
JavaScript Jabber

Charles M Wood

Guarding the JavaScript Supply Chain: Preventing NPM Attacks with Feross Aboukhadijeh - JSJ 695

NOV 1, 2025 · 60 MIN

Description

Hey everyone—it’s Steve Edwards here, and in this episode of JavaScript Jabber, I’m joined by returning guest Feross Aboukhadijeh, founder of Socket.dev, for a deep dive into the dark and fascinating world of open source supply chain security. From phishing campaigns targeting top NPM maintainers to the now-infamous Chalk library compromise, we unpack the latest wave of JavaScript package attacks and what developers can learn from them.

Feross explains how some hackers are even using AI tools like Claude and Gemini as part of their payloads—and how defenders like Socket are fighting back with AI-powered analysis of their own. We also dive into GitHub Actions vulnerabilities, the role of two-factor authentication, and the growing need for “phishing-resistant 2FA.” Whether you’re an open source maintainer or just someone who runs npm install a little too often, this episode will open your eyes to how much happens behind the scenes to keep your code safe.

🔗 Links & Resources

- Socket.dev (https://socket.dev) – Protect your open source dependencies
- Feross Aboukhadijeh on X (Twitter) (https://x.com/feross)
- GitHub Actions Security Best Practices (https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)
- TruffleHog Blog (https://trufflesecurity.com/blog) – On secrets exposure in Git repos

Become a supporter of this podcast: https://www.spreaker.com/podcast/javascript-jabber--6102064/support