Smashing Security podcast #436: The €600,000 gold heist, powered by ransomware

Industry veterans, chatting about computer security and online privacy.


Ransomware doesn’t just freeze computers – it can silence alarms too. And when the Natural History Museum in Paris went dark, thieves helped themselves to €600,000 worth of gold in a daring late-night heist. Meanwhile, developers have a new headache: a worm dubbed “Shai Hulud” has wriggled its way through more than 180 npm packages, quietly stealing secrets.

But it’s not all doom and gloom – unless you count your kitchen appliances turning into ad billboards.

All this and more is discussed in episode 436 of the award-winning “Smashing Security” podcast with cybersecurity veteran and keynote speaker Graham Cluley, and his special guest Zoë Rose.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Well, actually, I haven't got a pick of the week.
ZOE ROSE
Oh, no, that's rubbish.
Unknown
I've got— excuse me, it's my podcast, not yours. Smashing Security, episode 436, the €600,000 gold heist powered by ransomware with Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 436. My name's Graham Cluley.
ZOE ROSE
And I'm Zoe Rose.
GRAHAM CLULEY
Ah, Zoe, welcome back to the show. It's been a while. Lovely to have you back on.
ZOE ROSE
Yeah, every time I'm on, something new happens in my life. Now I've got a cat, so.
GRAHAM CLULEY
Oh, fantastic. You know, you don't have to go out and buy a cat just to come on the podcast. You could just say, hey Graham, can I come on the podcast?
ZOE ROSE
What, now you tell me? I've got a bloody cat now.
GRAHAM CLULEY
That's your problem, isn't it? Well, before we kick off, let's thank this week's wonderful sponsors, 1Password and Vanta. We'll be hearing more about them later on the show.

This week on Smashing Security, we're not going to be talking about how flights were cancelled or delayed across Europe after a cyberattack targeted Collins Aerospace's Muse software.

You'll hear no discussion of how two UK teenagers have been charged for a cyberattack on Transport for London that resulted in £39 million worth of losses.

And we won't even mention how a US teenager has surrendered to police in Las Vegas and been charged with hacking into casinos as part of the Scattered Spider gang.

So Zoe, what are you going to talk about this week?
ZOE ROSE
Well, I'm going to talk about Shai-Hulud, the supply chain attack.
GRAHAM CLULEY
Terrific. And I'll be discussing hackers and heists. All this and much more coming up on this episode of Smashing Security.

Now, chums, if you've been following the cybersecurity headlines lately, you'll know this isn't news to any of you, that ransomware continues to be a big problem.

We've had JLR, you know, when I first heard the headline that JLR had been hit by a ransomware attack, I mixed them up with that pop group, JLS, and I thought maybe they'd been hit instead.

But it turns out JLR is completely different. It's Jaguar Land Rover. They look like they're gonna be shut down for weeks. They're bleeding £72 million every day.
ZOE ROSE
Bloody hell.
GRAHAM CLULEY
While its production lines are gathering dust. Meanwhile, their suppliers, they've been disrupted.

They've been telling their staff, stay at home, or they've been laid off amid fears that some of these companies may go bust or won't survive. So that was JLR. Pretty nasty stuff.
ZOE ROSE
Yeah. That makes sense though, because some suppliers might only supply to them.
GRAHAM CLULEY
Absolutely.
ZOE ROSE
Totally relevant now.
GRAHAM CLULEY
It'd be a huge customer.
ZOE ROSE
Yeah.
GRAHAM CLULEY
And if that customer isn't ordering new parts—
ZOE ROSE
Yeah.
GRAHAM CLULEY
Because your production line isn't moving, you're no longer making money.
ZOE ROSE
Do they also have a just-in-time production line? I don't know. So it would make even a bigger impact. They're just creating as demand comes in.
GRAHAM CLULEY
I don't know. Anyway, so that's been going on, and we've had this European airports fiasco just this last weekend.

Heathrow, Brussels, Berlin, all brought to their knees because someone decided to attack Collins Aerospace's check-in systems. It caused flight cancellations, delays.

Staff were forced to manually write out boarding passes. Like it was 1975.

