To give you the best possible experience, this site uses cookies. Review our Privacy Policy and Terms of Service to learn more. Got it!
Search a title or topic

Over 20 million podcasts, powered by 

Player FM logo
Artwork

Tech Traci Lee
Content provided by Modern Web. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Modern Web or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://podcastplayer.com/legal.

Similar to Modern Web

Player FM - Podcast App
Go offline with the Player FM app!
Get it on App Store Get it on Google Play

Modern Web « »
How NPM Auto-Updates & Post-Install Scripts Could Hijack Your Org

36:08
 
Play
Playing
Share
 

MP3Episode home
Manage episode 511939794 series 2927306
Content provided by Modern Web. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Modern Web or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://podcastplayer.com/legal.

In this Modern Web Podcast, Rob Ocel and Danny Thompson break down the recent string of NPM supply chain attacks that have shaken the JavaScript ecosystem. They cover the NX compromise, the phishing campaign that hit libraries like Chalk, and the Shy Halood exploit, showing how small changes in dependencies can have massive effects. Along the way, they share practical defenses like using package lock and npm ci, avoiding phishing links, reviewing third party code, applying least privilege, staging deployments, and maintaining incident response plans. They also highlight vendor interventions such as Vercel blocking malicious deployments and stress why companies must support open source maintainers if the ecosystem is to remain secure.

Key Points from this Episode:

- Lock down installs. Pin versions, commit package-lock.json, use npm ci in CI, and disable scripts in CI (npm config set ignore-scripts true) to neutralize post-install attacks.

- Harden people & permissions. Phishing hygiene (never click-through emails), 2FA/hardware keys, least-privilege by default, and separate/purpose-scoped publishing accounts.

- Stage & detect early. Canary/staged deploys, feature flags, and tight observability to catch dependency drift, suspicious network egress, or monkey-patched APIs fast.

- Practice incident response. Two-hour containment target: revoke/rotate tokens, reimage affected machines, roll back artifacts, notify vendors, and run a post-mortem playbook.

Rob Ocel on Linkedin: https://www.linkedin.com/in/robocel/

Danny Thompson on Linkedin: https://www.linkedin.com/in/dthompsondev/

This Dot Labs Twitter: https://x.com/ThisDotLabs

This Dot Media Twitter: https://x.com/ThisDotMedia

This Dot Labs Instagram: https://www.instagram.com/thisdotlabs/

This Dot Labs Facebook: https://www.facebook.com/thisdot/

This Dot Labs Bluesky: https://bsky.app/profile/thisdotlabs.bsky.social

Sponsored by This Dot Labs: https://ai.thisdot.co/

  continue reading

172 episodes

#Tech #Traci Lee
Artwork

How NPM Auto-Updates & Post-Install Scripts Could Hijack Your Org

Modern Web

published

Play Playing
iconShare
 
MP3Episode home
Manage episode 511939794 series 2927306
Content provided by Modern Web. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Modern Web or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://podcastplayer.com/legal.

In this Modern Web Podcast, Rob Ocel and Danny Thompson break down the recent string of NPM supply chain attacks that have shaken the JavaScript ecosystem. They cover the NX compromise, the phishing campaign that hit libraries like Chalk, and the Shy Halood exploit, showing how small changes in dependencies can have massive effects. Along the way, they share practical defenses like using package lock and npm ci, avoiding phishing links, reviewing third party code, applying least privilege, staging deployments, and maintaining incident response plans. They also highlight vendor interventions such as Vercel blocking malicious deployments and stress why companies must support open source maintainers if the ecosystem is to remain secure.

Key Points from this Episode:

- Lock down installs. Pin versions, commit package-lock.json, use npm ci in CI, and disable scripts in CI (npm config set ignore-scripts true) to neutralize post-install attacks.

- Harden people & permissions. Phishing hygiene (never click-through emails), 2FA/hardware keys, least-privilege by default, and separate/purpose-scoped publishing accounts.

- Stage & detect early. Canary/staged deploys, feature flags, and tight observability to catch dependency drift, suspicious network egress, or monkey-patched APIs fast.

- Practice incident response. Two-hour containment target: revoke/rotate tokens, reimage affected machines, roll back artifacts, notify vendors, and run a post-mortem playbook.

Rob Ocel on Linkedin: https://www.linkedin.com/in/robocel/

Danny Thompson on Linkedin: https://www.linkedin.com/in/dthompsondev/

This Dot Labs Twitter: https://x.com/ThisDotLabs

This Dot Media Twitter: https://x.com/ThisDotMedia

This Dot Labs Instagram: https://www.instagram.com/thisdotlabs/

This Dot Labs Facebook: https://www.facebook.com/thisdot/

This Dot Labs Bluesky: https://bsky.app/profile/thisdotlabs.bsky.social

Sponsored by This Dot Labs: https://ai.thisdot.co/

  continue reading

172 episodes

#Tech #Traci Lee

All episodes

×
 
Loading …

Welcome to Player FM!

Player FM is scanning the web for high-quality podcasts for you to enjoy right now. It's the best podcast app and works on Android, iPhone, and the web. Signup to sync subscriptions across devices.

 

Similar to Modern Web

Listen to 500+ topics
Player FM - Podcast App
Go offline with the Player FM app!
Get it on App Store Get it on Google Play
icon
Help/FAQ | Advertise with Us
Arts|Business|Comedy|Economics|Entertainment|News|Politics|Religion
Science|Soccer|Sports|Storytelling|Technology|True Crime
Copyright 2025 | Privacy Policy | Terms of Service | | Copyright
Episode being played series thumbnail
icon icon
Speed
Series settings
1x
1x
Volume
100%
icon
icon icon
/

View Player FM in...
Player FM
Browser
Chrome
Safari
Firefox
Listen to this show while you explore
Play