author, right? It's just that those are free form fields. You can stick anything in there you want to, but I'm going off subject, sorry.

Jenn Gile

No, that's on subject because I think the point is uh if you use Python, you know, make sure you're applying the same practices to hardening what you're taking from Python as you would for JavaScript, right?

Paul McCarty

Yeah, and like all these little ways for people to automatically run files in in you know that we didn't know about, like the GYP files and in the um in the uh node space and those path files in Python, which threat actors were using like three or four weeks ago. You know, there's there's a lot of uh uh ways for bad guys to attack us that we aren't necessarily well known, right? So um and the other thing too is that Python is going to be making some changes to you know their tokens or personal tokens, and and um that's good. Um and I think that they're much more responsive than the NPM team certainly is, so good on them. But I'm not surprised to see your data. All of that is just a long-winded way of me saying I'm not surprised to see your data. Yeah, surprisingly.

Jenn Gile

I wasn't too surprised either. Okay, the second thing I wanted to look at was um popularity of packages because there's been a tremendous amount of attention paid to account takeovers that's compromise a legitimate package. And that's fair because those are often high, you know, download popularity projects. And so I took all the data from that time period again, looking specifically at NPM and PyPI and broke it down based on uh average number of weekly downloads uh, you know, the week that it was reported. And there's an interesting trend. First off, no surprise to me, no surprise to Paul, the vast majority of malware has less than 10,000 downloads a week. And that is indicative of those packages being more likely, not definitely, but more likely to be dependency confusion or typosquat packages that are very specifically targeting a group of people rather than those big Axios takeovers. But what we're seeing over time, if you follow the graph and pop into the blog that I pasted there and you can play with it to your heart's content, um, is you're seeing over the last month for sure, uh more high download packages are being represented in the data. So threat actors are successfully getting access to more potential victims, is what that means. The second part of that analysis was to specifically look at account takeovers because you can't, it's a like a imperfect but okay correlation where you say, well, if it's high download, then it's probably an account takeover, but not always. So I also looked at, you know, what if we tagged as account takeovers? And the line is similar, it's still lower with uh a nice, maybe nice is the wrong word, a spike in March around the time that TeamPCP really started getting active. And then a secondary spike when Mini Shai-Hulud uh took off.
And the number that surprised me, and I really want to look at the data again in maybe like a month or so, is uh around uh May 11th, about 60, 65% of the records that were added during that week to OpenSourceMalware were account takeovers. And that is a bananas number of records. So it's not that account takeovers are the whole story, but they're definitely a story.

Paul McCarty

Yeah, I mean, I think you know, no surprise again with TeamPCP and and um, you know, other attacks, um, like Axios targeting these high volume popular maintainers. I also think that while the data shows that the number of those is, you know, percentage of those is gone up inside of our data set, that that is the group that many of these changes that are happening inside the NPM and ecosystem and other places are most positively going to affect. Cooldown periods, as much as I'm uh a realist about cooldown periods. Um, I came up with a funny um ice tire thing, yes and that's funny. But I mean, cooldown periods absolutely a great precaution and control for these style of attacks, account takeover compromises, right? Because they get they do get found quickly. But as we make these changes to the ecosystem, we'll see those, the percentage of those go down. And also, too, you know, in in I'm getting ahead of myself here, but I think it's important. I, you know, what we're already starting to see is we're starting to see this interesting, you know, these high volume, high impact packages are out there for a relatively short period, and because they have a lot of downloads, weekly downloads, they have that number of downloads in that window is relatively large, right? But then you see also some of these other popular, like Events Channel, a really good example of this. You see these popular, you know, typosquatting or dependency confusion attacks that are out there much longer. So that if you do the math, if you look at that 18 minutes big versus you know, less popular, but it's out there for weeks, like Events Channel. I let Microsoft know about this a week and a half ago, right? And it's still up, right?

Jenn Gile

Yeah, I actually uh I pulled this one up this morning when I was talking with someone, and yep, I just clicked it again. Events Channel is still live on npm. This is a confirmed typosquatted package that's targeting uh Node.js users, and it has uh let's see here. Our security policy kicked me out and made me re-log in, which is good. Uh it has a total of a hundred and sixty eight thousand uh downloads. That's not nothing.

Paul McCarty

Sounds about right.

Jenn Gile

So um yeah, to your point. Like those point-in-time big spike account takeovers, that's going to get a lot of people in a short amount of time. Um, and it's gonna get the people who don't have cooldown periods in place or who don't have some kind of a you know dependency pinning, dependency management process in place. Uh these more under the radar ones, the reason that they stay up for so long is because they don't have a package maintainer screaming, hey, my stuff got taken over, please fix it. And so yeah, it's really unfortunate that this package is still live, it's still getting downloaded. We reported it, we've posted about it on social media, and it's still live. Um, where was I going with that rant? I don't know.

