web02.fireside.fm Tue, 21 Apr 2026 20:17:32 -0500 Fireside (https://fireside.fm) PodRocket - Episodes Tagged with “Security” https://podrocket.logrocket.com/tags/security Tue, 16 Dec 2025 08:00:00 -0500 PodRocket covers everything you need to know about frontend web development on a weekly basis. Join our hosts as they interview experienced developers about all the libraries, frameworks, and tech industry issues they deal with every day. en-us episodic A web development podcast from LogRocket LogRocket PodRocket covers everything you need to know about frontend web development on a weekly basis. Join our hosts as they interview experienced developers about all the libraries, frameworks, and tech industry issues they deal with every day. no front-end, web development, front-end development, frontend development, tech, LogRocket elizabeth.becz@logrocket.com React got hacked with David Mytton http://podrocket.logrocket.com/react2shell-javascript-security-wake-up-call-david-mytton 7c2d0dc8-3318-4c56-a5c6-6f82972df765 Tue, 16 Dec 2025 08:00:00 -0500 LogRocket full LogRocket In this episode, Noel sits down with David Mytton, founder and CEO of Arcjet, to unpack the React2Shell vulnerability and why it became such a serious remote code execution risk for apps using React server components and Next.js. They explain how server-side features introduced in React 19 changed the attack surface, why cloud providers leaned on WAF mitigation instead of instant patching, and what this incident reveals about modern JavaScript supply chain risk. The conversation also covers dependency sprawl, rushed patches, and why security as a feature needs to start long before production. 37:54 no In this episode, Noel sits down with David Mytton, founder and CEO of Arcjet, to unpack the React2Shell vulnerability and why it became such a serious remote code execution risk for apps using React server components and Next.js. They explain how server-side features introduced in React 19 changed the attack surface, why cloud providers leaned on WAF mitigation instead of instant patching, and what this incident reveals about modern JavaScript supply chain risk. The conversation also covers dependency sprawl, rushed patches, and why security as a feature needs to start long before production. Links X: https://x.com/davidmytton Blog: https://davidmytton.blog Resources Multiple Threat Actors Exploit React2Shell: https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182 We want to hear from you! How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend? Fill out our listener survey (https://t.co/oKVAEXipxu)! https://t.co/oKVAEXipxu Let us know by sending an email to our producer, Elizabeth, at elizabeth.becz@logrocket.com (mailto:elizabeth.becz@logrocket.com), or tweet at us at PodRocketPod (https://twitter.com/PodRocketpod). Check out our newsletter (https://blog.logrocket.com/the-replay-newsletter/)! https://blog.logrocket.com/the-replay-newsletter/ Follow us. Get free stickers. Follow us on Apple Podcasts, fill out this form (https://podrocket.logrocket.com/get-podrocket-stickers), and we’ll send you free PodRocket stickers! What does LogRocket do? LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today. (https://logrocket.com/signup/?pdr) Chapters React to Shell vulnerability, React2Shell, React2Shell vulnerability, Reactor Shell vulnerability, React security, React 19, Next.js security, Next.js 15, Next.js 14, Next.js 13, React server components, server functions, server actions, remote code execution, environment variables, crypto miners, data exfiltration, internal infrastructure requests, web application firewall, WAF mitigation, supply chain issues, npm supply chain attacks, Shai-Hulud attacks, dependency tree explosion, dependency updates, semantic versioning, npm install scripts, npm ci, package-lock, GitHub security alerts, Socket security tool, Vercel, Netlify, AWS, Google Cloud, Cloudflare, runtime mitigations, bug bounty program, dev containers, password manager secrets, outbound firewall, secure by design, security as a feature In this episode, Noel sits down with David Mytton, founder and CEO of Arcjet, to unpack the React2Shell vulnerability and why it became such a serious remote code execution risk for apps using React server components and Next.js. They explain how server-side features introduced in React 19 changed the attack surface, why cloud providers leaned on WAF mitigation instead of instant patching, and what this incident reveals about modern JavaScript supply chain risk. The conversation also covers dependency sprawl, rushed patches, and why security as a feature needs to start long before production.

Links

X: https://x.com/davidmytton
Blog: https://davidmytton.blog

Resources

Multiple Threat Actors Exploit React2Shell: https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182

We want to hear from you!

How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend?

Fill out our listener survey! https://t.co/oKVAEXipxu

Let us know by sending an email to our producer, Elizabeth, at elizabeth.becz@logrocket.com, or tweet at us at PodRocketPod.

Check out our newsletter! https://blog.logrocket.com/the-replay-newsletter/

Follow us. Get free stickers.

Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!

What does LogRocket do?

LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today.

