Vigilance, by The Roundtable Network

The Hidden Threat Inside Every Enterprise: What CISOs Are Missing in the Software Supply Chain, with Koi’s Amit Assaraf


CISOs, are you watching the front door while attackers slip in through the side?

In this episode of Vigilance, Pam Brodt sits down with Amit Assaraf, co-founder and CEO of Koi, to expose a massive blind spot in modern enterprise security: the unmonitored sprawl of extensions, registries, app stores, and marketplaces powering your software supply chain.

Amit recounts how a simple experiment—uploading a lookalike VS Code extension—landed them inside Fortune 500 environments in under 7 days, undetected.

The same path is being used by nation-state actors like Lazarus Group to breach global enterprises.

We cover:

  • Why auto-updates and ownership transfers are critical (and overlooked) attack vectors
  • How trusted platforms like Chrome, NPM, PyPI, and Hugging Face are being exploited
  • Why EDRs and AppSec tools fail to detect these threats
  • How Koi is using AI-driven risk engines to monitor and secure 30+ marketplaces—without deploying a single new agent

If you’re a security leader balancing productivity and protection, this conversation will change how you think about supply chain risk.

🔒 Don’t miss this one—it’s the conversation every enterprise CISO needs to hear.


Chapters:

0:00 Intro
2:00 The origin of Koi: a marketplace experiment gone viral
8:00 Why marketplaces are the next major attack surface
13:00 The auto-update problem (Cyberhaven breach case study)
18:00 Most abused platforms: IDEs, browsers, registries
22:00 How Koi scales with automation and AI
27:00 No agents, no friction: how Koi integrates
30:00 Final thoughts for CISOs on balancing risk and velocity


Vigilance, by The Roundtable Network. By Pam Brodt.