Name: The Secret Life of Malicious Packages & Malicious Package Detection Engineering
Start: 2025-06-19T18:00:00-07:00
End: 2025-06-19T20:00:00-07:00
Location: SFU Venture Labs

**The Secret Life of Malicious Packages** with **Megg Sage**

Supply chain security has been all the rage recently—we keep hearing story after story about malicious packages popping up across various package repositories. This talk dives into the secret life of malicious packages: what they are, where they lurk, how they operate, and the many creative ways they can wreak havoc. From innocent-seeming typosquats to the compromise of trusted, widely-used packages, we’ll explore the full spectrum of threats and real-world examples that show just how sneaky (and dangerous) these packages can be.

So how can we protect ourselves from these threats? There are various options such as checking package health, source code reviews/scans, or use of tooling such as SCA tools. SCA scans, while very useful for vulnerability scanning, cannot be relied upon to protect against malicious packages. This talk will discuss their blind spots and other options for adding further protection. It will further reinforce that security should always take a multi-layered approach.

**About our speaker**
I'm an application security engineer who started out as a web developer. Security drew me in with the endless puzzles and challenges put forth by the field. I love sharing knowledge, particularly when I can both educate and horrify my audience at the same time. After all, what can happen when security goes wrong is pretty scary. I also enjoy working closely with software engineering teams to try to make security work within existing development practices, or at least try to minimize how painful "doing security" can be. When not behind a computer, I can usually be found making some sort of costume piece or shiny object.

============

**Introducing malicious package detection engineering** with **Paul McCarty**

As software supply chain attacks continue to rise in frequency and sophistication, it is crucial for security professionals to adapt their processes to address these threats effectively. One way to do this is to build a detection engineering practice to identify malicious packages as well as identify the threat indicators in those packages. In this talk, we'll examine real detection strategies, covering traditional IOCs like IP addresses and domains found in package-based malware, while also exploring package-specific indicators. Attendees will learn practical approaches to distinguish between accidentally vulnerable code and purposefully malicious packages.

**Paul** is the Head of Research at Safety (safetycli.com) and a DevSecOps OG. He loves software supply chain research and delivering supply chain offensive security training and engagements. He's spent the last two years deep-diving into npm and has made several discoveries about the ecosystem. Paul founded multiple startups starting in the '90s, with UtahConnect, SecureStack in 2017, and SourceCodeRED in 2023. Paul has worked for NASA, Boeing, Blue Cross/Blue Shield, John Deere, the US military, the Australian government and several startups over the last 30 years. Paul is a frequent open-source contributor and author of several DevSecOps, software supply chain and threat modelling projects. He’s currently writing a book entitled “Hacking NPM”, and when he’s not doing that, he’s snowboarding with his wife and 3 amazing kids.

**We would like to thank [Forward Security](https://forwardsecurity.com/) for sponsoring this event.**

Amiran Alavidze

OWASP Vancouver Chapter

OWASP Foundation 

Technology

Open Source

Software Development

OWASP

Information Security

Software Security

Ethical Hacking

Penetration Testing

Cybersecurity

Web Application Security

Application Security

The Secret Life of Malicious Packages & Malicious Package Detection Engineering

SFU Venture Labs

Share

What does your past 12 months of Meetup reveal about you? It's time to relive your personal highlights!

Don't miss your <highlight>2025 recap!</highlight>

OWASP Vancouver Chapter

The Secret Life of Malicious Packages & Malicious Package Detection Engineering

OWASP Vancouver Chapter

Details

Members are also interested in