Sign up to save your podcasts
Or
Share Unpacking the NPM supply chain attacks with Feross Aboukhadijeh
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Unpacking the NPM supply chain attacks with Feross Aboukhadijeh
Feross Aboukhadijeh, founder of Socket, joins us to break down the recent wave of NPM supply chain attacks hitting the JavaScript ecosystem, including how attackers used phishing to target developers, snuck malware into popular packages like Prettier and "is", and even abused tools like Claude, Gemini, and TruffleHog.
We dig into how GitHub Actions vulnerabilities were exploited, what makes postinstall scripts risky, and and what you can do to protect yourself from future attacks.
Links
Website: https://feross.org
X: https://x.com/feross
GitHub: https://github.com/feross
LinkedIn: https://www.linkedin.com/in/feross
YouTube: https://www.youtube.com/channel/UCHM4OEvQDUq8UszyUrdov-w
Resources
npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
Compromised files replace npm packages with a combined 2 billion weekly downloads: https://www.techradar.com/pro/security/compromised-files-replace-npm-packages-with-a-combined-2-billion-weekly-downloads
Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
Chapters
00:00 Intro: NPM supply chain attacks explained
01:10 What is a software supply chain attack?
02:00 NPM phishing campaign: Fake login pages
03:00 Prettier ecosystem compromised
04:00 The “is” package malware incident
05:30 NX package breach (August 27 attack)
06:40 AI-powered supply chain exploit
08:00 GitHub Actions misconfiguration
12:00 Lessons from recent NPM attacks
20:00 How malicious packages get published
25:00 Why install scripts are so risky
30:00 Limitations of banning install scripts
35:00 Open source maintainer challenges
40:00 Smarter approaches to dependency updates
44:00 The future of open source supply chain security
47:00 Closing thoughts and resources
We want to hear from you!
How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend?
Fill out our listener survey!
Let us know by sending an email to our producer, Elizabeth, at [email protected], or tweet at us at PodRocketPod.
Follow us. Get free stickers.
Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!
What does LogRocket do?
LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today.
Special Guest: Feross Aboukhadijeh.
View all episodes
By LogRocket
4.9
5858 ratings
Feross Aboukhadijeh, founder of Socket, joins us to break down the recent wave of NPM supply chain attacks hitting the JavaScript ecosystem, including how attackers used phishing to target developers, snuck malware into popular packages like Prettier and "is", and even abused tools like Claude, Gemini, and TruffleHog.
We dig into how GitHub Actions vulnerabilities were exploited, what makes postinstall scripts risky, and and what you can do to protect yourself from future attacks.
Links
Website: https://feross.org
X: https://x.com/feross
GitHub: https://github.com/feross
LinkedIn: https://www.linkedin.com/in/feross
YouTube: https://www.youtube.com/channel/UCHM4OEvQDUq8UszyUrdov-w
Resources
npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
Compromised files replace npm packages with a combined 2 billion weekly downloads: https://www.techradar.com/pro/security/compromised-files-replace-npm-packages-with-a-combined-2-billion-weekly-downloads
Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
Chapters
00:00 Intro: NPM supply chain attacks explained
01:10 What is a software supply chain attack?
02:00 NPM phishing campaign: Fake login pages
03:00 Prettier ecosystem compromised
04:00 The “is” package malware incident
05:30 NX package breach (August 27 attack)
06:40 AI-powered supply chain exploit
08:00 GitHub Actions misconfiguration
12:00 Lessons from recent NPM attacks
20:00 How malicious packages get published
25:00 Why install scripts are so risky
30:00 Limitations of banning install scripts
35:00 Open source maintainer challenges
40:00 Smarter approaches to dependency updates
44:00 The future of open source supply chain security
47:00 Closing thoughts and resources
We want to hear from you!
How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend?
Fill out our listener survey!
Let us know by sending an email to our producer, Elizabeth, at [email protected], or tweet at us at PodRocketPod.
Follow us. Get free stickers.
Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!
What does LogRocket do?
LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today.
Special Guest: Feross Aboukhadijeh.
More shows like PodRocket
View all
Software Engineering Radio
271 Listeners
Hanselminutes with Scott Hanselman
379 Listeners
The Changelog: Software Development, Open Source
291 Listeners
Software Engineering Daily
624 Listeners
Talk Python To Me
588 Listeners
Soft Skills Engineering
284 Listeners
Thoughtworks Technology Podcast
41 Listeners
Syntax - Tasty Web Development Treats
987 Listeners
REWORK
210 Listeners
CoRecursive: Coding Stories
188 Listeners
The Stack Overflow Podcast
62 Listeners
The Real Python Podcast
141 Listeners
devtools.fm: Developer Tools, Open Source, Software Development
25 Listeners
Oxide and Friends
59 Listeners
Front-End Fire
11 Listeners