Aviad Hahami

Security Researcher



Speared supply-chain attacks: when an adversary is looking for your company


Security researcher and experienced software engineer with a great passion for algorithms (graph-theory specifically), security research (vulnerability research, bug bounties), chaos engineering (YES!), frontends, backends, web services, systems architecture, infras, clouds (making them rain), and more :) PS - I also DJ ;)


During April, we caught a 2-step malware in the NPM ecosystem that is targeting a specific company. In my talk, I’ll briefly explain the dependency-confusion attack vector and how it is impacting software companies - and then we’ll go over all the technical bits of the malware, its reversing process, and how we interacted with the adversary behind it. I’ll explain what the malware does, how it decoys, cleans up, hides, and when (and why) it deploys the C2 agent (trojan). After that, we’ll go through how we communicated with the adversary and how we found out about sibling malware.