The Secure Disclosure

AI agents are transforming cybersecurity, from how access is granted to how attacks unfold. Frank Vukovitz (Delinea) joins Secure Disclosure to unpack the rise of non-human identities, the risks of autonomous agents, and why concepts like least privilege, identity lifecycle management, and continuous monitoring are more critical than ever. The big question: will AI ultimately make us more secure, or less?

Jason Haddix joins the podcast to break down how AI is transforming offensive security — from attacking LLM-powered applications to why he believes 90% of pentests will soon be done by AI. We dive into prompt injection, defending AI systems with layered controls, and how enterprises are (sometimes dangerously) adopting AI internally.We also explore the impact of AI on bug bounty programs, why “fighting AI with AI” is becoming necessary, and what the future holds for human pentesters in an increasingly automated world.

Casey Ellis, founder of Bugcrowd, joins the show to talk about the evolution of bug bounty, how hackers went from outsiders to strategic assets, and why AI-generated bug reports are putting pressure on security teams. We also get into VDPs vs public bounties, pentesting, vulnerability economics, and where security research is headed over the next five years.

AI agents are here, and they’re already transforming how we work. But beneath the hype lies a massive, unsolved security problem.In this episode, Mackenzie Jackson sits down with Johannes Keienburg to unpack the reality of autonomous agents: why they’re so powerful, why they’re so dangerous, and why access control is about to become the biggest challenge in cybersecurity.From broken authorization to “agents without brakes,” they explore how today’s systems are fundamentally unprepared—and what needs to change before things go seriously wrong.

We’re back in the “wild west” — only this time, the apps can be social engineered at machine speed. Live from CactusCon, Brooks McMillin breaks down malicious MCP servers, why we’re repeating the same security mistakes (hello again, broken access control), and why prompt injection probably isn’t going away. We get practical on what to lock down, how to roll out AI tooling safely, and why “AI lipstick” doesn’t change the underlying enterprise risk game.

Recorded live at Cactus Con, ASU CISO Lester Godsey joins Secure Disclosure to unpack what’s truly new in AI security, and what’s just old problems getting fresh attention. From prompt injection and agentic AI to data classification and privacy, this episode explores how enterprise leaders should think about AI risk in a world where banning it simply isn’t an option.

AI is overwhelming bug bounty programs with convincing but useless reports — and some major projects are shutting theirs down entirely. In this week’s news brief, we break down the economics behind “AI slop,” why curl pulled the plug on its program, and what this means for ethical hackers. Then we revisit OpenClaw, where security researchers are shifting from criticism to collaboration — and even VirusTotal is stepping in. Is AI breaking security… or reshaping it?

OpenClaw is a powerful new open-source AI agent — and a massive security risk. In this episode, security researcher Paul McCarty joins the show to break down how ClawHub, OpenClaw’s skill registry, is already flooded with malware. We explore how 386 malicious skills were discovered, why AI agents are more dangerous than traditional package managers like npm, how attackers are gaming download stats, and why basic security controls are missing. Plus, updates on the Notepad++ supply chain attack, the Coinbase breach fallout, and a shocking case where penetration testers were prosecuted for doing their jobs.Follow Paul on Social Media - https://www.linkedin.com/in/mccartypaul/Reads Pauls Article on ClawHub - https://opensourcemalware.com/00:00:00 OpenClaw and the Rise of AI Agent Security Risks00:02:14 ClawHub Skills Explained and How Malware Spreads00:03:47 386 Malicious Skills and Real-World Attack Techniques00:06:16 Why OpenClaw Could Be More Dangerous Than npm00:12:16 Gaming Downloads and Making Malware Look Legit00:14:38 How to Secure AI Agent Ecosystems and Use Them Safely

In this episode of Secure Disclosure, we go behind the scenes of the infamous Honey browser extension scandal with special guest J3lte, the engineer who uncovered the data that helped expose what was really happening.From affiliate link manipulation to massive user tracking across thousands of stores, J3lte breaks down how he reverse-engineered Honey, what he discovered, and why browser extensions can be far more dangerous than most people realize.Stay tuned for the untold technical story behind one of the biggest consumer security scandals online.Follow J3lte - https://x.com/j3lte Original Videos from MegaLag 1st Video https://www.youtube.com/watch?v=vc4yL3YTwWk2nd Video https://www.youtube.com/watch?v=wwB3FmbcC883rd Video https://www.youtube.com/watch?v=qCGT_CKGgFEOther videos covering the scandal (that are awesome) The PrimeTime - https://www.youtube.com/watch?v=_acTMUmdY9MMarques Brownlee - https://www.youtube.com/watch?v=EAx_RtMKPm8 News Links ClawdBot VS Extensions Malware https://www.aikido.dev/blog/fake-clawdbot-vscode-extension-malwareContagious Interview Link: https://opensourcemalware.com/blog/contagious-code-fake-fontChapters 00:00 – The Honey Scandal Returns02:11 – Users, Merchants, and Hidden Coupon Abuse03:36 – Meet J3lte: The Engineer Behind the Investigation05:07 – Discovering 180,000 Stores in Honey’s Data07:11 – Affiliate Links Without Coupons: No Value Provided09:49 – Why Browser Extensions Are So Hard to Trust13:54 – Malware Trend: The Fake Claudebot VS Code Extension15:57 - Contagious Interview Coverage 18:38 - SoundCloud Hack

