Defense Against the Dark Arts: NPM Attack
A deep dive into the September 2025 NPM supply chain attack—one of the largest in history—and how to defend your enterprise JavaScript applications.

At enterJS 2026, I will be presenting "Defense Against the Dark Arts: NPM Attack", a session dedicated to understanding and preventing supply chain compromises in the JavaScript ecosystem.
We will analyze the techniques used in the devastating September 2025 NPM attack, which compromised dozens of high-profile packages. More importantly, we'll discuss actionable defense strategies.
What you will learn:
- 🧠 Anatomy of an Attack: How 18+ libraries (including Chalk and Debug) were compromised simultaneously.
- 🛡️ Proactive Defense: Practical strategies for evaluating and selecting NPM packages with a security-first mindset.
- 🧰 Tooling & Workflows: Implementing npm audit, SBOM generation, and automated CVE scanning in your CI/CD pipeline.
- 🤝 Maintainer Best Practices: How to protect your own packages and contribute to a safer ecosystem.
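As an added illustration of the "Tooling & Workflows" item (this is example code written for this page, not material from the talk or its author), the Node script below is a CI gate that consumes the JSON report produced by `npm audit --json` and a `package-lock.json`, and fails the build when a vulnerability at or above a chosen severity is present or when a locked dependency lacks an integrity hash or was resolved from somewhere other than the expected registry. The field layout assumed for the audit report (`auditReportVersion: 2`, a `vulnerabilities` map keyed by package name) and for the lockfile (`lockfileVersion: 3`, a `packages` map) follows npm 7+ as I understand it; the package names, hashes and URLs in the sample inputs are constructed so the script runs offline.

```javascript
// Added example: a CI gate over `npm audit --json` output and package-lock.json.
// Sample inputs below are constructed; no network access is needed.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Decide whether an npm audit v2 report passes a severity threshold.
// Returns { ok, findings }, where findings lists every package at or above it.
function auditGate(report, threshold = 'high') {
  const minRank = SEVERITY_RANK[threshold];
  if (minRank === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const findings = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const rank = SEVERITY_RANK[vuln.severity] ?? 0;
    if (rank >= minRank) {
      findings.push({
        name,
        severity: vuln.severity,
        range: vuln.range,
        fixAvailable: Boolean(vuln.fixAvailable),
      });
    }
  }
  return { ok: findings.length === 0, findings };
}

// Check a lockfileVersion 2/3 package-lock: every non-root, non-link package
// must carry an `integrity` hash and be resolved from the expected registry host.
function lockfileGate(lock, registryHost = 'registry.npmjs.org') {
  const problems = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === '') continue;   // root project entry, nothing to verify
    if (pkg.link) continue;      // workspace symlink, nothing to verify
    if (!pkg.integrity) problems.push(`${path}: missing integrity hash`);
    let host = null;
    try { host = new URL(pkg.resolved || '').host; } catch { host = null; }
    if (host !== registryHost) problems.push(`${path}: resolved from ${pkg.resolved || '(none)'}`);
  }
  return { ok: problems.length === 0, problems };
}

// Run both gates; a CI step would exit non-zero when `ok` is false.
function runGates(audit, lock, threshold = 'high') {
  const auditResult = auditGate(audit, threshold);
  const lockResult = lockfileGate(lock);
  return { ok: auditResult.ok && lockResult.ok, audit: auditResult, lock: lockResult };
}

// --- constructed sample inputs (shape follows npm audit v2 / lockfile v3) ---
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-low-lib': { name: 'example-low-lib', severity: 'low', range: '<1.2.0', fixAvailable: true },
    'example-high-lib': { name: 'example-high-lib', severity: 'high', range: '<=4.0.1', fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0, total: 2 } },
};

const sampleLock = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/example-ok': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/example-ok/-/example-ok-2.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER-CONSTRUCTED-HASH',
    },
    'node_modules/example-unpinned': {
      version: '0.1.0',
      resolved: 'https://mirror.example.invalid/example-unpinned-0.1.0.tgz',
      // no integrity field: this entry should be flagged
    },
  },
};

const result = runGates(sampleAudit, sampleLock, 'high');
console.log(JSON.stringify(result, null, 2));
```

In a pipeline you would feed the script the real files (`npm audit --json > audit.json`, the checked-in `package-lock.json`) and set a non-zero exit code when `ok` is false; the sample run above fails on purpose, reporting one high-severity finding and two lockfile problems for the unpinned entry.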
This talk combines technical analysis with live demonstrations of the tools that can help you build a verifiable, trusted software supply chain.
Invite Me to Speak
Available for conferences, workshops, corporate training, and meetups. I can present remotely or travel to your event.