Mackenzie Jackson
Bad Dependencies Podcast
Welcome to Bad Dependencies, the podcast where the digital supply chain gets audited in real-time. Hosted by security researchers Charlie Erikson and Mackenzie Jackson from Aikido Security, this bi-weekly show dives deep into the wildest, weirdest, and most dangerous malware found lurking in package registries like NPM and PyPI. From image-based payloads to AI-generated code noise, nothing is off-limits as Charlie and Mackenzie explore the bleeding edge of software supply chain attacks. Whether you’re a developer, security enthusiast, or just malware-curious, Bad Dependencies will open your ey
Author
Mackenzie Jackson
Category
Podcast website
Latest episode
Jun 17, 2026
Where to listen?
Podcasts in the app Replaio Radio Coming soonPodcasts are coming to the app soon. Install now and be the first to see a whole new take on podcasts
Episodes
Inside the Mastra NPM Attack: Contagious Interviews & Poisoned Dependencies 17.06.2026 21:18
In this episode of Bad Dependencies , host Mackenzie Jackson sits down with security researcher Charlie Eriksen to dissect a massive software supply chain attack hitting the Mastra AI ecosystem. Breaking down how an attacker compromised a maintainer's account to inject a malicious transitive dependency (easy-day-js) across over 140 packages, they explore the sophisticated social engineering ta...
Google API keys keep working after you delete them - Bad Dependencies with Joe Leon 17.06.2026 23:39
In this episode of Bad Dependencies, host Mackenzie Jackson sits down with security researcher Joe Leon to dissect a major shift in Google API key sensitivity. For years treated as benign public identifiers, these same keys became high-risk vectors following the integration of Google Gemini, allowing threat actors to rack up enormous cloud bills and access cached files. Joe reveals his startling d...
GitHub Breach: Inside the Team PCP Supply Chain Breach 21.05.2026 24:54
In this episode of Bad Dependencies, we analyze the reported leak of GitHub's source code and the sale of thousands of its repositories. We map out the chain of events leading up to the incident, including recent compromises of a Visual Studio Code extension and a PyPI package. The discussion covers the tactics of the threat actor group Team PCP, the practical limitations of rapid credential r...
Shai-Hulud is Back: TanStack & Mistral AI Breach by TeamPCP Mini Worm 13.05.2026 23:02
In this episode of Bad Dependencies, we dive into the "wormy" chaos of the latest supply chain attack hitting the JavaScript ecosystem. Join researcher Charlie Eriksen as he breaks down how the threat actor group TeamPCP compromised the widely-used TanStack ecosystem and successfully pivoted into Mistral AI. We explore the technical "perfection" of this attack: a lethal combina...
From Trivy to LiteLLM: The Domino Effect of TeamPCP’s Attack 30.03.2026 24:01
In this episode of Bad Dependencies, Mackenzie and security researcher Charlie Erickson break down a fast-moving software supply chain attack led by Team PCP.Starting with the compromise of Trivy, the attackers leveraged stolen credentials to spread into ecosystems like NPM and LiteLLM, impacting widely used developer tools and AI infrastructure. The conversation explores how the attack evolved, i...
Inside ShaiHulud 2.0: The Supply-Chain Worm That Read Your Secrets 27.11.2025 38:01
In this episode, I sit down with Charlie Eriksen, the researcher who uncovered the Shai Hulud 2.0 campaign, for a deep dive into one of the wildest supply-chain attacks we’ve seen. What began as a strange detection quickly unraveled into a worm that spread across npm, GitHub, and even a compromised Open VSX extension. “Patient Zero” was AsyncAPI, where the attackers exploited a subtle GitHub Actio...
The OpenVSX Supply Chain Attack: Invisible Malware in VS Code - Bad Dependencies Podcast 27.10.2025 22:59
In this episode of Bad Dependencies, Mackenzie Jackson and Charlie Eriksen dive into one of the most sophisticated malware incidents to target developers — the OpenVSX compromise. They unpack how attackers hid malicious code using Unicode obfuscation, discuss the shift from npm to VS Code extension attacks, and explore how the open-source ecosystem is responding. The episode also covers npm’s new...
Discovering Shai-Hulud and the Struggle to Raise the Alarm: Bad Dependencies ft Daniel Pereira 18.09.2025 29:02
In this episode, host Mackenzie Jackson is joined by Charlie Erikson and Daniel Pereira to uncover the story of Shai-Hulud — a self-propagating worm that shook the NPM ecosystem. Like the great sandworm of Arrakis, it surfaced suddenly, exfiltrating secrets and spreading through unsuspecting packages. Daniel recounts his discovery and the frustrating desert-like silence from major platforms as he...
Yep, I Got Pwned: A Candid Chat With The Chalk & Debug Maintainer 17.09.2025 43:26
Charlie Eriksen and I sat down for a candid chat with Josh Junon, the maintainer of chalk and debug, who found himself at the center of one of the largest npm supply-chain attacks. Josh talks openly about: ✅ How the phishing attack actually worked ✅ What it felt like to have his packages hijacked ✅ The lessons for every open source maintainer and company that relies on npmIt’s a rare, first-han...
The NX S1ingularity Attack: Secrets in Plain Sight 29.08.2025 19:53
Charlie Erkson and Mackenzie Jackson return with breaking news on one of the wildest supply chain compromises to date. The popular NX packages —with millions of weekly downloads—were hijacked, and attackers used an LLM-powered malware to crawl systems for secrets like GitHub and NPM tokens. Even stranger, instead of exfiltrating data to a private server, the stolen information was dumped into publ...
Phishing Attacks on NPM, Accidental Stylus Removal and Aikido Safe Chain: Bad Dependencies Episode 4 31.07.2025 27:07
In this Episode Mackenzie and Charlie sit down to discuss exactly what is going on with all the Phishing campaigns against NPM maintainers, what was compromised, and what you can do about it. We also discuss the weird removal by NPM of Stylus, which caused massive build issues and also discuss Aikido Safe-Chain, a new open-source package to keep your dependencies safe.
Bad Dependencies Episode 3: Malware, Bug Bounties, and the Ethics of Offense 08.07.2025 28:25
In this episode of Bad Dependencies, we explore the gray zone of offensive security with researcher Raphael Silva from Checkmarx. Hosts Mackenzie and Charlie break down June’s 4,000+ flagged malicious packages, then chat with Raphael about his real-world experiments planting “malicious-but-not” packages in places like npm and the VS Code Marketplace. From unicode deception to malware hidden in PNG...
Bad Dependencies – Episode 2: The React Native Aria Backdoor Meltdown 20.06.2025 16:11
In this explosive episode of Bad Dependencies, Mackenzie Jackson and Charlie Eriksen uncover a sophisticated malware campaign that compromised 16 popular npm packages—including libraries under the "react-native-aria" scope. The hosts break down how the breach was discovered, what the payload did, and the widespread implications for the JavaScript ecosystem. From obscure obfuscation trick...
Bad Dependencies: JPEGs, JavaScript, and Janky Malware: Image-Based Attacks in NPM 02.06.2025 34:48
In the debut episode of Bad Dependencies, Charlie and Mackenzie unpack some seriously strange cases of malware hidden in plain sight on NPM. They explore how malicious actors are stuffing payloads into image files like JPEGs and PNGs, and how these are being unpacked with clever JavaScript tricks to evade detection. You'll hear how AI-generated decoy code, fake Readme files, and hidden PowerSh...
Similar podcasts
Replaio is not a podcast publisher; show names, artwork and audio belong to their authors and are distributed through public RSS feeds.