Heads up, listener discretion is advised. This story contains depictions of abuse, including self-harm and exploitation of minors. I think a good way to understand this story is to start with the concept of lore books. In certain very dark corners of the internet, lore books are a kind of currency. They're how members join, they're how they earn status, they're how they move up. A lore book is a collection of files, photos, videos, and screenshots documenting harm.
Sometimes physical, always psychological. These are unfortunately some specific examples. A lore book might contain photos of a person cutting a username into their skin, a pet being harmed, or a victim being coerced into something explicit. The more extreme the material, the higher its value inside of these groups. That's a lore book. A portfolio of evidence of abuse.
I think we're all unfortunately aware that there are dark corners of the internet that exist where this kind of exploitation is produced, traded, and consumed. But in those communities, the abuse material is kind of the end goal. It's the product. It's a marketplace for that kind of thing. What makes this weird is that in groups like 764, which is what we're talking about today due to some recent arrests, the abuse isn't the entire point. It's more like a tool.
kind of a mechanism used to manipulate, to initiate, to radicalize, and to indoctrinate someone into joining what's basically a cult. 764 is a decentralized online abuse network where members coerce mostly minors into acts of abuse, self-harm, and violence, and then trade that content as a digital currency. It started on Discord, it spread to Telegram, Roblox, Minecraft,
And while it might look on the surface like a grooming ring, which it is, its structure operates more like an online extremist movement. One that builds loyalty through obedience, tests boundaries through cruelty, and rewards participation through this really rigid hierarchy.
To give a little bit of evidence that we're dealing with something different here, the FBI has now opened more than 250 active investigations into 764. And federal prosecutors are beginning to treat the network not just as a child exploitation ring, but as a domestic terrorism threat due to the extremism and cult-inspired structure it has. It's happening in the US, Canada, Romania, Germany, the UK, Turkey. Victims have been identified across three different continents.
And as dark as it is, I think this story would still land within our wheelhouse as it stands. But here's where it starts to get really odd. This isn't actually the first time we found ourselves circling this group on this show. We just didn't know it at the time. 764 is a small part of a broader ecosystem known as the comm. It's a loose network of cyber criminal cliques that includes like SIM swappers, data brokers, social engineers, classical, just cyber crime, nothing to do with harm or abuse.
many of whom have been tied to really high-profile attacks that we've covered on this show. The comm, and again, this is not 764, but the larger org, was tied to the MGM Resorts hack, the Snowflake breach, attacks by groups like Lapsus and Scattered Spider. 764 is an online harm cult. Those are cybercrime groups. Some recent reporting from spots like Krebs and Wired has revealed that at times throughout that history, it was the same people in both.
And that overlap kind of really matters because what we're starting to see now is a growing intersection between cybercrime crews and this harm-based extremist model. The circles of the Venn diagram aren't touching too much, but the fact that they're touching at all is alarming. People using extortion tactics developed in cybercrime forums to recruit victims into this cult-like environment.
In April of this year, two alleged cult members, Leonidas Vargyanis, a U.S. citizen living in Greece, and Prasan Nepal from North Carolina, were arrested and charged with running one of the group's most violent subgroups, which is why we're talking about it now. So let's dig into it. The rise of 764, from a teenager's Discord to a global cult of digital abuse, and the growing convergence between online harm, radicalization, and cybercrime. Here on Hacked.
How you doing, Scott?
Pretty good. Pretty good. This story sounds like it's going to be pretty intense, but I am good. How are you doing? I'm doing okay. I definitely spent quite a bit of time reading about a pretty dark thing, but it's an interesting one and it seems pretty important. I'm intrigued. Obviously, you know that stuff like this exists on the internet. You know that there's dark souls out there. Not the game reference, but no. Yeah.
people reference. There's dark souls out there and there's like corners where those dark souls hide in the internet. So you kind of have a gut check that like if there's something that could happen on the internet, it probably is happening on the internet. I'm fascinated by the overlap to cybercrime. That's where it gets me because to me those two things don't typically go together. Like to me, you know, to me young cyber criminals are
hackers or people that I assume are problem solvers and interested in challenges and overcoming things. And they're kind of pursuing it from that angle. I don't see them. But I guess in every bell curve, there's three standard deviations from the mean either way. So it's like if a community is large enough, you can assume that there's representation from every other community inside of it. I think that's a good way of putting it. Yeah.
In order to do a lot of the stuff we cover on this show, in order to be a problem solver, a hacker, a puzzle kind of cracker, you have to be willing to break things. And there's always, say, 95% of people are willing to break something in order to do that goal. We've kind of seen stories like this where 5% of them are in it for the breaking. I think what this is, is that same ratio, but maybe seen on the social engineering side.
