<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:psc="http://podlove.org/simple-chapters" xmlns:podcast="https://podcastindex.org/namespace/1.0"><channel><title><![CDATA[Signal // Noise]]></title><description><![CDATA[<p><b>Signal // Noise is an epistemic security podcast hosted by Chris Loehr and Bob Miller. Where the incident ends and the analysis begins. Two analysts. One signal.</b></p><p></p><p>Each episode selects a real-world cybersecurity incident and runs it through independent analysis across five AI systems, then synthesizes the findings into a single authoritative report. The goal is simple: separate what is true from what is loud, and deliver intelligence that security professionals and business leaders can act on.</p><p></p><p>Truth. Information integrity. Cognitive security. Resilience.</p>]]></description><link>signaltonoise.irgame.ai</link><generator>Riverside.fm (https://riverside.com)</generator><lastBuildDate>Sun, 05 Jul 2026 10:48:30 GMT</lastBuildDate><atom:link href="https://api.riverside.com/hosting/H7wXy0Eh.rss" rel="self" type="application/rss+xml"/><author><![CDATA[Chris Loehr & Bob Miller]]></author><pubDate>Fri, 08 May 2026 19:20:48 GMT</pubDate><copyright><![CDATA[2026 Chris Loehr & Bob Miller]]></copyright><language><![CDATA[en]]></language><ttl>60</ttl><category><![CDATA[Technology]]></category><category><![CDATA[Education]]></category><itunes:author>Chris Loehr &amp; Bob Miller</itunes:author><itunes:summary>&lt;p&gt;&lt;b&gt;Signal // Noise is an epistemic security podcast hosted by Chris Loehr and Bob Miller. Where the incident ends and the analysis begins. Two analysts. One signal.&lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Each episode selects a real-world cybersecurity incident and runs it through independent analysis across five AI systems, then synthesizes the findings into a single authoritative report. The goal is simple: separate what is true from what is loud, and deliver intelligence that security professionals and business leaders can act on.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Truth. Information integrity. Cognitive security. Resilience.&lt;/p&gt;</itunes:summary><itunes:type>episodic</itunes:type><itunes:owner><itunes:name>Chris Loehr &amp; Bob Miller</itunes:name><itunes:email>info@irgame.ai</itunes:email></itunes:owner><itunes:explicit>yes</itunes:explicit><itunes:category text="Technology"/><itunes:category text="Education"/><itunes:image href="https://hosting-media.riverside.com/media/podcasts/0e6347d2-78af-4283-aed2-2c2aacc4408f/logos/6fe7a6eb-9ead-4aa4-8efe-5e4b75cd24f8.png"/><item><title><![CDATA[Signal//Noise #023 - AI in the Workplace]]></title><description><![CDATA[<p><b>95 percent of corporate AI pilots fail. The bigger problem is where your data goes when they do.</b></p><p></p><p>Companies poured tens of billions into generative AI, yet MIT found that 95 percent of enterprise pilots returned nothing measurable. On this episode of Signal // Noise, Chris Loehr and Bob Miller examine why most AI projects fail and the security problem hiding underneath. When sanctioned pilots stall, employees quietly route real business data through consumer tools, creating ungoverned shadow AI exposure. We run the same story through five AI engines, Claude, ChatGPT, Perplexity, Grok, and Gemini, then compare their analysis on air. Learn the failure pattern, the data governance root cause, and the controls that actually contain the risk.