What if a supply chain attack didn’t start with a sophisticated exploit… but with something totally normal? A typo. A copy-paste. An AI suggestion. In this episode, Tanya Janca walks through how modern supply chain attacks actually happen, and why they’re less about “elite hackers” and more about everyday developer workflows. You’ll learn why these attacks are not a single event, but a sequence of small, reasonable decisions that quietly introduce risk into our systems.

What You’ll Learn
- Why supply chain attacks are a process, not a moment
- How attackers exploit normal developer behaviour
- A realistic, step-by-step walkthrough of a modern attack
- Why traditional SCA approaches often fail
- How to focus on real risk instead of noise

A Realistic Attack, Step by Step
This episode walks through a common pattern seen in real-world incidents:
1. An attacker identifies a package name used internally
2. They publish a lookalike or typo-squatted package
3. Malicious behaviour is hidden in install scripts or dependencies
4. A developer installs it, often unintentionally
5. The system continues working… but access is now compromised

Bad / Better / Best: Managing Supply Chain Risk
- Bad: Ignore supply chain risk or abandon tools due to noise
- Better: Use SCA, but without context or prioritization
- Best: Use SCA with reachability or runtime analysis

If You Do Just One Thing This Week
Run an SCA tool with reachability enabled, and take action on one issue.
1. Run SCA on your current project
2. Filter to: high severity + reachable
3. Fix one issue (remove, upgrade, or replace)
4. Add one guardrail:
   - Pin versions and use lockfiles
   - Restrict registries
   - Fail CI on high + reachable findings
You don’t need to fix everything. But you do need to start.

🚉 About DevSec Station
DevSec Station is a security-focused podcast for developers. Please like and subscribe.
Hosted by Tanya Janca | SheHacksPurple
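As an added example (not code from DevSec Station, Tanya Janca, or any SCA vendor), here is one way to turn the "add one guardrail" step and the attack walkthrough above into a single CI gate. It flags requested package names that nearly match an internal package name (the lookalike step), lists requirement lines that are not pinned to an exact version, checks that the configured package index points at an allowed registry host, and fails the build on findings that are both high severity and reachable. The SCA finding shape (`package`, `id`, `severity`, `reachable`), the internal package names, the registry host, and the requirement lines are all constructed for this example and do not correspond to any real tool's output format.

```python
import difflib
import re
from urllib.parse import urlparse

# Constructed sample data: an internal package allowlist and the one registry
# host that builds are allowed to install from. Replace with your own values.
INTERNAL_PACKAGES = {"acme-auth-client", "acme-logging", "acme-metrics"}
ALLOWED_REGISTRY_HOSTS = {"packages.internal.example"}

# Constructed SCA output in a hypothetical shape; real tools differ.
SAMPLE_FINDINGS = [
    {"package": "acme-logging", "id": "ADVISORY-1", "severity": "high", "reachable": True},
    {"package": "libparse", "id": "ADVISORY-2", "severity": "high", "reachable": False},
    {"package": "libhttp", "id": "ADVISORY-3", "severity": "medium", "reachable": True},
]
# Constructed list of package names a change requests to install.
SAMPLE_REQUESTED = ["acme-auth-cilent", "libhttp", "acme-logging"]
# Constructed pip-style requirement lines.
SAMPLE_REQUIREMENTS = [
    "libhttp==1.2.3",
    "acme-logging>=1.0",
    "libparse",
    "# comment line",
    "acme-metrics==2.0.0  # pinned, trailing comment",
]


def lookalike_names(requested, known=INTERNAL_PACKAGES, cutoff=0.8):
    """Map each requested name that is NOT on the allowlist but closely resembles
    an internal package name to that internal name (the lookalike / typo-squat
    step in the walkthrough). Exact allowlist matches are not flagged."""
    flagged = {}
    for name in requested:
        if name in known:
            continue
        close = difflib.get_close_matches(name, known, n=1, cutoff=cutoff)
        if close:
            flagged[name] = close[0]
    return flagged


# A requirement counts as pinned only if it uses '==' with a concrete version.
PINNED = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*[^\s;#]+")


def unpinned_requirements(lines):
    """Return requirement lines that do not pin an exact version; comments and
    blank lines are ignored, trailing comments are stripped before matching."""
    bad = []
    for line in lines:
        stripped = line.split("#", 1)[0].strip()
        if stripped and not PINNED.match(stripped):
            bad.append(stripped)
    return bad


def registry_allowed(index_url, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """True when the package index URL's host is one of the allowed registries."""
    return urlparse(index_url).hostname in allowed_hosts


def actionable_findings(findings):
    """Keep only findings that are both high severity and reachable, which is
    the filter the episode recommends acting on first."""
    return [
        f for f in findings
        if f.get("severity", "").lower() == "high" and f.get("reachable") is True
    ]


def ci_gate(findings, requested_packages, requirement_lines, index_url):
    """Return (passed, reasons). The gate fails on any high+reachable finding,
    any lookalike package name, any unpinned requirement, or a disallowed registry."""
    reasons = []
    for f in actionable_findings(findings):
        reasons.append(f"high+reachable: {f['package']} ({f['id']})")
    for name, near in lookalike_names(requested_packages).items():
        reasons.append(f"lookalike: {name} resembles internal package {near}")
    for line in unpinned_requirements(requirement_lines):
        reasons.append(f"unpinned: {line}")
    if not registry_allowed(index_url):
        reasons.append(f"registry not allowed: {index_url}")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, reasons = ci_gate(
        SAMPLE_FINDINGS, SAMPLE_REQUESTED, SAMPLE_REQUIREMENTS,
        "https://packages.internal.example/simple",
    )
    for reason in reasons:
        print("FAIL:", reason)
    print("gate passed" if ok else "gate failed")
    raise SystemExit(0 if ok else 1)
```

The lookalike check uses a similarity cutoff rather than an exact blocklist, so it will occasionally flag a legitimate new package whose name happens to resemble an internal one; treat such a hit as "a human looks at this before it is installed", not as proof of malice. The exit status is what makes this a guardrail: wire it into CI so a failing gate blocks the merge instead of producing a report nobody reads.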
Welcome to DevSec Station! I’m Tanya Janca (AKA SheHacksPurple), and this podcast is a series of short, practical security lessons for software developers. In this episode we will learn how supply chain attacks unfold in the wild, how to spot potential problems in your own workflows, and what you can do to protect yourself without slowing down too much.