Nicholas Zakas
Podcast Appearances
Yeah, thanks for having me.
I think thanks for having me back.
I think I've been here before.
Yeah, that's a good question.
I think it might help to talk a little bit about 2025 and what was going on with NPM then, and then we can jump off from there.
So in September alone, there were 500 packages that were compromised on NPM.
Never mind the rest of the year, just 500 packages in that one month.
And those attacks didn't really look any different than any of the attacks that we've seen before, which was basically like somebody steals some credentials one way or another.
They start publishing compromised packages and they usually add like a pre-install or a post-install script that executes the malicious code.
And then they publish that to the registry and they just wait for people to download it.
And then as it downloads and that pre-install or post-install script runs, like that's when the trouble starts happening.
And we've seen a bunch of different iterations of this.
Sometimes it just is like looking to steal crypto.
Other times it's looking for secrets.
I mean, that was one of the big things last year: running TruffleHog to discover secrets on the user's machine and then using those secrets to propagate itself.
And I think that we're pretty lucky so far that the damage caused by these packages has been pretty minimal.
I think one person lost like $500 in crypto or something like that.
But it was getting to the point where, to me, it's looking a lot like somebody, or a bunch of somebodies, are trying to figure out how to get packages into NPM that will get distributed as quickly as possible to do something that is a lot more damaging than what we've seen so far.
And that was basically what led me to stop and think about what's actually going on with npm, what could change, and, I think, more like: what could the next attack look like if things don't change?
And from a maintainer's perspective as well, right? Because you're looking at it from the lens of somebody who's maintaining highly used open source projects over the course of forever, right?