Recorded live at Cactus Con, ASU CISO Lester Godsey joins Secure Disclosure to unpack what’s truly new in AI security, and what’s just old problems getting fresh attention. From prompt injection and agentic AI to data classification and privacy, this episode explores how enterprise leaders should think about AI risk in a world where banning it simply isn’t an option.

AI is taking over the boring stuff — recon, noise, and tier-one work — but when it comes to real-world pentesting, business logic flaws, weird edge cases, and creative thinking still belong to humans.

In this episode, Paul Petefish (Evolve Security) and Mackenzie dig into what AI is actually changing in offensive security, why prompt injection is getting weirder, and how “man + machine” is quickly becoming the new normal.

#CyberSecurity #Pentesting #AI #AppSec #LLMSecurity #PromptInjection #InfoSec

AI is overwhelming bug bounty programs with convincing but useless reports — and some major projects are shutting theirs down entirely. In this week’s news brief, we break down the economics behind “AI slop,” why curl pulled the plug on its program, and what this means for ethical hackers. Then we revisit OpenClaw, where security researchers are shifting from criticism to collaboration — and even VirusTotal is stepping in. Is AI breaking security… or reshaping it?

AI is transforming application security, not just by finding vulnerabilities but by fixing them safely. In this episode, sit down with Frederick Ryckbosch and dive into how AI understands code flow, remediates real security issues, and builds trust through testing and feedback loops. A practical look at autofix, dependencies, and the future of secure software development.Read more about AI Autofix: https://www.aikido.dev/features/autofixVideo chapters00:00 Introduction to AI and Application Security02:00 Where AI Is Actually Useful in Security04:10 Understanding Code Flow and Real Vulnerabilities07:10 Can AI Safely Fix Security Issues?10:35 Building Trust With AI Autofix and Feedback Loops12:15 Autofixing Dependencies and Breaking Changes17:55 Trust, Risk, and Guardrails for AI Systems20:35 The Future of Coding With AI

OpenClaw is a powerful new open-source AI agent — and a massive security risk. In this episode, security researcher Paul McCarty joins the show to break down how ClawHub, OpenClaw’s skill registry, is already flooded with malware. We explore how 386 malicious skills were discovered, why AI agents are more dangerous than traditional package managers like npm, how attackers are gaming download stats, and why basic security controls are missing. Plus, updates on the Notepad++ supply chain attack, the Coinbase breach fallout, and a shocking case where penetration testers were prosecuted for doing their jobs.Follow Paul on Social Media - https://www.linkedin.com/in/mccartypaul/Reads Pauls Article on ClawHub - https://opensourcemalware.com/00:00:00 OpenClaw and the Rise of AI Agent Security Risks00:02:14 ClawHub Skills Explained and How Malware Spreads00:03:47 386 Malicious Skills and Real-World Attack Techniques00:06:16 Why OpenClaw Could Be More Dangerous Than npm00:12:16 Gaming Downloads and Making Malware Look Legit00:14:38 How to Secure AI Agent Ecosystems and Use Them Safely

In this episode of Cyber and Saki, Mackenzie sits down with AI expert Matthias Feys from ML6 to chat about how artificial intelligence has gone from niche machine learning projects to the generative AI explosion we see everywhere today.

They dig into what’s changed over the last decade, why tools like ChatGPT have been such a game changer, and what people still get wrong when they treat AI as a magic solution for everything.

The conversation also covers the security side of AI, why you shouldn’t blindly trust these models, and where Matthias is most excited about AI making a real impact, especially in the “boring work” that can finally be automated.

To wrap things up, Mackenzie throws in a hilarious round of “Would You Rather” questions, including vibe coding, AI hackers, and the future of super-intelligence.

A thoughtful, funny, and practical look at where AI is headed, and how we can use it responsibly along the way.

In this episode of Secure Disclosure, we go behind the scenes of the infamous Honey browser extension scandal with special guest J3lte, the engineer who uncovered the data that helped expose what was really happening.

From affiliate link manipulation to massive user tracking across thousands of stores, J3lte breaks down how he reverse-engineered Honey, what he discovered, and why browser extensions can be far more dangerous than most people realize.

Stay tuned for the untold technical story behind one of the biggest consumer security scandals online.