Chapters

]]> In this episode, Noel sits down with David Mytton, founder and CEO of Arcjet, to unpack the React2Shell vulnerability and why it became such a serious remote code execution risk for apps using React server components and Next.js. They explain how server-side features introduced in React 19 changed the attack surface, why cloud providers leaned on WAF mitigation instead of instant patching, and what this incident reveals about modern JavaScript supply chain risk. The conversation also covers dependency sprawl, rushed patches, and why security as a feature needs to start long before production.

Links

X: https://x.com/davidmytton
Blog: https://davidmytton.blog

Resources

Multiple Threat Actors Exploit React2Shell: https://cloud.google.com/blog/topics/threat-intelligence/threat-actors-exploit-react2shell-cve-2025-55182

We want to hear from you!

How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend?

Fill out our listener survey! https://t.co/oKVAEXipxu

Let us know by sending an email to our producer, Elizabeth, at elizabeth.becz@logrocket.com, or tweet at us at PodRocketPod.

Check out our newsletter! https://blog.logrocket.com/the-replay-newsletter/

Follow us. Get free stickers.

Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!

What does LogRocket do?

LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today.

Chapters

]]> Google’s antitrust win, AI mandates, npm attacks and robots.txt http://podrocket.logrocket.com/googles-antitrust-win-ai-mandates-npm-attacks-robots-txt 94e1df24-d1a0-4ea1-983d-0b3085486c50 Thu, 25 Sep 2025 08:00:00 -0400 LogRocket full LogRocket Is the web breaking under the weight of AI crawlers, platform consolidation, and nonstop security breaches? We dive into the state of browsers, developer burnout, and whether tech regulation can actually keep up. In this panel discussion: * We debate if robots.txt and AI licensing standards like RSL can realistically control how AI scrapes the web. * The fallout from DIA’s acquisition by Atlassian and what it means for indie browser innovation in a Chromium-dominated world. * Why Google’s antitrust victory might embolden other tech giants, and what that means for competition. * How supply chain attacks like the NPM malware and Shai Hulud worm are exploiting GitHub workflows and package vulnerabilities. * The pushback against AI mandates at work, including Coinbase’s controversial policy requiring developers to use Copilot. 41:10 no Is the web breaking under the weight of AI crawlers, platform consolidation, and nonstop security breaches? We dive into the state of browsers, developer burnout, and whether tech regulation can actually keep up. In this panel discussion: We debate if robots.txt and AI licensing standards like RSL can realistically control how AI scrapes the web. The fallout from DIA’s acquisition by Atlassian and what it means for indie browser innovation (like the Helium browser, Zen) in a Chromium-dominated world. Why Google’s antitrust victory might embolden other tech giants, and what that means for competition. How supply chain attacks like the NPM malware and Shai Hulud worm are exploiting GitHub workflows and package vulnerabilities. The pushback against AI mandates at work, including Coinbase’s controversial policy requiring developers to use Copilot. Resources Inside the battle for the future of the web: https://www.businessinsider.com/google-microsoft-openai-fight-standards-limit-ai-access-websites-2025-9 The web has a new system for making AI companies pay up: https://www.theverge.com/news/775072/rsl-standard-licensing-ai-publishing-reddit-yahoo-medium The Browser Company, maker of Arc and Dia, is being acquired: https://www.theverge.com/web/770947/browser-company-arc-dia-acquired-atlassian Google stock jumps 8% after search giant avoids worst-case penalties in antitrust case: https://www.cnbc.com/2025/09/02/google-antitrust-search-ruling.html Massive data breach sees 16 million PayPal accounts leaked online - here's what we know, and how to stay safe:https://www.techradar.com/pro/massive-data-breach-sees-16-million-paypal-accounts-leaked-online-heres-what-we-know-and-how-to-stay-safe PayPal’s Glitch Puts €10 Billion on Ice Across European Banks: https://fintechnews.ch/payments/paypal-glitch-freezes-european-banks-10-billion-transactions/77974/ npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack Compromised files replace npm packages with a combined 2 billion weekly downloads: https://www.techradar.com/pro/security/compromised-files-replace-npm-packages-with-a-combined-2-billion-weekly-downloads Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack Coinbase CEO explains why he fired engineers who didn’t try AI immediately: https://techcrunch.com/2025/08/22/coinbase-ceo-explains-why-he-fired-engineers-who-didnt-try-ai-immediately/ Chapters We want to hear from you! How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend? Fill out our listener survey (https://t.co/oKVAEXipxu)! Let us know by sending an email to our producer, Elizabeth, at elizabet.becz@logrocket.com (mailto:elizabeth.becz@logrocket.com), or tweet at us at PodRocketPod (https://twitter.com/PodRocketpod). Follow us. Get free stickers. Follow us on Apple Podcasts, fill out this form (https://podrocket.logrocket.com/get-podrocket-stickers), and we’ll send you free PodRocket stickers! What does LogRocket do? LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today. (https://logrocket.com/signup/?pdr) Helium browser, AI training crawlers, robots.txt enforcement, AI content licensing, browser consolidation, DIA acquisition Atlassian, indie browser innovation, Ladybird browser, chromium dominance, Google antitrust ruling, tech regulation limits, platform consolidation, supply chain attacks, NPM malware, debug chalk breach, Shy Ude worm, GitHub secrets exfiltration, developer burnout AI, AI usage mandates, Coinbase AI coding, post-install script vulnerability, digital security breaches 2025, web security awareness Is the web breaking under the weight of AI crawlers, platform consolidation, and nonstop security breaches? We dive into the state of browsers, developer burnout, and whether tech regulation can actually keep up.

