In this episode of The Secure Disclosure, host Mackenzie Jackson dives into two fascinating conversations at the intersection of cybersecurity, trust, and AI innovation.First, Romain Moisescot from Veriff (https://veriff.com) explores the heated debate around digital identities in the UK, addressing concerns about privacy, government trust, and the rising wave of online fraud. With Veriff’s Identity Fraud Report 2025 (https://www.veriff.com/resources/ebooks/veriff-identity-fraud-report-2025), he shares insights into how fraudsters leverage AI and how digitally native IDs can fight back.Then, at the Cyber Saki Bar, Geoffrey De Smet, co-founder of Timefold.ai (https://timefold.ai), recounts his journey from building an open-source project 19 years ago to launching a company after IBM’s acquisition of Red Hat. Geoffrey breaks down the difference between heuristic AI solvers and LLMs, why scheduling is one of the hardest problems in tech, and how Timefold is freeing the world from “wasteful scheduling.”If you’re curious about the future of digital trust, fraud prevention, and practical AI applications, this is an episode you won’t want to miss.Chapters00:00 – Introduction01:19 – The Digital Identity Dilemma (with Veriff)18:18 – Sponsor Segment: Aikido Security19:02 – Cyber & Sake: Geoffrey De Smet and the Timefold Journey47:31 – Would You Rather48:14 – Closing Thoughts & Farewell

This week on The Secure Disclosure, host Mackenzie Jackson dives into “the largest breach that never really happened” the September npm supply chain compromise that put 2.6 billion weekly downloads at risk but somehow didn’t take down the internet.Joining me are two key voices from the incident:Josh Junon – the maintainer who was phished, unknowingly triggering the chain of events.Charlie Erikson – the security researcher who first discovered and analyzed the malware.Together, we unpack the timeline: the phishing email that started it all, the malware hidden inside foundational packages like debug and chalk, the viral panic that followed, and why the attackers walked away with just $900 in crypto instead of world domination.We also discuss what the breach teaches us about security “working,” luck, and where the ecosystem still leaves maintainers dangerously exposed.SponsorThis episode is brought to you by Aikido Security — your complete code security platform.Check out Aikido: https://aikido.devPrevent supplychain attacks with Aikido SafeChain: https://www.npmjs.com/package/@aikidosec/safe-chainWatch & Listen🎧 Spotify & other platforms: https://creators.spotify.com/pod/profile/thesecuredisclosure/Connect with MeX (Twitter): https://x.com/advocatemackLinkedIn: https://linkedin.com/in/adovcatemackReferencesXKCD Web Comic: https://xkcd.com/2347/Wiz Blog Post: https://www.wiz.io/blog/widespread-npm-supply-chain-attack-breaking-down-impact-scope-across-debug-chalkInsiderPhD YouTube: https://www.youtube.com/c/InsiderPhDInsiderPhD X Post: https://x.com/InsiderPhD/status/1965110610972250550My LinkedIn Post: https://www.linkedin.com/feed/update/urn:li:activity:7373625746822696960/John Hammond Video: https://www.youtube.com/watch?v=4caJw0JJZTQChapters00:00 – Intro00:18 – Setting the stage: the breach that “never really happened”01:31 – Josh Junon: the phishing email that started it all04:39 – Malware injection and Charlie Erikson’s discovery06:58 – The viral panic: LinkedIn posts, headlines, and John Hammond’s roast09:01 – Why the npm compromise looked bigger than it was12:31 – Foundational packages, open-source reliance, and the Nebraska problem16:18 – What really happened: $900 stolen in crypto18:31 – Security win or just luck? Community reactions and InsiderPhD’s take23:09 – The scarier “what ifs” and why attackers underused their access23:40 – Sponsored segment: Aikido Security & SafeChain24:26 – Josh on community support and mental health for maintainers26:23 – Where npm failed and how package managers need to improve28:14 – Outro and reflections

In this episode of Secure Disclosure, host Mackenzie Jackson takes you on a journey through the evolving world of cyber threats and the people on the frontlines. We kick things off with a deep dive into phishing attacks with Jacques Louw and the surprising ways they continue to outsmart defenses in 2025. Then, we unravel the story of a dangerous WhatsApp zero-click vulnerability that, when paired with an Apple iOS flaw, gave attackers full control of victims’ devices, all without a single tap.We also take a lighter turn at the Cyber Sake Bar, where we sit down with the world’s number one competitive hacker, Philippe Dourassov, to talk about the thrill of international hacking competitions, how he accidentally hacked Discord, and why he’s now building his own startup. Along the way, we highlight the crucial role of defense, the impact of AI on modern attacks, and even taste test Japanese vs Californian sake.LinksPush Security Phishing Report - https://pushsecurity.com/resources/phishing-evolutionWhatsApp Vulnerability - https://www.bitdefender.com/en-us/blog/hotforsecurity/whatsapp-zero-click-spyware-attack-android⏱️ Chapters00:00 Intro – Welcome & Overview01:32 The Evolution of Phishing Attacks- Jacques Louw Push Security 21:31 WhatsApp Segment – Zero-Click Vulnerability Deep Dive26:18 Sponsor Segment – Aikido Security Spotlight27:01 Sake Segment – Philippe Dourassov on Competitive Hacking

