In February, a maintainer of a widely-used npm package pushed a release that shipped malware to 47,000 downstream applications. The maintainer's GitHub account had been compromised four months earlier. Nobody noticed. It happened again in March. Again in early April. This episode is the supply chain security story the vendors aren't telling you correctly.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📚 WHAT YOU'LL LEARN
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ The 4 Q1 2026 supply chain incidents you may have missed
✅ Maintainer takeover — the 5-step playbook attackers actually use
✅ Why SBOM (Software Bill of Materials) doesn't prevent this
✅ SLSA (pronounced "salsa") levels — and why <1% of enterprises reach Level 3
✅ Sigstore adoption by registry — the ugly numbers
✅ The pragmatic defense playbook for a 50-person shop
✅ What package maintainers need to hear right now
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⏱ CHAPTERS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
0:00 Intro — the February npm incident
0:49 The Q1 2026 timeline — 4 incidents, 4 vectors
2:01 Maintainer takeover — the 5-step template
3:39 SBOM theater vs reality
4:35 SLSA adoption by level
5:39 Sigstore adoption by registry
6:36 The pragmatic defense — what to do this quarter
8:29 To the maintainers watching — enable MFA. Please.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🎯 THE MEMORABLE LINES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
• "An SBOM is a receipt. It's proof you bought the groceries. It does not mean you cooked dinner."
• "94% of enterprise builds are still at SLSA Level 1."
• "If your CI can push to npm, steal crypto wallets, and read your production database — that's not a CI account. That's a supervillain."
• "We are collectively running on trust and good luck."
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🛡 THE PRAGMATIC DEFENSE CHECKLIST
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
• Hard-pin every dependency · no floating ranges
• Dependabot/Renovate with auto-merge OFF · review every diff
• Dependency firewall (JFrog, Cloudsmith, Artifactory)
• Minimize your supply chain — every dep is a trust decision
• Segregate build credentials · principle of least privilege on CI
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
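One way to make the first checklist item (hard-pin, no floating ranges) enforceable in CI, as an added example that is not code from the episode or the podcast: a Node script that classifies each specifier in a package.json and lists the ones that would let a new release in without a diff to review. The sample manifest is constructed, and every package name and version in it is a placeholder.

```javascript
// Added example (not from the episode): flag package.json dependency specs
// that are not exact pins. A floating range (^, ~, *, x, >=, ||, or a
// dist-tag such as "latest") lets a future, possibly malicious, release be
// installed with no diff to review. Non-registry sources (git, URL, file)
// are reported separately. Caveat: this checks the manifest only; the
// lockfile plus `npm ci` is what actually enforces what gets installed.
const EXACT = /^=?v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const NON_REGISTRY = /^(?:git\+|git:|github:|gitlab:|bitbucket:|https?:|file:|link:)/;
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Classify one npm version specifier: 'exact', 'floating' or 'nonregistry'.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (s.startsWith('npm:')) {
    // Alias form "npm:real-name@spec": judge the spec after the last '@'.
    const at = s.lastIndexOf('@');
    return at > 4 ? classifySpec(s.slice(at + 1)) : 'floating';
  }
  // A '/' in a spec (e.g. "org/repo") is GitHub shorthand, not a version.
  if (NON_REGISTRY.test(s) || s.includes('/')) return 'nonregistry';
  return EXACT.test(s) ? 'exact' : 'floating';
}

// Return every dependency whose specifier is not an exact pin. peerDependencies
// are skipped: they are ranges by design and this manifest does not install them.
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'exact') findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}
// Constructed sample manifest for demonstration; not a real project.
const SAMPLE = JSON.stringify({
  dependencies: {
    express: '4.19.2', // exact pin: fine
    lodash: '^4.17.21', // caret range: floating
    'left-pad': 'latest', // dist-tag: floating
    'some-lib': 'npm:other-lib@1.0.0', // alias with exact spec: fine
    vendored: 'git+https://example.com/org/repo.git#v1', // non-registry
  },
  devDependencies: { jest: '~29.7.0', typescript: '=5.4.5' },
  peerDependencies: { react: '>=18' }, // skipped on purpose
});

for (const f of auditPackageJson(SAMPLE)) console.log(`${f.section}.${f.name}: "${f.spec}" is ${f.kind}`);
```

Run it against a real manifest by replacing SAMPLE with the file contents; a non-empty result is what a CI job should fail on, and the nonregistry entries deserve the same review as a new dependency.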
📡 TECH UPDATES · THE PODCAST
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔗 techupdates.it-learn.io
🔔 Subscribe for the full EP17–21 run.
Previous → EP17 · The Collapse of SaaS
Up next → EP19 · AI Is Eating the Grid
#TechUpdates #SupplyChainSecurity #npm #SBOM #SLSA #Sigstore #DevSecOps #OpenSource #MaintainerSecurity
By Andres Sarmiento