Changelog Master Feed npm under siege (what to do about it) (Changelog & Friends #111)
Oct 3, 2025
Feross Aboukhadijeh, a security researcher and founder of Socket, dives into the alarming rise of supply chain attacks in the npm ecosystem. He discusses recent phishing campaigns, account takeovers, and the innovative ways attackers exploit vulnerabilities. The conversation highlights practical defenses for developers, like avoiding pull_request_target and implementing publish delays. Feross also unveils Socket's new GitHub Actions scanning features and emphasizes the ongoing threat of typosquatting, advocating for a balanced approach to open publishing and security.
AI Snips
Chapters
Transcript
Episode notes
Revoke And Expunge Leaked Secrets
- If you accidentally commit a secret, immediately revoke it and then expunge history via GitHub support.
- Force‑pushing alone doesn't guarantee erasure; contact support to remove cached commit hashes.
Scan GitHub Actions Like Dependencies
- Scan reusable GitHub Actions and their dependency tree like any external package.
- Treat Actions as a supply chain and add scanning for those reusable components.
Vendor Stable Small Dependencies
- Consider vendoring stable, rarely changed dependencies into your repo to remove external risk.
- Inlining unchanged utility packages reduces runtime supply‑chain exposure for critical systems.