A poisoned VS Code extension exposed 3,800 GitHub repositories while TeamPCP's FIRESCALE malware hides C2 instructions in public commit messages. Plus: HackerOne slashes bug bounty payouts 75%, Linus Torvalds warns of a Linux maintainer crisis, and New Jersey's breach law redraws liability.
Audio is available on Spreaker.
A poisoned VS Code extension just handed attackers the keys to GitHub's internal codebase. That's not a theoretical supply chain risk.
TeamPCP isn't new to this. They've previously compromised tools like Trivy, LiteLLM, and TanStack.
Now for a story that's been building quietly and just became operational. HackerOne has cut bug bounty payouts by seventy-five percent.
The same pressure is hitting open-source directly. Linus Torvalds has described the Linux kernel security mailing list as unmanageable due to AI-generated duplicate reports.
Two more items worth tracking. On ransomware, double extortion is now the dominant playbook.
The two things worth watching closely are the downstream scope of the GitHub PyPI compromise, and whether the full extent of the Copilot and CodeQL internals exposure becomes clearer. Both carry second-order risk that hasn't fully materialized yet.
Chapter summary auto-generated from the verified script. Listen to the full episode for the complete content.