This week on the podcast, we cover the accidental Claude Code source code leak and what it means for users and the wider ecosystem. After that, we discuss the Axios supply chain compromise impacting users of a JavaScript library with over 100 million weekly downloads. We end with our thoughts on Browser Gate, the name given to allegations that Microsoft is illegally harvesting LinkedIn customer data for a competitive advantage.
Marc Laliberte 0:00
Everyone, welcome back to The 443, Security Simplified. I'm your host, Marc Laliberte, and joining me today is
Corey Nachreiner 0:07
Corey, not leaky, Nachreiner.
Marc Laliberte 0:10
Unlike Corey, today we'll be discussing a source code leak from a popular AI provider. We will then talk about a supply chain compromise that dang well might be the biggest one, or potentially the most wide-impacting one, that we've seen in a very long time. And then we will end with BrowserGate, a complaint filed by a bunch of folks over in the EU alleging that Microsoft is doing even more illegal things about that. Let's go ahead and, I don't know, yeah, leak our way in. That sounds great - wait - that doesn't sound good.
Corey Nachreiner 0:43
Trip our way in?
Marc Laliberte 0:44
Yeah, perfect.
Marc Laliberte 0:53
So Corey, I love AI coding software. Like, we've been trialing different types. We've got a couple of agreements internally at WatchGuard that some folks have access to, and it is freaking amazing. One thing I don't like about AI coding software is how expensive it is, though. So what would you do if I told you you could get AI coding software for free?
Corey Nachreiner 1:15
Oh, God, I love it. I mean, how is that possible?
Marc Laliberte 1:20
Well, last week, Anthropic published version 2.1.88 of Claude Code on the Node package manager index, npm, with one very big oopsie along the way: they accidentally included what's called a source map file, which we'll get into in a second, which effectively leaked over 500,000 lines of code across 2,000 TypeScript source code files that make up the Claude Code application.
Marc Laliberte 1:51
TypeScript is a programming language built on top of JavaScript that adds additional features, one of them being static type definitions. Meaning, in normal JavaScript a variable could be literally anything: it could hold a number, a string, an array, whatever. In TypeScript you have to have tightly typed variables, like saying this is a string, and if you try and put an array into it, it will throw an error. This is a list, and if you try and put a number into it, it will throw an error. It's to help you find and debug issues in code earlier in the process.
Marc Laliberte 2:23
TypeScript isn't compiled. It's transpiled, meaning it's translated to JavaScript before execution. And these source map files allow a debugger or similar application to display the original TypeScript code in order to help find or troubleshoot issues.
Marc Laliberte 2:41
They are not meant to be included in public releases of TypeScript-based files, because it is the source code. Big oopsie.
Marc Laliberte 2:50
Within hours, this source code was forked tens of thousands of times across various GitHub repositories.
Marc Laliberte 2:58
Developers started taking hits at it. Like, I saw a Rust port of it, so moving from TypeScript to Rust, which quickly became the fastest GitHub repository to receive over 100,000 stars ever. Other developers started finding and identifying the source of bugs that they were running into with performance issues. I saw some reports that went into a deep dive on how Claude Code manages its memory efficiently too. So it opened up a lot of interesting stuff for hackers or hacker-minded people to see how it's working under the hood. But this is literally Anthropic proprietary information on how the Claude Code system works on an endpoint, and while us white hat hacker folks are interested in seeing how things work under the hood, you can imagine how valuable this might be for black hat hacker folks that
Corey Nachreiner 3:54
Surely they haven't noticed yet,
Marc Laliberte 3:55
Exactly, but that's actually a good point. So
Unknown Speaker 4:02
cyber criminals are pretty quick to capitalize on all of this buzz too. They created malicious GitHub repositories that use the source code as a hook to trick people into downloading malware. There's one example where they claim to be basically Claude Code rebuilt from the source code with all of the enterprise features unlocked and no messaging limits. It had a release attached to it. That release was a 7-Zip archive file with an executable in it. The executable, despite being called Claude Code x64, was actually a Rust-based dropper that dropped either the Vidar infostealer or GhostSocks proxy malware on endpoints.