It's remarkable how everything grinds to a halt when you're so reliant on technology and that technology is suddenly sort of scooped away from you.
ZOE ROSE
Do you know what? It's funny, because I was thinking back to when I worked in retail many, many years ago. I had to write credit card things on paper because the systems were down.
GRAHAM CLULEY
Oh, yes.
ZOE ROSE
And it's like, I'm using technology that's older than me.
GRAHAM CLULEY
Did you have to use one of those things which went— Yes, I did! Where you had to pull it over and make the copy or whatever it was?
ZOE ROSE
Yeah, yeah. And I was just what is this thing? And they had to teach me how to use it. I'd never seen one before.
GRAHAM CLULEY
Well, anyway, there is one attack that many people listening to this podcast will not have heard about.

You've heard about JLR, you've heard about the airports, but this one hasn't really made the headlines very much outside of France, because in late July, the Muséum national d'histoire naturelle, which is the Natural History Museum, en Paris, in Paris— I'm translating all of this for those people who don't speak baguette— it was hit by what officials diplomatically described as a massive ransomware attack.

A massive attack, as it is known.

And if you thought that dinosaurs were wiped out quickly by a meteorite 65 million years ago, that is nothing compared to how rapidly the museum's computer network got knocked for six when it got hit by this ransomware.

So this attack affected all of the museum's sites.
ZOE ROSE
Interesting.
GRAHAM CLULEY
Apparently it has marine research stations. As part of the museum. I have no idea why.
ZOE ROSE
So I never had them as a client, but I did chat with a museum when I was a consultant, and they were talking about their needs.
GRAHAM CLULEY
Right.
ZOE ROSE
And it's interesting because a museum, you don't realise how many people actually work there.
GRAHAM CLULEY
Right.
ZOE ROSE
Because you also have visiting scientists.
GRAHAM CLULEY
Yes.
ZOE ROSE
And you're visiting people that do restoration.

You have, you know, you have all these different things, and then you've got such data because if you're scanning something because you're trying to figure out what's inside of it, or the images are just massive.

So actually, the amount of data in a museum and the amount of people affected is insane. You would never have guessed it.
GRAHAM CLULEY
Well, I was surprised as well, because when I was reading this report, it said that this attack had disrupted the work of 600 scientists attached to the museum.

They've lost access to between €30,000 and €50,000 in research funding. So, it has this knock-on effect.
ZOE ROSE
Mm-hmm.
GRAHAM CLULEY
And well, look, I don't know about you, Zoe. I don't know how much you love a museum.
ZOE ROSE
I love museums, especially—
GRAHAM CLULEY
You do?
ZOE ROSE
Especially natural history museums. They're so lovely.
GRAHAM CLULEY
Well, I had really been looking forward to the Natural History Museum in Paris, its upcoming Tropical Autumn: Palms, Treasures and Secrets exhibition.

And I know what you're thinking. Oh no, not the palm exhibition. And I'm afraid, yes, the palm exhibition was disrupted. It has been delayed.
ZOE ROSE
I know.
GRAHAM CLULEY
Because of this attack. So you won't be able to go there and check out the beautiful palms and the treasures and the secrets of tropical autumn anymore.

Now, an exhibition, even a palm one, is a big deal for a museum.
ZOE ROSE
Yeah, but— Is it? Well, I mean, museums, as far as I'm aware, they're not these big profit machines.

They generally meet what they can, and then, you know, I need support to do research and everything.

And it's critical, I think, to society to know all of this information, historic, current events, record things happening in our society.

So loss of funds, that's quite concerning because generally, if you get money from the government, if you don't use it, you don't get more.

You know, it doesn't come back the next year, right? So I don't know what they're going to do.
GRAHAM CLULEY
Yeah, and if you can't show people coming through the doors, you're not going to get as much funding on this. Of course not, because if you don't prove that you're popular...

And also, you know, the thing with museums, there's loads of old stuff in there.

So if you've been to see it once, you're not necessarily gonna think, oh, they'll have added lots more stuff in the last year.

That's why they have regular exhibitions, because if you go to the Louvre, for instance, and you see the Mona Lisa there and everything else, but you look at the Mona Lisa and you say, well, that's very impressive.

You know, a good painting, many people would say, even though it doesn't have eyebrows. You'd say, yeah, he's done—
ZOE ROSE
You're complaining about the lack of eyebrows?
GRAHAM CLULEY
Well, all right, look, there's nothing wrong with not having eyebrows, but if you are a painter and you're painting something—
ZOE ROSE
What if the person he painted didn't have eyebrows? I've got mine tattooed on.
GRAHAM CLULEY
Oh, really?
ZOE ROSE
Yeah.
GRAHAM CLULEY
This is fascinating. You are cybersecurity's equivalent to the Mona Lisa, is what you're saying.
ZOE ROSE
Basically.
GRAHAM CLULEY
But the thing is, an exhibition is a big deal for a museum. It's what draws people in.

