Modern Web
173 episodes
3 days ago
The modern web is changing fast. Front-end frameworks evolve quickly, standards are emerging and old ones are fading out of favor. There are a lot of things to learn, but knowing the right thing is more critical than learning them all. Modern Web Podcast is an interview-style show where we learn about modern web development from industry experts. We’re committed to making it easy to digest lots of useful information!
How NPM Auto-Updates & Post-Install Scripts Could Hijack Your Org
36 minutes 8 seconds
1 month ago

In this Modern Web Podcast episode, Rob Ocel and Danny Thompson break down the recent string of npm supply chain attacks that have shaken the JavaScript ecosystem. They cover the Nx compromise, the phishing campaign that hit libraries like Chalk, and the Shai-Hulud exploit, showing how small changes in dependencies can have massive effects. Along the way, they share practical defenses: committing package-lock.json and installing with npm ci, avoiding phishing links, reviewing third-party code, applying least privilege, staging deployments, and maintaining incident response plans. They also highlight vendor interventions such as Vercel blocking malicious deployments, and stress why companies must support open source maintainers if the ecosystem is to remain secure.


Key Points from this Episode:

- Lock down installs. Pin versions, commit package-lock.json, use npm ci in CI, and disable scripts in CI (npm config set ignore-scripts true) to neutralize post-install attacks.

- Harden people & permissions. Phishing hygiene (never click through links in emails), 2FA/hardware keys, least privilege by default, and separate, purpose-scoped publishing accounts.

- Stage & detect early. Canary/staged deploys, feature flags, and tight observability to catch dependency drift, suspicious network egress, or monkey-patched APIs fast.

- Practice incident response. Two-hour containment target: revoke/rotate tokens, reimage affected machines, roll back artifacts, notify vendors, and run a post-mortem playbook.
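The "lock down installs" and "detect dependency drift" points above, as an added JavaScript example that is not code from the podcast or its hosts: it lists packages whose manifest declares an install-time lifecycle script (the hook npm runs unless ignore-scripts is set) and diffs two package-lock.json snapshots to flag version bumps or new packages. The package names, versions and integrity strings are constructed.

```javascript
// Added example (not code from the podcast or its hosts): two checks a CI job can
// run before trusting a dependency tree. findInstallHooks lists packages whose
// manifest declares an install-time lifecycle script (npm runs these on install
// unless ignore-scripts is set); lockDrift diffs two package-lock.json
// (lockfileVersion 2/3) snapshots, e.g. committed vs post-install, to catch drift.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function findInstallHooks(manifests) {
  const hits = [];
  for (const m of manifests) {
    for (const hook of INSTALL_HOOKS) {
      const cmd = m.scripts && m.scripts[hook];
      if (typeof cmd === "string") hits.push({ name: m.name, hook, cmd });
    }
  }
  return hits;
}

function lockDrift(before, after) {
  const drift = { added: [], removed: [], changed: [] };
  const a = before.packages || {}, b = after.packages || {};
  for (const path of new Set([...Object.keys(a), ...Object.keys(b)])) {
    if (path === "") continue; // "" is the root project itself, not a dependency
    if (!(path in a)) drift.added.push(path);
    else if (!(path in b)) drift.removed.push(path);
    else if (a[path].version !== b[path].version || a[path].integrity !== b[path].integrity)
      drift.changed.push({ path, from: a[path].version, to: b[path].version });
  }
  return drift;
}

// Constructed sample data: package names, versions and integrity hashes are made up.
const SAMPLE_MANIFESTS = [
  { name: "left-pad-ish", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "sneaky-dep", version: "2.1.0", scripts: { postinstall: "node setup.js" } },
];
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/left-pad-ish": { version: "1.0.0", integrity: "sha512-AAA" },
} };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/left-pad-ish": { version: "1.0.1", integrity: "sha512-BBB" },
  "node_modules/sneaky-dep": { version: "2.1.0", integrity: "sha512-CCC" },
} };
function auditSample() {
  return { hooks: findInstallHooks(SAMPLE_MANIFESTS), drift: lockDrift(LOCK_BEFORE, LOCK_AFTER) };
}
console.log(JSON.stringify(auditSample(), null, 2));
```

In a real pipeline, SAMPLE_MANIFESTS would be the package.json of every entry under node_modules and the two lock objects would be read from disk; any hit or drift fails the build for human review.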


Rob Ocel on LinkedIn: https://www.linkedin.com/in/robocel/

Danny Thompson on LinkedIn: https://www.linkedin.com/in/dthompsondev/

This Dot Labs Twitter: https://x.com/ThisDotLabs

This Dot Media Twitter: https://x.com/ThisDotMedia

This Dot Labs Instagram: https://www.instagram.com/thisdotlabs/

This Dot Labs Facebook: https://www.facebook.com/thisdot/

This Dot Labs Bluesky: https://bsky.app/profile/thisdotlabs.bsky.social


Sponsored by This Dot Labs: https://ai.thisdot.co/