Unknown Speaker 4:45
But this was a pretty big oopsie. Like, in reality, the confidentiality of your source code shouldn't dictate whether it's secure or not, but it is absolutely important for protecting intellectual
Unknown Speaker 5:00
property, and this exposed a lot of really clever, actual useful intellectual property from Claude Code's perspective on how they manage context windows, and even exposed some brand new features that are coming down the line. Like, one researcher found a feature flag in there that turns on or off an experimental mode called Dream mode, that basically lets Claude Code just constantly think in the background and improve on ideas, even if you're not directly prompting it, like a true agent mode.
Unknown Speaker 5:33
Claude, or not Claude, but Anthropic started issuing DMCA takedown requests to try and take down all those forks, but when your code has been
Unknown Speaker 5:45
forked 20,000 times over the course of like half an hour,
Unknown Speaker 5:49
the cat's kind of out of the bag at this moment. Sure, it's been posted to other places besides just the original npm, and yeah, it's going to be hard to take this down. So I thought this was interesting for a couple of reasons. One of them was, we've had a lot of AI-assisted or AI-created issues at some big companies lately. Like, AWS had some outages that they at least partially attributed to their own AI usage internally. Meta had what they called a severity one incident that exposed some customer information, at least internally in the company, that was caused by incorrect instructions given by their own internal AI to a developer. Now, Anthropic hasn't said whether this was caused or not caused by their own agentic AI use internally. But you can see how what is really a simple mistake, like not including these source map files in a .gitignore file, preventing them from getting uploaded to a repository like this, that's a pretty junior-level oopsie in this case. And you can see how a junior-level developer in the form of agentic AI could potentially make that kind of mistake. So I don't know. I feel like we're going to start seeing more of these kinds of basic issues leading to
Unknown Speaker 7:17
source code leakage, or leading to just data theft, as more and more people do adopt artificial intelligence. I'm curious on your thoughts on that, Corey. Like,
Unknown Speaker 7:28
do you think I'm jumping the gun a bit on blaming AI for this? Or maybe for blaming AI, but what I do see is, the more they automate things like this, the more potential there is for disaster.
Unknown Speaker 7:42
Yeah, I agree. And honestly, this type of data leakage is what we worry about most with using AI tools. And can you trust the vendors that are supplying AI enough to, when you
Unknown Speaker 7:56
have the right data agreements, not share your data, not share your training prompts, not share any of your information and use it in their own training? And yet they're leaking their own source code. It doesn't really give you the warm and fuzzies about, oh great, I have this data processing agreement where you say you're not using my training data and you're not leaking it to other people, but you just leaked your own source code. Can't even manage your own house, right? Especially when Anthropic claims that Claude Code at this point is almost entirely developed by Claude Code itself, and so there is a high likelihood that this was at least AI-assisted in the source code leak. It makes sense. Yeah, I just listened to the podcast we might have talked about before, where they had the guy that does AI policy that used to be part of OpenAI, talking about how Claude is mostly Claude-coded. Yep. Now,
Unknown Speaker 8:52
and it was interesting seeing this immediately weaponized for phishing. Like, it makes total sense. You're going to have millions of people that are at least technology-adjacent going, I want to see what the source code looks like, and then download malware instead, because they don't know what they're looking at or what they're getting into. By the way, it's not a story we're covering this time, but I might mention it in more detail when we start talking about supply chain attacks and the biggest one you were talking about. But there was another big code leak this week too, and it
Unknown Speaker 9:23
Anytime there's a code leak like that, people need to be careful. I mean, I get the curiosity of seeing what's in the code leaks, but it is that perfect phishing thing, right? If you're not actually a coder yourself and can't read code, and someone's saying they've packaged up this thing for you from the leaked code, I would be very skeptical and very careful, as is already proven by the Claude leak being used. Rats. It reminds me of my childhood, where I forgot which video game it was. It was probably like Halo
Unknown Speaker 10:00
2 or something, where, before it came out, there was this "oh, the source code's been leaked" kind of thing. And me and my curiosity went looking for it, and did not end up with the source code for that video game, but did end up with some nice other malware on my computer, because I had no idea what the hell I was doing, because I was 13 years old.
Unknown Speaker 10:20
But you're good at taking advantage of excitement and emotion, and anytime the tech industry sees something as big as a pretty high-end source code leak happen, it draws attention, and threat actors know how to leverage the psychology of attention. Yep. So if you are going to go looking for Anthropic source code for Claude Code, just be careful of where you're poking around.