Where more often than not, people are willing to manipulate, betray trust, but it's normally part of a larger project. The betraying of trust and manipulating people and getting control that way isn't the end, it's a means. And I think what we're seeing here is like, well, what if a community spun up where that was the end? That was the thing they were trying to do was the social coercion. There was no point to it other than the control. Yeah, so I guess to...
To carry on the analogy of breaking into things and breaking things, maybe you're just figuring out how to break humans, which is kind of what it sounds like. There's been some really good reporting on this. Wired has done a bunch, Krebs on Security has done a bunch. He was really who made the connection between this group and the comm, which again, to be clear, is not a harm group, this is a cybercrime group that has connections to this.
But CBC did some really good reporting and to your point, what they found was that the reason this is going after minors is mostly just because they're easier to manipulate and to break. Sure. The minor is almost incidental. It seems like if they could be doing it to adults, they would be. It's more about can you trick a person and dominate them in that way remotely over the internet. And kids are just an easy target and this is not a cool group of people. Yeah.
I feel like that's such a, I don't know. I was at the mall yesterday and I firsthand saw teenage angst. It's not often around me. I'm not often surrounded by minors. But I went to the Apple store to pick something up and got the firsthand display of teenage angst all around me. Yeah.
And I remember those days. I remember junior high, high school. I remember your biochemistry is all messed up and everything's the most important thing. And the funny thing is, when you get old like us, high school, junior high is such a tiny little fraction of your life. But when you're in it, it feels so important, especially because you're biochemically kind of messed up.
You're vulnerable. You're vulnerable, totally. You're really vulnerable. Yeah, it makes things like social engineering a lot easier. And then as we've seen in, again, social engineering and cyber crime contexts, there's like a compression of sunk cost, where you're already two steps into something and it feels like I've already come so far. It's like, no, you've just been on a phone call for 10 minutes. You can hang up, you can back away. You haven't, you're right where you started.
But when you're young, that's accelerated. And then when these groups slowly start to bring people in and indoctrinate them with increasing levels of, well, you've already done this. Now you've already done this. There's a little bit of a cycle that starts to develop. So like I said, we're going to talk about this. Then we're going to take a break. Then we're going to talk about some other stuff on this episode brought to you by Push Security.
So in April, U.S. law enforcement arrested two men accused of leading a group called 764 Inferno, which is a faction of 764, Leonidas and Prasan, who I mentioned. According to statements from the Department of Justice, both men helped direct operations targeting minors using blackmail and extortion, helped create and distribute these lore books, these graphic packages of evidence of abuse, etc.
traded this content inside of these communities to build credibility and to recruit other people into it. The DOJ has labeled this a, I find this interesting language, it's a nihilistic violent extremist network, which is not language that is normally used in these kinds of cases, but is very seemingly accurate to the group's tactics and ideology. The FBI's counterterrorism division is now looking into it.
It's driven, it looks, there's a good quote from Alison Nixon. She's a researcher at Unit 221B. It's a comm-related crime wave that's driven by a small, small number of highly prolific actors. So arrests seem to work because this isn't a huge crew of people, but they are doing this so aggressively and spending so much time in it that there's a relatively small number of people that seem to be behind it. So as I mentioned in the intro,
There's this larger digital ecosystem called the comm. It's an umbrella term that encompasses a bunch of different organizations. A lot of them are just doing cybercrime, data brokering, SIM swapping. But then it starts to intersect with these other groups like cult and courtly society. And I wouldn't even get into all of their names because the names alone are gross. But there's just overlap between these two different groups.
The overlap became especially clear in the aftermath of the 2023 ransomware attack on MGM Resorts carried out by ALPHV/BlackCat. A 17-year-old British hacker using the handle Holly claimed credit for the intrusion, and pretty quickly researchers started discovering that the same Telegram account was active in the 764-linked harm channels, where Holly was actively trading these lore books, which is how we started to see some of these connections. And I think
Can you explain the comm to me? Like what makes up the comm? Krebs has a really good answer to that, I think. I'll just quote him here. "Collectively, this archipelago of crime-focused chat communities is known as the comm, and it functions as a kind of distributed cybercriminal social network that facilitates instant connection. But mostly, the comm is a place where cybercriminals go to boast about their exploits and standing within the community or to knock others down a peg or two."
Hmm.
There are action figures. It's a whole thing, the comm. It's an online community. Social network seems like a good term for it. Like a criminal, a dark criminal, I guess it's like a modern manifestation of the dark web. Totally, yeah. With like a dark criminal social network. Yeah, gamification and points and clout. Yeah, chirping each other and bragging and someone else brags back so you get mad and you go, it's exactly that.