Paul McCarty

That's okay. Well, and then there's a third state here. You ready for that we and Jenn and I haven't even talked about this yet? So like I'm I'm going off topic again. Um, but uh there's a third state here where we're now starting to see um GitHub accounts and npm accounts that haven't been used in a long time. And um, we'll talk about this in more detail next week. Um, but that uh um that haven't been used in a long time that now have been compromised, and they're using them like they were a born malicious package. So they but basically dump a bunch of malicious uh repos and they start publishing packages under this name. They're using in one case, they're using the guy's actual um uh domain that you know that he has spun up. He's a developer and he's spun up his own. They're using that domain for the exfil now. So they've just taken over all of his infrastructure, right?

Jenn Gile

Yeah, I mean it's a heck of a lot easier to steal that than it is to artificially age something, and you know, still a lot of people are surprised that you can inflate downloads in uh GitHub.

Paul McCarty

But I I also as a corollary to that, I also noticed that the the price that bad guys were charging for aged GitHub accounts on the dark web now has gone up pretty dramatically. It's gone up by about 8x or 10x now. So they're asking for yeah, they're asking that you used to be able to buy these things for like 12, 15 bucks an account, um, aged accounts, and now they're well over a hundred dollars each. So there you go. Lovely.

Jenn Gile

Okay, the last piece of data in the analysis that I shared in the comments is specifically about malicious ClawHub skills. Um, we had a feeling when this came out in January that this would be a threat actor playground. And uh, Paul, you were not wrong. Uh, you found what was it, 386 malicious skills within like two days. And um Tony's here for it. Let's go. I love this subject. Um yeah, we found almost 400 skills within a couple days. And then by the end of March, we had over 700 in the database. And so I took all of those skills and uh I cheated a little bit. I looked at the name of the skill because that's what threat actors will do, is they'll name it the thing that they want you to think that it is. So I don't have to go look at the skill to know what they're trying to copy. And I broke it down into categories based on what kind of technology were they targeting in that. And there's definitely some like, here's my shocked face. I'm not surprised by, oh my gosh, you know, they went after crypto, really. Um, you know, crypto and finance was number one. Certainly there were some that went after developers, but the like big surprise is that almost a fifth of the skills were targeting somebody in a marketing job. And we know that because they have titles that reference SEO, that reference things about YouTube and social media, um, Klaviyo, which is a uh popular platform um for like customer marketing. Um there's a ton of stuff that is very obvious.

Paul McCarty

A bunch of it was targeting TikTok.

Jenn Gile

TikTok, you're right. Um so, you know, I think this is part of like a conversation that we're all a little ostrich, you know, head in the sand about where it's like we know developers are a target for malware, we know developers are a target for threat actors, but we also know everybody is being asked to use AI. And uh most of those people don't fall under the umbrella of application security, right? My code that I write as a marketer or a salesperson or finance is not getting scanned in the same way that a developer's code is getting scanned. So I think we'll see more of this. Um it's yeah.

Paul McCarty

I totally agree. I I think and you know, just very, very briefly, I think that bad guys realize that you know, LLMs and agentic development tools allow people that are not natively software engineers to go and build tools and products and data sets and data. And it makes a lot of sense to be using the distribution of the AI agents, right, and the skills and everything that goes along with it to attack people that are writing code or building products that aren't software engineers, that have other, you know, primary you know roles, whether it's marketing or what have you. So I totally totally makes a lot of sense, right? With the democratization of uh you know agentic software engineering, you know, development, you know, comes a new way to attack people that are not natively software engineers.

Jenn Gile

Yeah. Uh going back to what we said earlier about the human path versus the machine path, in some ways that's what's happening here. You know, typically marketers were getting targeted more by phishing campaigns, and I'm sure that will continue. But this is a way to target marketers without relying on the same type of social engineering. Anyway, um, we are gonna take a nice chunk of time now and talk about another campaign that's been in the news. And the reason we're gonna take some extra time here is not so much that the malware itself is super interesting, but there's a lot of history. And so you may have heard um, I don't know how many people have named it the way that we have. So we're calling it the Moika campaign. And the reason that we're calling it Moika is because of the um the infrastructure behind it has uh oob.moika.tech as uh part of the infrastructure. And to date, yeah, there's C2. Um, there's over, let's see here, 260 verified threat reports on this campaign. And there's not a lot of agreement in the community about what's going on with it. So I'll give the TLDR and then Paul, I know you have a lot to say about this. The TLDR is uh the account associated with this campaign uh has a history of legitimate activity uh as a bug, sure, uh bug bounty type thing. Um, where it is today, uh, you know, publishing this volume of malware. And some of these have some decent download stats where it's undoubtedly catching people, you know. If this were a legitimate campaign, you don't want that many people running after it. So I'll drop a couple links. And Paul, why don't you wax poetic about Moika?

