charlieeriksen.bsky.social
@charlieeriksen.bsky.social
Reposted
I had a chat with @charlieeriksen.bsky.social about the recent NPM attacks

We chat about what happened (now that the dust settled), and we discuss what's next.

Charlie is doing some great work in this space, he understands the problem better than most
NPM supply chain attacks with Charlie Eriksen
Josh chats with Charlie Eriksen, a security researcher at Aikido Security. We discuss the recent NPM supply chain attacks that affect hundreds of packages. Charlie shares his experiences dealing with ...
opensourcesecurity.io
November 10, 2025 at 2:58 PM
@advocatemack.bsky.social and I interviewed Daniel Pereira, who was the first to notice the Shai Hulud campaign.

www.youtube.com/watch?v=I--i...
Discovering Shai-Hulud and the Struggle to Raise the Alarm: Bad Dependencies ft Daniel Pereira
YouTube video by Aikido Security
www.youtube.com
September 18, 2025 at 6:22 PM
I published a blog post with more data on how the Shai-Hulud attack unfolded. Evidence pointing to the fact that most packages were uploaded by the attackers, rather than being organically infected. And the mistakes the attackers made.

www.aikido.dev/blog/bugs-in...
Bugs in Shai-Hulud: Debugging the Desert
The Shai Hulud worm had some bugs of its own, and required patching by the attackers. We also look at a timeline of events, to see how it unfolded.
www.aikido.dev
September 18, 2025 at 1:08 PM
The attackers behind the S1ngularity/Nx attack strike again, this time with Shai Hulud: a proper self-propagating worm targeting the npm ecosystem.

www.aikido.dev/blog/s1ngula...
S1ngularity/nx attackers strike again
The attackers behind the nx attack have struck again, targeting a large number of packages
www.aikido.dev
September 16, 2025 at 10:18 AM
Yesterday, @advocatemack.bsky.social and I sat down with @bad-at-computer.bsky.social to discuss the incident that occurred on Monday, in which popular packages like debug and chalk were compromised. Here's my take on it, along with the entire ~45-minute conversation.

www.aikido.dev/blog/we-got-...
We Got Lucky: The Supply Chain Disaster That Almost Happened
Eighteen widely used open source packages were compromised, downloaded billions of times and embedded across nearly every cloud environment. The community dodged a bullet. But this close call shows ju...
www.aikido.dev
September 12, 2025 at 2:10 PM
Reposted
Le maintainer: “I’ve been pwned. Sorry everyone, very embarrassing.”

Brian Krebs covered the npm supply chain compromise, featuring insights from our own @charlieeriksen.bsky.social, who broke the news.

Full article → krebsonsecurity.com/2025/09/18-p...
September 9, 2025 at 2:27 PM
@bad-at-computer.bsky.social Would you be open to chatting with us (@advocatemack.bsky.social) for our Bad Dependencies podcast to discuss your experience as a maintainer? I think it'd be fascinating to hear the more "human" side to this :)
September 9, 2025 at 11:33 AM
The attackers who hit debug and chalk have now also compromised the DuckDB packages. What a weird situation.

www.aikido.dev/blog/duckdb-...
duckdb npm packages compromised
The popular package duckdb was compromised by the same attackers that hit debug and chalk
www.aikido.dev
September 9, 2025 at 7:58 AM
Reposted
Yep, I've been pwned. 2FA reset email, looked very legitimate.

Only NPM affected. I've sent an email off to @npmjs.bsky.social to see if I can get access again.

Sorry everyone, I should have paid more attention. Not like me; have had a stressful week. Will work to get this cleaned up.
@bad-at-computer.bsky.social Hey. Your npm account seems to have been compromised. 1 hour ago it started posting packages with backdoors to all your popular packages.
September 8, 2025 at 3:15 PM
@bad-at-computer.bsky.social Hey. Your npm account seems to have been compromised. 1 hour ago it started posting packages with backdoors to all your popular packages.
September 8, 2025 at 2:16 PM
Reposted
Introducing Aikido SafeChain 🔒⛓️

SafeChain wraps every npm, yarn, pnpm, and npx install. It blocks malware in real time, with zero changes to your workflow.

Free. Open Source. Powered by Aikido Intel.

Don’t trust your terminal. Defend it.
July 22, 2025 at 3:43 PM