<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>The BEST way to PROTECT yourself against Supply Chain Attacks</title>
        <link>https://tube.grossholtz.net/videos/watch/1748961f-0e02-44f8-afef-f66b0ba59d49</link>
        <description>We've seen a huge wave of supply chain attacks in the JS ecosystem (again). This is a real threat to all apps being developed in the JavaScript ecosystem, given that high-download dependencies or tools like Nx are targeted. This video shows what happened (a high-level overview) and, most importantly, what YOU CAN DO to protect yourself and your project against it. Links and Resources: In the Past: CVEs on Vite https://www.youtube.com/watch?v=ctsfEc9UYU8, Nx got compromised https://www.aikido.dev/blog/popular-nx-packages-compromised-on-npm, Nx postmortem https://nx.dev/blog/s1ngularity-postmortem, S1ngularity attacked again https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again, Tinycolor supply chain attack https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages, Trusted publishing is enabled https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/, npm docs on trusted publishing https://docs.npmjs.com/trusted-publishers, npm top packages with provenance status https://github.com/sxzz/npm-top-provenance#untrusted-showing-first-100-of-8784, Kevin's post on high-download packages without trusted publishing https://bsky.app/profile/sxzz.dev/post/3lydmji6nr22k, e18e issue to promote trusted publishing https://github.com/e18e/ecosystem-issues/issues/201, Wes' comment on 2FA https://bsky.app/profile/notwes.bsky.social/post/3lwgx6llchc2o, Daniel Roe's GitHub Action https://github.com/danielroe/provenance-action, Old Nuxt opencollective script https://github.com/nuxt-contrib/opencollective, pnpm neverBuiltDependencies setting https://pnpm.io/settings#neverbuiltdependencies, pnpm 10.16 release blog https://pnpm.io/blog/releases/10.16. Chapter marks: 00:00 Intro &amp; Overview, 00:59 What has happened - a top-level recap, 03:44 What maintainers and package authors can do, 06:10 Do we need 2FA for publishing packages?, 07:21 How you can protect yourself against these attacks. Links marked with * are affiliate links. I get a small commission when you register for the service or buy the product through my link. This helps me keep the channel running. I only include affiliate links for services or products mentioned that we use ourselves or have had good experience with.</description>
        <lastBuildDate>Mon, 06 Apr 2026 05:13:25 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://tube.grossholtz.net</generator>
        <image>
            <title>The BEST way to PROTECT yourself against Supply Chain Attacks</title>
            <url>https://tube.grossholtz.net/client/assets/images/icons/icon-512x512.png</url>
            <link>https://tube.grossholtz.net/videos/watch/1748961f-0e02-44f8-afef-f66b0ba59d49</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://tube.grossholtz.net/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://tube.grossholtz.net/feeds/video-comments.xml?videoId=1748961f-0e02-44f8-afef-f66b0ba59d49" rel="self" type="application/rss+xml"/>
    </channel>
</rss>