Malicious Packages - they're gonna get ya!
Supply chain security has been all the rage recently: we keep hearing, over and over again, about numerous malicious packages being found on this package repository or that. This talk gives an overview of malicious packages and the different ways they can pose a danger, from simple mistakes like mistyping a package name (and landing on a typosquatted lookalike) all the way up to well-known, widely used packages being compromised.
So how can we protect ourselves from these threats? There are various options, such as checking package health, source code reviews and scans, or tooling such as Software Composition Analysis (SCA). SCA scans, while very useful for vulnerability scanning, cannot be relied upon to protect against malicious packages: they work by matching the versions you depend on against databases of known, published vulnerabilities, so a brand-new malicious package, or a freshly compromised release with no advisory yet, is simply invisible to them. This talk will discuss these blind spots and other options for adding further protection. It will further reinforce that security should always take a multi-layered approach.