PodRocket - A web development podcast from LogRocket

Unpacking the NPM supply chain attacks with Feross Aboukhadijeh

14 snips

Sep 23, 2025

Feross Aboukhadijeh, the founder and CEO of Socket, dives into the alarming rise of NPM supply chain attacks targeting the JavaScript community. He discusses how attackers employed phishing tactics to compromise popular packages like Prettier and 'is,' explaining the vulnerabilities that allowed for these breaches. Feross also highlights risky postinstall scripts and provides practical mitigation strategies to protect against future threats, emphasizing the importance of vigilant practices in the ever-evolving landscape of software security.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

ANECDOTE

Phishing Led To Prettier Compromise

Feross's team encountered a phishing email spoofing npm that led to Prettier-related packages being backdoored.
Installing those compromised packages delivered a Windows DLL that stole browser cookies and tokens.

ANECDOTE

'is' Package Gave Attackers Remote Shells

A compromised 'is' package ran cross-platform JavaScript malware that opened a WebSocket to a command server.
The attacker could send back code which the malware executed immediately, giving an interactive remote shell on the victim's machine.

ANECDOTE

NX Used AI Tools To Hunt Secrets

The NX compromise (Aug 27) stole GitHub, NPM tokens, SSH keys and env secrets from developer machines.
The malware even used local AI CLIs like Claude and Gemini to scan files via natural-language prompts and write results to /tmp/inventory.txt.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Feross Aboukhadijeh, founder of Socket, joins us to break down the recent wave of NPM supply chain attacks hitting the JavaScript ecosystem, including how attackers used phishing to target developers, snuck malware into popular packages like Prettier and "is", and even abused tools like Claude, Gemini, and TruffleHog.
We dig into how GitHub Actions vulnerabilities were exploited, what makes postinstall scripts risky, and and what you can do to protect yourself from future attacks.

Links

Website: https://feross.org
X: https://x.com/feross
GitHub: https://github.com/feross
LinkedIn: https://www.linkedin.com/in/feross
YouTube: https://www.youtube.com/channel/UCHM4OEvQDUq8UszyUrdov-w

Resources

npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
Compromised files replace npm packages with a combined 2 billion weekly downloads: https://www.techradar.com/pro/security/compromised-files-replace-npm-packages-with-a-combined-2-billion-weekly-downloads
Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack

Chapters

00:00 Intro: NPM supply chain attacks explained
01:10 What is a software supply chain attack?
02:00 NPM phishing campaign: Fake login pages
03:00 Prettier ecosystem compromised
04:00 The “is” package malware incident
05:30 NX package breach (August 27 attack)
06:40 AI-powered supply chain exploit
08:00 GitHub Actions misconfiguration
12:00 Lessons from recent NPM attacks
20:00 How malicious packages get published
25:00 Why install scripts are so risky
30:00 Limitations of banning install scripts
35:00 Open source maintainer challenges
40:00 Smarter approaches to dependency updates
44:00 The future of open source supply chain security
47:00 Closing thoughts and resources

We want to hear from you!

How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend?

Fill out our listener survey!
Let us know by sending an email to our producer, Em, at emily.kochanek@logrocket.com, or tweet at us at PodRocketPod.

Follow us. Get free stickers.

What does LogRocket do?

LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today.

Special Guest: Feross Aboukhadijeh.