Paul McCarty

Yeah, thank you for the opportunity. And we are going to go long today because I think this is important. We've had a long kind of long-term issue with researchers, security researchers, and especially bug bounty researchers, you know, uh building malicious uh NPM packages, and and now they're doing stuff in other ecosystems too as well. And this goes all the way back even before Alex um and Justin dropped the dependency confusion research in 2024. Um, you know, people have been doing this um to collect bounties for a while. So what we have is we have a long-term uh behavior set of um researchers creating malicious packages. Now, there's kind of this accepted that this needs to happen because you know, bug bounty platforms and and programs want to know if they're susceptible to dependency confusion and other kind of software supply chain attacks, right? So there's real genuine validity to security researchers making these things. But we kind of expect that generally they follow a set of guidelines here, right? Which is um that they only harm, it's like the Hippocratic Oath, right? Yeah, exactly. Yeah, they they typically they pull the public IP address and maybe host name and maybe username and maybe a couple other really minor things. But what they don't want to do is they don't want to exfil /etc/passwd, and they don't want to, you know, they don't want to exfil important um uh you know data, right? Because then they cross a line, they cross an ethical line. All right, so there's that first. So we have this, we have all these people doing this research. And um in 2024, for three months, I don't know if I mentioned this to you before, uh Jenn, but in 2024, um, October through December and into January 2025, I actually I validated the percentage of packages that went into OSV at the time, because at the time I was working a lot on OSV, and seeing what percentage of them I could attribute to a bug bounty researcher.
And I saw that the average was somewhere between 25 and 41 percent across those three months, right? So let's just say that in another way somewhere between 25 and 40 plus percent of the malicious packages going through OSV in late 2024 were attributable either directly or you know, and then there's a larger number was you could indirectly attribute to these researchers, so it's a large percentage of what comes into the ecosystem. And then researchers like me and Charlie and everybody else, you know, have to we understand these actors. So then now here we the next thing we want to talk about is we want to talk about these these researchers that have been doing this for a while, and one of them is Darshan. Darshan's been uh JPD is their call sign, and I know Francois is probably giggling to himself right now, but you know, JPD has been doing this for ages. I've been tracking him since 2024 at least. I mean, I've you know got data going back a while, and he's a bug bounty researcher, right? And he just like you know, dependency confusion and to a lesser extent, typosquats are his that's what he does, right? And it must be successful because he's been doing it for ages. He always attributes in each one of his packages his initials, you know, the email address always, you know, because he's always having to create new ones and roll through. So you can basically almost 100% of the time attribute a JPD Darshan uh package back to him, right now.

Jenn Gile

Well, if he got called out for that, what maybe in January or February, a lot of community, yeah. I mean, not just called out, but a lot of people accused him of malintent.

Paul McCarty

Yeah, exactly. 104. Now you can find him online, he's on Twitter, he's everywhere else, right? Um, so there's that. Now, here's the thing is that Koi comes along in 2025 and attributes APT level status to old mate Darshan, which I'm sure at some level Darshan was like, Oh, look at me, I'm an APT, but at the same time, like, oh shit, now like I got a bunch of people talking about it.

Jenn Gile

I'm on everybody's radar, dang it.

Paul McCarty

And me and a bunch of my other, you know, my peers inside the community are all kind of just like, oh god, um, you know, this is not an APT. This is, you know, what was it, hidden raven or phantom raven, whatever it was, right?

Jenn Gile

Phantom Raven, I think. Yeah.

Paul McCarty

Um, so here we are. So we have this history of all this kind of stuff happening, and now Moika comes along. And Moika's deployed, you know, almost 300 packages, um, and uses a lot of the kind of signals that you see in typical bug bounty. They use PoC, security research. They actually called, and you pointed out one of them, specifically said bug bounty. They've published packages where they don't actually have a malicious payload. So uh they also number their their dependency confusion uh packages using 99.9, which is a common way because they're trying to come, they're trying to make their highest version, yeah. And there's a bunch of other things that they do that all kind of makes the signal look like this is bug bounty, right? Or or sorry, security researcher. But then you look at the payloads and you're like, some of these payloads are just overtly malicious, they're just ganking credentials. And you know, one of the other researchers has um attributed them to a Russian nexus. Now, that doesn't mean that you know there's bug bounty researchers in in Russia, but these packages don't look like researcher packages to me, or at least not like the ones that I've seen. And so it's just a weird thing. There's not a lot of high impact here, but I think I wanted to talk about it because it does connect to this legitimate or or semi-legitimate gray area of these bug bounty packages that we've been dealing with you know for years. Um, and you know, we'd call them malicious inside of our ecosystems because you don't want to install one of those, right? Like just because it's targeting, you know, somebody else specifically. Now, here's the thing with Moika: Moika's targeting very specific npm namespaces, so they're like kind of systematically going through targeting individual organizations. That again looks like bug bounty, but in this case, the payloads don't align to that kind of outcome. So you know, I don't know. 
It's it's a weird one, and I want to talk about it as really a greater observation about the fact that we have a lot of you know, volume of these malicious packages inside of our ecosystem that are created by people that are ostensibly researchers or really are, and you know, that's part of you know what we have to spend time identifying and and culling.

