Syntax Podcast: "Is Running Random Code From npm Safe?"

Socket CEO Feross Aboukhadijeh recently joined Wes Bos and Scott Tolinski, hosts of the Syntax podcast, for an episode titled “Is Running Random Code From npm Safe?”

This episode explores the enormous amount of trust developers place in code downloaded from npm and the importance of modern security tools in protecting this ecosystem from malicious actors and compromised packages.

They discussed the power of systems like npm to amplify open source contributions but also the contrasting fragility of unprotected supply chains in the face of targeted attacks. This is one of the unique challenges of enabling the open source ecosystem to flourish while avoiding excessive bureaucratic hurdles that could hinder contributions.

Feross related a story about how the popular EventStream node package was hijacked to steal users' cryptocurrency. This became a timely reference, as the podcast episode was published the same week that Ledger’s connect-kit, a package used by many crypto frontends, was compromised when an attacker added wallet-draining code that stole an estimated $600K in virtual assets.

Socket’s AI-powered threat detection discovers an estimated 400 malicious packages per week. This episode includes a few wild stories from the npm ecosystem. It also explores Socket's methodology in identifying suspicious packages by scanning for 70+ signals, such as new network requests or automatically running code on installation.

Check out the episode below, along with the complete transcript on the Syntax.fm website.