This week on the 322nd episode of Absolute AppSec, Ken Johnson (@cktricky) and Seth Law (@sethlaw) examine critical vulnerabilities, changing security standards, and adaptive defense mechanisms. The core analytical segment of this episode centers on the Megalodon breach, a campaign that has compromised over 5,000 GitHub repositories. As a way of countering these types of automated supply chain threats, Seth and Ken then praise NPM’s newly released staged package publishing pipelines, which mandate two-factor authentication from human maintainers before releasing packages pushed by automated CI/CD workflows. Finally, Seth and Ken review the emergence of AI-powered honeypots. To find this episode, go to https://www.youtube.com/@AbsoluteAppSec/streams, or find us wherever you get your podcasts.
“The new kind of world that we’re moving into more and more needs to be autonomous and […] auto-protected, auto-defended. That’s just kind of becoming table stakes for the new world that we’re […] living in where this stuff just […] happens so frequently.”
The high-profile Megalodon breach is classified as a direct poisoned-pipeline execution attack. Threat actors did not exploit a novel zero-day vulnerability in the GitHub platform itself, despite sensationalized media reports suggesting otherwise. Instead, they harvested legitimate developer credentials using widespread infostealer malware and used those stolen credentials to push base64-encoded malicious payloads directly into GitHub Actions YAML files. When the CI/CD pipelines executed these poisoned workflow files, the automated environment exfiltrated sensitive repository tokens and SSH keys. Seth and Ken’s take was that a major weakness facilitating this widespread compromise was a lack of basic repository governance: strict pull-request flows combined with robust branch protection rules would have vastly reduced the attack’s viability by preventing direct commits to default branches.
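One thing a repository owner can do today, independent of branch protection, is scan workflow files for the pattern described above: a run step that decodes a base64 blob and hands the result to an interpreter. The scanner below is an added example written for this post, not code from the episode or from any GitHub tooling; the sample workflow, the base64 literal (a meaningless placeholder) and the heuristics are constructed. It deliberately leaves alone the common legitimate use of base64 in CI, decoding a secret into a file, so the finding list stays short enough to act on.

```python
"""Lightweight scan of GitHub Actions workflow text for run steps that decode
base64 and hand the result to an interpreter. Added example: the scanner and
the sample workflow are constructed for this post and are not taken from any
real repository or from the Megalodon campaign."""
import re

# Constructed sample workflow. The `setup` job carries a run step of the kind
# a poisoned commit would add; the `test` job is ordinary CI, and its third
# step decodes a secret into a file, a legitimate use of base64 that must
# not be flagged. The base64 literal is a placeholder (it decodes to "AAA...").
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
      - name: fetch cluster config
        run: echo "${{ secrets.KUBECONFIG }}" | base64 -d > kubeconfig
  setup:
    runs-on: ubuntu-latest
    steps:
      - name: prepare
        run: |
          echo "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB" \\
            | base64 -d | bash
"""

INTERPRETER = r"(?:bash|sh|zsh|python3?|node|perl)"
DECODE = r"base64\s+(?:-d|-D|--decode)\b"
# `... | base64 -d | bash`: decoded bytes piped straight into an interpreter
DECODE_THEN_EXEC = re.compile(DECODE + r"[^\n|]*\|\s*" + INTERPRETER + r"\b")
# `bash <(echo ... | base64 -d)`: interpreter reads the decode via process substitution
EXEC_FROM_DECODE = re.compile(r"\b" + INTERPRETER + r"\s*<\([^)]*" + DECODE)
# An opaque blob long enough to hide a script, as opposed to a short token
LONG_B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

REASON_EXEC = "base64 decode piped into an interpreter"
REASON_BLOB = "long inline base64 literal decoded in step"


def extract_run_steps(workflow_text):
    """Return (line_number, script) for every `run:` key. Block scalars
    (`run: |`, `run: >`) are joined into one string so a pipeline split over
    several lines is inspected whole. Not a YAML parser: good enough for the
    flat step lists workflows actually use."""
    steps = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)-?\s*run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        key_indent, rest = len(m.group(1)), m.group(2).strip()
        key_line = i + 1  # 1-based line of the run key, for reporting
        if rest in ("|", ">", "|-", ">-", "|+", ">+"):
            body = []
            i += 1
            while i < len(lines) and (
                not lines[i].strip()
                or len(lines[i]) - len(lines[i].lstrip()) > key_indent
            ):
                body.append(lines[i].strip())
                i += 1
            steps.append((key_line, " ".join(body)))
        else:
            steps.append((key_line, rest))
            i += 1
    return steps


def scan_workflow(workflow_text):
    """Return [(line, [reasons])] for run steps matching the decode-and-execute
    heuristics. Decoding a secret into a file, with no interpreter and no
    inline blob, produces no finding."""
    findings = []
    for line_no, script in extract_run_steps(workflow_text):
        reasons = []
        if DECODE_THEN_EXEC.search(script) or EXEC_FROM_DECODE.search(script):
            reasons.append(REASON_EXEC)
        if re.search(DECODE, script) and LONG_B64_LITERAL.search(script):
            reasons.append(REASON_BLOB)
        if reasons:
            findings.append((line_no, reasons))
    return findings


if __name__ == "__main__":
    for line_no, reasons in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {'; '.join(reasons)}")
```

Run it over the `.github/workflows` directory in a pre-commit hook or a required status check and the poisoned step in the sample is reported at the line of its `run:` key, while the `kubeconfig` step is not. The value is in the combination: branch protection stops a stolen credential from landing a commit on the default branch directly, and a check like this makes the commit visible in review if it arrives through a pull request instead.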
The threat research firm Hudson Rock confirmed a direct match between the compromised GitHub accounts and known credentials sitting in illicit infostealer databases. This highly advanced malware significantly lowers the barrier to entry for low-tier threat actors, enabling rapid, automated exploitation across a massive blast radius. In response to these systemic supply chain vulnerabilities, Seth and Ken evaluate a major defensive update introduced by the NPM registry known as “staged publishing,” designed precisely to interrupt automated, non-interactive CI/CD workflows that push code straight to production. Under this new paradigm, when a compromised pipeline attempts to publish an updated package, the code is redirected into a visible staging pipeline rather than going live instantly. To finalize the release, a human maintainer must actively prove their presence and validate the deployment via multi-factor authentication (MFA). Seth and Ken look favorably on this mechanism, concluding that while it will inevitably attract targeted social engineering attacks against project maintainers, it introduces a vital layer of friction that will significantly slow down the automated velocity of supply-chain poisoning.
“Attackers are using agents nowadays. […] This feels like an easy way to distract and get in the way of those agents to prevent targeting of other portions.”
This staging discussion highlights the frustrating fragmentation among global package registries like PyPI and NPM, which forces each ecosystem to reinvent security defenses in total isolation. This "security amnesia" mirrors modern web frameworks that repeatedly reintroduce classic, solved flaws under the guise of optimization. For instance, a recent critical SQL injection flaw found in GoCMS stemmed from textbook raw string interpolation rather than an AI error; a human engineer wrote the catastrophic line back in 2020, and XLab researchers only caught it during live forensics for an active exploit. Looking ahead, the hosts are incredibly excited about the resurgence of AI-powered honeypots as an active defense mechanism. By using LLMs to dynamically simulate realistic, vulnerable environments—like a mock Linux filesystem mimicking a junior developer—defenders can trap adversarial AI scanning agents in an elaborate hall of mirrors. Ken highly praises the economics of this tactic: it uses a fixed-cost predictable architecture on defense while forcing attacking agents to burn massive amounts of expensive API-processing tokens, imposing a punishing financial cost that destroys the attacker's trust in their own automated intelligence.
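The GoCMS flaw mentioned above is the oldest bug class in the book, and it is worth seeing the two forms next to each other. The following is an added example written for this post, not code from GoCMS (which is a Go project) or from the XLab write-up; it uses Python’s standard-library sqlite3 module, and the table and rows are constructed. The point it makes is that the interpolated query and the parameterized query look almost identical on the page and behave completely differently once a quote character shows up in the input.

```python
"""Vulnerable and fixed forms of a raw-string-interpolation SQL injection,
side by side. Added example in Python with the standard-library sqlite3
module; not taken from GoCMS. The table and rows are constructed."""
import sqlite3


def build_db():
    """In-memory table with two published pages and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO pages (slug, body, published) VALUES (?, ?, ?)",
        [("home", "Welcome", 1), ("about", "About us", 1), ("draft-q3-plan", "Not yet public", 0)],
    )
    return conn


def find_published_vulnerable(conn, slug):
    """Raw string interpolation: the slug becomes part of the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL.
    The `published = 1` restriction is then just another clause to be bypassed."""
    query = f"SELECT slug FROM pages WHERE published = 1 AND slug = '{slug}'"
    return [row[0] for row in conn.execute(query)]


def find_published_safe(conn, slug):
    """Parameter binding: the driver sends the slug as a value, never as SQL,
    so the same input is simply a slug that matches nothing."""
    query = "SELECT slug FROM pages WHERE published = 1 AND slug = ?"
    return [row[0] for row in conn.execute(query, (slug,))]


def compare(slug):
    """Run both forms on the same input and return their results side by side."""
    conn = build_db()
    try:
        return {
            "vulnerable": find_published_vulnerable(conn, slug),
            "safe": find_published_safe(conn, slug),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("home"))
    # The textbook probe: the unpublished draft leaks through the interpolated query
    print(compare("x' OR '1'='1"))
```

In code review the tell is the f-string (or `fmt.Sprintf`, or `+` concatenation) feeding a query function; a query that takes its values through placeholders cannot be reshaped by its input, which is why this was considered a solved problem long before 2020.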
This episode was sponsored by Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of apps, including AI, web, and mobile. Redpoint also offers developer appsec and secure-code training to help ground your teams in better security practices across the development lifecycle. Check out redpointsecurity.com for more information and put your company on a path to better security.
Sprouts are coming up, so now’s the time to display your solidarity along with your support for the Podcast. Check out the selection of green tees in our merch store (there are other colors as well). T-shirts are great gifts for yourself or your friends.
Whether you are an AI optimist or an AI pessimist, there’s a place for you in our Slack. Sit down, relax, and stay a while.
Stay Secure,
Seth & Ken
https://youtu.be/EbXQiDnPlE0 – Episode #130 - Facebook ‘Breach’ - Ken and Seth break down the Facebook 'Breach', aka data collection and different views on dealing with that data. The discussion continues with privacy data and how far we should trust any social media application.
https://youtu.be/2bs6gQjLZJo – Episode #83 - NPM, Developer Training, React - An early episode featuring Ron Perris that digs into NPM. Discussions on module security, developer interactions, and node security issues.
https://youtube.com/live/PBSxZPyXGRE – Episode #302 - OWASP Global AppSec DC predictions, AI Browser Dangers, MCP Security - Includes a discussion on honeypots as the hosts noted concern over the discovered prompt instructions for Atlas, which direct the ChatGPT agent to use browser history and available APIs to find data from the user's logged-in sites to answer ambiguous queries or fulfill requests. This functionality raises significant security concerns, as the agent's ability to comb the cache and logged-in sites could be exploited, effectively creating a "honeypot for cross-site scripting" with malicious potential like unauthorized money transfers.
Absolute AppSec Happenings
Using AI to Secure Its Own Code Is a Ponzi Scheme – This article, recently dropped into our Slack channel, argues that because AI models are trained on existing, often vulnerable human code, they lack the true context to find deep security flaws. Using AI to validate AI-generated code merely creates a dangerous, superficial loop of self-referential validation that masks underlying risks instead of genuinely fixing them.
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts – Hackers successfully hijacked high-profile Instagram accounts—including the Obama White House and the U.S. Space Force Chief Master Sergeant—by tricking Meta’s AI-powered customer support assistant. Using regional VPNs and a simple exploit, attackers persuaded the chatbot to link targeted accounts to new email addresses, bypassing standard recovery boundaries. Meta has since patched the critical flaw.
Upcoming Events
Where in the world are Seth and Ken?
August 1-4, 2026 - AI-Enhanced Secure Code Review: Black Hat Edition - Black Hat USA, Las Vegas - Seth and Ken are bringing a four-day exclusive course to Black Hat. This is an update of the exclusive version of the course offered at Black Hat Europe. Early bird pricing is ongoing, so it’s a great opportunity to get a truly in-depth understanding of secure-code review and how it can be empowered through LLM tooling. Seth and Ken have developed industry-leading trainings in both of these topics, so this four-day course promises to provide a lot of valuable insight.
August 10-11, 2026 - Agentic AppSec: Harnessing LLMs - DEF CON Training, Las Vegas - Comprehensive course designed for developers and cybersecurity professionals seeking to harness the power of Agentic AI and Large Language Models (LLMs) to enhance software security and development practices.