For a museum, cancelling an exhibition, this palm exhibition which got cancelled, it's a bit like McDonald's running out of chips.

It's humiliating, it costs money, people start asking uncomfortable questions about your competence.
ZOE ROSE
I imagine researchers are not going to want to go there.
GRAHAM CLULEY
Right, because, well, they haven't got anything for us to have a look at.
ZOE ROSE
Well, no, I meant more because they would want to do that to collaborate and build their research.
GRAHAM CLULEY
Ah, yes, yes, because they're just sick of it. Hahaha! They would say. They are clearly... I don't know why I laughed in a French fashion.

But, "You are clearly amateurs," you would say. And it's not as if French museums haven't been hit by ransomware before. Last year, cybercriminals struck during the Paris Olympics.

They hit a computer system that centralised the financial data from stores located within 40 museums in France, including the Louvre, and they demanded a ransom.

So museums in France getting hit by cybercriminals. And the thing is, when it comes to a ransomware attack, the damage rarely stops where you expect it to, right?

There is the immediate impact and, oh dear, our files are encrypted. Are we gonna recover from a backup? What are we gonna do about the extortion?

Let's close any security holes which maybe the cybercriminals are coming through. There can be serious repercussions on a ransomware attack.

A couple of months ago, a German phone repair and insurance company, they filed for bankruptcy after being hit by ransomware.
ZOE ROSE
And how many businesses couldn't run without any income for a certain amount of time, or even just run paying employees essentially for a certain amount of time?

There's a limit to everybody's capability. Budgets are very limited.
GRAHAM CLULEY
There's a limit to what people and what firms can put up with. Let's go to Belgium. In 2024, a Belgian brewery suffered what was considered a genuine national emergency.

Yes, Belgium suffered an attack on its critical national infrastructure when it found out its beer supply had been hit. I mean, attacking a country's water supply is one thing.

And so basically what I'm saying, Zoe, is that ransomware is a serious problem and there can be repercussions beyond the actual data encryption.
ZOE ROSE
Well, also the people. I mean, the person that probably, was it phishing related? I don't know, but it could very well have been. That's a very common approach.

How did they feel knowing that they caused this probably big outage? The responding team, the technical team, they're probably overwhelmed and exhausted.

The stress on the employees not knowing what's going to happen to their job, especially in a time right now.

The mental load as well for the employees, for the people responding, all of that together.

On top of the business just trying to sustain itself, those are all going to have a massive impact.

And not just an impact for the next couple of months, for the next couple of years.
GRAHAM CLULEY
It could well do. And this is what the impact has been for this museum of natural history in Paris, because there has been a repercussion.

Last week, Tuesday morning, cleaners went to work as normal to make sure that the Natural History Museum building in the heart of the Jardin des Plantes plant garden in the 5th arrondissement of Paris, 5th bit of Paris, was spick and span.

I guess they were dusting the brontosaurus. You know, that's their kind of job. And imagine quelle horreur that they must have felt in scenes akin to a heist movie.

I don't know what your favourite heist movie is. Ocean's Eleven, Ocean's Twelve, Ocean's Thirteen, One of Our Dinosaurs Is Missing. One of the great movies.

Anyway, in scenes akin to that, a robbery had taken place. Bad guys had broken in. They'd headed to the geology and mineralogy gallery.

They attacked a reinforced display case containing several gold nuggets.
ZOE ROSE
Ah, okay. I was, what, are they going to steal a dinosaur?
GRAHAM CLULEY
No, no, no. With an angle grinder and a blowtorch. They broke in. They took the collection worth €600,000.
ZOE ROSE
Hey, bloody hell.
GRAHAM CLULEY
Gold, of course.
ZOE ROSE
It's only going to get more valuable.
GRAHAM CLULEY
Right. And gold is easier to resell than precious stones.
ZOE ROSE
You could just melt it.
GRAHAM CLULEY
Exactly. You just put it in a George Foreman grill. Just put it in something that hot. There's nothing quite— nothing can withstand the heat of molten cheese.