So 764 particularly starts with a guy named Bradley Cadenhead. He was a teenager from Stephenville, Texas. He was a troubled guy. Cadenhead founded a Discord server in 2020 named after his zip code prefix 764.
He used aliases like Felix and Brad 764 and created the space where people, obviously minors based on the context, were lured into the community through Minecraft, Roblox, and gradually coerced into increasingly extreme acts, which they were told to document and share there.
Cadenhead was finally arrested in August 2021 after Discord flagged him 58 times for uploading abuse material. When police seized his phone, they discovered dozens of abuse files and images of his username literally carved into people's bodies. In 2023, he was sentenced to 80 years in prison. 764 is Stephenville, Texas. When I first heard the group name, the first thing I did was convert it to letters. Like so many things are like...
Yeah, sure. Yeah, 764 is GFD, which could mean anything, but I was intrigued to hear that it was based on an area code because I thought it would be something more subversive. Yeah. It's also not good operation. I'm glad it's not good operational security. This person should not be in the public domain.
And I would imagine that that probably helped lead to his arrest at a certain point. But a postal code isn't exactly on the down low. Exactly. I'm looking up how many people live in Stephenville, Texas.
And there's 20,000 people. It's actually a pretty small pool. Yeah, yeah. We've narrowed it down. Yeah, 100%. And there's a lot of traffic coming from this one house. So Cadenhead gets arrested and a bunch of new people from the community sort of level up into being leaders.
There's recurring motifs here, and I think you can kind of see it in the larger manifest of this, which is like there isn't really... The point of the cult isn't a charismatic leader. The point of the cult isn't a story about what's going to happen to the world. The point of the cult is that we use sadism and harm to control people. It's like a nihilistic kind of philosophical group. And as such, other nihilistic philosophies seem to be drawn to it.
Duck/Gore Butcher, otherwise known as Angel Louise Almeida, who was also arrested, a Florida man with a violent criminal history, a devoted follower of the Order of the Nine Angles, which is a satanic neo-Nazi cult. It's very interesting to see what other groups are drawn into this. When he was arrested in federal detention, Almeida managed to post from a contraband phone and threatened a courtroom full of people saying, quote, when I get out of here, I'm gonna kill all of y'all.
Sure. Yeah. Just a Cracker Jack crew of folk. Maybe it's my own innocence, but I'm learning so many words right now. I know. And I'm leaving most of them out. That's the really wild thing. I have my notes, and they're made up of a bunch of different documents I had the unpleasant experience of reading. And I'm leaving out...
Again, if you want full kind of, not gross detail, but if you want to really understand this, Krebs' coverage was admittedly very, very good. Wired has done some great work. And there's a 40-minute CBC doc on it that is worth watching. It's a rough watch. Crazy. I'm just like reading about cut signs. Yeah. So let's jump into that then. Why don't we? Why don't we? Because I've unleashed dishonest.
Hopefully everybody's having a great morning out there. Yeah, I hope y'all are doing good. Yeah, that was, yeah. So like you mentioned, there's cut signs, so let's zoom out a little bit on that. A gamified abuse cult is a pretty good way of understanding this. There's social status gained through coercing people into these like increasing levels of brutality and then getting them to post it. And those tools, as part of this, like we talked about lore books a little bit.
Fan signs, which is their sort of internal language for photos and videos documenting these different acts of like... Abuse. Abuse. Corruption. And then cut signs, which is, as we have alluded to multiple times, the act of carving a username into someone's body. Or doing it to yourself to prove...
That you've been completely manipulated and are part of the... Which is the sort of escalating levels of obedience that are asked by the structure. Typically, in a few cases, and we'll talk about this, result in people then being asked to... Well, the next act of obedience isn't showing what you'll do. It's getting someone else into this. Totally. It's pyramid scheme. It's pyramid scheme stuff. It's cult structure. It's all the exact same psychology. It's that once you've social engineered one person...
Can you social engineer them into social engineering three other people? And the thing kind of continues downward forever. Luckily, luckily is the wrong word. There's a, a brittleness to this because the harm is so extreme that it simply can't spread in the way that certain things would. Most people just won't cut a username into their body. Most people won't just document something that horrific. Which again is why I think minors are targeted. So I read Helter Skelter as a kid.
