In early September 2025, NPM experienced its biggest supply chain attack. Around 20 widely used packages were compromised, and the attacker managed to steal some cryptocurrency before the attack was detected. This attack wasn't the last.
In this talk, we're going to go through what the attacker did and how we can prevent it.
We'll discuss the following, among others:
How to choose NPM packages,
NPM Audit,
SBOMs and how to generate them,
CVEs and how to detect them,
Extra tips for package maintainers.
Prerequisites
Knowing what NPM is.
Learning objectives
Understand how the September 2025 NPM supply chain attack unfolded and what techniques the attacker used.
Learn practical strategies to evaluate and select NPM packages with security in mind.
Apply tools like npm audit, SBOM generation, and CVE scanning to detect vulnerabilities in dependencies.
Recognize common pitfalls in dependency management and supply chain security, and how to mitigate them.