In this episode, we cover four topics:

• Lovable and Vercel incident response failures: Two AI-native platforms had significant security incidents in recent weeks, and both initially responded by minimizing the severity. We break down why Lovable's regression exposed source code and full chat history to any free account holder (the mother of all IDORs), why Vercel's response left paying customers without a single actionable mitigation step, and what good incident response communication actually looks like.
• GitHub RCE via git push: A remote code execution vulnerability sitting in GitHub's codebase for over a decade allowed arbitrary code to be passed and executed via the -o option on a git push. We discuss why this happened, why it is not entirely surprising given Git's design history, and what it means for the ecosystem.
• EDR vs. AI coding agents: Paul's EDR flagged his own development environment as infected while he was refactoring a library with Claude. We unpack why AI agents operating at non-human speed trigger the same behavioral signatures as ransomware, and why this is going to become a bigger problem as agentic coding workflows become the norm.
• Mini Shai Halud by Team PCP: Team PCP's latest campaign compromised the Lightning Python package (15 million downloads per week) and the Intercom npm client (370,000 downloads per week), among others. We cover what makes this campaign notable: Team PCP has adopted the VS Code tasks file persistence technique previously seen only in DPRK-linked campaigns like TasksJacker and Pollen Rider. We also discuss what over 2,000 exfiltration repositories on GitHub mean for affected developers and organizations, and what you should be doing right now if you are worried you are affected.

Episode Resources:

AI Full-Stack Development: The Anti-Patterns Rise Against Us - Part 1
Our research on some security anti-patterns we discovered when auditing how AI tools write code

Mini Shai-Hulud Borrowed Its Best Trick From PolinRider
An analysis of the TeamPCP campaign “mini Shai Hulud, including details on the trick they borrowed from North Korean campaigns like PolinRider and Contagious Interview

Renovate & Dependabot: The New Malware Delivery System
A GitGuardian blog about the way these tools can accidentally auto-install malware

• Bitwarden CLI Compromise: We analyze the recently discovered malicious version (2026.4.0) of the Bitwarden CLI package. We break down how this cloud-native infostealer silently executes via pre-install scripts to harvest credentials across AWS, Azure, GCP, and GitHub, as well as hoovering up AI config files like Claude. We also discuss its exfiltration tactics to a lookalike domain and explain why we are skeptical of the threat actor's claims that this is the "third coming of Shai-Hulud".
• The Danger of npm Lifecycle Scripts: Why are pre-install and post-install scripts such a popular attack path? We discuss how threat actors exploit these convenience features to auto-install malware. We also explore the differences between package managers, noting that while these scripts are off by default in tools like pnpm and bun, they remain on by default in npm.
• OWASP's npm Security Cheat Sheet: We review a 12-point cheat sheet from OWASP covering npm security best practices. We share our thoughts on artifact governance, the realities of responsible disclosure, and why falling for dependency confusion or typo squatting attacks relies more on machine automation than just "dummy" human errors. 
• GenAI and Cross-Ecosystem Attacks: We wrap up with an alarming new trend we observed just this week: threat actors using Generative AI (like Claude) to rapidly translate working malware into different programming languages. This enabled them to deploy malicious packages across multiple ecosystems to target users of a specific company within a coordinated 8-hour window.

Resources:

• bitwarden/cli threat report
• NPM security cheat sheet from OWASP
• Get started with OpenSourceMalware for free