AI is creeping into every part of software development — including CI/CD pipelines — and attackers are already abusing it.In this episode of the Secure Disclosure Podcast, we break down:A brand-new vulnerability class called Prompt Pwn, where prompt injection inside GitHub Actions can leak secrets and compromise supply chainsA sophisticated malvertising campaign targeting developers via GitHub Pages and Docker HubAnd the reality behind the cybersecurity job market: is there a skills shortage, a hiring freeze, or both?Featuring security researcher Rein Daelman on AI-driven CI/CD risks, and recruiter Barry Prost on how AI is reshaping cybersecurity hiring, skills, and careers.If you care about AppSec, DevOps, supply chain security, or breaking into cybersecurity in 2025, this one’s for you.More information PromptPwn - https://www.aikido.dev/blog/promptpwnd-github-actions-ai-agents Guiest Linkedin - https://www.linkedin.com/in/rein-daelman/Rent a Recruiter - https://rentarecruiter.com/Guest LinkedIn Barry Prost - https://www.linkedin.com/in/barryprost/Sponsors Aikido Security - https://aikido.devChapters00:00 – Intro02:00 – AI prompt injection in CI/CD, GitHub Actions, Prompt Pwn12:09 – Sponsor Segment12:59 – Malvertising campaigns targeting devs16:39 – Cybersecurity job market with Barry Prost

In this episode of Secure Disclosure, we break down two major cyber-security incidents shaking the industry.First, researcher Charlie Eriksen joins us to reveal how the Shai Hulud “The Second Coming” worm compromised over 800 NPM packages and triggered 30,000+ secret-filled GitHub repos and why the worm can even wipe your machine when containment fails.Then, we sit down with Jérémy Sicon and Quentin Bourgue from sekoia.io to uncover a highly sophisticated phishing campaign abusing Booking.com accounts using PureRAT malware and a sprawling criminal ecosystem.Subscribe for weekly deep dives into the threats shaping our digital world.00:00 – Introduction01:03 – Shahalude: The Second Coming17:07 – Sponsored Segment (Aikido SafeChain)17:10 – Malware-for-Hire: Booking.com Phishing Operation

In this episode of Secure Disclosure, Mackenzie Jackson digs into the surge of malicious VS Code extensions with researcher John Tuckner, founder of Secure Annex. We break down how attackers are shifting toward targeting developers themselves, explore real-world malicious extensions like Ransom Vibe and Sleepy Duck, and discuss why marketplaces like Open VSX are struggling to keep malware out.We also cover new research on secret leaks in top AI companies, and in our Leaders & Legends segment, we speak with Vangelis Stykas (CTO & co-founder of Kumio) about the growing vulnerabilities inside global energy infrastructure, OT security gaps, and the rise of AI-powered pentesting.If you want insights on software supply chain risk, AI security, and critical infrastructure threats—this episode is for you.Links:RansomVibe Technical Blog: https://secureannex.com/blog/ransomvibe/SleepyDuck Technical Blog: https://secureannex.com/blog/sleepyduck-malwareWiz Secrets Inside AI top 50 Research: https://www.wiz.io/blog/forbes-ai-50-leaking-secretsChapters 00:00 — Intro01:07 — Malicious VS Code Extensions (with John Tuckner)15:31 — Secrets Leaking in AI Repositories18:55 — Sponsor Segment19:55 — Leaders & Legends: Securing Critical Infrastructure

Geoffrey De Smet, creator of OptaPlanner and now Timefold.ai, shares how IBM’s acquisition of Red Hat forced him to turn his open-source project into a company. He explains why ChatGPT can’t solve real-world scheduling, what makes heuristic AI different, and how Timefold is saving companies millions of hours through smarter planning.Chapters00:00 – Introduction01:00 – Origins of OptaPlanner03:00 – The First Breakthrough05:00 – Red Hat & The Open Source Journey07:00 – IBM Acquires Red Hat10:00 – Becoming a Founder13:00 – Finding a Co-Founder15:00 – Why ChatGPT Can’t Do Scheduling17:00 – The Math Behind the Madness19:00 – How Timefold Solves Real Problems21:00 – AI Hype Cycles23:00 – Saving Hours and Dollars26:00 – “Would You Rather”29:00 – Closing