</p><p></p><p><b>WHAT WE COVER</b></p><p></p><p>- The MIT NANDA finding that 95 percent of GenAI pilots show no profit-and-loss impact</p><p>- The "learning gap" and why model quality is not the reason pilots fail</p><p>- How budget goes to sales and marketing while the real return sits in back-office work</p><p>- The build-versus-buy success gap, and the vendor bias to watch for in that claim</p><p>- The shadow AI economy, where over 90 percent of workers use unsanctioned tools</p><p>- How failed adoption becomes ungoverned data exposure</p><p>- Gartner's forecast that 40 percent of agentic AI projects get canceled by 2027</p><p></p><p><b>KEY TAKEAWAYS</b></p><p></p><p>- AI project failure and AI security exposure share one root cause, weak governance</p><p>- You cannot govern AI use you have not inventoried, so discovery comes first</p><p>- Banning consumer AI tools tends to push usage underground rather than stop it</p><p>- The fix for the failure rate and the fix for the risk are the same program of work</p><p></p><p><b>ABOUT THE SHOW</b></p><p></p><p>Signal // Noise is a cybersecurity podcast where Chris Loehr and Bob Miller break down the latest security incidents, threats, and trends.  Subscribe for weekly analysis that helps security professionals and business leaders stay ahead of emerging threats.</p><p></p><p><b>RESOURCES</b></p><p></p><p>- Original article: <a rel="noopener noreferrer nofollow" href="https://trullion.com/blog/why-95-of-ai-projects-fail-and-why-the-5-that-survive-matter/" target="_blank">https://trullion.com/blog/why-95-of-ai-projects-fail-and-why-the-5-that-survive-matter/</a></p><p>- MIT NANDA, The GenAI Divide: State of AI in Business 2025 (via Fortune): <a rel="noopener noreferrer nofollow" href="https://fortune.com/2025/08/18/mit-report-95-percent-generative-ai-pilots-at-companies-failing-cfo" target="_blank">https://fortune.com/2025/08/18/mit-report-95-percent-generative-ai-pilots-at-companies-failing-cfo</a></p><p>- Gartner, Over 40% of Agentic AI Projects Will Be Canceled by End of 2027: <a rel="noopener noreferrer nofollow" href="https://www.gartner.com/en/newsroom/press-releases/2025-06-25-gartner-predicts-over-40-percent-of-agentic-ai-projects-will-be-canceled-by-end-of-2027" target="_blank">https://www.gartner.com/en/newsroom/press-releases/2025-06-25-gartner-predicts-over-40-percent-of-agentic-ai-projects-will-be-canceled-by-end-of-2027</a></p><p>- Supporting files: <a rel="noopener noreferrer nofollow" href="https://tinyurl.com/C-B-QuickPicks" target="_blank">https://tinyurl.com/C-B-QuickPicks</a></p><p></p><p><b>TAGS</b> </p><p></p><p>cybersecurity, infosec, shadow AI, AI governance, generative AI, AI security, MIT AI report, 95 percent AI fail, agentic AI, AI risk, data governance, enterprise AI, AI adoption, CISO, IT security, Claude AI, ChatGPT, Gemini, Perplexity, Grok, AI comparison, Signal Noise podcast</p>]]></description><guid isPermaLink="false">907c5730-23a6-4eee-aa81-cba0607e7166</guid><dc:creator><![CDATA[Chris Loehr & Bob Miller]]></dc:creator><pubDate>Sun, 14 Jun 2026 15:16:56 GMT</pubDate><enclosure url="https://api.riverside.com/hosting-analytics/media/d1f61cae001dec9dfeee5c03885a6ce3ccb303716f1cbd816aeaa26e7b5b9656/eyJlcGlzb2RlSWQiOiI5MDdjNTczMC0yM2E2LTRlZWUtYWE4MS1jYmEwNjA3ZTcxNjYiLCJwb2RjYXN0SWQiOiIwZTYzNDdkMi03OGFmLTQyODMtYWVkMi0yYzJhYWNjNDQwOGYiLCJhY2NvdW50SWQiOiI2OGM4MzVmYWZkNjA1MzI1YzkzMmQ1NzAiLCJwYXRoIjoibWVkaWEvY2xpcHMvNmEyZTJiNGM3NWVkOGM4YzczMmE4ODkyL2JvYi1taWxsZXJzLXN0dWRpby1xd0FvTy1jb21wb3Nlci0yMDI2LTYtMTRfXzYtMTctMTYubXAzIn0=.mp3" length="71609095" type="audio/mpeg"/><podcast:transcript url="https://hosting-media.riverside.com/media/podcasts/0e6347d2-78af-4283-aed2-2c2aacc4408f/episodes/907c5730-23a6-4eee-aa81-cba0607e7166/transcripts.txt" type="text/plain"/><itunes:summary>&lt;p&gt;&lt;b&gt;95 percent of corporate AI pilots fail. The bigger problem is where your data goes when they do.&lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Companies poured tens of billions into generative AI, yet MIT found that 95 percent of enterprise pilots returned nothing measurable. On this episode of Signal // Noise, Chris Loehr and Bob Miller examine why most AI projects fail and the security problem hiding underneath. When sanctioned pilots stall, employees quietly route real business data through consumer tools, creating ungoverned shadow AI exposure. We run the same story through five AI engines, Claude, ChatGPT, Perplexity, Grok, and Gemini, then compare their analysis on air. Learn the failure pattern, the data governance root cause, and the controls that actually contain the risk.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;WHAT WE COVER&lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;- The MIT NANDA finding that 95 percent of GenAI pilots show no profit-and-loss impact&lt;/p&gt;&lt;p&gt;- The &quot;learning gap&quot; and why model quality is not the reason pilots fail&lt;/p&gt;&lt;p&gt;- How budget goes to sales and marketing while the real return sits in back-office work&lt;/p&gt;&lt;p&gt;- The build-versus-buy success gap, and the vendor bias to watch for in that claim&lt;/p&gt;&lt;p&gt;- The shadow AI economy, where over 90 percent of workers use unsanctioned tools&lt;/p&gt;&lt;p&gt;- How failed adoption becomes ungoverned data exposure&lt;/p&gt;&lt;p&gt;- Gartner&apos;s forecast that 40 percent of agentic AI projects get canceled by 2027&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;KEY TAKEAWAYS&lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;- AI project failure and AI security exposure share one root cause, weak governance&lt;/p&gt;&lt;p&gt;- You cannot govern AI use you have not inventoried, so discovery comes first&lt;/p&gt;&lt;p&gt;- Banning consumer AI tools tends to push usage underground rather than stop it&lt;/p&gt;&lt;p&gt;- The fix for the failure rate and the fix for the risk are the same program of work&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;ABOUT THE SHOW&lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;Signal // Noise is a cybersecurity podcast where Chris Loehr and Bob Miller break down the latest security incidents, threats, and trends.  Subscribe for weekly analysis that helps security professionals and business leaders stay ahead of emerging threats.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;RESOURCES&lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;- Original article: &lt;a rel=&quot;noopener noreferrer nofollow&quot; href=&quot;https://trullion.com/blog/why-95-of-ai-projects-fail-and-why-the-5-that-survive-matter/&quot; target=&quot;_blank&quot;&gt;https://trullion.com/blog/why-95-of-ai-projects-fail-and-why-the-5-that-survive-matter/&lt;/a&gt;&lt;/p&gt;&lt;p&gt;- MIT NANDA, The GenAI Divide: State of AI in Business 2025 (via Fortune): &lt;a rel=&quot;noopener noreferrer nofollow&quot; href=&quot;https://fortune.com/2025/08/18/mit-report-95-percent-generative-ai-pilots-at-companies-failing-cfo&quot; target=&quot;_blank&quot;&gt;https://fortune.com/2025/08/18/mit-report-95-percent-generative-ai-pilots-at-companies-failing-cfo&lt;/a&gt;&lt;/p&gt;&lt;p&gt;- Gartner, Over 40% of Agentic AI Projects Will Be Canceled by End of 2027: &lt;a rel=&quot;noopener noreferrer nofollow&quot; href=&quot;https://www.gartner.com/en/newsroom/press-releases/2025-06-25-gartner-predicts-over-40-percent-of-agentic-ai-projects-will-be-canceled-by-end-of-2027&quot; target=&quot;_blank&quot;&gt;https://www.gartner.com/en/newsroom/press-releases/2025-06-25-gartner-predicts-over-40-percent-of-agentic-ai-projects-will-be-canceled-by-end-of-2027&lt;/a&gt;&lt;/p&gt;&lt;p&gt;- Supporting files: &lt;a rel=&quot;noopener