CyberWire Daily

The Hidden Risk in Your Stack [Data Security Decoded]

CyberWire Daily

N2K Networks, Inc.

Tech News, News, Daily News, Technology

4.61K Ratings

🗓️ 29 December 2025

⏱️ 26 minutes


Summary

While our team is out on winter break, please enjoy this episode of Data Security Decoded from our partners at Rubrik. In this episode of Data Security Decoded, host Caleb Tolin sits down with Hayden Smith, CEO of Hunted Labs, as he breaks down how software supply chain attacks really work, why open source dependencies create unseen exposure, and what modern threat actors are doing to exploit trust at scale. Caleb and Hayden dive deep into real-world attacks, emerging TTPs, AI-powered threat hunting, and what organizations must do today to keep pace. Listeners walk away with a clear picture of the problem and a practical blueprint for reducing supply chain risk.

What You’ll Learn

How modern attackers infiltrate open source ecosystems through fake accounts and counterfeit package contributions.
Why dependency chains dramatically amplify both exposure and attacker leverage.
How to use threat intelligence and threat hunting to proactively evaluate upstream packages before adoption.
Where AI-powered code analysis is changing the ability to discover hidden vulnerabilities and suspicious patterns.
Why dependency pinning, SBOM discipline, and continuous monitoring now define a strong supply chain posture.

Episode Highlights

00:00 — Welcome + Why Software Supply Chain Risk Matters
02:00 — Hayden’s Non-Cyber Passion + Framing Today’s Topic
03:00 — Why Open Source Powers Everything—and Why That Creates Exposure
06:00 — The Real Attack Vector: Contribution as Initial Access
08:00 — Inside the Indonesian “Fake Package” Campaign
10:30 — How to Evaluate Code + Contributor Identity Together
12:00 — Threat Hunting and AI-Enabled Code Interrogation
15:00 — The Challenge of Undisclosed Vulnerabilities in Widely Used Components
16:30 — How Recovery Works When Malware Is Already in Your Stack
19:00 — Continuous Monitoring as the Foundation of Modern Supply Chain Security
22:00 — Pinning, Maintainer Analysis, and Code Interrogation Best Practices
24:00 — Where to Learn More About Hunted Labs

Episode Resources

Hunted Labs — https://huntedlabs.com
Hunted Labs Entercept
Hunted Labs “Hunting Ground” research blog
Open Source Malware (Paul McCarty)
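The show notes name two practices, dependency pinning and maintainer/contributor analysis, without showing what either looks like in practice. The script below is an added example written for this page; it is not code from Hunted Labs, Rubrik or the episode. It audits a pip requirements file for unpinned or hash-less dependencies and mutable VCS references, then applies the account-age and track-record heuristics to contributor records. It also goes one step beyond the single-account check by grouping accounts created within the same week, the pattern behind "create 30 fake accounts at once". The sample requirements, the contributor records, the placeholder hash and all thresholds (180 days, 3 prior merged PRs, 7-day window) are constructed assumptions, not data from the episode.

```python
"""Added example for this page: dependency-pinning audit plus contributor
vetting heuristics. Not code from Hunted Labs, Rubrik or the podcast;
thresholds and sample data are assumptions chosen for illustration."""
import re
from dataclasses import dataclass
from datetime import date

# --- 1. Dependency pinning audit (pip requirements.txt syntax) --------------

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(?P<ver>[A-Za-z0-9.!+*-]+)")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")
COMMIT_RE = re.compile(r"@[0-9a-f]{40}$")


@dataclass
class Finding:
    requirement: str
    reason: str


def audit_requirements(text: str) -> list[Finding]:
    """Flag every requirement that is not pinned to an exact version with a
    sha256 hash, or that points at a mutable VCS ref (branch/tag) instead of
    a full commit SHA. `pip install --require-hashes` enforces the hash part
    at install time; this audit catches the gaps before a lockfile lands."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("-"):     # skip blanks and pip options (-r, --index-url)
            continue
        spec = line.split("--hash", 1)[0].strip()
        if " @ " in spec:                          # PEP 508 direct reference: name @ url
            if not COMMIT_RE.search(spec.split(" @ ", 1)[1]):
                findings.append(Finding(line, "direct reference is not pinned to a full commit SHA"))
            continue
        m = PIN_RE.match(spec)
        if not m:
            findings.append(Finding(line, "no exact '==' pin"))
        elif "*" in m.group("ver"):
            findings.append(Finding(line, "wildcard version"))
        elif not HASH_RE.search(line):
            findings.append(Finding(line, "pinned but no --hash=sha256"))
    return findings


# Constructed sample requirements file (the hash and commit values are placeholders).
SAMPLE_REQUIREMENTS = "\n".join([
    "requests==2.32.3 --hash=sha256:" + "a" * 64,                           # acceptable
    "flask>=2.0",                                                            # range, no hash
    "left-pad-py",                                                           # unversioned
    "urllib3==1.26.18",                                                      # pinned, no hash
    "somepkg @ git+https://example.invalid/org/somepkg.git@main",            # mutable branch ref
    "otherpkg @ git+https://example.invalid/org/otherpkg.git@" + "b" * 40,  # immutable commit
])

# --- 2. Contributor identity vetting ----------------------------------------


@dataclass
class Contributor:
    login: str
    created: date          # account creation date as reported by the forge's user API
    prior_merged_prs: int  # accepted contributions to unrelated projects


def vet_contributor(c: Contributor, today: date,
                    min_age_days: int = 180, min_history: int = 3) -> list[str]:
    """Return the reasons a contributor warrants manual review: a young
    account or no track record elsewhere. Thresholds are assumptions."""
    reasons = []
    age_days = (today - c.created).days
    if age_days < min_age_days:
        reasons.append(f"account only {age_days} days old")
    if c.prior_merged_prs < min_history:
        reasons.append(f"only {c.prior_merged_prs} prior merged PRs elsewhere")
    return reasons


def new_account_bursts(contributors, window_days: int = 7, min_size: int = 3) -> list[list[str]]:
    """Group accounts whose creation dates fall within `window_days` of the
    first account in the group and return groups of at least `min_size`.
    A burst of same-week accounts all touching one package is the
    'create 30 fake accounts at once' pattern the episode warns about."""
    ordered = sorted(contributors, key=lambda c: c.created)
    bursts, current = [], []
    for c in ordered:
        if current and (c.created - current[0].created).days > window_days:
            if len(current) >= min_size:
                bursts.append([x.login for x in current])
            current = []
        current.append(c)
    if len(current) >= min_size:
        bursts.append([x.login for x in current])
    return bursts


TODAY = date(2025, 12, 29)  # episode date, used as the reference point
# Constructed contributor records (not real accounts).
SAMPLE_CONTRIBUTORS = [
    Contributor("longtime-maintainer", date(2016, 3, 4), 120),
    Contributor("fresh-1", date(2025, 12, 1), 0),
    Contributor("fresh-2", date(2025, 12, 3), 0),
    Contributor("fresh-3", date(2025, 12, 5), 1),
    Contributor("occasional", date(2023, 7, 9), 2),
]

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"PIN   {f.reason}: {f.requirement}")
    for c in SAMPLE_CONTRIBUTORS:
        for r in vet_contributor(c, TODAY):
            print(f"IDENT {c.login}: {r}")
    for burst in new_account_bursts(SAMPLE_CONTRIBUTORS):
        print("BURST accounts created within a week of each other:", burst)
```

On the sample input the audit reports four requirements (the range, the unversioned name, the hash-less pin and the branch reference) and leaves the hashed pin and the commit-pinned reference alone; the vetting step clears the long-standing maintainer, flags the three fresh accounts and the thin-history account individually, and groups the three fresh accounts as one burst. Account age and prior history come from the forge's user API in a real pipeline; here they are embedded so the script runs offline.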

Transcript


0:00.0

You're listening to the Cyberwire Network, powered by N2K.

0:09.7

We need to start thinking about, especially with the onset of AI, now it's really easy to go and scale and create 30 fake accounts at once.

0:20.4

You need to start thinking about who's this user

0:23.3

account, right? How long have they been around? What's their history with open source? Are they a

0:27.6

legitimate contributor? Or are they just here to, you know, cause a ruckus? And you need to start

0:32.8

inspecting those starting today.

0:42.5

Hello and welcome to another episode of Data Security Decoded.

0:46.0

I'm your host, Caleb Tolin, and if this is your first time joining us, welcome to the show.

0:49.3

Make sure you hit that subscribe button so you're notified when new episodes go live.

0:51.8

And if you're already a subscriber, thanks for coming back.

0:53.7

Give us a rating, drop a comment below.

0:54.5

It really helps us reach listeners like you who are eager to learn more about reducing risk across their business.

0:59.1

Now, a couple of years ago, I read a book by Randy Zuckerberg, yes, Mark Zuckerberg's sister.

1:04.1

It's called Pick 3, and it's all about being well lopsided in your life. Without giving away

1:08.3

too much of the book, there are five core areas that she identifies, and typically most people highly index on one of those five areas, and that is where

1:16.0

your passionista lives. I, for example, am a sleep passionista. Now, I don't know if our guest

1:21.6

would self-describe themselves as a passionista in any way, but I'm going to bestow this title

1:26.5

upon them, and so today I sat down with our third-party risk passionista, Hayden Smith. Hayden is the CEO of Hunted Labs, and we did a deep dive into supply chain attacks. I know we've covered this topic at a high level before, but we really wanted to deep dive into how they operate, where they come from, and what organizations can do to get a grip on this issue. Hayden has a lot of deep expertise in this space, and we had a fascinating conversation about it. Let's dive into it. Thank you, Hayden, for joining us. I'm really excited for you to join us on the Data Security Decoded podcast. Before we dive into the meat of the conversation, what is something not related to cyber that you are

2:00.9

completely obsessed with lately? For me, I'm going to go with crystals and rare minerals. You can see my

2:06.1

amethyst here in the background. I have a little fluorite here that I like to keep on my desk too.

2:13.3

I'm a crystal fanatic to some extent, maybe not a fanatic. I've seen some people who are much bigger fans than me, or have better collections.

2:20.7

But what are you obsessed with that's not related to cyber lately?

...

