The Programming Languages Podcast with Fexingo: Python, Rust, JavaScript, and Modern Coding

How Developers Are Fighting Supply Chain Attacks in 2026



Software supply chain attacks hit a new record in Q1 2026, with the number of malicious packages discovered on public registries up 80 percent year over year. Lucas and Luna trace how the 2018 compromise of the npm package 'event-stream' foreshadowed today's crisis, then examine the defenses developers are adopting: signed attestations from the Sigstore project, dependency pinning with integrity-verified lockfiles, and runtime monitoring tools such as OpenGuard. They drill into the 'user-agent-parse' attack of February 2026, in which a typosquatted package exfiltrated AWS credentials from 2000 CI pipelines before it was caught. The episode closes with a practical checklist any team can implement this week to reduce its exposure, including why 'just audit your dependencies' is no longer enough. No abstract warnings: concrete tools, real CVEs, and a realistic threat model for a mid-sized engineering team in mid-2026.
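Two of the defenses named above, lockfile pinning and typosquat detection, can be checked mechanically in CI. The script below is an added example for this page, not code from Fexingo, the episode, or any tool it mentions. It reads an npm package-lock.json (lockfileVersion 3 layout) and flags entries that lack an integrity hash, entries resolved from somewhere other than the public registry, and names within one edit (insertion, deletion, substitution, or adjacent transposition) of an allowlist of packages the team expects to depend on. The lockfile, the integrity placeholders, and the allowlist are all constructed for the demo; a real team would feed it its own lockfile and its own list of approved packages.

```python
"""Lockfile hygiene check: integrity hashes, registry provenance, and a
typosquat heuristic against an allowlist of expected package names.

Added example for this episode page; it is not code from Fexingo or from any
tool the episode mentions. SAMPLE_LOCK and KNOWN_GOOD are constructed inputs.
"""
import json

# Constructed package-lock.json in the lockfileVersion 3 layout: dependencies
# live under "packages", keyed by "node_modules/<name>". The integrity values
# are placeholders, not real hashes; only their presence is checked here.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-PLACEHOLDER-constructed-for-demo",
        },
        # Constructed one-transposition lookalike of "lodash".
        "node_modules/lodahs": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodahs/-/lodahs-4.17.21.tgz",
            "integrity": "sha512-PLACEHOLDER-constructed-for-demo",
        },
        # Constructed entry with no integrity field: npm cannot verify the tarball.
        "node_modules/utils-unpinned": {
            "version": "0.3.1",
            "resolved": "https://registry.npmjs.org/utils-unpinned/-/utils-unpinned-0.3.1.tgz",
        },
        # Constructed entry fetched from a git URL rather than the registry.
        "node_modules/internal-utils": {
            "version": "0.1.0",
            "resolved": "git+ssh://git@example.invalid/acme/internal-utils.git#abc123",
        },
    },
})

# Assumed allowlist of packages the team has approved (a team would maintain its own).
KNOWN_GOOD = {"lodash", "express", "ua-parser-js"}

REGISTRY_PREFIX = "https://registry.npmjs.org/"


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition.

    Distance 1 covers the classic typosquat shapes: one dropped, added, or
    substituted character, or two neighbouring characters swapped.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def audit_lockfile(lock_text: str, known_good: set) -> list:
    """Return (package_name, finding) tuples for every suspicious lock entry."""
    lock = json.loads(lock_text)
    findings = []
    for key, meta in lock.get("packages", {}).items():
        if key == "":
            continue  # the root project itself
        # Nested installs look like "node_modules/a/node_modules/b"; take the last name.
        name = key.rsplit("node_modules/", 1)[1]
        resolved = meta.get("resolved", "")
        if not meta.get("integrity"):
            findings.append((name, "missing-integrity"))
        if not resolved.startswith(REGISTRY_PREFIX):
            findings.append((name, "non-registry-source"))
        if name not in known_good:
            near = sorted(k for k in known_good if osa_distance(name, k) == 1)
            if near:
                findings.append((name, "possible-typosquat-of:" + ",".join(near)))
    return findings


if __name__ == "__main__":
    for pkg, finding in audit_lockfile(SAMPLE_LOCK, KNOWN_GOOD):
        print(f"{pkg}: {finding}")
```

Run it against a checked-in lockfile as a CI gate and fail the build on any finding; the typosquat check is a heuristic, so keep the allowlist limited to packages you actually depend on, otherwise legitimate short names will collide with each other and drown the signal.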

#SupplyChainSecurity #SoftwareSecurity #npm #Sigstore #OpenGuard #Typosquatting #DevOps #CyberSecurity #JavaScript #PythonPackaging #CI/CD #PackageManagement #DependencyHell #Technology #FexingoBusiness #BusinessPodcast #DeveloperTools #OpenSourceSecurity

Keep every episode free: buymeacoffee.com/fexingo


By Fexingo