In this panel discussion:

  • We debate if robots.txt and AI licensing standards like RSL can realistically control how AI scrapes the web.
  • The fallout from DIA’s acquisition by Atlassian and what it means for indie browser innovation (like the Helium browser, Zen) in a Chromium-dominated world.
  • Why Google’s antitrust victory might embolden other tech giants, and what that means for competition.
  • How supply chain attacks like the NPM malware and Shai Hulud worm are exploiting GitHub workflows and package vulnerabilities.
  • The pushback against AI mandates at work, including Coinbase’s controversial policy requiring developers to use Copilot.

Resources

Inside the battle for the future of the web: https://www.businessinsider.com/google-microsoft-openai-fight-standards-limit-ai-access-websites-2025-9

The web has a new system for making AI companies pay up: https://www.theverge.com/news/775072/rsl-standard-licensing-ai-publishing-reddit-yahoo-medium

The Browser Company, maker of Arc and Dia, is being acquired: https://www.theverge.com/web/770947/browser-company-arc-dia-acquired-atlassian

Google stock jumps 8% after search giant avoids worst-case penalties in antitrust case: https://www.cnbc.com/2025/09/02/google-antitrust-search-ruling.html

Massive data breach sees 16 million PayPal accounts leaked online - here's what we know, and how to stay safe:https://www.techradar.com/pro/massive-data-breach-sees-16-million-paypal-accounts-leaked-online-heres-what-we-know-and-how-to-stay-safe

PayPal’s Glitch Puts €10 Billion on Ice Across European Banks: https://fintechnews.ch/payments/paypal-glitch-freezes-european-banks-10-billion-transactions/77974/

npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack

Compromised files replace npm packages with a combined 2 billion weekly downloads: https://www.techradar.com/pro/security/compromised-files-replace-npm-packages-with-a-combined-2-billion-weekly-downloads

Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack

Coinbase CEO explains why he fired engineers who didn’t try AI immediately: https://techcrunch.com/2025/08/22/coinbase-ceo-explains-why-he-fired-engineers-who-didnt-try-ai-immediately/

Chapters

We want to hear from you!

How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend?

Fill out our listener survey!
Let us know by sending an email to our producer, Elizabeth, at elizabet.becz@logrocket.com, or tweet at us at PodRocketPod.

Follow us. Get free stickers.

Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!

What does LogRocket do?

LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today.

]]> Is the web breaking under the weight of AI crawlers, platform consolidation, and nonstop security breaches? We dive into the state of browsers, developer burnout, and whether tech regulation can actually keep up.

In this panel discussion:

  • We debate if robots.txt and AI licensing standards like RSL can realistically control how AI scrapes the web.
  • The fallout from DIA’s acquisition by Atlassian and what it means for indie browser innovation (like the Helium browser, Zen) in a Chromium-dominated world.
  • Why Google’s antitrust victory might embolden other tech giants, and what that means for competition.
  • How supply chain attacks like the NPM malware and Shai Hulud worm are exploiting GitHub workflows and package vulnerabilities.
  • The pushback against AI mandates at work, including Coinbase’s controversial policy requiring developers to use Copilot.

Resources

Inside the battle for the future of the web: https://www.businessinsider.com/google-microsoft-openai-fight-standards-limit-ai-access-websites-2025-9

The web has a new system for making AI companies pay up: https://www.theverge.com/news/775072/rsl-standard-licensing-ai-publishing-reddit-yahoo-medium

The Browser Company, maker of Arc and Dia, is being acquired: https://www.theverge.com/web/770947/browser-company-arc-dia-acquired-atlassian

Google stock jumps 8% after search giant avoids worst-case penalties in antitrust case: https://www.cnbc.com/2025/09/02/google-antitrust-search-ruling.html

Massive data breach sees 16 million PayPal accounts leaked online - here's what we know, and how to stay safe:https://www.techradar.com/pro/massive-data-breach-sees-16-million-paypal-accounts-leaked-online-heres-what-we-know-and-how-to-stay-safe

PayPal’s Glitch Puts €10 Billion on Ice Across European Banks: https://fintechnews.ch/payments/paypal-glitch-freezes-european-banks-10-billion-transactions/77974/

npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack

Compromised files replace npm packages with a combined 2 billion weekly downloads: https://www.techradar.com/pro/security/compromised-files-replace-npm-packages-with-a-combined-2-billion-weekly-downloads

Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack

Coinbase CEO explains why he fired engineers who didn’t try AI immediately: https://techcrunch.com/2025/08/22/coinbase-ceo-explains-why-he-fired-engineers-who-didnt-try-ai-immediately/

Chapters

We want to hear from you!

