Software supply chains are increasingly vulnerable to attacks, as demonstrated by incidents like poisoned VS Code extensions that can compromise thousands of repositories within minutes; organizations can reduce risk through operational hygiene practices including pinning dependencies, using lockfiles, running risky installs in sandboxed environments, implementing signed commits on protected branches, monitoring CI/CD pipelines and package registries, and maintaining vigilance across all security touchpoints.
6000 devs installed malware in 18 minutes
It feels like the supply chain for software engineering is more vulnerable than it's ever been.
Things like a poisoned VS Code editor extension that was live for 18 minutes, getting installed and then leaking thousands of repos, would have been much harder before, but AI has made software quite vulnerable. And this is the reality of what's just been happening over the last couple of weeks at large companies like Microsoft. And this is not to defend or blast Microsoft. There are always going to be things that any company or individual can do to reduce the blast radius and have improved security practices. What's more interesting about this is the pattern of increasingly high-threat attacks, like the most recent Shai-Hulud incident: the latest waves of people stealing maintainer tokens and running inside the actual build systems. But there are still a lot of things that can be done.
You can pin dependencies and try to commit lock files, run risky installs inside of dev containers or sandbox them, try things like signed commits on protected branches, and monitor your CI/CD pipeline, your npm packages, and also just your billing portals. There shouldn't be an assumption that you can avoid every single malicious package, because that's just not realistic. There are a lot of preventive measures that you can try to take that I will also link below in the description of this post.
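The "pin dependencies and commit lock files" advice above, as an added example that is not from the video or its author: a small audit pass over a Node project's `package.json` and `package-lock.json` that flags the three gaps a fresh `npm install` can silently exploit, namely dependency specs that are not exact versions (ranges, dist-tags, git refs), lockfile entries missing a `resolved` URL or `integrity` hash, and dependencies declared in the manifest but absent from the lock. The package names and manifests are constructed for the example and are not real registry data.

```python
"""
Added example (not from the video): audit a Node project's manifest and
lockfile for the supply-chain hygiene gaps the transcript names.

Constructed sample manifests are embedded below so the check runs offline.
"""
import re

# An exact version is MAJOR.MINOR.PATCH with an optional prerelease/build tag.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def unpinned_dependencies(package_json: dict) -> dict:
    """Return {name: spec} for every dependency whose spec is not an exact version.
    Ranges (^, ~, >=, *), dist-tags (latest) and git/URL/file specs all count as
    unpinned: without a lockfile they let `npm install` pull whatever was most
    recently published, including a release pushed with a stolen maintainer token."""
    findings = {}
    for section in DEP_SECTIONS:
        for name, spec in package_json.get(section, {}).items():
            if not EXACT_VERSION.match(spec.strip()):
                findings[name] = spec
    return findings


def lockfile_gaps(package_lock: dict) -> dict:
    """Return {path: reason} for lockfile (v2/v3 'packages' map) entries that lack a
    `resolved` URL or an `integrity` hash. `npm ci` needs both to verify that the
    tarball it unpacks is the one that was in the tree when the lock was committed."""
    gaps = {}
    for path, meta in package_lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # root project and workspace symlinks have no tarball
        if "integrity" not in meta:
            gaps[path] = "missing integrity"
        elif "resolved" not in meta:
            gaps[path] = "missing resolved"
    return gaps


def not_in_lock(package_json: dict, package_lock: dict) -> list:
    """Dependencies declared in the manifest with no matching lock entry.
    `npm ci` refuses such a tree, but a plain `npm install` resolves it fresh,
    which is exactly the moment a poisoned release gets pulled in."""
    packages = package_lock.get("packages", {})
    missing = []
    for section in DEP_SECTIONS:
        for name in package_json.get(section, {}):
            if f"node_modules/{name}" not in packages:
                missing.append(name)
    return sorted(missing)


def audit(package_json: dict, package_lock: dict) -> dict:
    """Run all three checks; an empty result means the tree is fully pinned and verifiable."""
    return {
        "unpinned": unpinned_dependencies(package_json),
        "lockfile_gaps": lockfile_gaps(package_lock),
        "not_in_lock": not_in_lock(package_json, package_lock),
    }


# Constructed sample manifests (hypothetical package names, not real registry data).
SAMPLE_PACKAGE_JSON = {
    "name": "example-app",
    "dependencies": {
        "left-tool": "1.4.2",        # exact version: fine
        "fast-helper": "^2.0.0",     # caret range: unpinned
        "legacy-shim": "latest",     # dist-tag: unpinned
    },
    "devDependencies": {
        "build-kit": "github:someorg/build-kit#main",  # git ref: unpinned, and absent from the lock
    },
}

SAMPLE_PACKAGE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/left-tool": {
            "version": "1.4.2",
            "resolved": "https://registry.npmjs.org/left-tool/-/left-tool-1.4.2.tgz",
            "integrity": "sha512-AAAA",  # placeholder hash for the constructed sample
        },
        "node_modules/fast-helper": {
            "version": "2.3.1",
            "resolved": "https://registry.npmjs.org/fast-helper/-/fast-helper-2.3.1.tgz",
            # no integrity: the tarball cannot be verified on install
        },
        "node_modules/legacy-shim": {
            "version": "0.9.0",
            "integrity": "sha512-BBBB",
            # no resolved: npm does not know which tarball the hash belongs to
        },
    },
}

if __name__ == "__main__":
    for check, result in audit(SAMPLE_PACKAGE_JSON, SAMPLE_PACKAGE_LOCK).items():
        print(f"{check}: {result}")
```

Run this in CI before the install step and fail the job on any non-empty result; pair it with `npm ci --ignore-scripts` inside the sandboxed container the video recommends, so that even a package that slips through cannot run a postinstall hook on the build host.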