The OpenSourceMalware Show

RubyGems bot attack, ShinyHunters ransom Canvas, and the latest on Mini Shai Hulud

32 min · 14 May 2026

Description

Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty for episode four! In this episode:

* RubyGems bot attack: Hundreds of bots pushed 500-plus packages to RubyGems, some carrying exploits, forcing the registry to shut down new account signups. Jenn and Paul break down why the DDoS label may be misleading and what this exposes about the friction-vs-safety tradeoff every open source registry faces.
* Canvas ransomware by ShinyHunters: ShinyHunters breached Instructure, the company behind the Canvas LMS used by over 30 million students globally, stealing 3.65TB of data including private messages between students and teachers. Instructure said almost nothing publicly for days. Jenn and Paul discuss the data sensitivity risks for minors and close with breaking news: Instructure paid the ransom.
* Mini Shai Hulud and TanStack: Team PCP is not connected to the original 2025 Shai Hulud campaign. Paul explains how they used Adnan Khan's GitHub Actions cache poisoning technique to compromise TanStack and 90-plus packages without long-lived credentials, why attestation and trusted publishing didn't stop it, what the CIS country geofencing in the payload actually signals, how malware is now targeting .claude directories on developer machines, why novel malware still dominates the OpenSourceMalware database by volume, and why open sourcing their worm and doing press interviews is likely to hasten Team PCP's capture.

Episode Resources:

* RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded [https://thehackernews.com/2026/05/rubygems-suspends-new-signups-after.html]
* RubyGems status page [https://status.rubygems.org/incidents/cytf062tkwtt]
* OpenSourceMalware RubyGems threat records [https://opensourcemalware.com/?type=package&ecosystem=rubygems]
* OpenSourceMalware Mini Shai-Hulud threat records [https://opensourcemalware.com/?search=%23mini-shai-hulud]
* Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak [https://thehackernews.com/2026/05/instructure-reaches-ransom-agreement.html]
* blog: Mini Shai-Hulud Borrowed Its Best Trick From PolinRider [https://opensourcemalware.com/blog/mini-shai-hulud]
* blog: TeamPCP Compromises MistralAI and OpenSearch [https://opensourcemalware.com/blog/teampcp-mistralai-opensearch-compromised]
* TanStack npm supply-chain compromise postmortem [https://tanstack.com/blog/npm-supply-chain-compromise-postmortem]
* The Monsters in Your Build Cache - GitHub Actions Cache Poisoning [https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/]
* TeamPCP interview [https://buymeacoffee.com/insidedarknet/teampcp-interview]

All episodes

6 episodes

OSV false positives, Crowdstrike takedown of Glassworm infra, and MSFT nukes a researcher

This week Jenn and Paul covered:

* OSV false positives from AWS Inspector: AWS's automated malware detection pipeline submitted 157 false positive entries to osv.dev. The entries were merged before anyone caught the errors. When the community began pointing out that some of those "false positives" were actually real malware, AWS started adding some back, making this a mess on both ends. AppSec vendors piled on publicly despite relying on OSV as their primary detection source without contributing to it. Paul publicly thanks Chi Tran's team at AWS Inspector for their contributions overall.
* CrowdStrike, Google, and Shadowserver take down Glassworm C2 (including the botnet vs. worm distinction): The operation targeted four infrastructure components: Solana blockchain dead drops, BitTorrent DHT, Google Calendar abuse, and commercial VPS servers. The legal and technical basis for the takedown is unclear and CrowdStrike declined to comment on specifics. Paul explains how blockchain memo fields work as dead drops and how multi-stage attack chains evolve. As part of the discussion, Paul clarifies the technical difference between a botnet (centrally orchestrated persistent access across many machines) and a worm (self-replicating), and ties it to how both Glassworm and DPRK/PolinRider operate.
* MSRC, Nightmare Eclipse, and the state of coordinated disclosure: Researcher Nightmare Eclipse published six unpatched Windows zero-days (RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, MiniPlasma) after a breakdown in MSRC's handling of their disclosures. Microsoft's claim that no prior notice was given is contested. Nightmare Eclipse says MSRC knew BlueHammer was coming. Microsoft's MSRC blog post named all six vulnerabilities, invoked its Digital Crimes Unit, and never acknowledged Nightmare Eclipse's claim that Microsoft deleted the account they used to report bugs and paid them nothing. The MSRC post instead triggered a flood of other researchers sharing similar experiences: Gabriel Landau reported MSRC agreed to issue a CVE in exchange for an extended embargo, then patched silently and broke that agreement. Rootsecdev reported a five-month wait followed by a "doesn't meet the bar for servicing" response, while Microsoft silently fixed it anyway. GitHub then banned Nightmare Eclipse's account; GitLab followed suit days later. Paul and Jenn note this reflects a broader, documented pattern of MSRC underinvesting in researcher relationships, not an isolated incident.
* Using GitHub as a forward-hunting collection source: Paul and Jenn co-authored a guide with Feedly based on the hunting technique Paul has used to discover campaigns like PolinRider. Workshop may be submitted to DEF CON Adversary Village.