A book about Manson. Manson Cult. And I can't help but feel like this is some modern day dark reincarnation of that. 100%. And that used aesthetics of cultural...
for like evil and danger. Like there was a, like an edge lordiness to it. Like you got to talk about the devil and Nazi stuff because that's the scary stuff. And it's like, is it relevant to this? It's like, it's, that's not relevant. It's that it's the scary thing. It's the darkest thing we can think of. And that's kind of all part of it. And it's why you see someone like Gore Butcher wearing his satanic neo-Nazi cult shirt and
And that's the best of his shirts. I'm not even joking. There's worse shirts implicated. You've seen his closet. His closet is part of his evidence. There's literally like two garments of clothing mentioned in the court documents. And the satanic neo-Nazi one is the more tasteful of the two. So we're talking about this because there were these two most recent arrests. We've already talked about a series of other arrests that have taken place. It's still going. There's dozens of these channels still active on Telegram.
reporting on Discord banned 130 groups with 34,000 accounts in 2023. There's still, researchers are finding stuff on Instagram and Meta platforms that are connected to this. SoundCloud weirdly has, is hosting playlists that seem to reference like
764 lingo. And then Roblox and Minecraft still seem to be the top of the funnel for bringing people into this. It's just a concentrated pool of minors hanging out that you can go to and bring over. Great way to repurpose business development sales lingo.
The top of the funnel. It's like, oh, we use Roblox. Tons of vulnerable 12-year-olds in there. To do what? We move them from there into Discord where we re-socialize them. And then we advance them. The ones that are willing to advance in the queue, we get them into the private Telegram channels. And yeah. Then we document. Harm.
Their journey. Their user journey. Their user journey. So it seemed relevant because of A, that connection to the comm, the larger cybercrime hacking group, and the fact that these two larger figures, Leonidas and Prasan, were recently arrested. They were, according to the U.S. Department of Justice, directing and managing operations for 764 Inferno, just one of these subgroups.
They were actively on the ground targeting minors, distributing this material, compiling and trading these lore books. Nepal was arrested in North Carolina on April 22nd. Vargyanis was arrested in Greece on April 29th. The U.S. is currently working on his extradition at the time of recording. The FBI affidavit described both men as core figures in the ongoing structure of 764.
It also references their leadership role across not just that group, but multiple different platforms. They were doing this, I can't say that they were doing this full time, but they were actively organizing across Telegram channels and Discord channels. They were in the games themselves. It's an extension not just of these online communities where social engineering is prominent, but the same kind of thing. I think you were right to bring up Manson, where this nihilistic, violent extremism was
How does it live online? What does it look like in a modern digital context? And it seems like the answer to that is something like 764. Great. Yep. I feel like I don't normally feel like we need to do any kind of public advisory warning-y type thing, but this one seems heavy enough. Sure. Yeah. If you think this could be happening to someone in your life and you're in the States, tips.fbi.gov.
988 suicide crisis hotline. You can call or text. There's 988lifeline.org. Like if you know someone and you think they need help, please, please try and help. I would imagine that any parent watching this show knows the importance of maintaining a like tech literacy parity with your child, which is tough, but increasingly pretty important. But I think this is also just a really good reminder of that is that you should probably, uh,
you should aspire to know as much about the internet and technology that your kid is using as your kid does. And I know that's not always possible. It certainly wasn't possible when I was a kid. But it's still a pretty dang good idea. Yeah, no kidding. I'm surprised, and this is going to sound terrible, but I'm surprised that the police forces are
and with it enough to engage. I kind of have a perspective on police, which is maybe not accurate, but I don't see them like the Canadian police, the RCMP, American police, and state troopers. I get that the FBI and the NSA and the CIA and Canadian Secret Service have more tech literate departments,
But for general policing, I'm kind of surprised that they actually have the competency to rip through this. But I guess nowadays, I think back to our campus ethics. Remember when we talked about monitoring of social media by campuses to make sure that they knew the ongoings? And I guess Telegram is probably that new thing.
not for campus protests, but for everything on the internet. You need to be monitoring Telegram channels to see what's going on, what's being planned, what's being discussed. Every group that I can think of that's, I wouldn't call them extremists, but I'll say that they have moderate to extreme views. If there are two standard deviations either way on the bell curve, uses Telegram as a communications platform.
So it's like I imagine the policing and law enforcement departments have really grown their ability to track and monitor Telegram. Yeah, I think the dedicated cybercrime divisions inside of law enforcement are definitely a growing thing. Like I think just a lot of crime takes place on the internet. And then the other thing I would attribute to this is that when you think about like
The thing about trying to keep an online physical abuse, nihilistic death cult secret is that there tends to be a lot of physical evidence of it. Like you have kids with like, again, it's dark, but it's like you have kids with like self-mutilation and dead pets. It's like, there's simply signs that something is wrong. And if all of this happened in a bedroom with a computer and a phone, it's like, yeah, it's
There's evidence. Not even that. That evidence is then collected, categorized, and put into lore books, which are essentially legal evidentiary portfolios. It's like a dossier of evidence. Literally, a portfolio of evidence, I think, is how we describe it in the introduction. It's evidence of a crime that took place, but in a weird way, the victim...
