🚨 Emergency DevSec Station drop.
There's an active npm supply chain attack happening right now. Compromised packages are stealing SSH keys, AWS credentials, GitHub tokens, browser passwords, and crypto wallets on install. Then using your publish token to infect every package you maintain.
One command can protect you immediately: npm config set ignore-scripts true
Do it today, please. Tell your team. Watch the full 60 seconds.
#AppSec #SupplyChainSecurity #DevSecOps #SecureCoding #npm

What if a supply chain attack didn’t start with a sophisticated exploit… but with something totally normal?

A typo.
A copy-paste.
An AI suggestion.

In this episode, Tanya Janca walks through how modern supply chain attacks actually happen, and why they’re less about “elite hackers” and more about everyday developer workflows.

You’ll learn why these attacks are not a single event, but a sequence of small, reasonable decisions that quietly introduce risk into our systems.

What You’ll Learn

•  Why supply chain attacks are a process, not a moment
•  How attackers exploit normal developer behaviour
•  A realistic, step-by-step walk through of a modern attack 
•  Why traditional SCA approaches often fail 
•  How to focus on real risk instead of noise

A Realistic Attack, Step by Step

This episode walks through a common pattern seen in real-world incidents:

•  An attacker identifies a package name used internally 
•  They publish a lookalike or typo-squatted package 
•  Malicious behaviour is hidden in install scripts or dependencies 
•  A developer installs it, often unintentionally 
•  The system continues working… but access is now compromised 

Bad / Better / Best: Managing Supply Chain Risk

Bad: Ignore supply chain risk or abandon tools due to noise
Better: Use SCA, but without context or prioritization
Best: Use SCA with reachability or runtime analysis

If You Do Just One Thing This Week

Run an SCA tool with reachability enabled, and take action on one issue.

1.  Run SCA on your current project 
2.  Filter to: high severity + reachable
3.  Fix one issue (remove, upgrade, or replace) 
4.  Add one guardrail: 
   •  Pin versions and use lockfiles 
   •  Restrict registries 
   •  Fail CI on high + reachable findings 

You don’t need to fix everything. But you do need to start.
 

🚉 About DevSec Station

DevSec Station is a security-focused podcast for developers.

Please like and subscribe. Hosted by Tanya Janca | SheHacksPurple

Welcome to DevSec Station! I’m Tanya Janca (AKA SheHacksPurple), and this podcast is a series of short, practical security lessons for software developers. In this episode we will learn how supply chain attacks unfold in the wild, how to spot potential problems in your own workflows, and what you can do to protect yourself without slowing down too much.