With Daniela away, Glen and Brian are running the show! 🤡 They kick things off by breaking down a recent NPM (Node Package Manager) supply chain attack that targets open-source developers through social engineering. This spirals into a larger discussion about the "spiderweb of trouble" within modern software supply chains and the massive, often invisible, risks posed by Shadow IT and Shadow AI. The hosts provide practical, actionable advice for organizations trying to govern tools they don't even know their employees are using, emphasizing that the AI genie isn't going back in the bottle.
Key Topics Discussed
(01:55) Announcement: Join Glen, Brian, and Daniela for their social engineering workshop at SaintCon in Utah!
(02:30) The NPM Attack: A deep dive into the ongoing supply chain attack where hackers use stolen developer credentials to inject malicious code into widely used open-source packages.
(05:15) The Spiderweb of Trouble: How vulnerabilities in small, third-party components can create massive, tangled risks for organizations, even if they aren't using the components directly.
(12:18) Software Bill of Materials (SBOM): A crucial tool for vetting vendors and understanding the security maturity of the products you buy. If a vendor can't provide one, that's a red flag. 🚩
(14:05) Shadow AI & Shadow IT: The things you don't know about are the scariest. The hosts discuss the risks of unsanctioned apps and AI tools operating within your environment.
(17:21) You Can't Just "Turn Off" AI: Why blocking AI is like fighting a house fire with a squirt gun. Governance through policy and training is the only realistic path forward.
(29:40) A Cautionary Tale: A classic real-world example of how a critical business process became dependent on unsupported Shadow IT, leading to panic when it inevitably broke.
Actionable Advice & Key Takeaways
Ask for an SBOM: When procuring software, ask vendors for a Software Bill of Materials (SBOM) to get a clear picture of what's inside their product.
Create an AI Policy: Since you can't block AI everywhere, focus on governance. Develop a clear Acceptable Use Policy to give employees guardrails for using AI tools safely.
Provide Sanctioned Tools: Enable your team to work efficiently by providing a sanctioned, private AI environment where they can safely use sensitive company data.
Go Hunting for Shadows: Use DNS monitoring and review company credit card expenses to identify unsanctioned third-party applications and services being used in your organization.
Build a Security Culture: Technical controls aren't enough. Foster a strong security culture where employees understand the why behind the policies and feel empowered to make smart decisions about data.
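The "Go Hunting for Shadows" advice above suggests DNS monitoring as a way to surface unsanctioned apps and AI tools. The script below is an added example written for this page, not something from the hosts or the episode: it takes resolver query logs in an assumed line format, drops anything under a sanctioned-domain allowlist, and reports what remains, flagging domains on an assumed AI-tool watchlist first. The log lines, the allowlist, and the watchlist are all constructed for illustration; the registrable-domain reduction is deliberately naive (last two labels, no public-suffix list), so multi-label TLDs such as `.co.uk` would need a real public-suffix lookup in production.

```python
"""
Hunt for shadow IT / shadow AI in DNS query logs.

Added example: the log format, domains, allowlist and watchlist below are
assumptions for illustration, not data from the episode.
"""
import re

# Constructed sample of resolver query logs (assumed format: ts client query type)
SAMPLE_DNS_LOG = """\
2025-09-10T09:01:12Z client=10.0.4.21 query=mail.example-corp.com type=A
2025-09-10T09:01:40Z client=10.0.4.21 query=api.openai.com type=A
2025-09-10T09:02:05Z client=10.0.4.37 query=chat.openai.com type=A
2025-09-10T09:02:30Z client=10.0.4.37 query=registry.npmjs.org type=A
2025-09-10T09:03:11Z client=10.0.4.52 query=api.anthropic.com type=A
2025-09-10T09:03:45Z client=10.0.4.21 query=cdn.example-corp.com type=AAAA
2025-09-10T09:04:02Z client=10.0.4.80 query=files.dropbox.com type=A
"""

# Domains the organisation has formally approved (assumed allowlist)
SANCTIONED = {"example-corp.com", "npmjs.org"}

# Known AI-tool domains worth a closer look (assumed watchlist; extend as needed)
AI_WATCHLIST = {"openai.com", "anthropic.com"}

# Pulls the client address and queried name out of one log line
LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def registrable_domain(fqdn, depth=2):
    """Reduce a FQDN to its last `depth` labels (naive: no public-suffix list)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def hunt_shadows(log_text, sanctioned=SANCTIONED, watchlist=AI_WATCHLIST):
    """Return {domain: {"clients": set, "count": int, "ai": bool}} for
    every queried domain that is not on the sanctioned allowlist."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        domain = registrable_domain(m.group("query"))
        if domain in sanctioned:
            continue
        entry = findings.setdefault(
            domain, {"clients": set(), "count": 0, "ai": domain in watchlist}
        )
        entry["clients"].add(m.group("client"))
        entry["count"] += 1
    return findings


def report(findings):
    """Render findings as text lines, AI-tool domains first, then by volume."""
    ordered = sorted(
        findings.items(), key=lambda kv: (not kv[1]["ai"], -kv[1]["count"])
    )
    lines = []
    for domain, info in ordered:
        tag = "SHADOW-AI" if info["ai"] else "UNSANCTIONED"
        lines.append(
            f"{tag:12} {domain:22} queries={info['count']} "
            f"clients={len(info['clients'])}"
        )
    return lines


if __name__ == "__main__":
    for line in report(hunt_shadows(SAMPLE_DNS_LOG)):
        print(line)
```

Run against the constructed sample, this reports `openai.com` (two clients), `anthropic.com` and `dropbox.com` as unsanctioned, with the two AI domains listed first. In practice you would feed it resolver or DNS-firewall export logs, keep the allowlist under change control, and treat the output as a starting point for the procurement and policy conversation the hosts describe rather than as a block decision.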