AI is creeping into every part of software development — including CI/CD pipelines — and attackers are already abusing it.In this episode of the Secure Disclosure Podcast, we break down:A brand-new vulnerability class called Prompt Pwn, where prompt injection inside GitHub Actions can leak secrets and compromise supply chainsA sophisticated malvertising campaign targeting developers via GitHub Pages and Docker HubAnd the reality behind the cybersecurity job market: is there a skills shortage, a hiring freeze, or both?Featuring security researcher Rein Daelman on AI-driven CI/CD risks, and recruiter Barry Prost on how AI is reshaping cybersecurity hiring, skills, and careers.If you care about AppSec, DevOps, supply chain security, or breaking into cybersecurity in 2025, this one’s for you.More information PromptPwn - https://www.aikido.dev/blog/promptpwnd-github-actions-ai-agents Guiest Linkedin - https://www.linkedin.com/in/rein-daelman/Rent a Recruiter - https://rentarecruiter.com/Guest LinkedIn Barry Prost - https://www.linkedin.com/in/barryprost/Sponsors Aikido Security - https://aikido.devChapters00:00 – Intro02:00 – AI prompt injection in CI/CD, GitHub Actions, Prompt Pwn12:09 – Sponsor Segment12:59 – Malvertising campaigns targeting devs16:39 – Cybersecurity job market with Barry Prost

In this episode of Secure Disclosure, Mackenzie Jackson digs into the surge of malicious VS Code extensions with researcher John Tuckner, founder of Secure Annex. We break down how attackers are shifting toward targeting developers themselves, explore real-world malicious extensions like Ransom Vibe and Sleepy Duck, and discuss why marketplaces like Open VSX are struggling to keep malware out.We also cover new research on secret leaks in top AI companies, and in our Leaders & Legends segment, we speak with Vangelis Stykas (CTO & co-founder of Kumio) about the growing vulnerabilities inside global energy infrastructure, OT security gaps, and the rise of AI-powered pentesting.If you want insights on software supply chain risk, AI security, and critical infrastructure threats—this episode is for you.Links:RansomVibe Technical Blog: https://secureannex.com/blog/ransomvibe/SleepyDuck Technical Blog: https://secureannex.com/blog/sleepyduck-malwareWiz Secrets Inside AI top 50 Research: https://www.wiz.io/blog/forbes-ai-50-leaking-secretsChapters 00:00 — Intro01:07 — Malicious VS Code Extensions (with John Tuckner)15:31 — Secrets Leaking in AI Repositories18:55 — Sponsor Segment19:55 — Leaders & Legends: Securing Critical Infrastructure

In this episode of The Secure Disclosure, host Mackenzie Jackson dives deep into the evolving intersection of AI, security, and development.First, Paul McCarty from Git Safety breaks down his recent discovery of a malicious npm package that impersonated the Claude CLI tool, hijacking developer workflows and acting as a man-in-the-middle for AI API calls. You can read Paul’s full breakdown here: “Malicious Claude Code Package Analysis” – https://www.getsafety.com/blog-posts/malicious-claude-code-packageNext, Sooraj Shah from Aikido Security joins to unpack findings from the State of AI in Security & Development 2026 Report, which surveyed 450 CISOs about how AI-generated code is reshaping security accountability, visibility, and optimism in the field. Check out the full report here: https://www.aikido.dev/state-of-ai-security-development-2026This episode explores real-world AI supply chain threats, systemic vulnerabilities in npm, and what organizations must do to stay ahead as AI reshapes modern development.Follow the guests:Follow Mackenzie: https://www.linkedin.com/in/advocatemack/Follow Paul: https://www.linkedin.com/in/mccartypaul/Follow Sooraj: https://www.linkedin.com/in/soorajshah/Chapters00:00 Introduction01:19 Paul McCarty on the malicious Claude npm package04:30 How AI tools are creating new attack paths08:06 Systemic issues and trust problems in npm10:44 Sooraj Shah on the State of AI in Security & Development14:01 Accountability, optimism, and the future of AI security

In this episode of Cyber & Sake, host Mackenzie Jackson sits down with Maarten Mortier, former CTO of Shopad, now co-founder and managing partner at Entourage VCThey discuss Maarten’s early love for programming, how Ghent became a thriving European tech hub, and why builders make the best investors. Maarten shares his insights into what he looks for during startup due diligence, how AI is reshaping both development and venture capital, and why healthy security should be baked into company culture — not siloed off.This is a deep and candid conversation about technology, product, and philosophy — from scaling startups to the evolving role of AI in coding, investing, and innovation.Pour yourself a glass of sake and join us for an episode that blends code, capital, and curiosity.⏱️ Chapter ListTime Chapter Title00:00 Introductions & Sake Tasting01:10 From Early Coding Days to CTO Success04:07 Why Ghent is Becoming a European Tech Hub07:58 Building and Investing: The Story of Entourage VC11:02 Inside VC Due Diligence and the Founder Relationship18:03 Tech Health, Security, and Red Flags for Startups25:16 What Makes a Real Moat in the Age of AI32:03 AI, Product Building, and the Future of Venture Capital39:36 Final Thoughts, Security Advice & The Sake Game