So you just put it in one of those, a piece of gold. You can melt it down. As it probably already has been. And these apparently were scientific specimens.
ZOE ROSE
I know.
GRAHAM CLULEY
With immeasurable heritage value, I think from all kinds of places around the world, which have been dug up or old examples.

They're now probably in some criminal's mouth, you know, as gold fillings.
ZOE ROSE
Oh, I heard about another bracelet, a really, really ancient bracelet that was essentially melted down and sold for 4K or something. But it was worth insane amounts.

They're so depressing.
GRAHAM CLULEY
It is. And here's the cybersecurity link.

According to a police source, this criminal team were apparently really well-informed because the alarm and video surveillance systems had been out of service for several weeks due to, and yes, you've guessed correctly, due to the ransomware attack.
ZOE ROSE
I bet you they're doing an internal audit now as well.
GRAHAM CLULEY
Can you imagine?
ZOE ROSE
Oh, that's so sad.
GRAHAM CLULEY
So ransomware attacking your computer systems may have knock-on effects which you wouldn't have possibly imagined. So—
ZOE ROSE
Well, I have to say, this is a negative, but it is more positive than I thought you were going to say when I was talking about mental health of employees.

So I'm happy it was— I know it's sad, but I'm happy this was the result versus something else being gruesome seen.
GRAHAM CLULEY
Yes.

So it sounds like this wasn't some opportunistic burglar who just stumbled upon a vulnerability while looking for a place to relieve themselves and thought, "I'll just go into the museum for a pee, and ooh, there's some gold which I'll pinch." This appears to be someone who did their homework, realized the ransomware attack had effectively turned their museum into, where it's a barn with the door left swinging open in the wind, you know?

Because systems which normally they would've had there to determine that a burglary was happening there and then and set off the alarms and inform the police, but only actually got spotted by the cleaners the following morning.

So, this is what I'm wondering.

We've spoken many times in the past about how conventional criminal gangs have turned to cybercrime, maybe 'cause of the vast amounts of money they can make or because it's less risky than getting personally involved.

You know, you don't have to drive your Ford Transit van up to the sub-post office and mug an old lady and, you know, pinch the money from there.

Instead, you can do it all via computers. Could we now see more traditional thieves thinking, you know what, the hackers could help us in our traditional thievery?

So I'm not suggesting necessarily that the ransomware gang behind the July attack were necessarily WhatsApping the gold thieves with updates, "Hey guys, the cameras are down and now's your chance." But—
ZOE ROSE
Go, go, go.
GRAHAM CLULEY
Yeah, allons-y.

But what's worrying is the possibility that different criminal enterprises are monitoring each other's activities or just simply reading the newspapers and thinking, "Oh, I wonder how their security is right now." But let's be honest, in my opinion, likelihood is if a company is hit by ransomware, okay, a lot of organizations separate CCTV cameras with their internal infrastructure.
ZOE ROSE
They have two separate infrastructures. Not everyone, but I assume most. I could be wrong. But I wouldn't assume if you're hit with ransomware, your camera system is off.

I also feel it's more likely that somebody internal is, hey. Yes.
GRAHAM CLULEY
Well.
ZOE ROSE
Look what's going on here.
GRAHAM CLULEY
I like the way your mind works, Zoe. I think that certainly will be something which the police will be investigating, isn't it?
ZOE ROSE
Well, they'd have to.
GRAHAM CLULEY
Whether it could have been someone internally who knew that the systems were down and had not been replaced by a couple of webcams.

You know, which is the other thing that they could have done.
ZOE ROSE
They could have. I'm shocked that they didn't. I'm not going to lie. I am absolutely shocked.
GRAHAM CLULEY
You'd have thought you could have Heath Robinson'd some devices up.
ZOE ROSE
You can use an old Android phone, because isn't there an app you can put on it? Somebody's got one in their basement.
GRAHAM CLULEY
A baby monitor. That's all you'd need.
ZOE ROSE
Oh, you could?
GRAHAM CLULEY
Just have a baby monitor.
ZOE ROSE
God, you could do so many things.
GRAHAM CLULEY
There's actually a lot of similarities, aren't there, between a baby in the cot and one of those villains who sort of does all the acrobatics to get past the lasers, to get past the pressure pads.

You know, if you've ever had a child escaping from their little prison cell, which we put them in at night.
ZOE ROSE
Yeah, my daughter, my youngest, she is a proficient climber. So she could very much steal so many things from a museum without any cameras.

