Capture the Flag | Dead or alive: Hunt the malicious package

Frontier Stack Inc. has been compromised. A malicious package is buried in their codebase. Join Cloudsmith, Chainguard, and Mend.io for a live Capture the Flag. Hunt the malicious package, and prevent it from getting into your software build.

  • Thu, Jun 18 · 4:00PM GMT+1

Speakers

Nigel Douglas
Head of Developer Relations, Cloudsmith

Manfred Moser
Sr Principal DevRel Engineer, Chainguard

Amir Shahmiri
Senior Solutions Engineer, Mend.io

Summary

Dependency attacks are no longer rare events. Malicious packages get published to the npm Registry or the Python Package Index (PyPI) every week, and most teams discover them the same way they discover the rest of their supply chain: too late.

This CTF puts you inside a compromised company, working a live incident with experts from Cloudsmith, Chainguard, and Mend.io at your side. You'll feel the friction of an ungoverned AI software development environment - insecure models, agents and skills. Understand how adversaries are abusing the open source AI ecosystem, and how you can prevent an incident like this within your organisation.

Bring your laptop. Saddle up. Find the outlaw before it hits production. The winner walks away with a Raspberry Pi 5!

What you'll do

Investigate a real dependency attack: Get hands-on with SBOMs and AIBOMs. Understand what goes into a modern AI application today, from potentially insecure AI skills to malware hidden in public models. Use open-source scanners like osv-scanner and ClamAV to work out what is safe and what is not, and prevent Frontier Stack Inc. from being pwned.

See a governed supply chain in action: Get hands-on with model discovery and understand the hidden risks associated with public ML models and the dependencies they rely on. From secret scanning to malware classification, participants will put on their AppSec hat.
