2026-04-26, Track 1
In 2025, we saw a sharp increase in large-scale, professional, and highly sophisticated software supply chain attacks. The Aikido Security research team was the first to uncover multiple major incidents, including the Shai-Hulud self-propagating worm, the largest mass compromise of npm packages (involving debug and chalk), and even the compromise of an official XRP cryptocurrency SDK. These weren’t isolated mistakes; they signaled a fundamental shift in how supply chain attacks are designed and scaled. In this talk, we break down what these real-world discoveries revealed about modern attacker tradecraft: how worms spread, why tokens are the real target, and how trust is systematically exploited across registries, repositories, IDE extensions, and CI pipelines. Together, these cases show how supply chain attacks have become industrialized, and why the ecosystem is struggling to keep up.
In 2025, software supply chain attacks grew dramatically in scale and sophistication. The Aikido Security research team was the first to uncover several of the most impactful incidents, including the Shai-Hulud self-propagating worm, the largest mass compromise of npm packages by weekly downloads (the infected packages together accounted for over 2 billion weekly downloads), and the backdooring of an official XRP cryptocurrency SDK. Together, these discoveries revealed that supply chain attacks are no longer isolated events but carefully engineered campaigns designed to scale.
This talk breaks down why attackers increasingly target the software supply chain and what makes it such a powerful leverage point. We’ll examine the anatomy of modern supply chain attacks, including how attackers gain initial access to trusted packages, workflows, and extension ecosystems; how they move laterally by harvesting tokens and abusing CI/CD systems; and what their ultimate objectives are. We’ll also explore why certain ecosystems, such as package registries and IDE extensions, are especially vulnerable, why detecting malicious behavior remains so difficult, and what practical steps organizations and the broader community can take to raise the bar against these threats.
Mackenzie Jackson grew up in a traveling circus in New Zealand (yes, really) and traded juggling fire for something even more dangerous: application security. At Aikido Security, he helps developers understand how hackers actually break things. He’s a former founder and CTO, has spoken in 30+ countries, hosts The Disclosure Podcast, and still insists New Zealand makes the best coffee.