The Hidden Threat Inside Every Enterprise: What CISOs Are Missing in the Software Supply Chain, with Koi’s Amit Assaraf

July 23, 2025

CISOs, are you watching the front door while attackers slip in through the side?

In this episode of Vigilance, Pam Brodt sits down with Amit Assaraf, co-founder and CEO of Koi, to expose a massive blind spot in modern enterprise security: the unmonitored sprawl of extensions, registries, app stores, and marketplaces powering your software supply chain.

Amit recounts how a simple experiment—uploading a lookalike VS Code extension—landed them inside Fortune 500 environments in under 7 days, undetected.

The same path is being used by nation-state actors like Lazarus Group to breach global enterprises.

We cover:

  • Why auto-updates and ownership transfers are critical (and overlooked) attack vectors
  • How trusted platforms like the Chrome Web Store, npm, PyPI, and Hugging Face are being exploited
  • Why EDRs and AppSec tools fail to detect these threats
  • How Koi is using AI-driven risk engines to monitor and secure 30+ marketplaces—without deploying a single new agent
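The two vectors called out above, a listing changing hands and an auto-update pulling a new package, are both visible in marketplace metadata if you keep a baseline and diff against it. The script below is an added example, not Koi's tooling and not something shown in the episode: the record layout, the Chrome-style "permissions" field, the extension ids, publishers and digests are all constructed here for illustration. It flags ownership transfers, version drift (what an auto-updating client would silently install), re-published packages whose bytes changed without a version bump, permission creep, and new listings whose names look like ones already in the baseline (the lookalike trick from the VS Code experiment).

```python
"""Diff two marketplace metadata snapshots for ownership transfers, silent
re-publishes, permission creep and lookalike names.

Added example. Record layout and all sample data are constructed; the
"permissions" field assumes a Chrome-style manifest model, which not every
marketplace exposes.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class ExtensionRecord:
    ext_id: str            # marketplace identifier, e.g. "publisher.name" (constructed)
    publisher: str         # account that currently owns the listing
    version: str           # version string the marketplace currently serves
    sha256: str            # digest of the package bytes as downloaded
    permissions: frozenset  # declared capabilities (assumed manifest model)


@dataclass(frozen=True)
class Finding:
    ext_id: str
    kind: str
    detail: str


def lookalike_of(ext_id, known_ids, threshold=0.8):
    """Return the known id that ext_id most resembles without equalling, or None."""
    best, best_ratio = None, 0.0
    for known in known_ids:
        if known == ext_id:
            continue
        ratio = SequenceMatcher(None, ext_id, known).ratio()
        if ratio >= threshold and ratio > best_ratio:
            best, best_ratio = known, ratio
    return best


def audit(before, after):
    """Compare a trusted baseline snapshot with a fresh one and return findings."""
    findings = []
    baseline = {r.ext_id: r for r in before}
    for rec in after:
        old = baseline.get(rec.ext_id)
        if old is None:
            findings.append(Finding(rec.ext_id, "new", "not present in baseline"))
            target = lookalike_of(rec.ext_id, baseline)
            if target:
                findings.append(Finding(rec.ext_id, "lookalike", f"name resembles {target}"))
            continue
        if old.publisher != rec.publisher:
            findings.append(Finding(rec.ext_id, "ownership_transfer",
                                    f"{old.publisher} -> {rec.publisher}"))
        if old.version != rec.version:
            findings.append(Finding(rec.ext_id, "version_drift",
                                    f"{old.version} -> {rec.version}; auto-update clients will pull this"))
        elif old.sha256 != rec.sha256:
            # Same version, different bytes: the listing was re-published in place.
            findings.append(Finding(rec.ext_id, "bytes_drift",
                                    "package bytes changed with no version bump"))
        added = rec.permissions - old.permissions
        if added:
            findings.append(Finding(rec.ext_id, "new_permissions", ", ".join(sorted(added))))
    return findings


# Constructed sample snapshots (digests are placeholders, not real hashes).
BASELINE = [
    ExtensionRecord("acme.linter", "acme", "1.4.0", "a" * 64, frozenset({"workspace.read"})),
    ExtensionRecord("acme.formatter", "acme", "2.0.1", "b" * 64, frozenset({"workspace.read"})),
    ExtensionRecord("acme.snippets", "acme", "0.9.0", "e" * 64, frozenset({"workspace.read"})),
]
LATEST = [
    ExtensionRecord("acme.linter", "acme", "1.4.0", "a" * 64, frozenset({"workspace.read"})),
    # Listing sold to a new owner, bumped, and now wants network + secrets access.
    ExtensionRecord("acme.formatter", "newowner-llc", "2.1.0", "c" * 64,
                    frozenset({"workspace.read", "network", "secrets"})),
    # Same version string, different bytes.
    ExtensionRecord("acme.snippets", "acme", "0.9.0", "f" * 64, frozenset({"workspace.read"})),
    # Typosquat of acme.linter ("rn" for "m").
    ExtensionRecord("acrne.linter", "acrne", "1.0.0", "d" * 64, frozenset({"network"})),
]

if __name__ == "__main__":
    for f in audit(BASELINE, LATEST):
        print(f"{f.ext_id:16} {f.kind:18} {f.detail}")
```

Run against real data, the baseline is whatever you last reviewed and approved; anything that shows up as `ownership_transfer` or `bytes_drift` deserves a hold on auto-update until someone has looked at the new package.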

If you’re a security leader balancing productivity and protection, this conversation will change how you think about supply chain risk.

🔒 Don’t miss this one—it’s the conversation every enterprise CISO needs to hear.

Chapters:

0:00 Intro
2:00 The origin of Koi: a marketplace experiment gone viral
8:00 Why marketplaces are the next major attack surface
13:00 The auto-update problem (Cyberhaven breach case study)
18:00 Most abused platforms: IDEs, browsers, registries
22:00 How Koi scales with automation and AI
27:00 No agents, no friction: how Koi integrates
30:00 Final thoughts for CISOs on balancing risk and velocity

Copyright © 2025 The Roundtable Network. All rights reserved.