JavaScript Jabber

Guarding the JavaScript Supply Chain: Preventing NPM Attacks with Feross Aboukhadijeh - JSJ 695

Nov 1, 2025
Joining the discussion is Feross Aboukhadijeh, founder of Socket.dev, who is a key figure in enhancing JavaScript supply chain security. He sheds light on phishing campaigns that target NPM maintainers, detailing shocking hacks like compromised packages that grant remote access to attackers. Feross explores the dark side of AI in malware, the vulnerabilities of GitHub Actions, and the vital importance of phishing-resistant two-factor authentication. His insights on ongoing threats and Socket’s protective solutions are a must-listen for developers concerned about code safety.
ANECDOTE

Phishing Campaign That Compromised Maintainers

  • Feross described a phishing campaign that spoofed npm domains and proxied a fake login site to steal credentials.
  • Some popular maintainers fell for it and malicious DLLs enabled remote shell-like access via WebSockets.
ADVICE

Protect All Recognized Domains With Email DNS Records

  • Set SPF/DMARC records for all domains users recognize so email clients can detect spoofed messages.
  • Protect any domain users might trust, even if you don't send mail from it directly.
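The check below is an added example, not code from the episode or from Socket. It grades a domain's SPF and DMARC posture from its TXT records and prints the records to publish for a domain that never sends mail, which is the case the advice above is really about. The records it evaluates are constructed samples; in practice you would feed it the output of `dig +short TXT <domain>` and `dig +short TXT _dmarc.<domain>`.

```python
"""Grade SPF/DMARC posture for domains users recognise (added example)."""


def spf_posture(txt_records):
    """Return (status, reason) for the TXT records at a domain's apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ("missing", "no v=spf1 record: receivers have nothing to check a forged From against")
    if len(spf) > 1:
        return ("invalid", "several v=spf1 records: RFC 7208 permerror, which most receivers treat as no SPF")
    terms = spf[0].lower().split()
    tail = terms[-1]
    if tail == "-all":
        return ("hardfail", "ends with -all: unauthorised senders fail")
    if tail == "~all":
        return ("softfail", "ends with ~all: forgeries only softfail; DMARC p=reject is what makes that actionable")
    if tail == "?all":
        return ("neutral", "ends with ?all: forgeries evaluate neutral, same as no record")
    if tail in ("+all", "all"):
        return ("open", "+all authorises every host on the internet; worse than no record")
    if any(t.startswith("redirect=") for t in terms):
        return ("redirect", "policy delegated via redirect=; grade the target domain instead")
    return ("no-all", "no terminal all mechanism: unlisted senders evaluate neutral")


def dmarc_posture(txt_records):
    """Return (status, reason) for the TXT records at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return ("missing", "no DMARC record: receivers cannot act on SPF/DKIM failures")
    if len(recs) > 1:
        return ("invalid", "several DMARC records: receivers discard all of them")
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    sub = tags.get("sp", policy).lower()  # sp defaults to p
    if policy not in ("none", "quarantine", "reject"):
        return ("invalid", "p= tag missing or malformed: record is ignored")
    status = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}[policy]
    reason = "p=%s" % policy
    if sub != policy:
        reason += ", but sp=%s weakens subdomains" % sub
    if "rua" not in tags:
        reason += "; no rua= so you never learn who is forging the domain"
    return (status, reason)


def assess(domain, apex_txt, dmarc_txt):
    """Combine both checks; enforced means forged mail can actually be rejected."""
    spf_status, spf_reason = spf_posture(apex_txt)
    dmarc_status, dmarc_reason = dmarc_posture(dmarc_txt)
    return {
        "domain": domain,
        "spf": spf_status,
        "dmarc": dmarc_status,
        "enforced": dmarc_status in ("quarantine", "reject")
        and spf_status in ("hardfail", "softfail"),
        "notes": [spf_reason, dmarc_reason],
    }


def recommend_no_mail_domain(domain):
    """Records for a domain that sends no mail at all (null MX per RFC 7505)."""
    return {
        "TXT %s" % domain: "v=spf1 -all",
        "TXT _dmarc.%s" % domain: "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
        "MX %s" % domain: "0 .",
    }


# Constructed sample lookups (not real DNS data).
SAMPLES = {
    "example.com": (["v=spf1 include:_spf.example.net -all"],
                    ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]),
    "example.org": (["v=spf1 include:_spf.example.net ~all"],
                    ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"]),
    "example.net": ([], []),  # registered, recognised by users, never sends mail
}

if __name__ == "__main__":
    for name, (apex, dmarc) in SAMPLES.items():
        result = assess(name, apex, dmarc)
        print(name, "enforced" if result["enforced"] else "NOT enforced", result["notes"])
        if not result["enforced"] and not apex and not dmarc:
            print("  publish:", recommend_no_mail_domain(name))
```

The softfail case is deliberately counted as enforced only together with DMARC quarantine or reject: `~all` on its own tells a receiver nothing it has to act on, which is why the DMARC policy, not the SPF qualifier, decides whether a spoofed npm-style notification gets flagged.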
ANECDOTE

GitHub Action Exploit Via PR Title Injection

  • Feross explained an NX compromise where attackers abused GitHub Actions and shell injection via PR titles to steal tokens.
  • The attackers then edited workflows to exfiltrate NPM tokens and publish malicious packages.
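The script below is an added example, not code from the episode and not the NX attackers' payload. It reproduces the mechanism rather than the incident: a GitHub Actions runner substitutes `${{ ... }}` expressions into the `run:` script text before the shell ever parses it, so a pull-request title containing shell metacharacters becomes code. Routing the same value through `env:` keeps it as data. Both variants are executed with `/bin/sh` on a constructed title whose payload is just `echo INJECTED`; the workflow snippet and the list of attacker-controlled expression paths are constructed and illustrative, not a complete list.

```python
"""Why `${{ github.event.pull_request.title }}` inside run: is shell injection."""
import os
import re
import subprocess

# Constructed PR title: closes the quoted string, runs a command, reopens it.
EVIL_TITLE = 'fix: typo"; echo INJECTED; echo "'

# Step script as it appears in the workflow file (vulnerable form).
VULNERABLE_RUN = 'echo "PR title: ${{ github.event.pull_request.title }}"'

# Hardened form: the workflow sets `env: PR_TITLE: ${{ github.event.pull_request.title }}`
# and the script only ever references the variable.
SAFE_RUN = 'echo "PR title: $PR_TITLE"'

EXPR = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")


def expand_expressions(text, context):
    """Plain textual substitution, as the runner does it: no quoting, no escaping."""
    return EXPR.sub(lambda m: context[m.group(1)], text)


def run_step(script, extra_env=None):
    """Execute a step script with /bin/sh and return its stdout lines."""
    env = dict(os.environ, **(extra_env or {}))
    proc = subprocess.run(["/bin/sh", "-c", script], capture_output=True, text=True, env=env)
    return proc.stdout.splitlines()


def vulnerable_step(title):
    context = {"github.event.pull_request.title": title}
    return run_step(expand_expressions(VULNERABLE_RUN, context))


def safe_step(title):
    context = {"github.event.pull_request.title": title}
    # env: values are expanded too, but they land in a variable, not in the script.
    env_block = {"PR_TITLE": expand_expressions("${{ github.event.pull_request.title }}", context)}
    return run_step(SAFE_RUN, env_block)


def injected(lines):
    """True if the marker command ran as its own shell command."""
    return "INJECTED" in lines


# Expression paths that a pull-request author controls (illustrative subset).
UNTRUSTED_PATHS = (
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.head_ref",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.head_commit.message",
)


def untrusted_expressions(workflow_text):
    """List every ${{ }} expression in a workflow that reads attacker-controlled data."""
    return [p for p in EXPR.findall(workflow_text) if p.startswith(UNTRUSTED_PATHS)]


# Constructed workflow snippet; pull_request_target is what gives it a token worth stealing.
SAMPLE_WORKFLOW = """\
on: pull_request_target
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: echo "PR title: ${{ github.event.pull_request.title }}"
      - run: echo "ref: ${{ github.ref }}"
"""

if __name__ == "__main__":
    print("vulnerable:", vulnerable_step(EVIL_TITLE))
    print("safe:      ", safe_step(EVIL_TITLE))
    print("review these:", untrusted_expressions(SAMPLE_WORKFLOW))
```

Every hit from `untrusted_expressions` is worth a look, not only those in `run:` lines: the same expansion happens in `with:` inputs and in composite actions, and a workflow triggered by `pull_request_target` runs with a write-capable token, so one unquoted title is enough to read secrets and edit the workflow, as described above.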