Shawn Kahalewai Reilly’s Post

The axios npm package, one of the top 10 most-used JavaScript libraries and downloaded 83 million times per week, was compromised today. A hijacked maintainer account published poisoned versions that silently install a remote access trojan. And it appears that right now, the maintainers can't take back control of their own package. 🙈

Everyone wants to talk about TeamPCP, but the real story here is industry best practice. Because at this point of the attack chain, the blast radius of every attack shares the same pattern: not following best practice. 🤠

• Pin every dependency to an exact version or commit SHA
• Use lockfiles and commit them to source control
• Run npm ci (not npm install) in CI/CD pipelines
• Treat dependency version changes as a code change: PR, review, and QA
• Generate and validate SBOMs at build time; then track them

Do not outsource your security posture to a package manager's default settings. If you do not follow these practices, then you are leaving the doors unlocked. TeamPCP (or others) might just walk right in. 😬

NIST told us in 2022 (SP 800-218). CISA and NSA published joint guidance. Google's SLSA framework. OpenSSF best practices. Dan Lorenc has been saying all along: pin dependencies and treat CI/CD like production. Academic researchers ranked pinning as a top-3 defense against supply chain attacks. 🕵

Four years of guidance, five compromised ecosystems, thousands of organizations exposed. We have the frameworks, the tools, the best practices. We have Dependabot, Renovate, lockfiles, hash pinning, SBOM generators. What we may not have is the discipline to use them. 🤷 🔥 🔥 🔥