Unknown Speaker 10:44
Don't download executables. Correct. Read the source instead. But even then, as we've seen, downloading source code and then opening it up in an IDE and marking it as trusted can be enough to
Unknown Speaker 10:58
kind of screw you as well. So just be careful if you're out there trying to satisfy your curiosity. And in the meantime, I'm looking forward to even more analysis of the source code and the interesting things we can learn from Anthropic's own engineering work, because they clearly know what the heck they're doing in managing AI agents, and it's been interesting so far. But moving on to what you were just hinting at, Corey. So last week, the ultra-popular JavaScript package called Axios, with over 100 million weekly downloads, suffered a supply chain compromise that lasted for about three hours or so. During this time, a threat actor used a compromised maintainer's account to publish two tainted releases, version 1.14.1 and version 0.30.4,
Unknown Speaker 11:47
which included what's called a post-install hook, basically something that runs after you install the application, that downloads and executes another malicious JavaScript package called plain-crypto.js.
Unknown Speaker 12:01
That JavaScript package is interesting in its own right. It's a dropper that checks the victim's operating system and then downloads a platform-specific second stage: either AppleScript for macOS, PowerShell and VBScript for Windows, or Python for Linux. And despite being different operating systems and different programming languages, they all implement the exact same remote access Trojan logic, down to the command and control communication, the commands that can run and the behaviors for it. So, a totally, perfectly ported type of attack. In this case, for that second stage,
Unknown Speaker 12:38
the Trojan that runs will try and figure out what system it's on, some basic info stealing. It's got commands for things like self-termination to hide its tracks. It can run arbitrary scripts and shell commands, and it can even run arbitrary applications, either through reflective injection on Windows or just decoding and executing on macOS or Linux. But so the lead maintainer for Axios published a post-mortem on GitHub just a couple of days ago. They didn't give a huge amount of details, but they said that they were the victim of a targeted social engineering campaign or attack that led to a remote access Trojan running on their own laptop, which gave the attackers access to the npm account credentials, basically the keys they would need to upload a new version of Axios. They actually did that two weeks before this attack. This was back in the end of March timeframe, and it wasn't until just a little bit ago that they uploaded this malicious version, I think on March 31 or so.
Unknown Speaker 13:48
Now, this was first detected within minutes by members of the community. They were opening issues on the Axios GitHub project to say, hey, there's malware in here. But the threat actor was using their keys to delete all of those issues too, to try and mask it for as long as they could, up until it was all resolved about three hours after detection, which is pretty dang quick. But this is one of, if not the most popular JavaScript package there is. Like, if you build an application that needs to act as a web client to communicate with other web resources, you are almost certainly going to use Axios under the hood, because it's a really powerful library for this. In fact, that Claude Code thing we just talked about: if you downloaded and installed the Claude Code source code during that three-hour window, it uses Axios under the hood, and it would have grabbed this malicious package and compromised your system there too.
Unknown Speaker 14:46
The maintainer had a couple of takeaways. Like, they noted that they were publishing from their personal account, which was a risk they said could have been avoided. They instead should have been using an OpenID
Unknown Speaker 15:00
Connect workflow with an immutable release setup, basically programmatically build and deploy these packages, instead of doing it from the same account that they log into to go download other stuff from npm.
