Feross Aboukhadijeh, founder of Socket, joins us to break down the recent wave of NPM supply chain attacks hitting the JavaScript ecosystem, including how attackers used phishing to target developers, snuck malware into popular packages like Prettier and "is", and even abused tools like Claude, Gemini, and TruffleHog.
We dig into how GitHub Actions vulnerabilities were exploited, what makes postinstall scripts risky, and and what you can do to protect yourself from future attacks.
Links
Website: https://feross.org
X: https://x.com/feross
GitHub: https://github.com/feross
LinkedIn: https://www.linkedin.com/in/feross
YouTube: https://www.youtube.com/channel/UCHM4OEvQDUq8UszyUrdov-w
Resources
npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
Compromised files replace npm packages with a combined 2 billion weekly downloads: https://www.techradar.com/pro/security/compromised-files-replace-npm-packages-with-a-combined-2-billion-weekly-downloads
Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
Chapters
00:00 Intro: NPM supply chain attacks explained
01:10 What is a software supply chain attack?
02:00 NPM phishing campaign: Fake login pages
03:00 Prettier ecosystem compromised
04:00 The “is” package malware incident
05:30 NX package breach (August 27 attack)
06:40 AI-powered supply chain exploit
08:00 GitHub Actions misconfiguration
12:00 Lessons from recent NPM attacks
20:00 How malicious packages get published
25:00 Why install scripts are so risky
30:00 Limitations of banning install scripts
35:00 Open source maintainer challenges
40:00 Smarter approaches to dependency updates
44:00 The future of open source supply chain security
47:00 Closing thoughts and resources
We want to hear from you!
How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend?
Fill out our listener survey!
Let us know by sending an email to our producer, Em, at emily.kochanek@logrocket.com, or tweet at us at PodRocketPod.
Follow us. Get free stickers.
Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!
What does LogRocket do?
LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today.
Special Guest: Feross Aboukhadijeh.