Granted, she probably wouldn't go for gold. She'd probably go for the dinosaurs.
GRAHAM CLULEY
Zoe, what have you got for us this week?
ZOE ROSE
Well, mine is not as exciting.
GRAHAM CLULEY
Oh, I'm sure it is.
ZOE ROSE
No, I'm just talking about the supply chain attack. Let's see if I say it right. Shai-Hulud, I think.
GRAHAM CLULEY
Shai-Hulud, I think. Shai-Hulud.
ZOE ROSE
I don't know, apologies to everyone that I'm butchering the name, but it's the attack where essentially the threat actors were able to compromise over 40 developer accounts and publish more than 700 malicious package versions to the npm registry.
GRAHAM CLULEY
So this is what's called an npm supply chain attack, isn't it?

npm, or Node Package Manager, that's used by developers to download pre-built code so they don't have to write everything from scratch.

And if that pre-built code is compromised, then hackers can compromise the code that developers are using to build their apps rather than attacking applications directly.
ZOE ROSE
Yes. So essentially your account is compromised. I then see what registries you have. I then deploy under your name malicious things and it attacks more people, which is great.

I mean, if I'm a threat actor, I want a return on my investment, right? So I want to get it in, I want to automate my attack, I want to spread it as far as possible.

So if the original author changes something, you won't know, but you'll still be using it. So you have to validate it's doing what you expect of it.
GRAHAM CLULEY
Right.
ZOE ROSE
But as we know, we're not so good at that. Integrity checks are not something we're the most robust at.
GRAHAM CLULEY
Yeah.
ZOE ROSE
We've had many attacks where, if you remember when the ICO, I think it was ICO that had cryptominer on its own website.

It was a script that they had pulled from a third party but didn't validate.

And so it installed a crypto miner on their website, which if you don't know who the ICO is, that's pretty funny because essentially they're the people that will get mad at you and give you fines if you don't do something you're supposed to be doing.
GRAHAM CLULEY
If you come into a bit of a pickle when it comes to people's privacy and controlling their data, for instance, you may well find yourself knowing who the ICO are.

Rather more than you wanted to.
ZOE ROSE
Exactly. So it was hilarious when a few years ago they got a crypto miner installed. So this is not a new thing, right?

But the thing that stood out to me is if you read about it, they say, you know, it's a self-propagating worm.

But the thing I liked is there was many versions of it and the researchers found that throughout the versions, there were slight changes. So, right.

Actually the threat actor is basically doing live testing, deploy it, and then slowly edit a little bit to make it more effective, you know, so they're doing what my dream analyst would do is creating something and then learning, improving the automation, reducing the amount of workload that they have to have the best return on the effort they're putting in.

So, you know, maybe this person is professional.
GRAHAM CLULEY
So this is really quite nasty, isn't it? Because this is a worm which is infecting lots of different packages being used by lots and lots of different developers.

It's stealing information from them: passwords, special keys, tokens, stuff that lets you get into other places, your computer or cloud storage or GitHub accounts.

And then it is publishing those things openly on GitHub.
ZOE ROSE
Mm-hmm.
GRAHAM CLULEY
Where more mischief can be made from those credentials.
ZOE ROSE
Yeah, and anybody that's compromised could then ultimately be restarting their attack, because their account is now the initial source, right?

It's a third party, maybe you have an existing relationship with a school or a lawyer, and they get compromised and they send you a phishing email, which happens and is very common, actually.

It's the same idea, you know, I'm the victim and now I'm enabling the attack to go on.

One thing I thought was interesting that I read in one of the articles is the worm targets Linux and macOS.
GRAHAM CLULEY
Yeah.
ZOE ROSE
And deliberately skips Windows machines. So that's interesting to me because the person knows their target audience.

They're going for developers and the likelihood is they're more likely to be on a Linux or macOS machine.
GRAHAM CLULEY
There's certainly a lot less which is written for Mac and Linux, isn't there, than there is for Windows.

If you look at the millions and millions of pieces of malware which are being written.

And so I think you are more likely to encounter antivirus software, for instance, on a Windows computer than you are on a non-Windows computer.

I wonder if that was also a reason why maybe Windows was ignored.
ZOE ROSE
It could be. I kind of feel it's probably because the target audience is these developers because they're targeting repos that the people have.

