
Rise of Supply Chain Attacks Targeting Developers via Malicious Open-Source Packages and Extensions
The video features Roeland Delrue, CRO and co-founder of Aikido Security, discussing the rise of supply chain attacks that target developers through malicious open-source packages, Chrome extensions, and VS Code extensions. Aikido Security, founded in October 2020, now scans 100,000 packages daily, up from 30,000 a year prior, because attackers have increasingly focused on this attack surface; a malicious package typically remains live for only 30 minutes to 3 days before it is detected and removed.

Traditional endpoint security tools (e.g., McAfee, CrowdStrike) fail to detect JavaScript-based threats such as malicious NPM packages or VS Code extensions, because they focus on compiled executables. Aikido's solution acts as a firewall/proxy in front of the package registry: it enforces a minimum age requirement (e.g., 24–48 hours) before a newly published package version may be installed, which blocks most malware given how quickly malicious packages are taken down, and it combines static and dynamic scanning (including "controlled detonation" in isolated environments) to identify malicious behavior.

Delrue notes that package managers like NPM or PyPI could mitigate the risk by implementing a verification process similar to Apple's App Store review, but they currently lack the infrastructure to handle the volume. He stresses that attackers treat developer machines as a "treasure trove" of sensitive data (credentials, tokens, source code), and that AI will likely accelerate the creation of malicious packages. The discussion also touches on threat actors such as Lazarus (targeting cryptocurrency) and Team PCP, though Delrue advocates minimizing the visibility such groups receive.
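The minimum-age policy described above is simple enough to reproduce locally. The following is an added example, not Aikido's code: it evaluates a package's registry metadata against a minimum publish age and either allows the requested version, downgrades to the newest version that is old enough, or blocks the install. The packument below is constructed for a hypothetical package (`example-widget`) but uses the same `time` and `dist-tags` shape the real npm registry returns; the "now" timestamp is fixed so the result is reproducible. Versions are ordered by publish time rather than by semver, which is an assumption made to keep the example dependency-free.

```python
from datetime import datetime, timezone

# Constructed npm-style packument for a hypothetical package. The real registry
# returns "time" (version -> ISO-8601 publish timestamp) and "dist-tags" in this shape.
SAMPLE_PACKUMENT = {
    "name": "example-widget",  # hypothetical package name
    "dist-tags": {"latest": "2.1.0"},
    "time": {
        "created": "2024-01-10T09:00:00.000Z",
        "modified": "2024-06-01T12:30:00.000Z",
        "2.0.0": "2024-03-15T08:00:00.000Z",
        "2.0.1": "2024-05-20T10:00:00.000Z",
        "2.1.0": "2024-06-01T12:30:00.000Z",  # one hour before the fixed "now" below
    },
}

# Fixed clock so the decisions below are deterministic.
FIXED_NOW = datetime(2024, 6, 1, 13, 30, tzinfo=timezone.utc)

# Keys in "time" that are not version numbers.
_NON_VERSION_KEYS = {"created", "modified"}


def _parse_ts(ts: str) -> datetime:
    """Parse the registry's ISO-8601 timestamp (millisecond precision, UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def version_age_hours(packument: dict, version: str, now: datetime) -> float:
    """Hours elapsed since `version` was published, according to the packument."""
    published = _parse_ts(packument["time"][version])
    return (now - published).total_seconds() / 3600.0


def allowed_versions(packument: dict, min_age_hours: float, now: datetime) -> list:
    """Versions that satisfy the policy, newest publish time first."""
    candidates = [
        v for v in packument["time"]
        if v not in _NON_VERSION_KEYS
        and version_age_hours(packument, v, now) >= min_age_hours
    ]
    # Assumption: newest by publish time is the preferred fallback (not a semver sort).
    return sorted(candidates, key=lambda v: _parse_ts(packument["time"][v]), reverse=True)


def resolve(packument: dict, requested: str, min_age_hours: float, now: datetime) -> tuple:
    """Apply the minimum-age policy to an install request.

    Returns one of:
      ("allow", requested)     the requested version is old enough
      ("downgrade", version)   requested is too new; an older version qualifies
      ("block", None)          nothing published for this package is old enough
    """
    if requested == "latest":
        requested = packument["dist-tags"]["latest"]
    if requested not in packument["time"]:
        raise ValueError(f"unknown version {requested!r} for {packument['name']}")
    if version_age_hours(packument, requested, now) >= min_age_hours:
        return ("allow", requested)
    fallback = allowed_versions(packument, min_age_hours, now)
    if fallback:
        return ("downgrade", fallback[0])
    return ("block", None)


if __name__ == "__main__":
    for policy_hours in (48, 1000, 2000):
        decision, version = resolve(SAMPLE_PACKUMENT, "latest", policy_hours, FIXED_NOW)
        print(f"min age {policy_hours:>5}h: {decision:<9} {version}")
```

A proxy in front of the registry would apply `resolve` to every version request and rewrite or refuse the response accordingly. For a quick approximation without a proxy, npm's own `--before=<date>` option (which installs only versions available on or before that date) achieves a similar effect for a single install.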