In this episode of The Secure Disclosure, host Mackenzie Jackson dives deep into the evolving intersection of AI, security, and development.First, Paul McCarty from Git Safety breaks down his recent discovery of a malicious npm package that impersonated the Claude CLI tool, hijacking developer workflows and acting as a man-in-the-middle for AI API calls. You can read Paul’s full breakdown here: “Malicious Claude Code Package Analysis” – https://www.getsafety.com/blog-posts/malicious-claude-code-packageNext, Sooraj Shah from Aikido Security joins to unpack findings from the State of AI in Security & Development 2026 Report, which surveyed 450 CISOs about how AI-generated code is reshaping security accountability, visibility, and optimism in the field. Check out the full report here: https://www.aikido.dev/state-of-ai-security-development-2026This episode explores real-world AI supply chain threats, systemic vulnerabilities in npm, and what organizations must do to stay ahead as AI reshapes modern development.Follow the guests:Follow Mackenzie: https://www.linkedin.com/in/advocatemack/Follow Paul: https://www.linkedin.com/in/mccartypaul/Follow Sooraj: https://www.linkedin.com/in/soorajshah/Chapters00:00 Introduction01:19 Paul McCarty on the malicious Claude npm package04:30 How AI tools are creating new attack paths08:06 Systemic issues and trust problems in npm10:44 Sooraj Shah on the State of AI in Security & Development14:01 Accountability, optimism, and the future of AI security

In this episode of Secure Disclosure, host Mackenzie Jackson explores the growing threat of malicious VS Code extensions with Rami McCarthy from Wiz and Charlie Eriksen from Aikido Security, diving into how leaked secrets and clever obfuscation put developers at risk. Later, Patrick Debois, the “Godfather of DevOps,” joins to discuss the rise of AI-native development, how it mirrors past DevOps shifts, and what it means for the future of secure software.Links: Original Post from Aikido: https://www.linkedin.com/feed/update/urn:li:activity:7384986044867256320Wiz Security Research on VS Code https://www.wiz.io/blog/supply-chain-risk-in-vscode-extension-marketplaces Rami McCarthy LinkedIn: https://www.linkedin.com/in/ramimac/Patrick Debois LinkedIn: https://www.linkedin.com/in/patrickdebois/Charlie Erkson Linkedin: https://www.linkedin.com/in/charlie-eriksen-a318578/Chapters00:00 — Introduction01:10 — Malicious VS Code Extensions06:00 — Leaked Secrets & Supply Chain Risk15:00 — npm Security Updates & SafeChain19:00 — The Future of AI Development

In this episode of Cyber & Sake, host Mackenzie Jackson sits down with Maarten Mortier, former CTO of Shopad, now co-founder and managing partner at Entourage VCThey discuss Maarten’s early love for programming, how Ghent became a thriving European tech hub, and why builders make the best investors. Maarten shares his insights into what he looks for during startup due diligence, how AI is reshaping both development and venture capital, and why healthy security should be baked into company culture — not siloed off.This is a deep and candid conversation about technology, product, and philosophy — from scaling startups to the evolving role of AI in coding, investing, and innovation.Pour yourself a glass of sake and join us for an episode that blends code, capital, and curiosity.⏱️ Chapter ListTime Chapter Title00:00 Introductions & Sake Tasting01:10 From Early Coding Days to CTO Success04:07 Why Ghent is Becoming a European Tech Hub07:58 Building and Investing: The Story of Entourage VC11:02 Inside VC Due Diligence and the Founder Relationship18:03 Tech Health, Security, and Red Flags for Startups25:16 What Makes a Real Moat in the Age of AI32:03 AI, Product Building, and the Future of Venture Capital39:36 Final Thoughts, Security Advice & The Sake Game

In this episode of The Secure Disclosure Podcast, host Mackenzie Jackson sits down with Matias Madou, co-founder and CTO of Secure Code Warrior, to explore how developer education is the missing key to secure software. They unpack why we’re still struggling with vulnerabilities like SQL injection in 2025, how AI is reshaping application security, and why critical thinking might be the most important security skill of all. From COBOL to ChatGPT, this is a deep dive into the past, present, and future of secure coding.Chapters 00:00 – The Origin of Secure Code Warrior05:20 – Developers vs. Security: The Real Problem08:10 – AI’s Impact on Application Security13:00 – The Confidence Trap of AI17:00 – Evolving Secure Code Warrior28:00 – Would You Rather: Security Edition