How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend?

Fill out our listener survey!
Let us know by sending an email to our producer, Elizabeth, at elizabet.becz@logrocket.com, or tweet at us at PodRocketPod.

Follow us. Get free stickers.

Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!

What does LogRocket do?

LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today.

]]> Unpacking the NPM supply chain attacks with Feross Aboukhadijeh http://podrocket.logrocket.com/unpacking-npm-supply-chain-attacks-feross-aboukhadijeh aa347acf-4511-4eba-a082-f865dc8e8948 Tue, 23 Sep 2025 08:00:00 -0400 LogRocket full LogRocket Feross Aboukhadijeh, founder of Socket, joins us to break down the recent wave of NPM supply chain attacks hitting the JavaScript ecosystem, including how attackers used phishing to target developers, snuck malware into popular packages like Prettier and "is", and even abused tools like Claude, Gemini, and TruffleHog. We dig into how GitHub Actions vulnerabilities were exploited, what makes postinstall scripts risky, and and what you can do to protect yourself from future attacks. 40:09 no Feross Aboukhadijeh, founder of Socket, joins us to break down the recent wave of NPM supply chain attacks hitting the JavaScript ecosystem, including how attackers used phishing to target developers, snuck malware into popular packages like Prettier and "is", and even abused tools like Claude, Gemini, and TruffleHog. We dig into how GitHub Actions vulnerabilities were exploited, what makes postinstall scripts risky, and and what you can do to protect yourself from future attacks. Links Website: https://feross.org X: https://x.com/feross GitHub: https://github.com/feross LinkedIn: https://www.linkedin.com/in/feross YouTube: https://www.youtube.com/channel/UCHM4OEvQDUq8UszyUrdov-w Resources npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack Compromised files replace npm packages with a combined 2 billion weekly downloads: https://www.techradar.com/pro/security/compromised-files-replace-npm-packages-with-a-combined-2-billion-weekly-downloads Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack Chapters 00:00 Intro: NPM supply chain attacks explained 01:10 What is a software supply chain attack? 02:00 NPM phishing campaign: Fake login pages 03:00 Prettier ecosystem compromised 04:00 The “is” package malware incident 05:30 NX package breach (August 27 attack) 06:40 AI-powered supply chain exploit 08:00 GitHub Actions misconfiguration 12:00 Lessons from recent NPM attacks 20:00 How malicious packages get published 25:00 Why install scripts are so risky 30:00 Limitations of banning install scripts 35:00 Open source maintainer challenges 40:00 Smarter approaches to dependency updates 44:00 The future of open source supply chain security 47:00 Closing thoughts and resources We want to hear from you! How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend? Fill out our listener survey (https://t.co/oKVAEXipxu)! Let us know by sending an email to our producer, Elizabeth, at elizabet.becz@logrocket.com (mailto:elizabeth.becz@logrocket.com), or tweet at us at PodRocketPod (https://twitter.com/PodRocketpod). Follow us. Get free stickers. Follow us on Apple Podcasts, fill out this form (https://podrocket.logrocket.com/get-podrocket-stickers), and we’ll send you free PodRocket stickers! What does LogRocket do? LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today. (https://logrocket.com/signup/?pdr) Special Guest: Feross Aboukhadijeh. NPM supply chain attacks, JavaScript ecosystem security, phishing npm credentials, prettier package hack, is package malware, nx build system attack, GitHub Actions vulnerability, Claude and Gemini exploited, trufflehog misuse, crypto wallet drainer, Levenshtein address spoofing, socket malware detection, install scripts NPM, postinstall malware, open source security, AI in security, typo squat packages, package worm propagation, secure software development, dependency vetting tools Feross Aboukhadijeh, founder of Socket, joins us to break down the recent wave of NPM supply chain attacks hitting the JavaScript ecosystem, including how attackers used phishing to target developers, snuck malware into popular packages like Prettier and "is", and even abused tools like Claude, Gemini, and TruffleHog.
We dig into how GitHub Actions vulnerabilities were exploited, what makes postinstall scripts risky, and and what you can do to protect yourself from future attacks.