So they're going into their account, they're seeing, okay, what repositories do we have? What secrets do you have here? What can I republish?

What can I then compromise and cause further issue to other people or other systems?

So the target audience are probably more likely to have Linux and Mac, but you're also right in the sense that how many Mac users have you said, do you have antivirus?

And they're, what? No, I have a Mac.
GRAHAM CLULEY
So what should developers be doing to counter this, to make sure that they're not spreading on the infection, or if they have found it, to clean themselves up?

What should the steps be?
ZOE ROSE
Yeah, well, I'm going to push it on the company, not just the developers. I mean, the one thing I flagged is automation is super useful, but it also offers threat actors.

So don't count on it being, oh, well, I'll know and I can stop it in time. No, you know, expect that if your system is compromised, you need to react very quickly.

Supply chain attacks, again, are not going away. Threat actors want a return on investment.

So I think integrity checks are very important, making sure that you know where your dependencies are, what they're doing, and what they're supposed to be doing.

You need to know your baselines, right? And also that point that everybody says is, oh, keep things up to date, always update. Well, okay, I'm gonna have an asterisk there.

It is important to keep things up to date, but when it comes to dependencies, you need to be very careful there because what happened here is these packages were compromised and they were also updating to wherever people were making use of them.

And so they were also updating a compromised package. So, yes, update, but validate first.

If you have dependencies, maybe do a couple versions, a version behind or something, or have a robust process to validate that it isn't doing something naughty before installing it into production.

So, I can't remember how long these packages were live, but it wasn't an excessive amount of time, if I remember correctly.

So, having that approach would've theoretically stopped it from being successful for you to install that compromise package.

And then detect possible compromise, they said users are advised to check for new repos or branches. So, you know what you're doing, you know what actions you've taken.

If you don't remember it, it probably wasn't you. So make sure in this specific case, make sure that you recognize all the actions that were taken.

Additionally, they also say you should check for public repositories called, oh, for goodness sake, I'm gonna say this wrong, Shai-Hulud or Shai—
GRAHAM CLULEY
Shai-Hulud, I think.
ZOE ROSE
Shai-Hulud.
GRAHAM CLULEY
That's my guess. Listeners, don't us if we got it wrong.
ZOE ROSE
I apologize. Shai-Hulud Migration, I think was the other one. That also contains your organization's name. Review your audit logs, look for any suspicious API calls.

That's what the researchers specifically recommended.
GRAHAM CLULEY
Right, cybersecurity. Bit of a faff, isn't it? Everyone nods along in the board meeting, then quietly hopes someone else is dealing with it while they go and put the kettle on.

Well, that is where Vanta comes in. Think of them as your mate at school who actually did their homework and then lets you copy it.

They'll help you get things like ISO 27001 sorted without the headaches. And they don't stop there. SOC 2, GDPR, HIPAA, even the shiny new ISO 42001. Vanta's got you covered.

Instead of drowning in spreadsheets and tick box questionnaires, Vanta automates the boring bit, centralizes your security workflows, even helps you manage vendor risk, meaning you can spend less time panicking about audits and more time worrying about what really matters.

Like whether you've run out of biscuits in the canteen. And here's the clincher. Because you're a Smashing Security listener, Vanta's offering you $1,000 off if you book a demo.

You can't say fairer than that. So go on, give yourself a break.

Head over to vanta.com/smashing, take the demo, claim your discount, let Vanta deal with all the dull compliance grind.

Vanta, the first ever enterprise-ready trust management platform. One place to automate compliance workflows, centralize, and scale your security program.

Learn more at vanta.com/smashing, and thanks to Vanta for supporting the show.

How many SaaS applications are your colleagues using right now?

If you can't keep count, don't worry, you're not alone. SaaS sprawl and shadow IT are everywhere. And that's where Trelica by 1Password comes in.

Trelica discovers every app in use across your company, whether it's officially managed or someone quietly signed up for it with the company credit card.

Trelica by 1Password gives you the tools to assess risk, manage access, and enforce security best practices across the board. No more abandoned accounts just waiting to be hacked.

No more paying for licenses that nobody uses. No more scrambling when an employee leaves and you're not sure what they still have access to.

With Trelica, you can securely onboard and offboard staff, reduce unnecessary costs, and stay on top of compliance. Now, I've used 1Password for years.

I love how it takes the headache out of security. And now with Trelica, they are tackling one of the messiest problems in modern IT, SaaS sprawl.

