npm’s Biggest Supply Chain Attack (and What We Learned)
Sep 15, 2025
Dive into the latest enhancements from Storybook 10, showcasing impressive performance and new testing tools. Uncover the startling details of a major supply chain attack on npm that was triggered by a phishing email. Explore the alarming security vulnerability found in the AI browser Comet, which raises crucial data privacy concerns. Enjoy humorous anecdotes about audio technology innovations and the tech industry reflected in 'Silicon Valley,' while the hosts engage with their community and address your listener queries.
Storybook's Big ESM Performance Win
- Storybook 10 goes ESM-only, which dramatically reduces package size and speeds up installs and builds.
- Moving off CommonJS removed many legacy dependencies and produced large performance gains.
Maintainer Click Led To Large npm Supply-Chain Incident
- Josh Junon fell for a convincing fake 2FA phishing email, and the attackers used his account to publish malicious updates to hugely popular npm packages.
- The injected code tried to scrape crypto wallets, but the attack netted almost nothing and was shut down within an hour.
Small Packages Can Break Big Ecosystems
- The npm ecosystem's deep dependency trees turn the compromise of a single maintainer into a systemic risk.
- Even small, old packages (like simple-swizzle) can affect millions and become critical attack vectors.