noreferrer nofollow&quot; href=&quot;https://tinyurl.com/C-B-QuickPicks&quot; target=&quot;_blank&quot;&gt;https://tinyurl.com/C-B-QuickPicks&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;TAGS&lt;/b&gt; &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;cybersecurity, infosec, shadow AI, AI governance, generative AI, AI security, MIT AI report, 95 percent AI fail, agentic AI, AI risk, data governance, enterprise AI, AI adoption, CISO, IT security, Claude AI, ChatGPT, Gemini, Perplexity, Grok, AI comparison, Signal Noise podcast&lt;/p&gt;</itunes:summary><itunes:explicit>yes</itunes:explicit><itunes:duration>00:37:18</itunes:duration><itunes:image href="https://hosting-media.riverside.com/media/podcasts/0e6347d2-78af-4283-aed2-2c2aacc4408f/logos/6fe7a6eb-9ead-4aa4-8efe-5e4b75cd24f8.png"/><itunes:season>1</itunes:season><itunes:episode>23</itunes:episode><itunes:title>Signal//Noise #023 - AI in the Workplace</itunes:title><itunes:episodeType>full</itunes:episodeType></item><item><title><![CDATA[Signal//Noise #022 - Another Day, Another Shai-Hulud]]></title><description><![CDATA[<p><b>637 malicious npm packages in 22 minutes. Here is what happened, who is at risk, and what to do right now.</b></p><p></p><p>On May 19, 2026, the Shai-Hulud supply chain poisoning campaign hit the npm ecosystem again. A single automated publisher account poisoned 317 package names including high-download AntV and echarts-for-react dependencies, deploying a complete credential theft and self-propagation kill chain against developer workstations and CI/CD pipelines worldwide. </p><p></p><p><b>WHAT WE COVER</b></p><p>- How 637 malicious package versions were published in 22 minutes via automated npm pipeline</p><p>- Three payload variants: lightweight external-ref (defeats static scanning), full-featured embedded credential stealer, and enhanced worm with self-propagation</p><p>- Why the Python Dead-drop C2 hiding in GitHub commit search traffic is nearly undetectable</p><p>- GitHub's response: 640 packages removed and 61,274 npm tokens invalidated</p><p>- Attribution: why SlowMist calls this a probable copycat and why that matters more than the actor identity</p><p></p><p><b>KEY TAKEAWAYS</b></p><p>- npm lifecycle hooks execute with user privileges on install with no sandbox and no confirmation prompt</p><p>- AI coding assistant configuration files are now a viable attacker persistence vector most security programs do not cover</p><p>- Stolen npm OIDC tokens enable self-propagation: your own packages can become infection vectors for your downstream users</p><p></p><p><b>ABOUT THE SHOW</b></p><p>Signal // Noise is a cybersecurity podcast where Chris Loehr and Bob Miller break down the latest security incidents, threats, and trends.  Subscribe for weekly analysis that helps security professionals and business leaders stay ahead of emerging threats.</p><p></p><p><b>RESOURCES</b></p><p>- Original article: <a rel="noopener noreferrer nofollow" href="https://slowmist.medium.com/threat-intelligence-shai-hulud-supply-chain-poisoning-cloud-credential-theft-and-1b8a3a4edd12" target="_blank">https://slowmist.medium.com/threat-intelligence-shai-hulud-supply-chain-poisoning-cloud-credential-theft-and-1b8a3a4edd12</a></p><p>- Microsoft Security Blog (Mini Shai Hulud): <a rel="noopener noreferrer nofollow" href="https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/" target="_blank">https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/</a></p><p>- SlowMist MistEye IOC Platform: <a rel="noopener noreferrer nofollow" href="https://enterprise.misteye.io/threat-intelligence/SM-2026-650212" target="_blank">https://enterprise.misteye.io/threat-intelligence/SM-2026-650212</a></p><p>- SafeDep