Episode Resources:

* GitHub PR: OSV false positive withdrawals: AWS Inspector PR #1276 [https://github.com/ossf/malicious-packages/pull/1276]
* Blog: CrowdStrike: Inside the Takedown of a Developer-Targeting Botnet [https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/]
* Blog: Four Arms, One Monster — GlassWorm Invades GitHub, NPM, Open VSX and VS Code [https://opensourcemalware.com/blog/four-arms-one-monster]
* OpenSourceMalware threat reports for Glassworm [https://opensourcemalware.com/?search=%23glassworm]
* X post: International Cyber Digest: Microsoft's response to Nightmare-Eclipse zero-day disclosures [https://x.com/IntCyberDigest/status/2060015133716291858]
* Blog: MSRC: A Shared Responsibility — Protecting Customers Through Coordinated Vulnerability Disclosure [https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure]
* Guide: How to Collect Intelligence from GitHub on Open Source Malware [https://feedly.com/ti-essentials/posts/how-to-collect-intelligence-from-github-on-open-source-malware]

Yesterday · 28 min

GitHub popped by malicious VS code extension, npm staged publishing debuts

This week Jenn and Paul cover:

* npm Staged Publishing: npm's new feature adds a human approval checkpoint before a package goes live. Real improvement, real caveats. We walk through what it does, where it falls short, and the questions the docs still don't answer.
* DPRK Axios-Linked npm Packages: Paul discovered three malicious npm packages tied to the March Axios attacker that have been quietly harvesting credentials since early April. Classic DPRK multi-use attack infrastructure, built to support Contagious Interview and TaskJacker campaigns running in parallel.
* TeamPCP's Biggest Maintainer Compromise Yet: Two npm maintainers compromised. One developer maintained over 540 packages. TeamPCP published over 600 malicious versions. Three of the affected packages alone account for more than 5 million weekly downloads.
* GitHub Employee Device Compromised via Poisoned VS Code Extension: A malicious Nx Console extension published May 18th made it to a GitHub employee's device, exposing an estimated 3,800 repositories. The credential theft happened seven days earlier through the TanStack compromise. We also cover the CISA "private" repository that was not private, and what both incidents say about secrets management and GitHub permissions defaults.

Episode Resources:

* npm Staged Publishing documentation [https://docs.npmjs.com/staged-publishing]
* Axios attacker strikes again: Three npm packages hiding in plain sight for two months [https://opensourcemalware.com/blog/axios-attacker-additional-npm-packages]
* TeamPCP compromises npm maintainer with over 540 packages [https://opensourcemalware.com/blog/teampcp-compromises-npm-maintainer-with-over-540-packages]
* OpenSourceMalware threat report: nrwl.angular-console (Nx Console) [https://opensourcemalware.com/vscode/nrwl.angular-console]
* Nx Console v18.95.0 postmortem [https://nx.dev/blog/nx-console-v18-95-0-postmortem]

21 May 2026 · 28 min

RubyGems bot attack, ShinyHunters ransom Canvas, and the latest on Mini Shai Hulud

14 May 2026 · 32 min

Git hook persistence, Antrea compromise, Dirty Frag, cPanel exploitation, interpreted language malware

Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty for episode three, covering the latest threat activity and a deep dive they've been promising since episode one. In this episode:

