🚨 Emergency DevSec Station Drop

There's an active npm supply chain attack happening right now. Compromised packages are stealing SSH keys, AWS credentials, GitHub tokens, browser passwords, and crypto wallets on install. Then using your publish token to infect every package you maintain.

One command can protect you immediately: npm config set ignore-scripts true
1/2

Do it today, please. Tell your team. Watch the full 60 seconds.

Video link: https://twp.ai/4hpg2D

#AppSec #SupplyChainSecurity #DevSecOps #SecureCoding #npm
2/2

Link preview (YouTube): Emergency DevSec Station drop: NPM Worm in the Wild
@SheHacksPurple If I don't npm update am I safe?
@SheHacksPurple uhm, this is like 2 weeks old? Not wanting to be rude but people should have fixed that by now?... I think I've actually seen that vid of yours when it came out(?)
@fellmoon @SheHacksPurple people are that slow though, it's okay