
Guarding the JavaScript Supply Chain: Preventing NPM Attacks with Feross Aboukhadijeh - JSJ 695
From JavaScript Jabber by Charles M Wood
November 1, 2025 · 1h 0m
About this episode
This episode explores open source supply chain security and the latest JavaScript package attacks with guest Feross Aboukhadijeh.
Hey everyone—it’s Steve Edwards here, and in this episode of JavaScript Jabber, I’m joined by returning guest Feross Aboukhadijeh, founder of Socket.dev, for a deep dive into the dark and fascinating world of open source supply chain security. From phishing campaigns targeting top NPM maintainers to the now-infamous Chalk library compromise, we unpack the latest wave of JavaScript package attacks and what developers can learn from them. Feross explains how some hackers are even using AI tools like Claude and Gemini as part of their payloads—and how defenders like Socket are fighting back with AI-powered analysis of their own. We also dive into GitHub Actions vulnerabilities, the role of two-factor authentication, and the growing need for “phishing-resistant 2FA.” Whether you’re an open source maintainer or just someone who runs npm install a little too often, this episode will open your eyes to how much happens behind the scenes to keep your code safe. 🔗 Links & Resources Socket.dev – Protect your open source dependencies Feross Aboukhadijeh on X (Twitter) GitHub Actions Security Best Practices TruffleHog Blog – On secrets exposure in Git repos Become a supporter of this…
People in this episode
Host: Steve Edwards
Guest: Feross Aboukhadijeh
Topics covered
- open source supply chain security
- NPM attacks
- JavaScript package security
- AI in cybersecurity
- GitHub Actions vulnerabilities
- two-factor authentication
Keywords
- NPM
- supply chain
- security
- phishing
- two-factor authentication
- AI tools
- GitHub Actions
- open source
Mentioned in this episode
Organizations: Socket.dev, GitHub, TruffleHog
Products: Chalk, Claude, Gemini
More episodes of JavaScript Jabber
- Mongoose 9, AI-Powered Database Tools & the Future of Server-Side JavaScript with Val Karpov - JSJ 703 · February 25, 2026 · 57 min
- Node.js Performance, Kubernetes, and Why “Fast” Isn’t Always Fast - JSJ 702 · February 10, 2026 · 1h 20m
- TanStack Start, AI, and the Future of Frontend Architecture - JSJ 701 · January 30, 2026 · 1h 13m
- What’s New in React 19.2: Compiler, Activity, and the Future of Async React - JSJ 700 · January 8, 2026 · 1h 16m
- Can You Really Trust AI-Generated Code? - JSJ 699 · December 24, 2025 · 47 min
- The Real State of Tech Hiring: AI, Ghosting, and the Developer Drought - JSJ 698 · December 10, 2025 · 1h 5m
Explore listener stats, chart rankings, contacts and more on the JavaScript Jabber podcast page.