In this episode, Matt and Liam dig into the messy reality of software supply-chain attacks, how a seemingly harmless pull request can turn into a compromised release, and why those ✅ green CI badges can lull us into a false sense of security.
We unpack a recent incident in which an NPM package publish was hijacked via a poisoned PR and a stolen publishing token, then zoom out to the wider tactics attackers use (from secrets exfil via build logs to cheeky action scripts). We also talk about what small teams can do today to reduce blast radius without grinding delivery to a halt.
We discuss:
- What actually happened in the recent NX/NPM incident—and why token theft via PR is so dangerous
- Sneaky exfil paths: encoded secrets, console/log leaks, and “helpful” CI steps doing unhelpful things
- The illusion of safety: why “keep the checkmarks green” isn’t a security strategy
- Practical hardening for tiny teams: scoped publish tokens, protected runners, required reviews, and a human-in-the-loop for releases
- Discovery vs. trust: our stance on the Blake template registry (makes discovery easier, doesn’t guarantee safety)
- How to think adversarially about your pipelines without killing dev velocity
🍻 Tonight’s Drinks:
Matt – Oakvale Shiraz
Liam – Young Henry’s Newtowner
🔗 Tonight’s Links:
- The Pull Request that introduced the vulnerable code
- The commit that included the exploit
- NX S1ngularity Postmortem
- Security blog article breaking down the incident
- Affected NPM packages on npmjs.com
- GitHub Actions security hardening documentation
- Blake Template Registry (discovery, not trust!)
- OWASP Supply Chain Security Guide
Any Likes 👍, Shares 📣, Subscriptions 🔔, and Love ❤️ help us keep the mics on.
Cheers! 🍻