Level: Tehnical

Abstract:
This presentation explores a multi-year research project using Large Language Models (LLMs) to uncover hidden threats in the open-source software supply chain. What began in 2024 as an experiment in automating changelog analysis evolved into one of the most effective techniques we’ve seen for discovering silent vulnerabilities and active malware. Our research even allowed us to observe North Korean APT group Lazarus as they deployed malware in a supply chain attack.

Key findings include:

• Discovery of 1,500+ security vulnerabilities in popular open-source packages
• None had CVEs or public disclosure
• 25% rated high or critical severity
• Included widely used libraries like Axios and Apache eCharts
• Exposure of “silent patching”
• Maintainers fix security issues without public notification
• Users remain vulnerable without realizing they need to update

In parallel, we used LLMs to analyze newly published packages on public registries like NPM, PyPi and the VSCode Marketplace by detecting:

• Suspicious descriptions and metadata
• Unexpected obfuscation
• Unusual dependency patterns
• Behavioral signals combined with traditional scanning

This approach uncovered thousands of malicious packages uploaded monthly, including activity linked to state-sponsored APTs. It also helped uncover multiple high-profile supply chain attacks in 2025, including:

• The compromise of debug and chalk on NPM, delivering malware through packages totaling ~2 billion weekly downloads
• Shai-Hulud, a self-propagating worm on NPM
• The compromise of the official XRP cryptocurrency SDK on NPM
• And many more

The talk provides a technical deep dive into how the LLM-based detection systems were designed, the validation and triage workflows used to reduce false positives, the most impactful discoveries from the research, and what these findings mean for vulnerability disclosure, software supply chain defense, and the growing role of LLMs in real-world threat hunting.

Bio:
Mackenzie Jackson aka Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of a health tech startup, he learnt first-hand how critical it is to build secure applications with robust developer operations.
Today as the Developer Advocate at GitGuardian, Mackenzie is able to share his passion for code security with developers and works closely with research teams to show how malicious actors discover and exploit vulnerabilities in code.

Level: Tehnical

Abstract:
Malware development is a process of continuous refinement. In this session, we analyze the evolution of VIPERTUNNEL, a Python-based backdoor used by the UNC2165 (EvilCorp) activity cluster for stealthy persistence and network pivoting.
The core of this talk focuses on the “evolutionary leap” in the malware’s code logic and defensive posture. We will walk through three distinct stages of its development:

1. The Public Phase: Early variants that relied on well-documented, open-source obfuscators (like `pyobfuscate`), which are easily defeated by standard tools.
2. The Prototype: The emergence of a custom-built loader that, while still exhibiting “noisy” cleartext strings and linear execution, signaled a shift toward a private, proprietary framework .
3. The Production Variant: The current “gold standard” used in DragonForce engagements. This version is a multi-layered beast featuring ChaCha20 encryption, BLAKE3 integrity checks, and control-flow flattening to force analysts into a grueling, non-linear reversing process.

We will also explore the “Shared DNA” between VIPERTUNNEL and other tools like the ShadowCoil credential stealer. By analyzing a privately maintained, multi-stage packer common to both, we uncovered unexpected Linux-specific anti-debugging checks buried within Windows-targeted payloads—a clear indicator of modular, cross-platform ambitions by the developers.

Bio:

Evgen Blohm is an experienced DFIR expert who has been involved in responding to a large number of cyber incidents. He is based in Hamburg, Germany and is currently working for InfoGuard AG, where he is also supporting customers with compromise assessments and dark web monitoring.

Level: Advance Subject Matter

Abstract:
Imagine a cozy winter evening, it is snowing outside and you chill on the couch with a cup of tea in your hand.

Then suddenly.. someone hacks your heat pump and turns your home into an igloo. The only thing keeping you warm now is your tea.

I will present my journey into reverse engineering of Orca heat pump and present communication between heat pump’s controller and Orca web portal, how the controller is authenticated, and how the web portal validates and renders controller’s data. A remote takeover of any heat pump was discovered due to multiple weaknesses.

Bio:
Tom Kern is a founding member of NIL Managed Detection and Response service which is now protecting over 250.000 endpoints across Europe. His contributions include technical architecture, detection engineering and automated security operations.