The perpetrator of some of the crime is also very, I mean, a much realer sense of the victim. Yeah, yeah, yeah, yeah, yeah, yeah. Yeah. Which gives it that culty vibe. It's extremely. The Manson vibe. It's a heavy one. So we're going to go do some ads now. And then we're going to shake this off. And then we're going to talk about something completely unrelated. I almost feel like we should flip the episode. Yeah. But this is the end story because it is so heavy. Yeah.
Now we're going to talk about this. Now we're going to talk about library vulnerabilities in popular software. It's going to be much more chill, much more fun. Because I don't have the editing capacity to flip-a-roo this whole episode. So we are going to lead with the giant downer, probably. Hopefully you're still here. Hopefully you're still here. And we'll see you after the break. Identity attacks. Phishing. Credential stuffing.
Session Hijacking. Account Takeovers.
Push changes that. They built a lightweight browser extension that observes identity activity in real time, gives you visibility into how identities are being used across your whole organization, like when logins skip multi-factor authentication, when passwords are reused, or when someone unknowingly enters credentials into a spoofed login page.
Then when something risky is detected, Push can enforce protections right there in the browser. No waiting, no tickets. And it's not just about prevention. Push also monitors real-time threats like adversary in the middle attacks, stolen session tokens, and even new techniques like cross-IDP impersonation, where attackers bypass single sign-on and multi-factor authentication by essentially setting up a fake identity provider for your company.
The way to think about it, it's kind of like EDR, but in your browser. Team behind it, they're all offensive security pros. They publish some of the most interesting identity attack research out there, like the software as a service attack matrix, which breaks down exactly how these kinds of threats bypass all those traditional controls. Identity is the new endpoint and Push, our proud sponsor Push, is treating it that way. Check them out at pushsecurity.com.
ED is a real thing. And if it's getting you down, you need HIMS to help your confidence and other things get back up. HIMS provides access to treatments that can help you stay hard and last longer. So you can be ready whenever the mood strikes.
HIMS is changing men's healthcare by providing you with access to affordable sexual health treatments from the comfort of your couch. HIMS provides access to a range of doctor-trusted ED treatments like chewable tablets, Viagra, and Cialis, and their generics for up to 95% less. The process is 100% online. There's no uncomfortable doctor visits.
Just fill out an intake on their site and a medical provider will determine the right treatment option. If prescribed, your medication gets shipped directly to you for free. No insurance is needed and one low price covers everything from treatments to ongoing care. With hundreds of thousands of trusted subscribers, HIMS can help you find the ED option that works for you.
Start your free online visit today at HIMS.com slash HACT. That's H-I-M-S dot com slash HACT for your personalized ED treatment options. HIMS.com slash HACT. The featured products include compounded products which are not approved nor verified for safety, effectiveness, or quality by the FDA. Prescription required. See website for details, restrictions, and important safety information. Price varies based on product and subscription plan.
The Hoover Dam wasn't built in a day. And the GMC Sierra lineup wasn't built overnight. Like every American achievement, building the Sierra 1500 heavy-duty and EV was the result of dedication. A dedication to mastering the art of engineering. That's what this country has done for 250 years.
and what GMC has done for over 100. We are professional grade. Visit GMC.com to learn more. Assembled in Flint and Hamtramck, Michigan and Fort Wayne, Indiana of U.S. and globally sourced parts. As a contractor, I don't pay for materials I don't use. So why would I pay for stuff I don't need in my mobile plan? That's why the new MyBiz plan from Verizon Business is so perfect. Now I can choose exactly what I want and I only pay for what I need.
Right now with MyBizPlan, get our best price as low as $25 a line. Visit verizon.com slash business to get started today. Price per month with five plus lines. Includes auto pay and paper free billing and special intro offer discounts. Taxes, fees, economic adjustment charge and terms apply. Offers end June 10th, 2025. Yeah, so the thing I want to talk about is supply chain attacks into software libraries and packages that people are using in the development of their software applications. Okay. Yeah.
Does that make sense? I think so. When people are developing software, they're using these pre-existing packages, these third-party libraries, and it's a supply chain attack into that thing. Correct. Take me through it. If you're using Python, a big part of using Python is it has all these packages you can install, the Python package index and pip index.
is a way that lets you grab chunks of source code that are containerized to do a specific thing that your application needs to do. So instead of you writing all that code, you can just grab these packages to facilitate it. Same thing with Node. There's a package manager there called Node Package Manager NPM or PNPM if you're using a better one.