analysis: <a rel="noopener noreferrer nofollow" href="https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/" target="_blank">https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/</a></p><p>- Endor Labs SLSA forgery: <a rel="noopener noreferrer nofollow" href="https://www.endorlabs.com/learn/mini-shai-hulud-returns-42-malicious-npm-packages-fake-sigstore-badges-in-antv-ecosystem-attack" target="_blank">https://www.endorlabs.com/learn/mini-shai-hulud-returns-42-malicious-npm-packages-fake-sigstore-badges-in-antv-ecosystem-attack</a></p><p>- StepSecurity durabletask: <a rel="noopener noreferrer nofollow" href="https://www.stepsecurity.io/blog/microsofts-durabletask-pypi-package-compromised-in-supply-chain-attack" target="_blank">https://www.stepsecurity.io/blog/microsofts-durabletask-pypi-package-compromised-in-supply-chain-attack</a></p><p></p><p><b>TAGS</b></p><p>Mini Shai-Hulud, Shai-Hulud npm, supply chain attack, npm malware, </p>]]></description><guid isPermaLink="false">ee4077a0-6a3f-4381-acde-e72332811832</guid><dc:creator><![CDATA[Chris Loehr & Bob Miller]]></dc:creator><pubDate>Sun, 14 Jun 2026 04:00:32 GMT</pubDate><enclosure url="https://api.riverside.com/hosting-analytics/media/fa98ded7b015399538dce13949cb2c1c32dc07f7b90d762ad03b6d3288eb5e72/eyJlcGlzb2RlSWQiOiJlZTQwNzdhMC02YTNmLTQzODEtYWNkZS1lNzIzMzI4MTE4MzIiLCJwb2RjYXN0SWQiOiIwZTYzNDdkMi03OGFmLTQyODMtYWVkMi0yYzJhYWNjNDQwOGYiLCJhY2NvdW50SWQiOiI2OGM4MzVmYWZkNjA1MzI1YzkzMmQ1NzAiLCJwYXRoIjoibWVkaWEvY2xpcHMvNmEyZTIzYTNkYzVhOTE2MGI3MmYzN2Q4L2JvYi1taWxsZXJzLXN0dWRpby1xd0FvTy1jb21wb3Nlci0yMDI2LTYtMTRfXzUtNDQtMzUubXAzIn0=.mp3" length="49621098" type="audio/mpeg"/><podcast:transcript url="https://hosting-media.riverside.com/media/podcasts/0e6347d2-78af-4283-aed2-2c2aacc4408f/episodes/ee4077a0-6a3f-4381-acde-e72332811832/transcripts.txt" type="text/plain"/><itunes:summary>&lt;p&gt;&lt;b&gt;637 malicious npm packages in 22 minutes. Here is what happened, who is at risk, and what to do right now.&lt;/b&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;On May 19, 2026, the Shai-Hulud supply chain poisoning campaign hit the npm ecosystem again. A single automated publisher account poisoned 317 package names including high-download AntV and echarts-for-react dependencies, deploying a complete credential theft and self-propagation kill chain against developer workstations and CI/CD pipelines worldwide. &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;WHAT WE COVER&lt;/b&gt;&lt;/p&gt;&lt;p&gt;- How 637 malicious package versions were published in 22 minutes via automated npm pipeline&lt;/p&gt;&lt;p&gt;- Three payload variants: lightweight external-ref (defeats static scanning), full-featured embedded credential stealer, and enhanced worm with self-propagation&lt;/p&gt;&lt;p&gt;- Why the Python Dead-drop C2 hiding in GitHub commit search traffic is nearly undetectable&lt;/p&gt;&lt;p&gt;- GitHub&apos;s response: 640 packages removed and 61,274 npm tokens invalidated&lt;/p&gt;&lt;p&gt;- Attribution: why SlowMist calls this a probable copycat and why that matters more than the actor identity&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;KEY TAKEAWAYS&lt;/b&gt;&lt;/p&gt;&lt;p&gt;- npm lifecycle hooks execute with user privileges on install with no sandbox and no confirmation prompt&lt;/p&gt;&lt;p&gt;- AI coding assistant configuration files are now a viable attacker persistence vector most security programs do not cover&lt;/p&gt;&lt;p&gt;- Stolen npm OIDC tokens enable self-propagation: your own packages can become infection vectors for your downstream users&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;ABOUT THE SHOW&lt;/b&gt;&lt;/p&gt;&lt;p&gt;Signal // Noise is a cybersecurity podcast where Chris Loehr and Bob Miller break down the latest security incidents, threats, and trends.  