EPISODE · Jun 3, 2026 · 8 MIN
How Developers Are Fighting Supply Chain Attacks in 2026
from The Programming Languages Podcast with Fexingo: Python, Rust, JavaScript, and Modern Coding · host Fexingo
Software supply chain attacks hit a new record in Q1 2026, with the number of malicious packages discovered on public registries up 80 percent year-over-year. Lucas and Luna break down how a single compromised npm package called 'event-stream' in 2018 foreshadowed today's crisis, and examine the new defenses developers are adopting: signature-based attestation from the Sigstore project, dependency pinning with verified lockfiles, and runtime monitoring tools like OpenGuard. They drill into the specific case of the 'user-agent-parse' attack in February 2026, where a typosquatted package exfiltrated AWS credentials from 2,000 CI pipelines before being caught. The episode concludes with a practical checklist any team can implement this week to reduce their exposure, including why 'just audit your dependencies' is no longer enough. No abstract warnings: concrete tools, real CVEs, and a realistic threat model for a mid-sized engineering team in mid-2026.
#SupplyChainSecurity #SoftwareSecurity #npm #Sigstore #OpenGuard #Typosquatting #DevOps #CyberSecurity #JavaScript #PythonPackaging #CI/CD #PackageManagement #DependencyHell #Technology #FexingoBusiness #BusinessPodcast #DeveloperTools #OpenSourceSecurity
Keep every episode free: buymeacoffee.com/fexingo
No transcript for this episode yet