But essentially there's boatloads of open source source code that gets included in tons of production systems. It's something like 80% of most contemporarily developed program systems, 80% of that code is coming from packages that they're including. So it's become a target. It's become an attack vector. So a lot of nation states, especially North Korea, have been looking at and compromising or
publishing their own packages for very basic things that they know a lot of users are going to want to do. And inside of that code package is malware, a remote access Trojan, crypto thief, username credential grabbers, you name it. Okay, so just so I understand here, when we talk about, so the malware comes, someone has hacked one of these third-party packages.
- Just so I understand, is the goal to hack the developer that's using it or is the goal to get the compromise into the software that the developer is shipping out into the general public? - Correct. The second one. - The latter. - Oh, that's worse. That's the worst one. I ordered them in escalating worseness. - You can do it both ways, but typically it is the latter way. The bigger impact is to have it in the latter.
So this just happened again, which is what threw this into my eyes. So in just this month, actually, a package, rand-user-agent, was compromised and included in it was a remote access Trojan. So like a full-blown Trojan to get remote access to people's computers was embedded in specific versions of this package. Okay. And just so I understand, something like rand-user-agent, broadly speaking, what is that?
So when you do a web request to a web server, it comes in with a user agent. And essentially this package, I think, allowed applications to generate random user agent keys. So like when you submit a request or like a web server retrieves a request, it also tags it as what the user agent token is. And usually it's like Chrome, Mac, like you've seen them before, guaranteed. Okay.
This was a package to facilitate doing that. I think the package had been deprecated so the lead developer that had built it had just walked away from it. He wasn't maintaining it and somebody grabbed the maintenance of it and then immediately stuffed a RAT in it, a remote access Trojan.
Sure. I'm slacking you an XKCD comic that this reminds me of, which is just one illustration, and it's this mountain of Lego brick-shaped things.
and it says, all modern digital infrastructure. And then the whole thing is being held up by this narrow, skinny little brick labeled, a project some random person in Nebraska has been thanklessly maintaining since 2003. And I'm reminded of that in this. That is modern software development. Open source software dev and package development and library development is tons of that. It's boatloads of people tirelessly building a specific library that allows for specific things and then...
You get GitHub stars for it. That's the social media clout. It also means that I spend 60 hours a week maintaining this thing for free so that all of these companies can utilize it for profit.
Oh, I have so many questions. Ask away. But that's the like, oh man, I'm really reticent to connect this back to the first story, but like what a positive use of the gamification of the desire for clout. Like in a positive way, like clout doesn't even really feel like it captures it. It's like you genuinely want to come like contribute to something positive in the world and help people make things. Yes. Okay. So these third party packages, right?
This scaffolding for modern technology is becoming a new attack vector for getting people into it. And I, for getting into people's systems and then getting disseminated out into the world. What, like without just rethinking how software development happens, which seems like it's quite dependent on these things. Very. How do you, like, what is the, what then is the answer? Like, is it just be really, really careful with all of your dependencies? Like, is there an answer to this or is it more of just a warning?
I think if you're a big, if you're a commercial enterprise that makes commercial products, you're probably pinning certain versions of it. Maybe you get this package or probably a bunch of packages and you're taking them at a specific version, like 2.1.8 or something.
You've done a code review of it to make sure. In an ideal sense, you've done a code review to make sure there's no remote access Trojan embedded in it. And then you're consistently from that moment on maintaining your own fork of that package. So fork is a term that means you grab the source code at that point and you take ownership of it for yourself. So now that it's integrated into your system,
you're going to be the one that maintains that package's source code. Oh, I see. You take a little bit of accountability for the dependency in a weird way. Because the other thing is, if your system depends on
some package and the package maintainer decides to change the entire programming interface for it and you just have it auto-updating in your build script, it could just shatter your system. Good code, good CI/CD.
And good maintenance and security protocol would be to probably take a snapshot of the code base from that library, review it, and then consistently maintain it for yourselves. But again, that's a lot more work than just letting the guy from Nebraska toil over it.
Keep supporting that one Lego brick. Your question's interesting because it's like one of the most notable of this style of attack actually happened. It was one of the first ones in 2018. And there was a widely used node package called EventStream, approximately 2 million downloads per week. So that shows you the scale of development activity that was being used on it. And the main maintainer and the person that developed it just got burnt out on it and just wanted out.
So they were like, you know what, I'm going to deprecate it, pass it off if anybody else wants to take ownership and publishing rights to it and wants to take over the responsibility of developing and maintaining this library. And they transferred it to a user called right9ctrl, who was like, you know what, I'll take it. And the first thing they did was embed a crypto mining, like a crypto mining.
