NPM Supply Chain Attack: Active Worm Stealing Tokens, SSH Keys, and Credentials

Malicious Dependencies Aren’t an Accident

Malicious dependencies are not accidents. They are often intentionally designed to look trustworthy so developers install them without hesitation. In this episode of DevSec Station, Tanya Janca [https://tanyajanca.com] explains how attackers use typosquatting, dependency confusion, fake packages, and even AI-generated recommendations to compromise developer environments and steal credentials.  This episode is sponsored by Maze. [https://mazehq.com/devsec] You’ll learn: • how malicious packages trick developers • why dependency attacks work so well • how attackers abuse trust and speed • why “just be careful” is not an effective defense • practical ways to add safer guardrails to your development workflow Tanya walks through a realistic example of a dependency stealing AWS credentials, explains why this is a workflow problem instead of a developer failure, and shares practical steps you can take immediately to reduce risk in your own projects. One practical action from this episode: Require new dependencies to go through pull request review, and add lightweight checks that help your team verify package names and sources before installation. DevSec Station is a podcast by Tanya Janca, focused on short, practical lessons that help software developers build more secure software. Follow Tanya: • https://shehackspurple.ca [https://shehackspurple.ca ] • https://newsletter.shehackspurple.ca [https://newsletter.shehackspurple.ca] • https://linkedin.com/in/tanya-janca [https://linkedin.com/in/tanya-janca] • https://www.youtube.com/shehackspurple [https://www.youtube.com/shehackspurple] • https://TanyaJanca.com [https://www.youtube.com/shehackspurple]   This episode is sponsored by Maze. One of the biggest problems in security right now is that every vulnerability (or cloud?) scanner says everything is critical, and honestly, no one has time for that. Maze uses AI agents to investigate vulnerabilities in context, so you can focus on the issues that are actually exploitable in your environment, not just theoretically scary. Their AI agents also generate and prioritize fixes that knock out multiple vulnerabilities at once, which is honestly the kind of scaling that security teams need right now. Learn more about Maze mazehq.com/devsec [https://mazehq.com/devsec]

NPM Supply Chain Attack: Active Worm Stealing Tokens, SSH Keys, and Credentials

🚨 Emergency DevSec Station update. There’s an active npm supply chain attack happening right now. Malicious npm packages are running install scripts that quietly steal:  • SSH keys  • AWS credentials  • GitHub tokens  • Browser passwords  • Crypto wallets From there, the attack uses your npm publish token to spread into every package you maintain. That’s how this turns into a worm across the npm ecosystem. This is not theoretical. It’s already in the wild. 👉 Immediate fix:  Run  npm config set ignore-scripts true This disables install scripts and blocks the main attack path. If you work in JavaScript, Node.js, DevSecOps, or application security, take action now and tell your team. Watch the full 60-second breakdown and share this with anyone who installs npm packages. #npmSecurity #SupplyChainAttack #DevSecOps #AppSec #JavaScriptSecurity #CyberSecurityAlert

How Modern Supply Chain Attacks Really Happen (Step-by-Step Breakdown for Developers)

What if a supply chain attack didn’t start with a complex exploit… but something completely normal? A typo.  A copy-paste.  Even an AI suggestion. In this episode, Tanya Janca breaks down how modern supply chain attacks actually happen inside everyday developer workflows. These attacks aren’t one big moment. They’re a series of small, reasonable decisions that quietly introduce risk. You’ll learn:  • Why supply chain attacks are a process, not a single event  • How attackers exploit normal developer behavior  • A simple, step-by-step example of a real attack path  • Why traditional SCA tools often miss real risk  • How to focus on what actually matters 👉 If you do one thing this week:  Run your SCA tool with reachability enabled and fix one real issue. That’s how you start reducing risk. If you work in DevSecOps, application security, or software development, you need to understand this. #SupplyChainSecurity #DevSecOps #AppSec #SecureCoding #SoftwareSecurity #CyberSecurity

Developers Are Now Targets: How Supply Chain Attacks Actually Reach You

Developers are no longer just building software.  They’re being targeted directly. In this episode, Tanya Janca explains how supply chain attacks reach developers through everyday tools, packages, and workflows. These attacks don’t feel like attacks at first. They look like normal development work until it’s too late. You’ll learn:  • How supply chain attacks reach individual developers  • Why developer environments are now high-value targets  • Where risk shows up in daily workflows  • Simple ways to protect yourself without slowing down If you work in JavaScript, DevSecOps, or application security, this shift matters. 👉 Start by reviewing what you install, what runs during install, and what your tools are actually doing behind the scenes. #SupplyChainSecurity #DevSecOps #AppSec #SecureCoding #SoftwareSecurity #DeveloperSecurity