PodRocket

Unpacking the NPM supply chain attacks with Feross Aboukhadijeh

Listen

Cast

Noel MinchowNoel MinchowFeross AboukhadijehFeross Aboukhadijeh

Description

Feross Aboukhadijeh, founder of Socket, joins us to break down the recent wave of NPM supply chain attacks hitting the JavaScript ecosystem, including how attackers used phishing to target developers, snuck malware into popular packages like Prettier and "is", and even abused tools like Claude, Gemini, and TruffleHog.

We dig into how GitHub Actions vulnerabilities were exploited, what makes postinstall scripts risky, and and what you can do to protect yourself from future attacks.

Links

Website: https://feross.org

X: https://x.com/feross

GitHub: https://github.com/feross

LinkedIn: https://www.linkedin.com/in/feross

YouTube: https://www.youtube.com/channel/UCHM4OEvQDUq8UszyUrdov-w

Resources

npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack

Compromised files replace npm packages with a combined 2 billion weekly downloads: https://www.techradar.com/pro/security/compromised-files-replace-npm-packages-with-a-combined-2-billion-weekly-downloads

Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack

Chapters

00:00 Intro: NPM supply chain attacks explained

01:10 What is a software supply chain attack?

02:00 NPM phishing campaign: Fake login pages

03:00 Prettier ecosystem compromised

04:00 The “is” package malware incident

05:30 NX package breach (August 27 attack)

06:40 AI-powered supply chain exploit

08:00 GitHub Actions misconfiguration

12:00 Lessons from recent NPM attacks

20:00 How malicious packages get published

25:00 Why install scripts are so risky

30:00 Limitations of banning install scripts

35:00 Open source maintainer challenges

40:00 Smarter approaches to dependency updates

44:00 The future of open source supply chain security

47:00 Closing thoughts and resources

We want to hear from you!

How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend?

Fill out our listener survey!

Let us know by sending an email to our producer, Elizabeth, at elizabet.becz@logrocket.com, or tweet at us at PodRocketPod.

Follow us. Get free stickers.

Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!

What does LogRocket do?

LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today.

Special Guest: Feross Aboukhadijeh.