Like a crypto theft, like Trojan into it, or like malware into it. Sure. It was all just to get down to one crypto. It was to get crypto mining into other people's systems or to break into a crypto wallet? Break into crypto wallets. Then here's the thing. It's bad, but it's fascinating. 2018, the...
He was selective. He only wanted, or they, I should say, they only wanted wallets that had more than 100 bitcoins in them. Yep, okay, big fish. But 2018, so I don't know what the value was then. Let's call it 20,000. So that's still a lot of money. Where today, 100 bitcoins is like $10 million. Is that right? Jesus, 100 bitcoins? No. Oh, maybe. Yeah. 100 bitcoin value. I think it's 100k.
Yeah. Yeah. 140K. Or I guess CAD, yeah. Yeah, yeah. 100,000 US. So yeah, it's a... Jesus. Anyway, so the... Yeah, it was like the first thing. It was like the next iteration of the library that came out had this crypto-thieving malware in it. And it would just... Any computer that it was installed on, it would scan for a crypto wallet, identify whether it had more than 100 Bitcoins, steal the keys to the wallet, and send it back to home. Hmm. Hmm.
We've talked about the different AI development environments on this show before. And I know you and I have just talked a lot about Cursor. But there was one of these with Cursor too. There's a commonly used package
for Cursor that I guess was treated as one of these little avenues for a compromise. I think that was to steal API creds, if I'm not mistaken. I'd have to look that one up. It wasn't as big and as impactful. I think the biggest one ever was in 2021. UAParser.js, so like a JavaScript parser.
Parse user agent strings, same kind of style of thing. So the user agent coming in from the server, this was an automated thing that would grab the string and parse it into its components. So you could tell whether it was OS X or like what its OS was, what the agent was, what version the agent was.
And they saw tainted versions of it starting in 2021. Some of them actually went as far as to include a .exe in them, which was an actual crypto miner that would run on the computer of the person that had installed the package.
So again, cryptocurrency at the heart of the South. And again, I think of the person in Nebraska, it's like maintainers are human beings. People get burnt out. People that are maintaining long-term projects get stressed. You don't know what's happening in people's lives. And a person that's tirelessly defending and maintaining something can be as targeted by a thing like social engineering as anybody else can.
it's easy when these projects are depended on by so many people to kind of think of them as like, well, it's the wisdom of the crowd. I'm sure someone's on this. And it's like, that's not necessarily a reasonable conclusion. Well, it is such a big part of the community, like the development community. There's so much leverage. Like the value of some of these languages and platforms and frameworks comes down to the accessibility of free tools for them. Like if you think about Python, right?
Python's become the machine learning AI baby. And it's because it's just an amazing set of libraries that are just given out for free to use in that space. So it becomes so much easier. If you imagine having to rewrite something like PyTorch and PyChance from scratch just to utilize these things, it would take forever. So to facilitate community growth and innovation,
A lot of these packages do that. You can build an app really quickly because if you think of an app like a recipe, if you had to make eggs... Yeah, if you had to mill flour every time you wanted to make bread, the process is a lot more complicated, but there's some downsides. Exactly. So that's the thing. A lot of these packages are just there. And what you're seeing now is because it is such a stress, I would never...
I would love to be a contributor and actually might be becoming a contributor to an open source package because the open source app I was building, some guys from San Francisco released it already. So like, why would I, why would I rush to do it? But anyway, the, what you're seeing now is like major companies like Meta, Microsoft, like Visual Studio Code is a Microsoft maintained product.
The React framework for node and web development is a meta-maintained framework. And it's like a lot of these massive enterprises now are actually the ones releasing and maintaining a lot of the bigger packages. Which is good. Yeah, I mean, there's just something to be said for like...
One person can burn out and can slip up, but hopefully, I mean, what large organization could get compromised in a hack? That's never happened. To talk about size and scale, like UAParserJS, when that one got compromised, injected with malware and crypto miners...
it was doing 7 million weekly downloads. So it's like 7 million developers essentially downloading that package. And actually the most recent one that I mentioned, the other user agent one, they actually didn't release the name of it. It kind of got found out because it was rand-user-agent, because it was in so many production systems that they wanted to give the developers time to remove the remote access Trojan
before anybody really found out what it was. Okay, so what have we learned here? Open source is cool and useful and kind of a gift that we give each other, but there's potential for vulnerabilities there. Yeah. It seems like a lot of the big ones are nation-state style, like North Korea's.
kind of cybercrime department, for lack of better terms, is big on using this style of attack. And like we've talked about it on the show before, because it just, it gives them, it opens a lot of doors at once. You know, you put a piece of malware in one place and then somebody else is distributing that for you. All of a sudden you've got malware all over the place.
