Software supply chain attacks hit a new record in Q1 2026, with the number of malicious packages discovered on public registries up 80 percent year-over-year. Lucas and Luna break down how a single compromised npm package called 'event-stream' in 2018 foreshadowed today's crisis, and examine the new defenses developers are adopting: signature-based attestation from the Sigstore project, dependency pinning with verified lockfiles, and runtime monitoring tools like OpenGuard. They drill into the specific case of the 'user-agent-parse' attack in February 2026, where a typosquatted package exfiltrated AWS credentials from 2000 CI pipelines before being caught. The episode concludes with a practical checklist any team can implement this week to reduce their exposure, including why 'just audit your dependencies' is no longer enough. No abstract warnings: concrete tools, real CVEs, and a realistic threat model for a mid-sized engineering team in mid-2026.
#SupplyChainSecurity #SoftwareSecurity #npm #Sigstore #OpenGuard #Typosquatting #DevOps #CyberSecurity #JavaScript #PythonPackaging #CI/CD #PackageManagement #DependencyHell #Technology #FexingoBusiness #BusinessPodcast #DeveloperTools #OpenSourceSecurity
Keep every episode free: buymeacoffee.com/fexingo
By Fexingo