Jenn Gile

Weeding through, yeah.

Paul McCarty

Weeding through. And is this or like is this like a Russian? I'm just speculating, I'm pulling this out of thin air, but is this like a Russian threat actor trying to pretend like a researcher? I don't know, it just feels weird. And I'm seeing more of these weird ones as people get access to AI and LLMs and it can generate.

Jenn Gile

Well, that was literally gonna be my question because there's been a lot of talk in the community about AI slop bug bounty stuff, right? Usually it's oriented around um uh CVE, you know, type things. We've seen lots of programs say that, you know, I was reading HackerOne is gonna change their process where it's gonna be leveraged more based on the credibility of the person. You know, if you're a known change researcher, yeah, it's a good change. Um, and frankly, in response to what happened with Microsoft one or two weeks ago burning uh a researcher, but I digress. Um we haven't talked a lot about AI slop malware. What do you think is gonna happen here? You know, there's certainly the threat actors who are using AI to rapidly iterate, but what else are you seeing?

Paul McCarty

Yeah, I mean this AI slop thing, which I think just to kind of define that really quickly for our audience, is is where basically uh an LLM hallucinates that a package exists. Let's just say events channel. Let's just think that, right? Because this might be an example of that. Events channel is shares a name with um an internal process, but also there's there's an old that there's a 13-year-old package called event channel, which nobody uses, but anyhow, there's so it's just weird. So LLM at some point hallucinates that a package name exists and then suggests it uh to a user, right? And they include it in their package manifest or what have you. And a lot of times this is like more behind the scenes, it's just doing it, nobody ever looks at it, you don't realize, right?

Jenn Gile

And if I could interrupt, when I was at Endor, we did some research on this last year, and it's a shockingly high number of packages are hallucinating, like hallucinating.

Paul McCarty

Yeah, I mean the the platforms have gotten better at it, but I think it's kind of it's it's fallen to these kind of niche parts of the ecosystem and where it's much, much harder to attack. So, for example, one of the one one of the ways that I see events channel being picked up is in MC MCP servers. There's a bunch of MC. If you just if you just search on Google, you'll find these you know DIY MCP servers that are calling the events channel um uh package. Why and how did it find that kind of niche? I don't know, but this is this is where it's happening. It's all you know all over the place, and who knows what tools people are using. So bad guys then go and create a package with that name, and suddenly a hallucin something that was a hallucination on the on the the agent's part is now an actual genuine malicious attack inside of your ecosystem, and it happens much more frequently than people think. And in this case, you know, I don't know how this thing is as as popular as it is, um, but it continues and Microsoft dropping the ball because they're dropping the ball everywhere. Um, they haven't taken this thing off of the the registry. Um, it continues to be a fairly effective, you know, uh uh typosquat.

Jenn Gile

So yeah, it's the world we live in right now. Okay, we took our extra time. Did you get it all out of your system?

Paul McCarty

Well, not really, but that's okay. I got enough of it out that I feel good. I feel I got a chance to vent about this weird bug bounty researcher fakeness that anyhow.

Jenn Gile

Well, there'll be enough in the tank for next time, I'm sure.

Paul McCarty

Right. We got we already are queuing up things to talk about next week, too, as well. So we we got we got a full one.

Jenn Gile

Yeah. Well, as always, if there's stuff you want to learn about, um, you know, DM us, comment in our videos. I keep an eye on all of that. Uh, we actually had somebody side note um reach out to us on I think last week's video and say that they thought they had been hit by pollen writers. So if you're listening, uh like DM us on one of our socials, we'd love to talk about it. Um, but yeah, we'll be here.

Paul McCarty

Yeah, I got I still haven't pushed the new blog about the the latest dot zip thing the pollen writer is doing, which is really brutally effective. So I'll get that out of there. Just been busy doing actual stuff.

Jenn Gile

Well, that is stuff, but you know, well, that's stuff, but like businesses product to develop. Right on, have a great one.

Paul McCarty

Thanks everybody, appreciate you listening. Cheers.

Jenn Gile

Bye.