Links

Website: https://feross.org
X: https://x.com/feross
GitHub: https://github.com/feross
LinkedIn: https://www.linkedin.com/in/feross
YouTube: https://www.youtube.com/channel/UCHM4OEvQDUq8UszyUrdov-w

Resources

npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
Compromised files replace npm packages with a combined 2 billion weekly downloads: https://www.techradar.com/pro/security/compromised-files-replace-npm-packages-with-a-combined-2-billion-weekly-downloads
Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack

Chapters

00:00 Intro: NPM supply chain attacks explained
01:10 What is a software supply chain attack?
02:00 NPM phishing campaign: Fake login pages
03:00 Prettier ecosystem compromised
04:00 The “is” package malware incident
05:30 NX package breach (August 27 attack)
06:40 AI-powered supply chain exploit
08:00 GitHub Actions misconfiguration
12:00 Lessons from recent NPM attacks
20:00 How malicious packages get published
25:00 Why install scripts are so risky
30:00 Limitations of banning install scripts
35:00 Open source maintainer challenges
40:00 Smarter approaches to dependency updates
44:00 The future of open source supply chain security
47:00 Closing thoughts and resources

We want to hear from you!

How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend?

Fill out our listener survey!
Let us know by sending an email to our producer, Elizabeth, at elizabet.becz@logrocket.com, or tweet at us at PodRocketPod.

Follow us. Get free stickers.

Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!

What does LogRocket do?

LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today.

Special Guest: Feross Aboukhadijeh.

]]> Feross Aboukhadijeh, founder of Socket, joins us to break down the recent wave of NPM supply chain attacks hitting the JavaScript ecosystem, including how attackers used phishing to target developers, snuck malware into popular packages like Prettier and "is", and even abused tools like Claude, Gemini, and TruffleHog.
We dig into how GitHub Actions vulnerabilities were exploited, what makes postinstall scripts risky, and and what you can do to protect yourself from future attacks.

Links

Website: https://feross.org
X: https://x.com/feross
GitHub: https://github.com/feross
LinkedIn: https://www.linkedin.com/in/feross
YouTube: https://www.youtube.com/channel/UCHM4OEvQDUq8UszyUrdov-w

Resources

npm Author Qix Compromised via Phishing Email in Major Supply Chain Attack: https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
Compromised files replace npm packages with a combined 2 billion weekly downloads: https://www.techradar.com/pro/security/compromised-files-replace-npm-packages-with-a-combined-2-billion-weekly-downloads
Shai-Hulud: Ongoing Package Supply Chain Worm Delivering Data-Stealing Malware: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack

Chapters

00:00 Intro: NPM supply chain attacks explained
01:10 What is a software supply chain attack?
02:00 NPM phishing campaign: Fake login pages
03:00 Prettier ecosystem compromised
04:00 The “is” package malware incident
05:30 NX package breach (August 27 attack)
06:40 AI-powered supply chain exploit
08:00 GitHub Actions misconfiguration
12:00 Lessons from recent NPM attacks
20:00 How malicious packages get published
25:00 Why install scripts are so risky
30:00 Limitations of banning install scripts
35:00 Open source maintainer challenges
40:00 Smarter approaches to dependency updates
44:00 The future of open source supply chain security
47:00 Closing thoughts and resources

We want to hear from you!

How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend?

Fill out our listener survey!
Let us know by sending an email to our producer, Elizabeth, at elizabet.becz@logrocket.com, or tweet at us at PodRocketPod.

Follow us. Get free stickers.

Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!

What does LogRocket do?

LogRocket provides AI-first session replay and analytics that surfaces the UX and technical issues impacting user experiences. Start understanding where your users are struggling by trying it for free at LogRocket.com. Try LogRocket for free today.

Special Guest: Feross Aboukhadijeh.

]]> Secure by design with Vanessa Villa http://podrocket.logrocket.com/secure-by-design-vanessa-villa 4f1abcca-5d56-4fed-b471-a587b4eb9474 Wed, 14 Feb 2024 08:00:00 -0500 LogRocket full 4 LogRocket We welcome on Vanessa Villa, Developer Advocate at Pangea, to explain what the secure by design movement is about and how it shifts security to the beginning of the development cycle. 30:15 no We welcome on Vanessa Villa, Developer Advocate at Pangea, to explain what the secure by design movement is about and how it shifts security to the beginning of the development cycle. Links https://www.linkedin.com/in/vanessa-villa-tech https://twitter.com/vavillaiot https://pangea.cloud/blog/ We want to hear from you! How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend? Let us know by sending an email to our producer, Emily, at emily.kochanekketner@logrocket.com (mailto:emily.kochanekketner@logrocket.com), or tweet at us at PodRocketPod (https://twitter.com/PodRocketpod). Follow us. Get free stickers. Follow us on Apple Podcasts, fill out this form (https://podrocket.logrocket.com/get-podrocket-stickers), and we’ll send you free PodRocket stickers! What does LogRocket do? LogRocket combines frontend monitoring, product analytics, and session replay to help software teams deliver the ideal product experience. Try LogRocket for free today. (https://logrocket.com/signup/?pdr) Special Guest: Vanessa Villa. Security, web security, secure by design, dev security We welcome on Vanessa Villa, Developer Advocate at Pangea, to explain what the secure by design movement is about and how it shifts security to the beginning of the development cycle.