Trelica by 1Password is trusted by businesses of every size, and it's backed by 1Password's rock-solid security. So what are you waiting for?

Take the first step to cleaning up your SaaS landscape, secure credentials, and protect every application, even unmanaged shadow IT. Learn more at 1password.com/smashing.

That's 1password.com/smashing.

And welcome back. And you join us at our favorite part of the show, the part of the show that we call Pick of the Week.
ZOE ROSE
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like.

It doesn't have to be security-related necessarily. Now, my Pick of the Week this week, well, actually, I haven't got a Pick of the Week. What? No. That's rubbish.
ZOE ROSE
I've got, well, excuse me, it's my podcast, not yours.
GRAHAM CLULEY
Instead, I've got a nitpick of the week. Because sometimes something comes along and I think, well, that's terrible. What an awful thing.

Now, I'm grateful to say that this has not affected me personally, but it has affected other people on the internet.

Because some people somehow accidentally spent $2,000 on a smart fridge. Now, I already think that was a bit silly, wasn't it?
ZOE ROSE
I already know where this is going.
GRAHAM CLULEY
People have been paying thousands and thousands of dollars for Samsung smart fridges. And these fridges have been updated.

And the update has meant that you are no longer able to opt out of adverts on your flipping smart fridge. I'm not sure why anyone would ever buy a Samsung device in the first place.

Their TVs can be just as bad at trying to inject ads to you.

But yes, so someone up on Reddit posted an image of what is actually appearing on people's screen, warning them that they're now going to be having ads playing inside their kitchen all the time and not being able to stop them.

And I just don't know why firms are doing this.

I mean, can the meager amount of money which Samsung is making from these ads be worth the damage which is done to their reputation and customers?

Who will go out into the streets and start screaming at the top of their lungs, never ever buy a Samsung smart device because at some point they will make it display ads.

By the way, I'm sure this isn't just a Samsung problem, but they will do for today. So I think it's awful.
ZOE ROSE
I think it's normalized. Prime also started showing ads and you have to pay more to not get ads on Prime.
GRAHAM CLULEY
Well, you know, that's fair enough, you know, but—
ZOE ROSE
No, not fair enough. That's rubbish.
GRAHAM CLULEY
No, no, no, no, no. I think, I think, excuse me, I think it is fair enough.

You can decide whether you want to fill Jeff Bezos' pockets every month or Walt Disney, well, it's not Walt Disney anymore, or which of these streaming, there you are paying month to month, right?

And you're saying, yes, I will give you my $12 or whatever it may be. And I don't know what it is now.

I have no idea because I've cancelled all those streaming services myself because I hate the billionaires. But you could do that.

And if they say, well, you can carry on paying us, but you're going to get slightly worse quality, or you can pay us even more and you'll get ad-free, that is a decision you can make.

However, if you spend $2,000 on a fridge, you expect it to be a flipping fridge and to not change.

You do not expect to have to pay a subscription for the fridge, and you do not expect them to basically change the deal having bought the fridge and say, well, no, actually, this thing which you bought is now going to do something you never wanted it to do in the first place.

I think that's the difference.
ZOE ROSE
I am not surprised though. I'm not surprised because everything is moving towards adverts. I mean, I literally, I bought a telly, but I purposely did not buy an actual telly.

I have a display basically. It is not intelligent. It plugs in. I mean, don't get me wrong, there are limitations. It's not the best in the world.

So if you're really, really critical about high-quality cinema, you probably wouldn't use it.
GRAHAM CLULEY
Anyway, Samsung, you and your smart fridges. I love it. You are awarded my nitpick of the week. Zoe, what's your pick of the week?
ZOE ROSE
Well, mine is a pick and a nitpick actually at the same time.
GRAHAM CLULEY
Oh, well, hello.
ZOE ROSE
I like that word. So my pick of the week is a Bosch cordless multifunction tool.
GRAHAM CLULEY
Hang on, what is a Bosch cordless multifunction tool? Is it like a Swiss Army knife? What is it?
ZOE ROSE
It is a power tool that you can put on so many different heads that it can do so many different things. It has a little tiny sander if you want to get in the really tight corners.

It's got things you can cut wood with, things you can cut metal with, all these different attachments. It is small as well.

So if you're someone like me who, I mean, I have a house, so I've got little renovations I've got to do here or there, but I'm not a professional tradesperson, so I don't really need a million different tools, right?