Unknown Speaker 15:13
They mentioned there's no automated way to detect an unauthorized publish to their package. Like, they only found out because the community found out. It's not like they got an alarm saying someone published an update at
Unknown Speaker 15:25
1 a.m. your time, that was unexpected. And they also just stated the obvious, saying that open source maintainers with high-impact packages are clearly an active target, and I think that is absolutely true. We've seen so many both opportunistic and very targeted supply chain compromises recently. And maybe, like, can you talk a little bit about that one that you were just hinting at as well, too, that resulted in Cisco's source code getting leaked? Just essentially, there was a, like, I'm sure we'll talk about it at some point. But there's a SaaS application called TiVi that's, I believe, associated with authentication, but it had a breach, lost a ton of credentials, and Cisco uses it, so the credential leak associated with TiVi was the root cause of getting into Cisco's network, and the threat actor got very deep into Cisco's network and ended up stealing source code again. So worth going into in another session. But TiVi is a SaaS application used by many companies. Like, to me, these are two different types of, we're seeing either repositories, the one we're talking about right now with Axios, very popular, or
Unknown Speaker 16:38
popular SaaS applications that lots of big companies use. If you can get a credential, that credential being the root cause, it kind of reminds me of the Okta breach that MGM suffered from, and many companies ended up having a breach after that, all kind of based on Okta credentials. So it just feels like the digital and software supply chain risk is really, like our predictions the past two years have said, becoming the biggest issue. Outside of protecting yourself, one of the biggest things driving problems and breaches. It absolutely is. And because, like, if they can get access to this, it's really difficult to detect a lot of these types of breaches too. Like this Axios supply chain one, the developer didn't detect it. They were probably asleep, because it was at one in the morning their time. But it was only thanks to the community that anyone spotted it, and this was a smart threat actor. The level of access they had allowed them to even start deleting community messages, and all the administration and log cleanup they were doing to try to stay as persistent as possible, it's hard. And for the SaaS applications too, when you have a provider like Okta or TiVi, then you trust them. It's a valid credential. There is nothing wrong with the credential. So until you
Unknown Speaker 17:59
know about that other breach, you as a victim, like you say, it's definitely a hard type of breach to catch when it comes through a supply chain venue. Yep. So if you are a software developer, keep an eye on which version of Axios you may have had installed over the last couple of weeks. If it was 1.14.1 or 0.30.4, consider your computer compromised and any secrets that touched it compromised, and start an incident response on it. But moving on, Corey. So the last thing I wanted to talk about, now, I saw this post show up on a bunch of different subreddits I follow, from cybersecurity to privacy to Microsoft to a few others. And I don't want to spoil it, but it feels like it may not be as black and white as it comes off, but it's an interesting concern that got leveled by this organization called Fair Linked, which is claiming to represent a bunch of LinkedIn users and LinkedIn tool developers, that they published on a website called browsergate.eu,
Unknown Speaker 19:03
which basically describes what they allege are a bunch of violations of the EU Digital Markets Act. So I don't think we've talked about the EU Digital Markets Act on here before. Maybe once. It was first ratified back in 2022,
Unknown Speaker 19:16
but it's an EU regulation that limits the market power of large digital platforms to try and help develop competition within them. So basically, it labels dominant tech companies as gatekeepers, and then mandates obligations around third-party access. So for example, Google is a gatekeeper for Android, Apple is a gatekeeper for iOS. It mandates things like app stores allowing other people to install applications. It mandates rules around interoperability with other applications, and it even mandates data access for authorized organizations,
Unknown Speaker 19:53
even in some cases personal customer data, to make sure that just because this company has a monopoly on this market,
Unknown Speaker 20:00
they can't crowd out other organizations that want to help cater to that market too. In 2024,
Unknown Speaker 20:06
Microsoft was designated as a gatekeeper for both Windows and LinkedIn. The Act mandates that they provide free, effective, high-quality and continuous real-time access to all data that is generated through the use of LinkedIn to authorized third parties. So not, like, provide it publicly to everyone, but they can have a vetting process and then say, okay, you are authorized to have access to this data to provide whatever service or tool you want to on top of LinkedIn. I think if you had a recruiting platform like Monster.com and they wanted to integrate with LinkedIn, Microsoft has to provide that sort of integration capability with someone like Monster.com or some other jobs forum, for example.
Unknown Speaker 20:51
So this BrowserGate website basically says Microsoft is violating the Act. They're accusing them of what they call compliance theater, with inadequate APIs and misleading public statements, while shutting down companies that want to offer tools built on top of LinkedIn. They go on to allege criminal behavior too. They say that LinkedIn has started injecting malicious code into users' web browsers, which downloads a list of over 6,000 software products, and then brute-forces the detection of each of those products on victim machines too. Basically, it's got this list of potential tools that might interact with or use LinkedIn, and it tries to see if users are using any of them. It does it by directly sending queries to a standard API that Chrome extensions use, tries to fetch known files from extensions that might be installed from their web-accessible resources, and it even tries to detect manipulations of the DOM, basically the web page for LinkedIn, which other tools might manipulate in order to provide other services on top of LinkedIn. They gave some specifics in there. They basically said it scans for 600, or 762,
Unknown Speaker 22:08
LinkedIn-specific tools for productivity, content creation and networking, tools that the Digital Markets Act explicitly requires LinkedIn to accommodate. It says it scans for 209 sales and prospecting competitors. These are the tools that would compete with LinkedIn's own Sales Navigator product, which is a billion-dollar-a-year product. It says 509 job search extensions. And then it looks for VPNs and ad blockers and other security-related tools too.