Follow J3lte - https://x.com/j3lte

Original Videos from MegaLag

1st Video https://www.youtube.com/watch?v=vc4yL3YTwWk

2nd Video https://www.youtube.com/watch?v=wwB3FmbcC88

3rd Video https://www.youtube.com/watch?v=qCGT_CKGgFE

Other videos covering the scandal (that are awesome)

The PrimeTime - https://www.youtube.com/watch?v=_acTMUmdY9M

Marques Brownlee - https://www.youtube.com/watch?v=EAx_RtMKPm8

News Links

ClawdBot VS Extensions Malware https://www.aikido.dev/blog/fake-clawdbot-vscode-extension-malware

Contagious Interview Link: https://opensourcemalware.com/blog/contagious-code-fake-font

Chapters

00:00 – The Honey Scandal Returns

02:11 – Users, Merchants, and Hidden Coupon Abuse

03:36 – Meet J3lte: The Engineer Behind the Investigation

05:07 – Discovering 180,000 Stores in Honey’s Data

07:11 – Affiliate Links Without Coupons: No Value Provided

09:49 – Why Browser Extensions Are So Hard to Trust

13:54 – Malware Trend: The Fake Claudebot VS Code Extension

15:57 - Contagious Interview Coverage

18:38 - SoundCloud Hack

Social engineering and phishing are evolving fast, and AI is making attacks harder to spot and quicker to scale. Joseph Carson joins the show to break down the biggest risks for defenders, from deepfakes and perfect-language phishing to rapid data analysis and malware that adapts in real time. The conversation also explores guardrails, regulation, and what AI can and cannot do well, plus a quick round of security themed “Would you rather” questions.Links: Linkedin: https://www.linkedin.com/in/josephcarson/Sponsored Link: https://www.aikido.dev/Chapters00:00 Intro: AI makes phishing harder to detect00:00:28 Welcome and Joe’s background00:01:29 Biggest risks: deepfakes and phishing at scale00:03:03 AI speeds up analysis of stolen data00:04:25 Lower barrier to entry and faster attacker learning00:05:31 Malware and campaigns adapting in real time00:06:28 Why “bad grammar” is no longer a phishing tell00:08:16 Can AI be creative, or is it just probability00:12:56 Guardrails, regulation, and the EU vs US vs China approaches00:29:30 Would you rather: security tradeoffs and tool choices#podcast #thesecuredisclosure #cybersecurity

AI is creeping into every part of software development — including CI/CD pipelines — and attackers are already abusing it.In this episode of the Secure Disclosure Podcast, we break down:A brand-new vulnerability class called Prompt Pwn, where prompt injection inside GitHub Actions can leak secrets and compromise supply chainsA sophisticated malvertising campaign targeting developers via GitHub Pages and Docker HubAnd the reality behind the cybersecurity job market: is there a skills shortage, a hiring freeze, or both?Featuring security researcher Rein Daelman on AI-driven CI/CD risks, and recruiter Barry Prost on how AI is reshaping cybersecurity hiring, skills, and careers.If you care about AppSec, DevOps, supply chain security, or breaking into cybersecurity in 2025, this one’s for you.More information PromptPwn - https://www.aikido.dev/blog/promptpwnd-github-actions-ai-agents Guiest Linkedin - https://www.linkedin.com/in/rein-daelman/Rent a Recruiter - https://rentarecruiter.com/Guest LinkedIn Barry Prost - https://www.linkedin.com/in/barryprost/Sponsors Aikido Security - https://aikido.devChapters00:00 – Intro02:00 – AI prompt injection in CI/CD, GitHub Actions, Prompt Pwn12:09 – Sponsor Segment12:59 – Malvertising campaigns targeting devs16:39 – Cybersecurity job market with Barry Prost

In this episode of Secure Disclosure, we break down two major cyber-security incidents shaking the industry.First, researcher Charlie Eriksen joins us to reveal how the Shai Hulud “The Second Coming” worm compromised over 800 NPM packages and triggered 30,000+ secret-filled GitHub repos and why the worm can even wipe your machine when containment fails.Then, we sit down with Jérémy Sicon and Quentin Bourgue from sekoia.io to uncover a highly sophisticated phishing campaign abusing Booking.com accounts using PureRAT malware and a sprawling criminal ecosystem.Subscribe for weekly deep dives into the threats shaping our digital world.00:00 – Introduction01:03 – Shahalude: The Second Coming17:07 – Sponsored Segment (Aikido SafeChain)17:10 – Malware-for-Hire: Booking.com Phishing Operation