Subscribe for weekly analysis that helps security professionals and business leaders stay ahead of emerging threats.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;RESOURCES&lt;/b&gt;&lt;/p&gt;&lt;p&gt;- Original article: &lt;a rel=&quot;noopener noreferrer nofollow&quot; href=&quot;https://slowmist.medium.com/threat-intelligence-shai-hulud-supply-chain-poisoning-cloud-credential-theft-and-1b8a3a4edd12&quot; target=&quot;_blank&quot;&gt;https://slowmist.medium.com/threat-intelligence-shai-hulud-supply-chain-poisoning-cloud-credential-theft-and-1b8a3a4edd12&lt;/a&gt;&lt;/p&gt;&lt;p&gt;- Microsoft Security Blog (Mini Shai Hulud): &lt;a rel=&quot;noopener noreferrer nofollow&quot; href=&quot;https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/&quot; target=&quot;_blank&quot;&gt;https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/&lt;/a&gt;&lt;/p&gt;&lt;p&gt;- SlowMist MistEye IOC Platform: &lt;a rel=&quot;noopener noreferrer nofollow&quot; href=&quot;https://enterprise.misteye.io/threat-intelligence/SM-2026-650212&quot; target=&quot;_blank&quot;&gt;https://enterprise.misteye.io/threat-intelligence/SM-2026-650212&lt;/a&gt;&lt;/p&gt;&lt;p&gt;- SafeDep analysis: &lt;a rel=&quot;noopener noreferrer nofollow&quot; href=&quot;https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/&quot; target=&quot;_blank&quot;&gt;https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/&lt;/a&gt;&lt;/p&gt;&lt;p&gt;- Endor Labs SLSA forgery: &lt;a rel=&quot;noopener noreferrer nofollow&quot; href=&quot;https://www.endorlabs.com/learn/mini-shai-hulud-returns-42-malicious-npm-packages-fake-sigstore-badges-in-antv-ecosystem-attack&quot; target=&quot;_blank&quot;&gt;https://www.endorlabs.com/learn/mini-shai-hulud-returns-42-malicious-npm-packages-fake-sigstore-badges-in-antv-ecosystem-attack&lt;/a&gt;&lt;/p&gt;&lt;p&gt;- StepSecurity durabletask: &lt;a rel=&quot;noopener noreferrer nofollow&quot; href=&quot;https://www.stepsecurity.io/blog/microsofts-durabletask-pypi-package-compromised-in-supply-chain-attack&quot; target=&quot;_blank&quot;&gt;https://www.stepsecurity.io/blog/microsofts-durabletask-pypi-package-compromised-in-supply-chain-attack&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;p&gt;&lt;b&gt;TAGS&lt;/b&gt;&lt;/p&gt;&lt;p&gt;Mini Shai-Hulud, Shai-Hulud npm, supply chain attack, npm malware, &lt;/p&gt;</itunes:summary><itunes:explicit>yes</itunes:explicit><itunes:duration>00:25:51</itunes:duration><itunes:image href="https://hosting-media.riverside.com/media/podcasts/0e6347d2-78af-4283-aed2-2c2aacc4408f/logos/6fe7a6eb-9ead-4aa4-8efe-5e4b75cd24f8.png"/><itunes:season>1</itunes:season><itunes:episode>22</itunes:episode><itunes:title>Signal//Noise #022 - Another Day, Another Shai-Hulud</itunes:title><itunes:episodeType>full</itunes:episodeType></item><item><title><![CDATA[Signal // Noise #021 - 3rd Party Risk with Eric Tilds]]></title><description><![CDATA[<p>MSPs are absorbing liability they didn't agree to take on — because their vendor contracts let it happen. Here's what to do about it.<br /><br />EPISODE OVERVIEW<br />Signal // Noise #021 brings in a special guest: Eric Tilds, an attorney whose practice represents approximately 500 MSPs and MSSPs worldwide. With third-party software compromises happening weekly, Bob Miller and Chris Loehr sit down with Eric to break down what MSP vendor contracts actually say, why that language is costing service providers, and what a properly negotiated agreement looks like. This is not a legal theory episode. It's a practical session on what needs to change in your document stack right now.