I can get by with small things here and there.

This one was actually quite useful for me because I'm currently trying to get carpet glue off my stairs, and that is a bloody nightmare.

And so this tool was really good for basically scraping it off and then I could sand it down. And then I also can sand down the tight corners.

I could cut the, in the garden, I have to do some gardening. So it's cutting the very thick branches because I want not a tree, but a big bush. So it's been really helpful.

My nitpick of it is it is Bosch, so it does not have the greatest battery, but I think they have the standard battery so you can use other branded batteries, I'm pretty sure.
GRAHAM CLULEY
Does it display adverts to you while you're—
ZOE ROSE
It does not. It is not intelligent. Which brings in the whole, if you're clumsy, don't use it because it does not have a safety.
GRAHAM CLULEY
Oh.
ZOE ROSE
Yeah.
GRAHAM CLULEY
It's not for me. I'm quite clumsy.
ZOE ROSE
Fair enough. I would not recommend it if you have young children around. I wouldn't recommend it if you've got an annoying pet.

I wouldn't recommend it if you are clumsy, because you turn it on and it does not turn off until you turn it off or the battery runs out.
GRAHAM CLULEY
Oh.
ZOE ROSE
So yeah.
GRAHAM CLULEY
Some serious damage could be done with it.
ZOE ROSE
Yes, but it is super useful.
GRAHAM CLULEY
Alright, but it's the Bosch Cordless Multifunction Tool.
ZOE ROSE
Yeah, I loved it. I loved it. Unfortunately, I did get it off Amazon. I know, I know, but I just, it was the only option and I needed something.
GRAHAM CLULEY
Come on, Zoe.
ZOE ROSE
I know, I know, judge me all you want.
GRAHAM CLULEY
I am.
ZOE ROSE
That is a fair point, but yeah.
GRAHAM CLULEY
Never mind. It's still your pick of the week. And that just about wraps up the show for this week. Thank you so much, Zoe, for joining us.

I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way to do that?
ZOE ROSE
Check out my website, rosesec.com, or I'm most frequent on Bluesky or LinkedIn, but I'm not that frequent, to be fair. So my website's probably better.
GRAHAM CLULEY
And of course we are on social media as well. You can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Bluesky.

And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

For episode show notes, sponsorship info, guest lists, and the entire back catalog of 436 or so episodes, check out smashingsecurity.com. Until next time, from me, cheerio, bye-bye.

Bye. You've been listening to Smashing Security with me, Graham Cluley, and I'm grateful to Zoe Rose for joining us this week.

And of course, to this episode's sponsors, 1Password and Vanta, and to all of the chums who've signed up for the Smashing Security Plus over on Patreon.

They include Elbow, Orboros, G'don, Bobby Hendrix, Jamie Forster, Nate M, Nigel Scott, Roy Tate, Steve Lupton, Jay, Khajitan Kazmrrsh, Ask Leo, Sean, Dr. Herbalist, Yuri Taraday, Justin Dale, Lisa, Andrew Davison, Amanda, Matt Cotton, Ryan Houle, Mark Norman, Bravo Whiskey, Robert Martin, and Bree Bustle.

If you'd like your name to be read out from time to time on the credits at the end of the show, well, that is just one of the pleasures of signing up for Smashing Security Plus for as little as $5 a month.

You get your name read out every now and then, as well as early access to Smashing Security episodes, and your episodes of Smashing Security won't come with any adverts, so you may well like that.

Now, I realize that times are tough for many people, so don't feel too bad about not being able to support the show financially. You can support us in other ways.

So subscribe, give 5-star reviews, all of that stuff which social media people are always saying to you.

Or just, you know, be really old-fashioned and go up to someone and say, hey, I say, old fellow, have you tried the Smashing Security podcast?

Maybe grab their phone from them from their hands and subscribe to the podcast on their behalf. Actually, maybe you should ask permission first.

Whatever it is that you do, it's all really, really appreciated. I'm very, very grateful indeed that anybody listens to these podcasts, let alone supports them. So thanks very much.

Well, I will catch you again next week when we'll have yet another guest. So until then, cheerio, bye-bye.

Host: Graham Cluley

Guest: Zoë Rose

Episode links:

Sponsored by:

  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • Trelica by 1Password – Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps – whether managed or unmanaged.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