Links

https://www.linkedin.com/in/vanessa-villa-tech
https://twitter.com/vavillaiot
https://pangea.cloud/blog/

We want to hear from you!

How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend?

Let us know by sending an email to our producer, Emily, at emily.kochanekketner@logrocket.com, or tweet at us at PodRocketPod.

Follow us. Get free stickers.

Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!

What does LogRocket do?

LogRocket combines frontend monitoring, product analytics, and session replay to help software teams deliver the ideal product experience. Try LogRocket for free today.

Special Guest: Vanessa Villa.

]]> We welcome on Vanessa Villa, Developer Advocate at Pangea, to explain what the secure by design movement is about and how it shifts security to the beginning of the development cycle.

Links

https://www.linkedin.com/in/vanessa-villa-tech
https://twitter.com/vavillaiot
https://pangea.cloud/blog/

We want to hear from you!

How did you find us? Did you see us on Twitter? In a newsletter? Or maybe we were recommended by a friend?

Let us know by sending an email to our producer, Emily, at emily.kochanekketner@logrocket.com, or tweet at us at PodRocketPod.

Follow us. Get free stickers.

Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!

What does LogRocket do?

LogRocket combines frontend monitoring, product analytics, and session replay to help software teams deliver the ideal product experience. Try LogRocket for free today.

Special Guest: Vanessa Villa.

]]> Security and path traversal with Liran Tal http://podrocket.logrocket.com/security-and-path-traversal ffb2cabe-446a-4695-87a5-fc75f62f2ebd Tue, 23 May 2023 08:00:00 -0400 LogRocket full 3 LogRocket Today, we have Liran Tal, Director of Developer Advocacy at Snyk, to talk about a security risk all developers should know about: path traversal. 23:47 no Today, we have Liran Tal, Director of Developer Advocacy at Snyk, to talk about a security risk all developers should know about: path traversal. Links https://twitter.com/liran_tal https://lirantal.com/ https://github.com/lirantal https://lirantal.com/blog https://www.linkedin.com/in/talliran Tell us what you think of PodRocket We want to hear from you! We want to know what you love and hate about the podcast. What do you want to hear more about? Who do you want to see on the show? Our producers want to know, and if you talk with us, we’ll send you a $25 gift card! If you’re interested, schedule a call with us (https://podrocket.logrocket.com/contact-us) or you can email producer Kate Trahan at kate@logrocket.com (mailto:kate@logrocket.com) Follow us. Get free stickers. Follow us on Apple Podcasts, fill out this form (https://podrocket.logrocket.com/get-podrocket-stickers), and we’ll send you free PodRocket stickers! What does LogRocket do? LogRocket combines frontend monitoring, product analytics, and session replay to help software teams deliver the ideal product experience. Try LogRocket for free today. (https://logrocket.com/signup/?pdr) Special Guest: Liran Tal. security, path traversal Today, we have Liran Tal, Director of Developer Advocacy at Snyk, to talk about a security risk all developers should know about: path traversal.

Links

https://twitter.com/liran_tal
https://lirantal.com/
https://github.com/lirantal
https://lirantal.com/blog
https://www.linkedin.com/in/talliran

Tell us what you think of PodRocket

We want to hear from you! We want to know what you love and hate about the podcast. What do you want to hear more about? Who do you want to see on the show? Our producers want to know, and if you talk with us, we’ll send you a $25 gift card!

If you’re interested, schedule a call with us or you can email producer Kate Trahan at kate@logrocket.com

Follow us. Get free stickers.

Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!

What does LogRocket do?

LogRocket combines frontend monitoring, product analytics, and session replay to help software teams deliver the ideal product experience. Try LogRocket for free today.

Special Guest: Liran Tal.

]]> Today, we have Liran Tal, Director of Developer Advocacy at Snyk, to talk about a security risk all developers should know about: path traversal.

Links

https://twitter.com/liran_tal
https://lirantal.com/
https://github.com/lirantal
https://lirantal.com/blog
https://www.linkedin.com/in/talliran

Tell us what you think of PodRocket

We want to hear from you! We want to know what you love and hate about the podcast. What do you want to hear more about? Who do you want to see on the show? Our producers want to know, and if you talk with us, we’ll send you a $25 gift card!

If you’re interested, schedule a call with us or you can email producer Kate Trahan at kate@logrocket.com

Follow us. Get free stickers.

Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!

What does LogRocket do?