Yeah, sure. You wouldn't believe who's baking cookies with this flour that we put on all the shelves. It would shock you who's off. Yeah, right. No, it's shrewd. And it's like stacked sort of like, I'm trying to think of like the word to use for this.
It's like a transitive dependency where you got it into a thing that got it into a thing that got it into a thing. And you're like, I didn't even know where this was going to end up. And now this vulnerability in this one package is inside of another thing. It's inside of another thing that's inside of the White House. Totally. Yeah. Fun is the wrong word, but there would probably be something kind of neat about being like, you wouldn't believe where it showed up today. If you were, like for fun activities, if you were the person that was like,
had done this, having it like its callbacks, like when it calls home to tell you where it is, mapping that and getting to watch the 3D connected state diagram of like as it spreads. Spread around the world. It would be like fascinating to watch. But no, I think that this is going to be a place where I think AI is going to become really successful in both ways because I think
The more people that are writing code and developing stuff without actually knowing what they're doing is going to increase the attack vector. But I think that you're going to see platforms and production environments and IDEs get really intense with AI code reviews, looking for potential vulnerabilities, looking for fingerprints of
GitHub at some point will automatically fingerprint whether there's any kind of sus code in your stuff. I imagine they're already probably building that. We saw that stuff at DEF CON where there was that massive multi-organization challenge going on, having AIs find vulnerabilities in code and then patch them. I think you'll see some of that same implementation come to some of these code repositories, code submission, CI/CD
pipelines, things like that. I'm wondering how this is going to sit with people. The darkest story we've maybe ever told and the most like, just so you know, there's a fascinating thing going on with these dependent code packages. It's like, normally we like to find a nice middle ground between the tech and the human and boy, did it
Is there just a chasm there today? I don't know. To me, the code one is... I love it. The first story, 764, pretty dark. Learned a lot of new terms that I didn't care to know about. Gore butcher. Gore butcher. Code dependency, supply chain attacking?
fascinating to me. I agree. It's the tools that you use. These are the tools used to create modern tools. And it's like, well, what if the hammer was actually evil? It's like, well, that's interesting. Yeah, exactly. And the thing is, too, is you talked about it, you brought it up, like burnout of project maintainers. Totally. It's a lot of thankless work. And you spend...
It's like the meme deal. You give me 1,500 hours a year of free work. I give you angry comments in GitHub issues. And it's like, that's what it is. Somebody complaining about how the code's broken in a specific way. And it's like, that's your payback for it. And some stars, some thumbs ups. And to me, that's the thing. It's like, as these maintainers burn out,
as they transition away from them and hand over the keys to the project to other people to take over the thankless role of pushing the stone up the hill. Those people could be the North Korean cybercrime division. And especially if it's a large enough package that's in so many things. It's like one piece of local, like one package that would be used on local applications that if it was big enough...
could push malware and remote access Trojans to millions of PCs. And it's like, that's such an interesting supply chain attack that could have such a big output. I can see why somebody like North Korea has prioritized it. This is a goofy note to end on.
I love sci-fi. And there's a trope in sci-fi of like the imagined sci-fi world where they still have the futuristic technology, but they're so far ahead of it that they've forgotten how it was created. Like Warhammer 40K. That's a big thing in that like lore universe of like, we have these dreadnoughts. Why don't you have new ones? Because we forgot how to make them long ago because we were too busy murdering each other.
And it's fascinating to imagine a world where there's all of these software dependencies that were developed by people at some point in the past and handed off and handed off and handed off. And you have people using them that don't entirely maybe know what's in them and how they work anymore at this stage because of how they learn to develop software in the modern age. It's like it's an interesting world to imagine where we're building things out of parts we don't totally understand. Oh, yeah. Well, like the...
And some of those packages are so small. Some of the most common node packages are basic functions that just don't exist in the base language. So somebody writes one function that does something, checks if an array has some specific constraint, and that package gets used 13 million times because instead of people rewriting the one function that does it, they just include the package because it's like somebody else does it. And it's like if those...
Things like that. Some of the packages that North Korea was building were things like that. Things that are just easy use if you're kind of, I don't want to say too lazy, but you didn't want to rewrite work that had already been done for you. You didn't want to mill your own flour. It's extremely natural and reasonable to want to use those pre-existing tools. It's super obvious to go after them if you're that kind of a nation state actor. Totally. Yeah.
We could talk about vibe coding and how that's going to affect this, but there's no point. I think everybody kind of understands. Yeah, we all got a gist. Well, everybody, I hope you enjoyed this conversation about codependency, supply chain attacks, and internet death cults. We sure had fun. I'm going to go lay on the couch for 40 minutes. Go stare at a wall. As always, this was a pleasure. Thank you all for listening, and we'll catch you in the next one. Take care.
Bye.