Feross Aboukhadijeh
Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor
#1 (about 5 minutes)
How the xz backdoor exploited maintainer burnout
The xz attack highlights how maintainer burnout creates opportunities for malicious actors to gain trust and take over critical open source projects.
#2 (about 4 minutes)
A historical parallel with the event-stream NPM hack
The 2017 event-stream hack demonstrates a similar pattern of social engineering and highlights how lucky discoveries often expose these backdoors.
#3 (about 9 minutes)
The growing problem of dependency bloat and rot
Modern package managers encourage massive dependency trees, which often include outdated or unnecessary packages that increase the attack surface.
#4 (about 10 minutes)
Detecting protestware and other malicious behaviors
Automated tooling is essential for detecting malicious code like protestware by analyzing package behavior for suspicious activities like file deletion or network access.
#5 (about 4 minutes)
The critical trade-offs of auto-updating dependencies
While updating dependencies protects against known vulnerabilities, updating too quickly can expose you to new, undiscovered supply chain attacks before the community finds them.
#6 (about 10 minutes)
Taking responsibility for your software supply chain
Developers must take responsibility for their dependencies by using lock files, leveraging analysis tools, and understanding that open source transparency aids discovery but doesn't guarantee immediate safety.