LogRocket combines frontend monitoring, product analytics, and session replay to help software teams deliver the ideal product experience. Try LogRocket for free today.

Special Guest: Liran Tal.

]]> Azure security with Sarah Young http://podrocket.logrocket.com/azure-security ee272d76-65eb-4c70-a970-d0675dc9fa0d Fri, 28 Oct 2022 08:00:00 -0400 LogRocket full 2 LogRocket Sarah Young is a Senior Cloud Security Advocate at Microsoft. Sarah joins us today to talk about Azure security, Zero Trust principles, and important investments in the security ecosystem. 36:30 no Sarah Young is a Senior Cloud Security Advocate at Microsoft. Sarah joins us today to talk about Azure security, Zero Trust principles, and important investments in the security ecosystem. Links https://twitter.com/_sarahyo https://www.sarahyoung.io https://ignite.microsoft.com https://azure.microsoft.com Tell us what you think of PodRocket We want to hear from you! We want to know what you love and hate about the podcast. What do you want to hear more about? Who do you want to see on the show? Our producers want to know, and if you talk with us, we’ll send you a $25 gift card! If you’re interested, schedule a call with us (https://podrocket.logrocket.com/contact-us) or you can email producer Kate Trahan at kate@logrocket.com (mailto:kate@logrocket.com) Follow us. Get free stickers. Follow us on Apple Podcasts, fill out this form (https://podrocket.logrocket.com/get-podrocket-stickers), and we’ll send you free PodRocket stickers! What does LogRocket do? LogRocket combines frontend monitoring, product analytics, and session replay to help software teams deliver the ideal product experience. Try LogRocket for free today. (https://logrocket.com/signup/?pdr) Special Guest: Sarah Young. Azure, Microsoft, Cloud Security, Security, Zero Trust Sarah Young is a Senior Cloud Security Advocate at Microsoft. Sarah joins us today to talk about Azure security, Zero Trust principles, and important investments in the security ecosystem.

Links

https://twitter.com/_sarahyo
https://www.sarahyoung.io
https://ignite.microsoft.com
https://azure.microsoft.com

Tell us what you think of PodRocket

We want to hear from you! We want to know what you love and hate about the podcast. What do you want to hear more about? Who do you want to see on the show? Our producers want to know, and if you talk with us, we’ll send you a $25 gift card!

If you’re interested, schedule a call with us or you can email producer Kate Trahan at kate@logrocket.com

Follow us. Get free stickers.

Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!

What does LogRocket do?

LogRocket combines frontend monitoring, product analytics, and session replay to help software teams deliver the ideal product experience. Try LogRocket for free today.

Special Guest: Sarah Young.

]]> Sarah Young is a Senior Cloud Security Advocate at Microsoft. Sarah joins us today to talk about Azure security, Zero Trust principles, and important investments in the security ecosystem.

Links

https://twitter.com/_sarahyo
https://www.sarahyoung.io
https://ignite.microsoft.com
https://azure.microsoft.com

Tell us what you think of PodRocket

We want to hear from you! We want to know what you love and hate about the podcast. What do you want to hear more about? Who do you want to see on the show? Our producers want to know, and if you talk with us, we’ll send you a $25 gift card!

If you’re interested, schedule a call with us or you can email producer Kate Trahan at kate@logrocket.com

Follow us. Get free stickers.

Follow us on Apple Podcasts, fill out this form, and we’ll send you free PodRocket stickers!

What does LogRocket do?

LogRocket combines frontend monitoring, product analytics, and session replay to help software teams deliver the ideal product experience. Try LogRocket for free today.

Special Guest: Sarah Young.

]]> 1Password with Andrew Beyer http://podrocket.logrocket.com/1password b32672cd-8ba9-4f13-8c0f-e9fbb508e64d Wed, 20 Apr 2022 08:00:00 -0400 LogRocket full 2 LogRocket In this episode, we talk to Andrew Beyer, senior engineering manager at 1Password, about how 1Password helps people generate and store unique passwords, how 1Password's engineering org has evolved, and the future of passwords. 40:07 no In this episode, we talk to Andrew Beyer, senior engineering manager at 1Password, about how 1Password helps people generate and store unique passwords, how 1Password's engineering org has evolved, and the future of passwords. Links https://1password.com/ https://twitter.com/firebeyer https://www.w3.org/community/webextensions/ https://www.future.1password.com/ https://1password.com/jobs/ Review us Reviews are what help us grow and tailor our content to what you want to hear. Give us a review here (https://ratethispodcast.com/podrocket). Contact us https://podrocket.logrocket.com/contact-us @PodRocketpod (https://twitter.com/PodRocketpod) What does LogRocket do? LogRocket combines frontend monitoring, product analytics, and session replay to help software teams deliver the ideal product experience. Try LogRocket for free today. (https://logrocket.com/signup/?pdr) Special Guest: Andrew Beyer. security, web development, 1password, frontend In this episode, we talk to Andrew Beyer, senior engineering manager at 1Password, about how 1Password helps people generate and store unique passwords, how 1Password's engineering org has evolved, and the future of passwords.

