Blocking Software Supply Chain Attacks with Feross Aboukhadijeh

What It Covers

Feross Aboukhadijeh, founder of Socket, discusses open source supply chain attacks where malicious actors compromise popular packages to spread malware. He covers detection methods, security practices, and how attackers exploit dependencies downloaded millions of times weekly.

Key Questions Answered

• •Lock file implementation: Use package manager lock files to freeze exact dependency versions across the entire tree, not just direct dependencies. Pinning only direct dependencies leaves transitive dependencies vulnerable to pulling latest malicious versions at install time.
• •Detection timeline problem: Research shows malicious packages remain undetected for 200+ days on average before community discovery. Attackers exploit the false assumption that open source code gets vetted by others, when shockingly few developers actually review dependency source code before installation.
• •Install script exploitation: NPM install scripts automatically execute code during package installation and appear in nearly all malware attacks. PNPM now restricts these by default, requiring explicit user permission since legitimate uses are rare enough to warrant manual approval without significant friction.
• •AI hallucination attacks: Large language models hallucinate nonexistent package names when generating code. Attackers run LLMs repeatedly to collect these hallucinated names, then register them on package registries to achieve remote code execution when AI tools install the fake dependencies.