Unknown Speaker 22:41
They claim that it does job profiling. Basically, if they see three people with watchguard.com email addresses all have this one tool detected, then they assume that WatchGuard is using that tool as a company, which can give them an unfair advantage too. So basically, they claim that all of this is illegal under various GDPR provisions, the Digital Markets Act, as well as the ePrivacy Directive, which is the directive that is responsible for all those cookie acceptance banners that we have on every website these days, and specific privacy laws in Germany, the UK, even the United States, in California, with CCPA and CIPA.
Unknown Speaker 23:24
But the reason I thought this wasn't necessarily black and white is, the first thing that stood out to me was this isn't a person making the claim, or another specific company that's been harmed. This is basically, it looks like a law firm that spun up an LLC in Germany to then create this website to go put them on blast and try and get everyone on the internet to submit claims notifications. It's a regulation version of a patent troll law firm. Like, I could see maybe these are legitimate tools that are trying to compete with LinkedIn, and this is the only way that they can get their message out, but the fact that there's so much, like,
Unknown Speaker 24:07
well, now I'm thinking about it. It is a German law firm, and they are very privacy-conscious in that country. Maybe there's a reason they want to protect their identity instead of coming out and saying exactly who is behind this particular thing.
Unknown Speaker 24:22
But the other thing is, like,
Unknown Speaker 24:25
there, I think there is some reason to want to do fingerprinting for things like VPNs or ad blockers. Like, there's a legitimate reason for a company to try and protect against fraudulent use of their website and tools. But it does sound, on the face of it, that Microsoft might be going too far with some of this fingerprinting too, and that's where it gets, like,
Unknown Speaker 24:49
the thing is, too, even with the legitimate, like, even though something's legitimately
Unknown Speaker 24:53
done for some reason, doesn't mean a company can't monetize it in a bad way too.
Unknown Speaker 25:00
There's a legitimate reason for an ISP to see every domain we visit, but at the same time, when we pay for them, we don't want them to sell all that information to the highest bidder and create a personal profile for us that knows our political opinion and everything else. And yet, we know companies do that. So it is one of those dangerous areas where, even with the legitimate reasons for doing some of this, how do we know they're not doing something to monetize it beyond the legitimate reason? And it also, like, I think it's another example of how powerful fingerprinting can be within the context of a web browser like Google Chrome, in this case, which, like almost every single web browser, is built off of Chromium. Anything but, keep going. Yeah, like, it's got a lot of power on the endpoint of figuring out who the user is, ultimately based off of behaviors, of just metadata of the tools they've installed. And metadata, I think, of anything digital. I remember when the Patriot Act first came out, where they could basically start looking at the metadata of internal domestic calls. People are like, oh, it's not the call. They're not listening in to your call. But you don't realize how much metadata: just the number, the location, the tower it went in, how long the call lasted, who the other number was.
Unknown Speaker 26:21
Like you say, the browser is the same thing, but with all kinds of secret headers behind the scenes that humans aren't aware contain a crapload of metadata. So yes, agree 100%.
Unknown Speaker 26:33
And it's not just browsers. Any digital communication leaves this trail of metadata that you can fingerprint a lot of information from, and the EU has already tried to tackle some of this, like with that ePrivacy Directive. So a directive is different from a regulation: a directive means each member country has to make their own law for it, versus GDPR, which is a regulation that the entire EU apparatus creates. But basically, the ePrivacy Directive is why we have all those consent banners for cookies, because by default, they shouldn't be able to access files on your file system, like a cookie, without your consent. And the authors of this BrowserGate actually point to that as one of the laws that Microsoft is breaking: that by fetching all the Chrome extensions, they are fetching information from the user's endpoint without their consent. That should be a violation of the law. But what I'm getting at, aside from that tangent, is this feels like something the EU might need to tackle with something more pinpointed towards browser fingerprinting itself, because it's clear that companies are trying to circumvent the spirit of a lot of these data privacy laws by going after metadata. Instead of just tracking cookies, they moved to super cookies. You make super cookies less effective, they find a new way to get the data. Yep, agree.