Links

https://1password.com/
https://twitter.com/firebeyer
https://www.w3.org/community/webextensions/
https://www.future.1password.com/
https://1password.com/jobs/

Review us

Reviews are what help us grow and tailor our content to what you want to hear. Give us a review here.

Contact us

https://podrocket.logrocket.com/contact-us
@PodRocketpod

What does LogRocket do?

LogRocket combines frontend monitoring, product analytics, and session replay to help software teams deliver the ideal product experience. Try LogRocket for free today.

Special Guest: Andrew Beyer.

]]> In this episode, we talk to Andrew Beyer, senior engineering manager at 1Password, about how 1Password helps people generate and store unique passwords, how 1Password's engineering org has evolved, and the future of passwords.

Links

https://1password.com/
https://twitter.com/firebeyer
https://www.w3.org/community/webextensions/
https://www.future.1password.com/
https://1password.com/jobs/

Review us

Reviews are what help us grow and tailor our content to what you want to hear. Give us a review here.

Contact us

https://podrocket.logrocket.com/contact-us
@PodRocketpod

What does LogRocket do?

LogRocket combines frontend monitoring, product analytics, and session replay to help software teams deliver the ideal product experience. Try LogRocket for free today.

Special Guest: Andrew Beyer.

]]> Open-source supply chain security with Feross Aboukhadijeh http://podrocket.logrocket.com/socket ea6c356b-f4fb-4e9f-a286-14f603f5b706 Tue, 22 Mar 2022 08:00:00 -0400 LogRocket full 2 LogRocket Feross Aboukhadijeh is the creator of WebTorrent, StandardJS, and Wormhole. We talked to Feross about Wormhole back in June and he joins us now to talk about Socket.dev, a new security company that can protect your most critical apps from supply chain attacks. 44:08 no Feross Aboukhadijeh is the creator of WebTorrent, StandardJS, and Wormhole. We talked to Feross about Wormhole back in June and he joins us now to talk about Socket.dev, a new security company that can protect your most critical apps from supply chain attacks. Links https://twitter.com/feross https://socket.dev https://socket.dev/npm/category/removed https://socketdev.notion.site/Join-the-Socket-Team https://webtorrent.io https://standardjs.com https://wormhole.app https://podrocket.logrocket.com/wormhole Review us Reviews are what help us grow and tailor our content to what you want to hear. Give us a review here (https://ratethispodcast.com/podrocket). Contact us https://podrocket.logrocket.com/contact-us @PodRocketpod (https://twitter.com/PodRocketpod) What does LogRocket do? LogRocket combines frontend monitoring, product analytics, and session replay to help software teams deliver the ideal product experience. Try LogRocket for free today. (https://logrocket.com/signup/?pdr) Special Guest: Feross Aboukhadijeh. security, open source, web development, Feross Aboukhadijeh is the creator of WebTorrent, StandardJS, and Wormhole. We talked to Feross about Wormhole back in June and he joins us now to talk about Socket.dev, a new security company that can protect your most critical apps from supply chain attacks.

Links

https://twitter.com/feross
https://socket.dev
https://socket.dev/npm/category/removed
https://socketdev.notion.site/Join-the-Socket-Team
https://webtorrent.io
https://standardjs.com
https://wormhole.app
https://podrocket.logrocket.com/wormhole

Review us

Reviews are what help us grow and tailor our content to what you want to hear. Give us a review here.

Contact us

https://podrocket.logrocket.com/contact-us
@PodRocketpod

What does LogRocket do?

LogRocket combines frontend monitoring, product analytics, and session replay to help software teams deliver the ideal product experience. Try LogRocket for free today.

Special Guest: Feross Aboukhadijeh.

]]> Feross Aboukhadijeh is the creator of WebTorrent, StandardJS, and Wormhole. We talked to Feross about Wormhole back in June and he joins us now to talk about Socket.dev, a new security company that can protect your most critical apps from supply chain attacks.

Links

https://twitter.com/feross
https://socket.dev
https://socket.dev/npm/category/removed
https://socketdev.notion.site/Join-the-Socket-Team
https://webtorrent.io
https://standardjs.com
https://wormhole.app
https://podrocket.logrocket.com/wormhole

Review us

Reviews are what help us grow and tailor our content to what you want to hear. Give us a review here.

Contact us

https://podrocket.logrocket.com/contact-us
@PodRocketpod

What does LogRocket do?

LogRocket combines frontend monitoring, product analytics, and session replay to help software teams deliver the ideal product experience. Try LogRocket for free today.

Special Guest: Feross Aboukhadijeh.

]]>