<br /><br />WHAT WE COVER<br />- Why fewer than 5 of Eric's 500 MSP clients have their vendor contracts reviewed before signing<br />- How standard vendor liability caps (typically one year of fees paid) leave MSPs exposed when a third-party compromise causes real damage<br />- The three contract clauses that matter most: required security controls, mandatory breach notification, and indemnification<br />- How the IDEsaster supply chain attack pattern connects directly to current third-party compromise risk<br />- The GitHub repository breach carried out by Team PCP — and what it cost downstream<br />- Why "they don't allow contract negotiation" is almost always false, and how to push back<br />- What a vendor management program looks like for a 10-person MSP versus an enterprise shop<br /><br />KEY TAKEAWAYS<br />- Your customer agreement and your vendor agreement need to work together — a gap in either one becomes your liability<br />- If you haven't negotiated security control obligations into your vendor contracts, you likely cannot recover your actual losses<br />- Documenting your vendor vetting process (including SOC reports) is as important as the vetting itself<br />- Small MSPs are not exempt from this exposure — limiting your tool stack is a practical starting point<br />- The community-wide answer is a unified front: MSPs collectively pushing vendors toward responsible contract language<br /><br />ABOUT THE SHOW<br />Signal // Noise is a cybersecurity podcast where Chris Loehr and Bob Miller break down the latest security incidents, threats, and trends. Each incident episode runs the same event through five leading AI analysis tools (Claude, ChatGPT, Perplexity, Grok, and Gemini) and compares results live on air. Subscribe for weekly analysis that helps security professionals and business leaders stay ahead of emerging threats.<br /><br />RESOURCES<br />- Cyber Constitution (free download): <a rel="noopener noreferrer nofollow" href="https://cyberconstitution.org" target="_blank">https://cyberconstitution.org</a><br />- IRGame: <a rel="noopener noreferrer nofollow" href="https://irgame.ai" target="_blank">https://irgame.ai</a><br /><br />TAGS<br />third-party risk, MSP security, supply chain attack, vendor contracts, cybersecurity law, MSP liability, third-party compromise, Team PCP, GitHub breach, IDEsaster, vendor management, cybersecurity podcast, Chris Loehr, Bob Miller, Eric Tilds, Signal to Noise podcast, MSSP, infosec, IT security, contract negotiation</p>]]></description><guid isPermaLink="false">5b107d32-0f5e-4d5a-90ef-0ab3379f7f0d</guid><dc:creator><![CDATA[Chris Loehr & Bob Miller]]></dc:creator><pubDate>Fri, 22 May 2026 23:09:16 GMT</pubDate><enclosure url="https://api.riverside.com/hosting-analytics/media/d8bd747481dfbeec36ffa7e410d693814a816096687b9c9ca94bc0738614faaf/eyJlcGlzb2RlSWQiOiI1YjEwN2QzMi0wZjVlLTRkNWEtOTBlZi0wYWIzMzc5ZjdmMGQiLCJwb2RjYXN0SWQiOiIwZTYzNDdkMi03OGFmLTQyODMtYWVkMi0yYzJhYWNjNDQwOGYiLCJhY2NvdW50SWQiOiI2OGM4MzVmYWZkNjA1MzI1YzkzMmQ1NzAiLCJwYXRoIjoibWVkaWEvY2xpcHMvNmExMGUyODQwYTM3MGQ0MzBiZDQ2OGU1L2JvYi1taWxsZXJzLXN0dWRpby1xd0FvTy1jb21wb3Nlci0yMDI2LTUtMjNfXzEtMTEtMC5tcDMifQ==.mp3" length="58675766" type="audio/mpeg"/><podcast:transcript url="https://hosting-media.riverside.com/media/podcasts/0e6347d2-78af-4283-aed2-2c2aacc4408f/episodes/5b107d32-0f5e-4d5a-90ef-0ab3379f7f0d/transcripts.txt" type="text/plain"/><itunes:summary>&lt;p&gt;MSPs are absorbing liability they didn&apos;t agree to take on — because their vendor contracts let it happen. Here&apos;s what to do about it.