Securing the open source supply chain (Interview)

This week we’re joined by the “mad scientist” himself, Feross Aboukhadijeh…and we’re talking about the launch of Socket — the next big thing in the fight to secure and protect the open source supply chain.

While working on the frontlines of open source, Feross and team have witnessed firsthand how supply chain attacks have swept across the software community and have damaged the trust in open source. Socket turns the problem of securing open source software on its head, and asks…“What if we assume all open source may be malicious?” So, they built a system that proactively detects indicators of compromised open source packages and brings awareness to teams in real-time. We cover the whys, the hows, and what’s next for this ambitious and very much needed project.

Join the discussion

Changelog++ members get a bonus 10 minutes at the end of this episode and zero ads. Join today!

Sponsors:

• Sentry – Working code means happy customers. That’s exactly why teams choose Sentry. From error tracking to performance monitoring, Sentry helps teams see what actually matters, resolve problems quicker, and learn continuously about their applications - from the frontend to the backend. Use the code CHANGELOG and get the team plan free for three months.
• Square – Develop on the platform that sellers trust. There is a massive opportunity for developers to support Square sellers by building apps for today’s business needs. Learn more at developer.squareup.com to dive into the docs, APIs, SDKs and to create your Square Developer account — tell them Changelog sent you.
• Retool – Retool is a low-code platform built specifically for developers that makes it fast and easy to build internal tools. Instead of building internal tools from scratch, the world’s best teams, from startups to Fortune 500s, are using Retool to power their internal apps. Learn more and try it for free at retool.com/changelog
• WorkOS – A platform that gives developers a set of building blocks for quickly adding enterprise-ready features to their application. Add Single Sign-On (Okta, Azure, Google, Microsoft OAuth), sync users from any SCIM directory, HRIS integration, audit trails (SIEM), free magic link sign-in. WorkOS is designed for developers and offers a single, elegant interface that abstracts dozens of enterprise integrations. Learn more and get started at WorkOS.com

Featuring:

• Feross Aboukhadijeh – Website, GitHub, X
• Adam Stacoviak – Website, GitHub, LinkedIn, Mastodon, X
• Jerod Santo – GitHub, LinkedIn, Mastodon, X

Show Notes:

• Socket.dev
• socket.dev/npm/issue
• socket.dev/npm/lists/removed
• socket.dev/npm/package/left-pad
• socket.dev/npm/package/umbrellajs
• socket.dev/npm/package/airbnb-fejax
• Dev corrupts NPM libs ‘colors’ and ‘faker’ breaking thousands of apps
• Popular ‘coa’ NPM library hijacked to steal user passwords
• Popular NPM package UA-Parser-JS poisoned with cryptomining, password-stealing malware
• Vulnerabilities in NPM allowed threat actors to publish new version of any package
• cve.org
• browserslist.dev
• The Changelog #227: Mad science, WebTorrent, WebRTC with Feross Aboukhadijeh
• The Changelog #326: The insider perspective on the event-stream compromise with Dominic Tarr
• JS Party #185: Into the Wormhole with Feross Aboukhadijeh
• JS Party #210: What’s in your package.json? with Tobie Langel

Something missing or broken? PRs welcome!