Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor
A malicious actor gained trust over years to inject a backdoor into a core utility. The xz attack reveals a critical, deep-rooted flaw in open source security.
#1 How the xz backdoor exploited maintainer burnout (about 5 minutes)
The xz attack highlights how maintainer burnout creates opportunities for malicious actors to gain trust and take over critical open source projects.
#2 A historical parallel with the event-stream NPM hack (about 4 minutes)
The 2017 event-stream hack demonstrates a similar pattern of social engineering and highlights how lucky discoveries often expose these backdoors.
#3 The growing problem of dependency bloat and rot (about 9 minutes)
Modern package managers encourage massive dependency trees, which often include outdated or unnecessary packages that increase the attack surface.
#4 Detecting protestware and other malicious behaviors (about 10 minutes)
Automated tooling is essential for detecting malicious code like protestware by analyzing package behavior for suspicious activities such as file deletion or network access.
#5 The critical trade-offs of auto-updating dependencies (about 4 minutes)
While updating dependencies protects against known vulnerabilities, updating too quickly can expose you to new, undiscovered supply chain attacks before the community finds them.
#6 Taking responsibility for your software supply chain (about 10 minutes)
Developers must take responsibility for their dependencies by using lock files, leveraging analysis tools, and understanding that open source transparency aids discovery but doesn't guarantee immediate safety.
Matching moments
02:00 MIN: How malicious actors infiltrate open source projects (from "Reviewing 3rd party library security easily using OpenSSF Scorecard")
02:39 MIN: How developers can become malware distribution vehicles (from "Stranger Danger: Your Java Attack Surface Just Got Bigger")
03:36 MIN: Developers as an unintentional malware distribution vehicle (from "Walking into the era of Supply Chain Risks")
05:43 MIN: How attackers exploit developers and packages (from "Vue3 practical development")
06:09 MIN: Human factors in open source supply chain risk (from "Stranger Danger: Your Java Attack Surface Just Got Bigger")
05:49 MIN: Common attacks targeting software developers (from "Vulnerable VS Code extensions are now at your front door")
03:17 MIN: Exploring specific web vulnerabilities and filtering issues (from "WeAreDevelopers LIVE - Chrome for Sale? Comet - the upcoming Perplexity browser, stealing and leaking")
01:07 MIN: The critical role of human observation in security (from "Answering the Million Dollar Question: Why did I Break Production?")
Dev Digest 110 - XY marks the spotty security: This time we give you a collection of links about the XZ backdoor, solve the last CODE100 puzzle, announce the next round of it, let you play with colours and explain why Lava lamps are great to keep the web secure. News and Articles: The big piece of n...
Chris Heilmann
Dev Digest 138 - Are you secure about this?: Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and Articles: Google Pixel phones t...
Daniel Cranney
Coffee with Developers is Now Available as an Audio Podcast: For the past few years, we've had the privilege of meeting fascinating developers and tech professionals from around the world through our Coffee with Developers episodes. While all of the episodes are available in their original video format on our ...
Chris Heilmann
Dev Digest 131 - AI'm not sure about OSS: News and Articles: Rust and TypeScript are rising stars in the programming languages 2024 survey, the State of CSS 2024 survey is open and here is what's new in ECMAScript. In security news, a Microsoft update bricks Linux dual-boot systems, they patched a ...