Frithjof Hoffmann
I’m a technical sales engineer and cybersecurity professional specializing in software supply-chain security, threat intelligence, and risk management. Based in Moormerland, Germany, I combine deep technical expertise with a strategic, customer-focused approach to help organizations gain visibility, reduce risk, and strengthen resilience across their software ecosystems.
At ReversingLabs, I work with customers and partners across Europe to implement scalable, intelligence-driven solutions that address the growing challenges of modern software development and supply-chain integrity. My work covers areas such as Software Bill of Materials (SBOM) management, malware analysis, and advanced file and binary inspection.
I’m passionate about translating complex cybersecurity topics into clear, actionable strategies that align with business goals. I focus on turning cybersecurity from a reactive defense into a proactive enabler of innovation. I also enjoy engaging in conversations about the evolving threat landscape, the future of software trust, and how automation and AI can strengthen cyber defense.
My goal is to help organizations build not just safer software, but stronger security cultures, where transparency, collaboration, and continuous improvement are at the center of every initiative.
Sessions
In the original Matrix movie, Neo learned Kung Fu through an upload. Imagine if your ML could learn the same way. That's what a pickle file does for ML - "I KNOW KUNG FU" or whatever was in the file that was supposed to be "learned" by your ML model.
What if there was a plot twist where Agent Smith tampered with the Kung Fu module so that it included a fun "bonus" lesson that "taught" Neo to call Agent Smith every time he was trying to find an exit?
That's what's happening in Pickle Files, and that's the setup for ML and AI.
This talk will step through the threat, some examples, and emerging detection capabilities. You will KNOW Kung Fu when it's over.
Open source software is the ultimate neighborhood party—doors open, music playing, people bringing their best dishes (or code). Projects grow fast, the energy is contagious, and everyone benefits from the collective creativity. But in every good party, there’s risk: the friend-of-a-friend-of-a-friend who slips in unnoticed, doesn’t follow the house rules, and eventually leaves you with a hole in the drywall.
In the open source world, that’s dependency hell. It starts with a package you trust—but that package has its own dependencies, which have their own dependencies, and somewhere deep in that chain lurks outdated, vulnerable, or even malicious code. You didn’t invite it, you don’t know it’s there, but it’s living in your codebase rent-free. And attackers love this—because if they compromise just one small link in that long chain, they can crash your entire project.
In this session, we’ll dig into the messy reality of dependency hell and its role in software supply chain security incidents. We’ll examine real-world examples where hidden or neglected dependencies became the entry point for compromise, from typosquatting attacks to maintainer account takeovers. We’ll explore why it’s not just about malicious intent—sometimes the “bad guest” is simply an abandoned project with known CVEs that no one bothered to patch.
Imagine curating an art gallery—you wouldn’t hang just any painting on the wall. Each piece is carefully selected, verified for authenticity, and preserved to ensure a valuable experience for visitors. The same meticulous approach applies to software development.
Secure curation of open source isn’t about stifling creativity; it’s about ensuring that the dependencies we bring into our applications are secure, well-maintained, and reliable. As an art curator protects against forgeries and deterioration, developers must assess third-party components for malware, tampering, vulnerabilities, licensing risks, and long-term sustainability.
This talk will explore why curation is the foundation of secure software supply chains. We’ll discuss practical strategies for evaluating dependencies, maintaining a trusted repository, and leveraging free tools to automate the process. By adopting a safe curation mindset, developers can sleep better at night, knowing their applications rest on a foundation of safe, high-quality components.