Please subscribe to our YouTube channel @ https://www.youtube.com/@DevoxxForever
Subscribe to LinkedIn @ https://www.linkedin.com/company/voxxed-days-amsterdam
Follow us on Twitter @ https://twitter.com/voxxedamsterdam

Is your app behaving strangely? Random network calls? Unexpected behavior? It might not be a bug, it might be possessed. In this spooky session, we’ll explore how malicious packages sneak into your codebase like ghosts through an open portal. You’ll learn how typo-squatting, dependency confusion, and supply chain attacks haunt the JavaScript ecosystem, and how to perform a proper exorcism. We’ll go beyond npm audit and explore tools and habits to stop the haunt before it begins. Leave this talk with a toolkit that wards off evil; digital and otherwise.

Devoxx

A conference talk covering JavaScript supply chain security threats and mitigations. Topics include typosquatting (malicious packages with near-identical names), dependency confusion attacks (public packages overriding private registry packages via higher version numbers), backdoors, and transitive dependency risks. Practical defenses covered: pinning dependency versions, committing lock files, scoping private packages, configuring .npmrc and CI/CD pipelines, ignoring pre/post install scripts, and using SCA tools like npm audit, Dependabot, and Snyk. The SLSA framework is introduced as a security maturity checklist. The talk frames security alongside accessibility and performance as core developer responsibilities.

Possessed by Packages: Is Your JavaScript Haunted? by Chris DeMars