Unpacking the NPM supply chain attacks with Feross Aboukhadijeh

https://is1-ssl.mzstatic.com/image/thumb/Podcasts211/v4/a1/2e/33/a12e339a-9f01-5409-16d7-b489a39bb3ef/mza_5386646504975078773.jpg/600x600bb.jpg

PodRocket

LogRocket

594 episodes

13 hours ago

PodRocket covers everything you need to know about frontend web development on a weekly basis. Join our hosts as they interview experienced developers about all the libraries, frameworks, and tech industry issues they deal with every day.

Technology

RSS

All content for PodRocket is the property of LogRocket and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.

Technology

https://assets.fireside.fm/file/fireside-images-2024/podcasts/images/3/3911462c-bca2-48c2-9103-610ba304c673/episodes/a/aa347acf-4511-4eba-a082-f865dc8e8948/cover.jpg?v=1

Unpacking the NPM supply chain attacks with Feross Aboukhadijeh

PodRocket

40 minutes 9 seconds

1 month ago

Unpacking the NPM supply chain attacks with Feross Aboukhadijeh

Feross Aboukhadijeh, founder of Socket, joins us to break down the recent wave of NPM supply chain attacks hitting the JavaScript ecosystem, including how attackers used phishing to target developers, snuck malware into popular packages like Prettier and "is", and even abused tools like Claude, Gemini, and TruffleHog.
We dig into how GitHub Actions vulnerabilities were exploited, what makes postinstall scripts risky, and and what you can do to protect yourself from future attacks.

Links

Website: https://feross.org
X: https://x.com/feross
GitHub: https://github.com/feross
LinkedIn: https://www.linkedin.com/in/feross
YouTube: https://www.youtube.com/channel/UCHM4OEvQDUq8UszyUrdov-w

Resources

npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
Compromised files replace npm packages with a combined 2 billion weekly downloads: https://www.techradar.com/pro/security/compromised-files-replace-npm-packages-with-a-combined-2-billion-weekly-downloads
Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack

Chapters

00:00 Intro: NPM supply chain attacks explained
01:10 What is a software supply chain attack?
02:00 NPM phishing campaign: Fake login pages
03:00 Prettier ecosystem compromised
04:00 The “is” package malware incident
05:30 NX package breach (August 27 attack)
06:40 AI-powered supply chain exploit
08:00 GitHub Actions misconfiguration
12:00 Lessons from recent NPM attacks
20:00 How malicious packages get published
25:00 Why install scripts are so risky
30:00 Limitations of banning install scripts
35:00 Open source maintainer challenges
40:00 Smarter approaches to dependency updates
44:00 The future of open source supply chain security
47:00 Closing thoughts and resources

We want to hear from you!

How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend?

Fill out our listener survey!
Let us know by sending an email to our producer, Em, at emily.kochanek@logrocket.com, or tweet at us at PodRocketPod.

Follow us. Get free stickers.

What does LogRocket do?

LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today.

Special Guest: Feross Aboukhadijeh.