Feross Aboukhadijeh

Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor

A malicious actor gained trust over years to inject a backdoor into a core utility. The xz attack reveals a critical, deep-rooted flaw in open source security.

Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor
#1about 5 minutes

How the xz backdoor exploited maintainer burnout

The xz attack highlights how maintainer burnout creates opportunities for malicious actors to gain trust and take over critical open source projects.

#2about 4 minutes

A historical parallel with the event-stream NPM hack

The 2017 event-stream hack demonstrates a similar pattern of social engineering and highlights how lucky discoveries often expose these backdoors.

#3about 9 minutes

The growing problem of dependency bloat and rot

Modern package managers encourage massive dependency trees, which often include outdated or unnecessary packages that increase the attack surface.

#4about 10 minutes

Detecting protestware and other malicious behaviors

Automated tooling is essential for detecting malicious code like protestware by analyzing package behavior for suspicious activities like file deletion or network access.

#5about 4 minutes

The critical trade-offs of auto-updating dependencies

While updating dependencies protects against known vulnerabilities, updating too quickly can expose you to new, undiscovered supply chain attacks before the community finds them.

#6about 10 minutes

Taking responsibility for your software supply chain

Developers must take responsibility for their dependencies by using lock files, leveraging analysis tools, and understanding that open source transparency aids discovery but doesn't guarantee immediate safety.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Malware campaigns, cloud latency, and government IT theft
01:06 MIN

Malware campaigns, cloud latency, and government IT theft

Fake or News: Self-Driving Cars on Subscription, Crypto Attacks Rising and Working While You Sleep - Théodore Lefèvre

Comparing the security models of browsers and native apps
05:01 MIN

Comparing the security models of browsers and native apps

Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof

Technical challenges of shipping a cross-platform browser
09:38 MIN

Technical challenges of shipping a cross-platform browser

Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof

How AI-generated content is overwhelming open source maintainers
06:46 MIN

How AI-generated content is overwhelming open source maintainers

WeAreDevelopers LIVE – You Don’t Need JavaScript, Modern CSS and More

Crypto crime, EU regulation, and working while you sleep
01:15 MIN

Crypto crime, EU regulation, and working while you sleep

Fake or News: Self-Driving Cars on Subscription, Crypto Attacks Rising and Working While You Sleep - Théodore Lefèvre

The trend of browsers depending on online services
06:23 MIN

The trend of browsers depending on online services

Developer Time Is Valuable - Use the Right Tools - Kilian Valkhof

The security risks of AI-generated code and slopsquatting
05:55 MIN

The security risks of AI-generated code and slopsquatting

Slopquatting, API Keys, Fun with Fonts, Recruiters vs AI and more - The Best of LIVE 2025 - Part 2

Using AI to overcome challenges in systems programming
02:49 MIN

Using AI to overcome challenges in systems programming

AI in the Open and in Browsers - Tarek Ziadé

Featured Partners

Related Videos

See all videos
Security Blindspots and How to Learn About Them - Anna Oliveira26:28

Security Blindspots and How to Learn About Them - Anna Oliveira

Anna Oliveira

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks27:10

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Sonya Moisset

Oops! Stories of supply chain shenanigans43:57

Oops! Stories of supply chain shenanigans

Zbyszek Tenerowicz

Vulnerable VS Code extensions are now at your front door44:11

Vulnerable VS Code extensions are now at your front door

Raul Onitza-Klugman & Kirill Efimov

You click, you lose: a practical look at VSCode's security29:47

You click, you lose: a practical look at VSCode's security

Thomas Chauchefoin & Paul Gerste

What The Hack is Web App Sec?24:01

What The Hack is Web App Sec?

Jackie

Security in modern Web Applications - OWASP to the rescue!26:59

Security in modern Web Applications - OWASP to the rescue!

Jakub Andrzejewski

101 Typical Security Pitfalls28:41

101 Typical Security Pitfalls

Alexander Pirker

Related Articles

View all articles
CH
Chris Heilmann
Dev Digest 110 - XY marks the spotty security
This time we give you a collection of links about the XZ backdoor, solve the last CODE100 puzzle, announce the next round of it, let you play with colours and explain why Lava lamps are great to keep the web secure.News and ArticlesThe big piece of n...
Dev Digest 110 - XY marks the spotty security
DC
Daniel Cranney
Dev Digest 198: 30 years of JS, In-Browser AI, How Attackers Abuse GenAI
Inside last week’s Dev Digest 198 . 🎂 30 years of JavaScript ⏰ How long is a JavaScript second 💻 Clean code in Angular 🤦‍♂️ AI makes different mistakes than humans 👨‍💻 In-browser and offline AI 🟠 Undocumented Hacker News features 🐋 DeepSeek censored...
Dev Digest 198: 30 years of JS, In-Browser AI, How Attackers Abuse GenAI
DC
Daniel Cranney
Dev Digest 188: CfP time, the risks of NPM and IKEA algorithms
Inside last week’s Dev Digest 188 . 🤖 GitHub Copilot CLI is now in public review 💻 Microsoft is bringing ‘vibe working’ to office apps 🎣 Attackers abuse AI tools to generate captchas in fishing attacks ⚠️ When LLMs autonomously attack 🧠 Common cause...
Dev Digest 188: CfP time, the risks of NPM and IKEA algorithms

From learning to earning

Jobs that call for the skills explored in this talk.

DevSecOps

DevSecOps

Xebia
Retortillo de Soria, Spain

GIT
Terraform
Continuous Integration
Amazon Web Services (AWS)