Trusting the wrong package. [Only Malware in the Building]
A single compromised open-source package can now trigger a global cyber cascade, as criminal groups like Team PCP weaponize the software supply chain with industrial-scale precision. Unlike traditional attacks that target individuals, these threats exploit the trust we place in automated updates and widely used code libraries—turning every developer’s dependency into a potential backdoor. The episode draws a chilling parallel to the 2000s 'capacitor plague,' where a tiny, invisible defect in a common component caused systems worldwide to fail years later. Today, the threat is digital: malicious code injected into NPM packages, VS Code extensions, and CI/CD pipelines can silently spread through thousands of organizations in minutes. What makes this crisis uniquely dangerous is the rise of AI-assisted development—where LLMs themselves can be poisoned, turning the very tools meant to boost productivity into vectors for exploitation. The hosts argue that the era of blind trust in software has ended, and organizations must now adopt a 'trust but verify' mindset, with rigorous validation, dependency mapping, and tabletop exercises to simulate supply chain breaches. The future of cybersecurity isn’t just about firewalls—it’s about auditing the invisible bricks that build our digital world.
A single compromised open-source package can trigger a global supply chain breach, affecting thousands of organizations simultaneously.
Team PCP is a criminal group industrializing supply chain attacks by recruiting affiliates and advertising on the dark web—like a ransomware gang for code.
Automated CI/CD pipelines are a major risk: if a malicious update slips through, it can be deployed across an entire organization without human review.
Developers using AI tools like LLMs are unknowingly at risk—the AI itself can be poisoned, leading to credential theft or malicious code injection.
Rolling back to a 'safe' version of software doesn’t fix the breach—credentials and access are already compromised, requiring full incident response.
…and 3 more takeaways available in PodZeus
The Cyberstorm That’s Already Here
The episode opens with a satirical news segment depicting a fictional 'cyberstorm' that mirrors real-world supply chain attacks, using the metaphor of a storm system to illustrate how malicious code spreads rapidly across unsecured networks.
The Rise of the Supply Chain Attack
“I think it's inevitable when it was just a matter of time before the criminals are like, hey, that's kind of the way to go.”
How the Attack Works: The CI/CD Pipeline
The episode explains the mechanics of modern supply chain attacks, focusing on how malicious code is injected into CI/CD pipelines and automatically distributed to thousands of users.
The GitHub Breach and the Megalodon Attack
“Team PCP was able to access a GitHub employees account via this Visual Studio Code extension that was compromised.”
The Lego Brick Metaphor: Trust in Code
“What would happen if all of a sudden, you know, one of the Lego bricks that came in your set was capable of listening to everything that you did and you didn't know it and it went out in Lego sets all over the world?”
“And what would happen if all of a sudden, you know, one of the Lego bricks that came in your set was capable of listening to everything that you did and you didn't know it and it went out in Lego sets all over the world?”
“So Team PCP was able to access a GitHub employees account via this Visual Studio Code extension that was compromised, right?”
“Because if you know what they're targeting, then you can shore that up. But if you have no idea what they're doing out there, then you're just running blind.”
Hosts
Team PCP
organization
GitHub
organization
NPM
organization
Capacitor Plague
other
VS Code
product
ThreatLocker
organization
Mythos
product
North Korea
place
Wired
other
Knicks
other
GitHub's plan for Agents — Kyle Daigle, GitHub
1h 23m • 6/2/2026
New Problems Need New Solutions - WAN Show May 29, 2026
3h 25m • 5/30/2026
Calendly.com vs Cal.com: How to Make Calendar Scheduling Easier for Online Meetings
2h 10m • 5/31/2026
147: Vercel Made a Programming Language for Robots
52m • 6/1/2026
From open source hits to OpenAI (Interview)
1h 46m • 6/5/2026
Start discovering podcast insights today
Start with a 7-day trial and explore a growing catalog of popular podcasts. No credit card required.
No credit card required • 7-day trial • Cancel anytime