&lt;br /&gt;&lt;br /&gt;EPISODE OVERVIEW&lt;br /&gt;Signal // Noise #021 brings in a special guest: Eric Tilds, an attorney whose practice represents approximately 500 MSPs and MSSPs worldwide. With third-party software compromises happening weekly, Bob Miller and Chris Loehr sit down with Eric to break down what MSP vendor contracts actually say, why that language is costing service providers, and what a properly negotiated agreement looks like. This is not a legal theory episode. It&apos;s a practical session on what needs to change in your document stack right now.&lt;br /&gt;&lt;br /&gt;WHAT WE COVER&lt;br /&gt;- Why fewer than 5 of Eric&apos;s 500 MSP clients have their vendor contracts reviewed before signing&lt;br /&gt;- How standard vendor liability caps (typically one year of fees paid) leave MSPs exposed when a third-party compromise causes real damage&lt;br /&gt;- The three contract clauses that matter most: required security controls, mandatory breach notification, and indemnification&lt;br /&gt;- How the IDEsaster supply chain attack pattern connects directly to current third-party compromise risk&lt;br /&gt;- The GitHub repository breach carried out by Team PCP — and what it cost downstream&lt;br /&gt;- Why &quot;they don&apos;t allow contract negotiation&quot; is almost always false, and how to push back&lt;br /&gt;- What a vendor management program looks like for a 10-person MSP versus an enterprise shop&lt;br /&gt;&lt;br /&gt;KEY TAKEAWAYS&lt;br /&gt;- Your customer agreement and your vendor agreement need to work together — a gap in either one becomes your liability&lt;br /&gt;- If you haven&apos;t negotiated security control obligations into your vendor contracts, you likely cannot recover your actual losses&lt;br /&gt;- Documenting your vendor vetting process (including SOC reports) is as important as the vetting itself&lt;br /&gt;- Small MSPs are not exempt from this exposure — limiting your tool stack is a practical starting point&lt;br /&gt;- The community-wide answer is a unified front: MSPs collectively pushing vendors toward responsible contract language&lt;br /&gt;&lt;br /&gt;ABOUT THE SHOW&lt;br /&gt;Signal // Noise is a cybersecurity podcast where Chris Loehr and Bob Miller break down the latest security incidents, threats, and trends. Each incident episode runs the same event through five leading AI analysis tools (Claude, ChatGPT, Perplexity, Grok, and Gemini) and compares results live on air. Subscribe for weekly analysis that helps security professionals and business leaders stay ahead of emerging threats.&lt;br /&gt;&lt;br /&gt;RESOURCES&lt;br /&gt;- Cyber Constitution (free download): &lt;a rel=&quot;noopener noreferrer nofollow&quot; href=&quot;https://cyberconstitution.org&quot; target=&quot;_blank&quot;&gt;https://cyberconstitution.org&lt;/a&gt;&lt;br /&gt;- IRGame: &lt;a rel=&quot;noopener noreferrer nofollow&quot; href=&quot;https://irgame.ai&quot; target=&quot;_blank&quot;&gt;https://irgame.ai&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;TAGS&lt;br /&gt;third-party risk, MSP security, supply chain attack, vendor contracts, cybersecurity law, MSP liability, third-party compromise, Team PCP, GitHub breach, IDEsaster, vendor management, cybersecurity podcast, Chris Loehr, Bob Miller, Eric Tilds, Signal to Noise podcast, MSSP, infosec, IT security, contract negotiation&lt;/p&gt;</itunes:summary><itunes:explicit>no</itunes:explicit><itunes:duration>00:30:34</itunes:duration><itunes:image href="https://hosting-media.riverside.com/media/podcasts/0e6347d2-78af-4283-aed2-2c2aacc4408f/episodes/5b107d32-0f5e-4d5a-90ef-0ab3379f7f0d/images/59add222-de1a-4f0c-a8e5-ea948afd276a.png"/><itunes:title>Signal // Noise #021 - 3rd Party Risk with Eric Tilds</itunes:title><itunes:episodeType>full</itunes:episodeType></item></channel></rss>