September 17, 2025

Green Checks, Red Flags: Surviving Supply-Chain Attacks

46 minutes

In this episode, Matt and Liam dig into the messy reality of software supply-chain attacks, how a seemingly harmless pull request can turn into a compromised release, and why those ✅ green CI badges can lull us into a false sense of security.

We unpack a recent incident involving an NPM package publish that was hijacked via a poisoned PR and stolen publishing token, then zoom out to the wider tactics attackers use (from secrets exfil via build logs to cheeky action scripts). We also talk about what small teams can do today to reduce blast radius without grinding delivery to a halt.

We discuss:

What actually happened in the recent NX/NPM incident—and why token theft via PR is so dangerous

Sneaky exfil paths: encoded secrets, console/log leaks, and “helpful” CI steps doing unhelpful things

The illusion of safety: why “keep the checkmarks green” isn’t a security strategy

Practical hardening for tiny teams: scoped publish tokens, protected runners, required reviews, and a human-in-the-loop for releases

Discovery vs. trust: our stance on the Blake template registry (makes discovery easier, doesn’t guarantee safety)

How to think adversarially about your pipelines without killing dev velocity

🍻 Tonight’s Drinks:

Matt – Oakvale Shiraz

Liam – Young Henry’s Newtowner

🔗 Tonight’s Links:

The Pull Request that introduced the vulnerable code

The commit that included the exploit

NX S1ngularity Postmortem

Security blog article breaking down the incident

Affected NPM packages on npmjs.com

GitHub Actions security hardening documentation

Blake Template Registry (discovery, not trust!)

OWASP Supply Chain Security Guide

Any Likes 👍, Shares 📣, Subscriptions 🔔, and Love ❤️ help us keep the mics on.

Cheers! 🍻

...more

View all episodes

By Matt Goldman & Liam Elliott

September 17, 2025

Green Checks, Red Flags: Surviving Supply-Chain Attacks

46 minutes

We discuss:

What actually happened in the recent NX/NPM incident—and why token theft via PR is so dangerous

Sneaky exfil paths: encoded secrets, console/log leaks, and “helpful” CI steps doing unhelpful things

The illusion of safety: why “keep the checkmarks green” isn’t a security strategy

Practical hardening for tiny teams: scoped publish tokens, protected runners, required reviews, and a human-in-the-loop for releases

Discovery vs. trust: our stance on the Blake template registry (makes discovery easier, doesn’t guarantee safety)

How to think adversarially about your pipelines without killing dev velocity

🍻 Tonight’s Drinks:

Matt – Oakvale Shiraz

Liam – Young Henry’s Newtowner

🔗 Tonight’s Links:

The Pull Request that introduced the vulnerable code

The commit that included the exploit

NX S1ngularity Postmortem

Security blog article breaking down the incident

Affected NPM packages on npmjs.com

GitHub Actions security hardening documentation

Blake Template Registry (discovery, not trust!)

OWASP Supply Chain Security Guide

Any Likes 👍, Shares 📣, Subscriptions 🔔, and Love ❤️ help us keep the mics on.

Cheers! 🍻

...more

Share Green Checks, Red Flags: Surviving Supply-Chain Attacks

Sign up to save your podcasts

Green Checks, Red Flags: Surviving Supply-Chain Attacks

Green Checks, Red Flags: Surviving Supply-Chain Attacks