Front-End Fire

npm’s Biggest Supply Chain Attack (and What We Learned)

Sep 15, 2025
Dive into the latest enhancements from Storybook 10, showcasing impressive performance and new testing tools. Uncover the startling details of a major supply chain attack on npm that was triggered by a phishing email. Explore the alarming security vulnerability found in the AI browser Comet, which raises crucial data privacy concerns. Enjoy humorous anecdotes about audio technology innovations and the tech industry reflected in 'Silicon Valley,' while the hosts engage with their community and address your listener queries.
INSIGHT

Small Packages Can Break Big Ecosystems

  • The npm ecosystem's deep dependency trees turn the compromise of a single maintainer into a systemic risk: one hijacked account can ship malicious versions of every package that maintainer publishes.
  • Even small, old packages (like simple-swizzle) can reach millions of installs through transitive dependencies and become critical attack vectors.
ADVICE

Regenerate Locks And Harden Releases

  • If you installed or updated packages during the attack window, delete node_modules, regenerate your lockfile, and reinstall so that every dependency resolves to a clean version rather than a pinned malicious one.
  • Audit high-impact packages in your tree (including nested copies) and enable stricter release controls for widely used modules.
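The two pieces of advice above amount to a lockfile audit: find every installed copy of an affected package, including nested duplicates deep in the tree, and flag anything that was published inside the attack window. The script below is an added example, not code from the podcast or from npm; the lockfile, the package names, the compromised versions, the publish times and the attack window are all constructed for illustration and are not a real advisory.

```javascript
// Added example: audit a package-lock.json for compromised dependency versions
// and for versions published inside an attack window. Everything below
// (lockfile, package names, versions, dates) is constructed sample data.

// Constructed package-lock.json (lockfileVersion 3 layout). Keys under
// "packages" are install paths, so a nested copy of a dependency appears as
// node_modules/<parent>/node_modules/<child>.
const LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-cli": "^2.0.0" } },
    "node_modules/example-cli": { version: "2.1.0" },
    "node_modules/example-color": { version: "1.4.2" },
    // Older nested copy pulled in transitively by example-cli.
    "node_modules/example-cli/node_modules/example-color": { version: "1.3.0" },
    "node_modules/example-swizzle": { version: "0.2.3" },
  },
};

// Hypothetical advisory: exact versions published from the hijacked account.
const COMPROMISED = {
  "example-color": new Set(["1.4.2"]),
  "example-swizzle": new Set(["0.2.3"]),
};

// Hypothetical attack window and publish times, in the shape the registry
// exposes them in a packument's "time" field (constructed values).
const WINDOW = { start: "2025-09-08T13:00:00.000Z", end: "2025-09-08T15:30:00.000Z" };
const PACKUMENT_TIMES = {
  "example-cli": { "2.1.0": "2025-06-01T08:00:00.000Z" },
  "example-color": { "1.3.0": "2024-11-02T10:00:00.000Z", "1.4.2": "2025-09-08T13:17:00.000Z" },
  "example-swizzle": { "0.2.3": "2025-09-08T13:20:00.000Z" },
};

// Package name from a lockfile install path: the segment after the last
// "node_modules/". This keeps scoped names (@scope/name) intact.
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Walk every installed copy in the lockfile, nested duplicates included, and
// return the entries whose exact version is on the compromised list.
function findCompromised(lock, compromised) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(lockPath);
    if (!name || !entry.version) continue;
    const bad = compromised[name];
    if (bad && bad.has(entry.version)) {
      hits.push({ path: lockPath, name, version: entry.version });
    }
  }
  return hits;
}

// Broader check: flag any locked version published inside the attack window,
// whether or not an advisory has enumerated it yet.
function publishedInWindow(lock, times, window) {
  const start = Date.parse(window.start);
  const end = Date.parse(window.end);
  const flagged = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(lockPath);
    if (!name || !entry.version) continue;
    const published = times[name] && times[name][entry.version];
    if (!published) continue;
    const t = Date.parse(published);
    if (t >= start && t <= end) {
      flagged.push({ path: lockPath, name, version: entry.version, published });
    }
  }
  return flagged;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("known-compromised:", findCompromised(LOCK, COMPROMISED));
  console.log("published in window:", publishedInWindow(LOCK, PACKUMENT_TIMES, WINDOW));
}
```

Against a real project you would read package-lock.json from disk and fetch each packument's `time` map from the registry instead of the constructed tables; the walk over `packages` is the part that matters, because a clean top-level copy says nothing about the older or newer copy nested under another dependency. Once the audit is clean, remove node_modules and the lockfile and reinstall so that resolution is redone from scratch.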
ANECDOTE

AI Browser Followed Hidden Web Instructions

  • Brave tested Comet (Perplexity's AI browser) and found that its agent sometimes follows instructions embedded in webpage text, including text the user cannot see, such as white-on-white.
  • In their test scenarios that behavior could be chained: the agent visits attacker-chosen sites and scrapes OTPs from accounts the user is already logged into.