BSides Toronto 2025

Dissecting Open Source Malware: From PoCs to Payloads
2025-10-04, ENG 103

Malicious packages hiding in plain sight? Welcome to modern open source ecosystems. This talk explores how open source code—once limited to harmless PoCs and bug bounty tools—is increasingly being weaponized as real malware in the npm and PyPI ecosystems. We’ll walk through how these threats have evolved, dive into real examples, and show how you can analyze and understand them, even when they try to hide behind layers of obfuscation.


Open source malware has rapidly evolved from harmless scripts into fully operational payloads: stealing credentials, exfiltrating data, dropping binaries and deploying remote access trojans (RATs) through packages that look just like any other dependency.

In this talk, we’ll explore that evolution and how attackers are using npm and PyPI as distribution channels for info stealers, backdoors, and more. I’ll demo a few real-world examples and walk through my approach to analyzing them, focusing on source-level static analysis with a touch of dynamic behaviour inspection in a controlled environment.

We’ll also look at some basic obfuscation techniques and show how to cut through them using simple but effective workflows. Whether you’re a developer, researcher, or just malware-curious, you’ll walk away with a better understanding of how these threats operate and how to start pulling them apart.

Don’t trust your package.json or requirements.txt blindly. Get curious, dig in, and help raise the bar for supply chain security.

I am a Senior Security Researcher specializing in open source supply chain security, with a focus on offensive security and malicious packages. Over the past several years, I’ve led security research teams, analyzed a wide range of vulnerabilities, and published articles on malicious package detection, source code analysis, and software supply chain threats.

My professional journey spans offensive security, penetration testing, red teaming, and malware research, supported by certifications such as OSCP and CRTE. I’m passionate about unravelling complex threats, mentoring others in the security community, and advancing secure software practices.

Outside of work, I enjoy hiking and outdoor adventures, solving puzzles with my wife, and finding new challenges, whether in code or the great outdoors, that keep my mind sharp and curious.