* DPRK Lazarus Group using git hooks: Paul's latest research shows the Contagious Interview / TaskJacker campaign has evolved. The initial loader is still the VS Code task.json file, but it now calls concatenated Git commands that drop malware via pre-commit and post-checkout git hooks, hiding the payload URL from the place researchers have been looking. Post-checkout is particularly clever: it fires every time a developer checks out a branch, and most people never think to audit it.
* Antrea Kubernetes project compromise: The Antrea project, a popular Kubernetes CNI dependency, was compromised but so far no malware has been dropped into it. Paul has been tracking the threat actor and reached out proactively to the maintainers. The source of compromise is contested (we have evidence it was through the March Trivy compromise), but the core takeaway stands: threat actors don't always act immediately on stolen credentials. Assume credentials are burned and rotate aggressively.
* Dirty Frag Linux local privilege escalation: Dirty Frag is a new vulnerability class discovered and reported by Hyunwoo Kim (@v4bel) that chains two page-cache write vulnerabilities (the xfrm-ESP bug and the RxRPC bug) to obtain root privileges on major Linux distributions. It extends the same bug class as Dirty Pipe and Copy Fail. Because it is a deterministic logic bug rather than a race condition, it doesn’t require precise timing, does not panic the kernel on failure, and has a very high success rate. The embargo broke before a patch or CVE existed. It is already public.
* cPanel actively exploited at scale: A critical actively exploited vulnerability in cPanel is hitting organizations below the security poverty line hardest. The infosec press has been quiet, but incident responders are getting hammered. Every geolocation, every crew. If you're doing IR right now, you're not alone.
* Deep dive on interpreted language malware vs. compiled malware: Most malicious open source packages are written in JavaScript or Python, and that is not an accident. Jenn and Paul walk through why: no compilation step means the attack artifact ships with variable names and structural intent intact, post-install scripts enable auto-execution at install time, and sandboxes consistently fail against interpreted language malware for structural reasons. They also cover where static analysis fits in and why purpose-built engines outperform LLM-heavy pipelines for this problem.

Episode Resources:

* DPRK abusing git hooks [https://opensourcemalware.com/blog/dprk-git-hooks-malware]
* Antrea project compromise [https://opensourcemalware.com/blog/antrea-compromise2]
* Dirty Frag [https://github.com/V4bel/dirtyfrag]

7 May 2026 · 27 min

Lovable and Vercel incidents, GitHub RCE, EDR vs. AI agents, Mini Shai Hulud by Team PCP

Join OpenSourceMalware co-founders Jenn Gile and Paul McCarty as they cover a week that had defenders everywhere ready to call it on 2026. In this episode, we cover four topics:

* Lovable and Vercel incident response failures: Two AI-native platforms had significant security incidents in recent weeks, and both initially responded by minimizing the severity. We break down why Lovable's regression exposed source code and full chat history to any free account holder (the mother of all IDORs), why Vercel's response left paying customers without a single actionable mitigation step, and what good incident response communication actually looks like.
* GitHub RCE via git push: A remote code execution vulnerability sitting in GitHub's codebase for over a decade allowed arbitrary code to be passed and executed via the -o option on a git push. We discuss why this happened, why it is not entirely surprising given Git's design history, and what it means for the ecosystem.
* EDR vs. AI coding agents: Paul's EDR flagged his own development environment as infected while he was refactoring a library with Claude. We unpack why AI agents operating at non-human speed trigger the same behavioral signatures as ransomware, and why this is going to become a bigger problem as agentic coding workflows become the norm.
* Mini Shai Hulud by Team PCP: Team PCP's latest campaign compromised the Lightning Python package (15 million downloads per week) and the Intercom npm client (370,000 downloads per week), among others. We cover what makes this campaign notable: Team PCP has adopted the VS Code tasks file persistence technique previously seen only in DPRK-linked campaigns like TaskJacker and PolinRider. We also discuss what over 2,000 exfiltration repositories on GitHub mean for affected developers and organizations, and what you should be doing right now if you are worried you are affected.

Episode Resources:

* AI Full-Stack Development: The Anti-Patterns Rise Against Us - Part 1 [https://opensourcemalware.com/blog/rise-ai-anti-patterns] - Our research on some security anti-patterns we discovered when auditing how AI tools write code
* Mini Shai-Hulud Borrowed Its Best Trick From PolinRider [https://opensourcemalware.com/blog/mini-shai-hulud] - An analysis of the TeamPCP campaign “mini Shai Hulud”, including details on the trick they borrowed from North Korean campaigns like PolinRider and Contagious Interview
* Renovate & Dependabot: The New Malware Delivery System [https://blog.gitguardian.com/renovate-dependabot-the-new-malware-delivery-system/] - A GitGuardian blog about the way these tools can accidentally auto-install malware

30 Apr 2026 · 25 min