The Good, the Bad, and the NPM Package: Supply Chain Attacks and How to Protect Your App

Open source code makes up 90% of most codebases. How do you know whether you can trust your open source dependencies? Managing dependencies effectively is critical to reducing risk, but most teams have an ad-hoc process in which any developer can introduce a dependency, leaving organizations exposed to malicious packages.

Software supply chain attacks have exploded over the past 12 months, and they’re only accelerating in 2022 and beyond. We’ll dive into examples of recent supply chain attacks and the concrete steps you can take to protect your team from this emerging threat.

Feross Aboukhadijeh

Feross Aboukhadijeh is a programmer, designer, teacher, and mad scientist. He is currently building WebTorrent, a streaming BitTorrent client for the browser, powered by WebRTC. Before that, he built PeerCDN, a peer-to-peer content delivery network that makes sites faster and cheaper. He is a graduate of Stanford University and he has worked at Quora, Facebook, and Intel. In the past, Feross did research in the Stanford human-computer interaction and computer security labs. He enjoys working on "mad science" — projects that make people say, "Whoa! I didn't know that was possible!".