Unpacking the NPM supply chain attacks with Feross Aboukhadijeh
Sep 23, 2025
Feross Aboukhadijeh, the founder and CEO of Socket, dives into the alarming rise of NPM supply chain attacks targeting the JavaScript community. He discusses how attackers used phishing to compromise popular packages like Prettier and 'is', explaining the weaknesses that allowed these breaches. Feross also highlights the risk of postinstall scripts and offers practical mitigation strategies against future threats, emphasizing the importance of vigilant practices in the ever-evolving landscape of software security.
AI Snips
Phishing Led To Prettier Compromise
- Feross's team encountered a phishing email spoofing npm that led to Prettier-related packages being backdoored.
- Installing those compromised packages delivered a Windows DLL that stole browser cookies and tokens.
'is' Package Gave Attackers Remote Shells
- A compromised 'is' package ran cross-platform JavaScript malware that opened a WebSocket to a command server.
- The attacker could send back code which the malware executed immediately, giving an interactive remote shell on the victim's machine.
NX Used AI Tools To Hunt Secrets
- The NX compromise (Aug 27) stole GitHub and NPM tokens, SSH keys, and environment secrets from developer machines.
- The malware even used local AI CLIs like Claude and Gemini to scan files via natural-language prompts and write results to /tmp/inventory.txt.