In this episode of Bad Dependencies, we explore the gray zone of offensive security with researcher Raphael Silva from Checkmarx. Hosts Mackenzie and Charlie break down June’s 4,000+ flagged malicious packages, then chat with Raphael about his real-world experiments planting “malicious-but-not” packages in places like npm and the VS Code Marketplace. From unicode deception to malware hidden in PNGs, this episode unpacks the ethics of bug bounties, the dangers of going too far, and how easy it is to slip past marketplace defenses—until a random security guy in Poland catches you first.00:00 – Intro & Weather Woes00:50 – Malware Madness: 4,000+ Packages Flagged02:00 – Offensive Security 10104:00 – The Ethics of Fake Malware06:00 – Where Researchers Cross the Line10:00 – Common Pitfalls & Accidental Exposure12:05 – Guest Joins: Raphael Silva from Checkmarx13:50 – Malicious-but-Not: ExpressJS-Session Deep Dive17:30 – Why Target VS Code Extensions?22:20 – Unicode Tricks, Copycats & What’s Next

In this explosive episode of Bad Dependencies, Mackenzie Jackson and Charlie Eriksen uncover a sophisticated malware campaign that compromised 16 popular npm packages—including libraries under the "react-native-aria" scope. The hosts break down how the breach was discovered, what the payload did, and the widespread implications for the JavaScript ecosystem. From obscure obfuscation tricks to potential state-sponsored tactics, this is a deep dive into one of the most alarming supply chain attacks of 2025. Plus, the duo discusses a case of open-source copycatting following their first episode and gives insight into how threat detection has evolved.00:00 Welcome & Catching Up 01:00 react-native-aria Malware Discovery 05:10 Repeat Offender: The Same Threat Actor 06:30 Offscreen Obfuscation & Reverse Shell Payload 07:40 Potential Fallout 08:50 GitHub Compromises & Wider Infection Vectors 10:30 Who’s Behind It? 11:40 Copycat Incident: The LLM Confusion 13:10 The Power & Risks of Sharing 14:30 Closing Remarks & Threat Feed

In the debut episode of Bad Dependencies, Charlie and Mackenzie unpack some seriously strange cases of malware hidden in plain sight on NPM. They explore how malicious actors are stuffing payloads into image files like JPEGs and PNGs, and how these are being unpacked with clever JavaScript tricks to evade detection.You'll hear how AI-generated decoy code, fake Readme files, and hidden PowerShell scripts are being used to disguise the true intent of packages — from base64 blobs in JPEGs to fake "fingerprinting" logic that serves no purpose other than distraction.Expect deep dives into packages like node-wave-http, axios-fingerprint, and expressjs-session, with behind-the-scenes insights on how attackers are setting the stage for future payload delivery. Plus, discover why Discord and Cloudflare are often abused for hosting malware — and what makes Windows such a popular target for these campaigns.If you've ever wondered how bad dependencies make it past package registry checks — or how to spot them — this episode is for you.00:00 - Welcome to Bad Dependencies01:10 - Hiding Malware in Images: NodeWave HTTP04:59 - Malicious JPEG Unpacks via PowerShell07:09 - Why Hackers Use Discord for Malware Delivery09:06 - Why NPM & GitHub Don’t Catch This Stuff11:00 - A Legit App or Malware Decoy? The OSU Twist12:34 - AI-Generated Code as Distraction Noise14:44 - Obscure Pre-flight Checks & Fake Logic17:09 - Alternate Payloads Hosted on Cloudflare22:00 - PNG with Base64-Encoded Eval Exploit26:30 - This Just Sends System Info: Bug Bounty Play?30:59 - Detecting Malware with Entropy Analysis