Malicious packages hiding in plain sight? Welcome to modern open source ecosystems. This talk explores how open source code—once limited to harmless PoCs and bug bounty tools—is increasingly being weaponized as real malware in the npm and PyPI ecosystems. We’ll walk through how these threats have evolved, dive into real examples, and show how you can analyze and understand them, even when they try to hide behind layers of obfuscation.