In this episode of Secure Disclosure, host Mackenzie Jackson unpacks the NX breach with malware researcher Charlie Ericson and GitGuardian’s Guillaume Valadon, revealing how stolen tokens exposed thousands of secrets on GitHub. Analyst James Berthoty then offers an exclusive preview of Lacio Tech’s Cloud Security Report, cutting through the AI hype to highlight real trends. Finally, Ashish Rajan joins the Cyber & Saki segment to share his vision for the future of cloud security.00:00 – Introduction01:15 – The NX Breach Explained06:25 – Secrets in Public Repos20:47 – Cloud Security Report Sneak Peek with James Berthoty36:25 – Cyber & Saki with Ashish Rajan

In this episode of The Secure Disclosure, host Mackenzie Jackson is joined by Darktrace VP Nathaniel Jones to unpack the newly discovered AutoColor malware exploiting SAP NetWeaver vulnerabilities. We also cover the WinRAR zero-day actively exploited by RomCom APT and wrap up with an unforgettable interview with Len No, a real cyborg hacker with 11 implants who demonstrates what’s possible when the human body meets hacking.

Timestamps & Chapters:

00:00 – Intro

01:07 – AutoColor used in SAP NetWeaver Vuln

18:39 – Sponsor: Aikido Security

19:25 – WinRAR Zero-Day

23:30 – Interview with Len Noe

In this episode, we bring you insights from Black Hat and DEF CON 2025. We start with a breakdown of Erlang OTP CVE-2025-32433, a critical remote code execution flaw scoring a perfect 10, and why it’s being exploited in real-world infrastructure.Next, we sit down with Dustin Lehr, author of the Security Champions Program Success Guide, to discuss how to build effective security champion programs inside organizations — from finding the right people to measuring success.Finally, at the Cyber Sake Bar, we chat with Steve Giguere from Lera about the growing field of AI security. We explore risks like prompt injection, agentic AI systems, and what securing AI models really means for modern applications.Perfect for anyone interested in cybersecurity, secure development, and the future of AI security.00:00 – Intro & Hacker Summer Camp Recap01:22 – Critical Vulnerability: Erlang OTP CVE-2025-3243307:04 – Interview with Dustin Lehr: Building Security Champions29:00 – Sponsor Segment: Aikido Security & Safechain29:45 – Cyber and Sake with Steve Giguere: Securing AI Models44:09 – Prompt Injections, Agentic AI & Closing Thoughts

In this episode of Disclosure, Mackenzie Jackson takes listeners deep into the fast-evolving—and increasingly risky—world of AI-assisted coding. First, security researcher Wout Debaenst exposes a massive vulnerability in Base44’s AI coding platform that made private applications accessible to anyone with minimal effort, highlighting how “vibe coding” can create the next wave of supply chain attacks.Next, malware researcher Charlie Ericson returns to reveal a fresh PyPI phishing campaign eerily similar to last week’s npm compromise, underscoring the fragility of our open-source ecosystems.Finally, Mackenzie heads to the Cyber Sake Bar for a candid conversation with Khachatur Virabyan, co-founder of Trag, exploring how AI can change code quality. Along the way, they sip sake, swap war stories, and debate the future of software development in the age of AI.00:00 - Introduction1:19 - Base44 Breach & The Risks of AI Coding Platforms 09:24 - PyPI Phishing Campaign and Open Source Security Gaps 17:08 - AI-Assisted Code Quality with Trag 34:02 - Cybersecurity “Would You Rather” and Closing

In this episode, we talk to Visha Bernard, Chief Hacker at Eye Security, about the catastrophic SharePoint vulnerability that was exploited by suspected nation-state actors.We cover how Eye Security’s team discovered the exploit, the flawed patching timeline from Microsoft, how Google Gemini was used to find a bypass, and what organizations must do now to secure their SharePoint servers.From government targets to AI-assisted exploitation, this is a deep dive into one of the most severe security incidents of the year.Chapters00:00 Introduction to the SharePoint Vulnerability01:00 Eye Security's Initial Discovery03:30 Uncovering the Zero-Day Exploit05:30 Internet-Wide Scanning and Findings07:00 Patch Analysis and Flaws10:00 Emergency Fix and Security Research12:00 Threat Actor Attribution13:20 Advice for Organizations and Closing Remarks