Episode #306 w/ Paul McCarty

We bring on Paul McCarty, software supply-chain security researcher and NPM hacker, to discuss malware and npm attacks in the AI-powered era.

This week on Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) are already on winter break, but we’re here to summarize episode #306 with Paul McCarty. As the Head of Research at Safety and lead of the Open Source Malware (OSM) project, Paul has insights to share on the increasingly sophisticated landscape of malicious packages within the NPM ecosystem. His security background includes work at John Deere, Boeing, Regence BlueCross BlueShield, NASA Jet Propulsion Labs, the US Army, and the Queensland Government. He’s also spent over twenty years helping startups with security practices. You might recognize him as a long-time friend of the show and a consistent contributor to the Absolute AppSec community Slack. To see more of Paul, check out his research at the SourceCode RED blog, or find his past guest episodes at https://www.youtube.com/@AbsoluteAppSec/streams. Find us wherever you get your podcasts.

“Microsoft should be spending exponentially more money on the security of NPM. It is the world’s largest software registry and it is a joke […] [T]he fact that it is still the dumpster fire that it is and it’s getting worse is crazy.”

Paul

The conversation begins with a technical deep dive into a new variant of the “contagious interview” campaign attributed to the North Korean Lazarus Group. Paul explains how these threat actors are moving away from standard social engineering tactics, such as tricking developers into running PowerShell commands, toward a stealthier delivery mechanism: a `tasks.json` file in the repository’s `.vscode` folder. VS Code lets a task declare that it should run on folder open, which gives “remote code execution by design”: the scripted task fires the moment a developer opens the cloned folder in VS Code or in Cursor, the AI-focused VS Code fork.

There is a lot of complexity in this multi-stage attack, which includes the BeaverTail info stealer and a highly obfuscated Python malware dubbed InvisibleFerret. Seth and Ken express significant concern over how quickly new developer tools outpace the security community’s ability to protect them. Seth highlights a critical blind spot in enterprise security: the developer’s workstation is often treated as sacrosanct and left under-protected to avoid interfering with productivity. Ken and Seth both emphasize that, while many organizations focus on vulnerabilities like those in the OWASP Top Ten, malicious packages are 100% real threats that require purpose-built detection tools rather than just standard security advisory databases.

“I wish I could say it’s getting better, but I’m not a nihilist—I know it’s getting worse. The creativity that bad guys have[…], they’ve got a whole new way to reinvigorate their campaigns.”

Paul McCarty

The discussion shifts to the structural failures of major platforms such as GitHub and NPM. Paul points out that the GitHub timeline is essentially unreliable: both the author and committer timestamps in a Git commit are generated by the client, so they can easily be faked to make a brand-new malicious repository appear several months old. Ken and Seth agree that Microsoft and GitHub have not invested nearly enough funding or engineering resources into securing the world’s largest software registry, especially given the sheer volume of 1,100 new NPM packages and 140,000 modifications occurring daily. They argue that while smaller, volunteer-run registries like PyPI are making strides, NPM, due to its sheer magnitude and the attention that attracts, remains a “dumpster fire” and a primary target for nation-state and professional criminal groups.

Finally, the group discusses the emerging risks of vibe coding and Model Context Protocol (MCP) servers, which facilitate AI-driven development but often lack proper authentication handshakes and security guardrails. Paul admits his own stance on AI-assisted coding has evolved, noting that it allows experts to build complex security tools quickly, though it simultaneously empowers attackers to create highly professional-looking malicious packages. Seth and Ken conclude that the security industry is currently playing a losing game of catch-up, and they stress the urgent need for developers to be more skeptical of the authors they trust and the tools they integrate into their build pipelines.

This episode is sponsored by DryRun Security. The team over there is celebrating the one-year anniversary of their emergence from stealth mode, and the blog recaps what they’ve learned and built. Also check out their latest white paper that contains good advice for “Building Secure AI Applications.” Visit the link to read more: https://www.dryrun.security/resources/owasp-top-10-llm-building-secure-applications

It’s been rainy lately, even though there should be snow instead. Consequently, I’ve wanted the warmth and protection of a nice hoodie, and Absolute AppSec’s merch store has a whole spate of them! Pick a size and color for yourself or friends below:

The nicest swag is still available in the Absolute AppSec store!

If you have thoughts or predictions for how to protect your apps and work with third-party packages, join the discussion on our Slack. Show topics often originate as discussion points with the Slack audience, and the newsletter incorporates that discussion as well. So, join in there to offer ideas for what you’d like the podcast to cover, as well as pick the brains of a number of industry experts.

Stay Secure,

Seth & Ken

https://www.youtube.com/live/s8-0taf-X_Y - Episode #259 - Special Melbourne Australia Edition with Paul McCarty & Daniel Ting - It’s worth revisiting this episode with Paul and friend of the show Daniel Ting (hoodiepony) when Seth and Ken were running a training in Melbourne a few months back.

https://www.youtube.com/live/aEWYOiVZP90 - Episode #276 - w/ Myles Borins - NPM - The recent npm compromises and Paul McCarty’s insights can definitely be enriched by Myles Borins’s deep dive into how GitHub attempted to level up NPM’s security posture over the years.

https://www.youtube.com/watch?v=fnm3mz01kFQ - Episode #165 - Portswigger 2021 Top 10, Supply Chain Attacks, TLS Certs - If you’re looking for ways to protect your applications or customers by finding packages that may be dodgy going forward, there are some good bits of advice in this episode. Be sure to give a listen to Ken recapping six signs that a package may be compromised.

Absolute AppSec Happenings

https://www.elttam.com/blog/plormbing-your-django-orm/ – A guide to ORM leaks, which happen when developers assume that an ORM is safe from injection and pass unvalidated user input straight into “safe” ORM query methods, turning the query layer itself into a data-leak risk.

https://skilldeliever.com/your-supabase-is-public – Thousands of Supabase projects are leaking data because devs don’t enable row-level security (RLS) on their tables. Add in vibe coding, and you’ve got a recipe for disaster.

https://shehackspurple.ca/2025/11/10/software-supply-chain-bigger-and-scarier-than-we-realize - A long, hard look at software supply chain security, the evolving nature of dependency management, and what we can do to keep potential vulnerabilities from slipping through the cracks.

Upcoming Events

Where in the world are Seth and Ken?

March 21-22, 2026 - BSidesSF - Watch this space for the details regarding a panel with Seth and Ken taking place in San Francisco in March.

April 7-8, 2026 - Harnessing LLMs for Application Security - IN PERSON at Kernel Con. Come join Seth and Ken in Omaha for the Harnessing LLMs course!

April 21-24, 2026 - Next Gen AppSec & Secure Code Review: Black Hat Edition - In-person training at Black Hat Asia. After a successful inaugural version of the 4-day Black Hat exclusive course at Black Hat Europe, Seth and Ken are leading the training again in Singapore. Find more information and register at the link above.