Unknown Speaker 27:57
And as a privacy-conscious individual, it is something I personally would support. I don't like, without consent, any website being able, maybe not any, but many of the most powerful websites being able to figure out exactly who I am, just based off of fingerprints like this from my web browser. I do know half the time they're just trying to find useful marketing information, which could benefit us too. I mean, maybe we do want to see ads that are only showing us stuff we're interested in, not the other crap, but we have to know when they're using that data for things we don't really expect. And people forget how powerful marketing data about just you is: knowing who you are, what you do, what you prefer.
Unknown Speaker 28:39
There's a reason people protect privacy. All of social, like, that's pretexting. That is a pretexting playground for every social engineer. Like, people who think privacy is not connected to security, or that if you're not a criminal, you don't need to worry about it. I'm sorry, if you're out there and you think that, you're stupid. It's all that privacy information that the social engineers love that does convince you to do dumb things you shouldn't be doing, because you forgot you've already told the whole world who you are behind the scenes on social media and with all this metadata that's being transferred behind the scenes. So, well said. It matters to security. End of story. So I would at least recommend going to browsergate.eu, reading through what they've written down and making your own conclusions on this. And if you do agree with what they're saying, their call to action is they've got a pre-filled complaint form that you can send, if you're in the EU, to every EU Data Protection Authority. If you're in California, similarly there. If you're neither of those, you're kind of screwed, because those are the only places on earth that seem to have good data privacy laws these days. But I would like to see at least something addressing the browser fingerprinting question, on what should be legal and what shouldn't be legal, with some additional protections.
Unknown Speaker 29:59
I'm also.
Unknown Speaker 30:00
one of the 0.1% of the people in the world that still uses Firefox, though. So maybe my opinion isn't super valid, I don't know,
Unknown Speaker 30:09
but if I really done it that much, but so far, ScriptSafe and NoScript are not on the list. So at least I can still use my security extensions. That's true. You can still at least use those, but they will know what other tools you're using, and maybe use that for
Unknown Speaker 30:27
competitive advantage when it comes time to asking you, or sending you, a sales pitch over something,
Unknown Speaker 30:34
and I don't know, I feel like the cat's out of the bag a bit too much for privacy these days on the internet.
Corey Nachreiner 30:41
I think we all gave it away back in the MySpace days, and it's just continued with every social media network since then. People did not realize why that stuff was free,
Marc Laliberte 30:51
at least in the -
Corey Nachreiner 30:53
normal business, to take all of this data you're happily sharing with them digitally.
Marc Laliberte 30:58
At least in the MySpace days, it was limited to like, what crappy music I really enjoyed listening to.
Corey Nachreiner 31:02
I bet
Corey Nachreiner 31:05
your tastes weren't crappy. Maybe they've changed.
Marc Laliberte 31:08
Parents called it angry music. And, you know, sometimes I still like angry music.
Corey Nachreiner 31:14
I feel like that's every teenager. And like, I agree with you, there's days for that good music,
Marc Laliberte 31:20
but you're right.
Corey Nachreiner 31:22
Yes, actually, things like this make me want to play angry music.
Marc Laliberte 31:26
I agree. Let's go put on some Rage Against the Machine. It's very fitting for that. Hey
Marc Laliberte 31:37
everyone, thanks again for listening. As always, if you enjoyed today's episode, don't forget to rate, review and subscribe. If you have any questions on today's topics or suggestions for future episode topics, you can reach out to us on Bluesky. That's what it's called. I'm at itsmarc.me, Corey is at secondapp, and the both of us,
Corey Nachreiner 31:55
It's not gray sky in Seattle, actually. Weird weather today.
Marc Laliberte 32:00
I'm a little jealous. It's cold as hell here in Austin, Texas.
Corey Nachreiner 32:04
Wow, that's a flip.
Marc Laliberte 32:06
It is a flip. And speaking of flip, see you all on the flip side. Thanks again for listening, and you'll hear from us next week. Ciao, ciao.