DevSec Station

Tanya Janca | SheHacksPurple
Country USA
Genres Technology
Language EN-US
Episodes 5
Latest 04.06.2026

DevSec Station is a security-focused podcast for software developers who want to create amazing applications. Hosted by Tanya Janca, also known as SheHacksPurple, these short lessons will help you level up.

Episodes

  • Supply Chain Is More Than Just Dependencies 04.06.2026 7min
    Most developers think software supply chain security starts and ends with dependencies. But modern supply chain attacks don't stop there. Attackers look for paths into your software, and those paths often run through developers, CI/CD systems, build tools, deployment pipelines, and other trusted parts of the software delivery process. This episode is sponsored by Maze. In this episode of DevSec Station, Tanya Janca explains why the software supply chain is much bigger than libraries and pac...
  • Malicious Dependencies Aren’t an Accident 20.05.2026 7min
    Malicious dependencies are not accidents. They are often intentionally designed to look trustworthy so developers install them without hesitation. In this episode of DevSec Station, Tanya Janca explains how attackers use typosquatting, dependency confusion, fake packages, and even AI-generated recommendations to compromise developer environments and steal credentials. This episode is sponsored by Maze. You’ll learn: • how malicious packages trick developers • why dependency attacks work...
  • NPM Supply Chain Attack: Active Worm Stealing Tokens, SSH Keys, and Credentials 22.04.2026 2min
    🚨 Emergency DevSec Station update. There’s an active npm supply chain attack happening right now. Malicious npm packages are running install scripts that quietly steal: • SSH keys • AWS credentials • GitHub tokens • Browser passwords • Crypto wallets From there, the attack uses your npm publish token to spread into every package you maintain. That’s how this turns into a worm across the npm ecosystem. This is not theoretical. It’s already in the wild. 👉 Immediate...
  • How Modern Supply Chain Attacks Really Happen (Step-by-Step Breakdown for Developers) 14.04.2026 10min
    What if a supply chain attack didn’t start with a complex exploit… but something completely normal? A typo. A copy-paste. Even an AI suggestion. In this episode, Tanya Janca breaks down how modern supply chain attacks actually happen inside everyday developer workflows. These attacks aren’t one big moment. They’re a series of small, reasonable decisions that quietly introduce risk. You’ll learn: • Why supply chain attacks are a process, not a single event • How attacke...
  • Developers Are Now Targets: How Supply Chain Attacks Actually Reach You 21.03.2026 6min
    Developers are no longer just building software. They’re being targeted directly. In this episode, Tanya Janca explains how supply chain attacks reach developers through everyday tools, packages, and workflows. These attacks don’t feel like attacks at first. They look like normal development work until it’s too late. You’ll learn: • How supply chain attacks reach individual developers • Why developer environments are now high-value targets • Where risk shows up in dail...
