CyberWire Daily – Data Security Decoded
Episode: "The Hidden Risk in Your Stack"
Date: December 29, 2025
Host: Caleb Tolan (A)
Guest: Hayden Smith (B), CEO of Hunted Labs
Episode Overview
This episode delves deep into the escalating risks and complexities of supply chain attacks, especially those leveraging open source software in enterprise environments. Host Caleb Tolan sits down with Hayden Smith, CEO of Hunted Labs, to explore how these attacks happen, why open source creates both opportunity and risk, and how organizations can blend proactive risk management, threat hunting, and AI-powered solutions to secure their software stacks.
Key Discussion Points & Insights
The Critical Role—and Risk—of Open Source Software
- Open Source Ubiquity: Open source software underpins "everything we know and love today," from enterprise apps to AI infrastructure. (B, 03:43)
- Enterprise Dependency: "Most enterprise applications, about 70, 80%, sometimes higher, is all composed of open source software." (B, 03:59)
- Diverse Maintenance Standards: Each open source component is "maintained to a different standard"—security and compliance can vary wildly.
- Managing, Not Eliminating, Risk: Eliminating open source isn't realistic; organizations must manage its risks through better practices from selection to deployment.
How Supply Chain Attacks Unfold
- Entry Point – Contribution as Attack: The most effective way to attack open source is "to contribute." Attackers create fake or compromised accounts and submit malicious code or packages. (B, 07:08)
- The xz Case & Exploiting Trust: Recent high-profile supply chain attacks (e.g., the xz backdoor) involved attackers building trust and rapport with maintainers before undermining codebases.
- Scale of the Threat: The "Indonesian Foods campaign" published 86,000 fake npm packages—one every seven seconds. (B, 08:42)
- Supply Chain Amplification: Malicious packages often pull in more malicious code, compounding the threat. “If you pulled down one package, you're actually pulling down, you know, maybe in this case eight to ten new bad packages.” (B, 09:25)
- AI Automation: Attackers leverage AI to automate the creation of fake accounts and code at scale, making detection tougher.
Vetting Contributors: Lessons from Online Communities
- Moderator Analogy: Vetting is similar to how Reddit mods check community members. Open source needs similar stewarding but faces scale challenges.
- Stewardship Scarcity: Major projects have trusted maintainers—e.g., Linux, CNCF—but most of the open source ecosystem lacks this oversight.
- Enterprise Due Diligence: "It leaves the burden with enterprises to ... do their due diligence on open source before they ... include that piece ... in their application." (B, 11:55)
Threat Hunting, Detection, and AI-Powered Discovery
- Proactive Security: Threat hunting treats detection as “reconnaissance in advance”—scanning not just the code, but the maintainers and accounts behind it. (B, 13:16)
- Targeted Investigation: Instead of “boiling the ocean,” organizations need to track and monitor the set of open source components they rely on.
- AI Models in Threat Hunting: AI is used to interrogate code for “unknown vulnerabilities that maybe someone isn’t disclosing” (referencing an engineer at Huawei withholding vulnerabilities at a boss’s request). (B, 14:38)
- Continuous Monitoring: Regular, intelligent scanning is necessary, as threats can emerge rapidly and without public disclosure.
Recovery and Contingency in Supply Chain Breaches
- Immediate Neutralization: First neutralize the discovered malware/intrusion.
- Pinning Dependencies & Rollbacks: "Pinning your dependencies" helps prevent ingesting automatic updates that might be compromised. Roll back to known good versions as a key recovery strategy. (B, 16:47)
- Complexity at Scale: At large enterprises, identifying and purging all instances of maliciously tainted packages (especially if thousands are involved) can quickly become unmanageable.
- Standard Best Practices: Principles like asset inventory, SBOMs (Software Bill of Materials), vulnerability scanning, and regular backups are crucial.
- Worst Case – Data Exfiltration: Some attacks result in full source code troves being stolen. Backups and incident response plans should anticipate this.
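An added example (not from the episode or from Hunted Labs) of checking the "pinning" advice above in an npm project: it flags `package.json` specs that can float to a new release and lockfile entries that carry no integrity hash. The package names, the `demo-app` project and the hash string are constructed placeholders.

```javascript
// Added example. Package names and hash strings are constructed placeholders.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// List package.json dependencies whose spec can float to a new release.
function findUnpinned(manifest) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!EXACT.test(spec)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// List lockfile entries (lockfileVersion 2/3 "packages" map) with no integrity
// hash, which means the installed tarball cannot be checked against the lock.
function findUnverifiable(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project / workspace link
    if (!entry.integrity) findings.push({ path, version: entry.version });
  }
  return findings;
}

// Constructed sample input.
const sampleManifest = {
  dependencies: { "example-lib": "^1.4.0", "example-util": "2.0.1" },
  devDependencies: { "example-test-tool": "latest" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/example-lib": { version: "1.4.2", integrity: "sha512-CONSTRUCTED-PLACEHOLDER" },
    "node_modules/example-util": { version: "2.0.1" },
  },
};

console.log(findUnpinned(sampleManifest));
console.log(findUnverifiable(sampleLock));
```

A range such as `^1.4.0` is still held in place by a committed lockfile when installs use `npm ci`; the manifest check matters most where the lockfile is regenerated or absent.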
Essential Continuous Monitoring Strategies
- Know Your Dependencies: Have a complete inventory (both open source and proprietary) (B, 21:18)
- Prioritize Critical Packages: Focus scrutiny on most popular or critical open source dependencies.
- Upstream Monitoring: Check whether dependencies are actively maintained or potentially abandoned.
- Interrogate All Updates: Each new release or dependency update needs review for anomalies, especially if coming from previously unknown contributors. (B, 22:35)
- Threat Intelligence Integration: Have live threat intel feeds so you can know, in real-time, when a crisis emerges affecting packages you use.
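An added example (not from the episode or from Hunted Labs) of the "Know Your Dependencies" and "Interrogate All Updates" steps for npm: it compares the lockfile from before and after an update and reports package names that were never in the inventory, which is where the amplification described earlier would show up. All package names, versions and the `demo-app` project are constructed.

```javascript
// Added example. All package names and versions are constructed.

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Map each package name to the set of versions present in a lockfile.
function indexLock(lock) {
  const index = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const name = packageName(path);
    if (!index.has(name)) index.set(name, new Set());
    index.get(name).add(entry.version);
  }
  return index;
}

// Report what an update changed: names never seen before, and new versions
// of names already in the inventory.
function diffLockfiles(before, after) {
  const oldIdx = indexLock(before), newIdx = indexLock(after);
  const added = [], changed = [];
  for (const [name, versions] of newIdx) {
    if (!oldIdx.has(name)) { added.push(name); continue; }
    const fresh = [...versions].filter((v) => !oldIdx.get(name).has(v));
    if (fresh.length) changed.push({ name, versions: fresh });
  }
  const removed = [...oldIdx.keys()].filter((n) => !newIdx.has(n));
  return { added: added.sort(), changed, removed };
}

// Constructed snapshots: a patch bump of one dependency brings in two new names.
const lockBefore = { packages: {
  "": { name: "demo-app" },
  "node_modules/example-lib": { version: "1.4.2" },
} };
const lockAfter = { packages: {
  "": { name: "demo-app" },
  "node_modules/example-lib": { version: "1.4.3" },
  "node_modules/example-helper-a": { version: "0.0.1" },
  "node_modules/example-lib/node_modules/@example/helper-b": { version: "0.0.1" },
} };

console.log(diffLockfiles(lockBefore, lockAfter));
```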
Notable Quotes & Memorable Moments
On Open Source Dependency
"Most enterprise applications, about 70, 80%, sometimes higher, is all composed of open source software."
— Hayden Smith (03:59)
On the Supply Chain Attack Entry Point
"Ironically, the best way to attack open source is to contribute."
— Hayden Smith (07:13)
On Attack Escalation
"A new fake package full of malware being published every seven seconds ... it will actually source more fake packages."
— Hayden Smith on the Indonesian Foods campaign (08:44 – 09:15)
On Enterprise Responsibility
"It leaves the burden with enterprises to ... do their due diligence on open source before they ... include that piece ... in their application."
— Hayden Smith (11:55)
On Threat Hunting
"We're trying to go out there almost like conduct reconnaissance in advance of using software."
— Hayden Smith (13:18)
On the Challenge of Recovery
"If you rely on 10 critical things ... you better know what they are. You don't want to find out when the attack is already unfolding."
— Hayden Smith (18:58)
On the Need for Continuous Monitoring
"Everything I do or prescribe is really falling into ... the kind of continuous monitoring of the open source that you're consuming and really driving ... using threat intelligence to have that insight available continuously."
— Hayden Smith (23:38)
Timeline of Key Segments
- [00:10] – Setting the stage: Open source, AI, and risks of scale
- [03:05] – Introduction to Hayden Smith; topic focus: supply chain attacks
- [03:43] – Open source as a double-edged sword for enterprises
- [07:06] – Typical entry points for supply chain attacks; real-world examples
- [08:42] – The Indonesian Foods campaign and the scale of fake packages
- [11:14] – The analogy to Reddit moderation & vetting contributors
- [13:13] – Role of threat hunting and AI in identifying and mitigating risk
- [16:42] – Recovery strategies and the challenge of maintaining resilience
- [21:11] – What orgs can do now: Continuous monitoring, inventory, and threat intelligence
- [24:14] – Where to find more: Hunted Labs resources
Resources & Further Learning
- Hunted Labs: huntedlabs.com
- The Hunting Ground: Security research and supply chain intel
Episode Takeaways
- Supply chain attacks targeting open source are growing in frequency, scale, and sophistication, often exploiting trust and automation.
- Enterprises cannot blindly trust upstream packages or contributors; due diligence, threat hunting, and real-time monitoring are essential.
- AI is both a tool for attackers (automation) and defenders (code interrogation, anomaly detection).
- Continuous monitoring, dependency inventory, and integrating threat intelligence into dev and security workflows are critical for defense.
- Even a single malicious package can cascade into massive organizational crises; layered defense and rapid response are crucial.
