PODCAST · technology
DevSec Station
by Tanya Janca | SheHacksPurple
DevSec Station is a security focused podcast for software developers who want to create amazing applications. Hosted by Tanya Janca, also known as SheHacksPurple, these short lessons will help you level up.
NPM Supply Chain Attack: Active Worm Stealing Tokens, SSH Keys, and Credentials
🚨 Emergency DevSec Station update. There's an active npm supply chain attack happening right now.

Malicious npm packages are running install scripts that quietly steal:
• SSH keys
• AWS credentials
• GitHub tokens
• Browser passwords
• Crypto wallets

From there, the attack uses your npm publish token to spread into every package you maintain. That's how this turns into a worm across the npm ecosystem. This is not theoretical. It's already in the wild.

👉 Immediate fix: run npm config set ignore-scripts true. This disables install scripts and blocks the main attack path.

If you work in JavaScript, Node.js, DevSecOps, or application security, take action now and tell your team. Watch the full 60-second breakdown and share this with anyone who installs npm packages.

#npmSecurity #SupplyChainAttack #DevSecOps #AppSec #JavaScriptSecurity #CyberSecurityAlert
How Modern Supply Chain Attacks Really Happen (Step-by-Step Breakdown for Developers)
What if a supply chain attack didn't start with a complex exploit, but with something completely normal? A typo. A copy-paste. Even an AI suggestion.

In this episode, Tanya Janca breaks down how modern supply chain attacks actually happen inside everyday developer workflows. These attacks aren't one big moment. They're a series of small, reasonable decisions that quietly introduce risk.

You'll learn:
• Why supply chain attacks are a process, not a single event
• How attackers exploit normal developer behavior
• A simple, step-by-step example of a real attack path
• Why traditional SCA tools often miss real risk
• How to focus on what actually matters

👉 If you do one thing this week: run your SCA tool with reachability enabled and fix one real issue. That's how you start reducing risk.

If you work in DevSecOps, application security, or software development, you need to understand this.

#SupplyChainSecurity #DevSecOps #AppSec #SecureCoding #SoftwareSecurity #CyberSecurity
Developers Are Now Targets: How Supply Chain Attacks Actually Reach You
Developers are no longer just building software. They're being targeted directly.

In this episode, Tanya Janca explains how supply chain attacks reach developers through everyday tools, packages, and workflows. These attacks don't feel like attacks at first. They look like normal development work until it's too late.

You'll learn:
• How supply chain attacks reach individual developers
• Why developer environments are now high-value targets
• Where risk shows up in daily workflows
• Simple ways to protect yourself without slowing down

If you work in JavaScript, DevSecOps, or application security, this shift matters.

👉 Start by reviewing what you install, what runs during install, and what your tools are actually doing behind the scenes.

#SupplyChainSecurity #DevSecOps #AppSec #SecureCoding #SoftwareSecurity #DeveloperSecurity