DevSec Station
DevSec Station is a security focused podcast for software developers who want to create amazing applications. Hosted by Tanya Janca, also known as SheHacksPurple, these short lessons will help you level up.
Emergency DevSec Station drop: NPM Worm in the Wild
🚨 Emergency DevSec Station drop.
There's an active npm supply chain attack happening right now. Compromised packages are stealing SSH keys, AWS credentials, GitHub tokens, browser passwords, and crypto wallets on install. Then using your publish token to infect every package you maintain.
One command can protect you immediately: npm config set ignore-scripts true
Do it today, please. Tell your team. Watch the full 60 seconds.
#AppSec #SupplyChainSecurity #DevSecOps #SecureCoding #npm
Hi, I'm Tanya Janca, also known as SheHacksPurple, and I'm interrupting our regular DevSec Station programming because I don't feel that this can wait. There's an active npm supply chain attack happening right now. I know there's been a lot of them recently, but this one is a big one, and I wanted to tell you about it. Packages that look completely normal and legitimate are being compromised and published with malicious versions that are stealing your credentials. It's the moment that you run npm install when it steals it, via a post-install script. They're taking SSH keys, AWS credentials, GitHub tokens, browser passwords, crypto wallets, literally everything that it can grab, it is stealing from you. And then it will use your publish token to infect every single package that you maintain. I would call this attack a worm.

So here's what I would like you to do right now. If you could open your terminal and run the following command, which obviously you will decide for yourself, but this is a request, not a demand: npm config set ignore-scripts true. What this will mean is that post-install scripts don't run anymore. So I just want you to run one command which tells npm to never automatically run a post-install script again without your explicit permission. I realize that occasionally a legitimate package will break as a result of this. That might sound weird, but I want this. This will be friction, and I want us to treat it as a feature, a security feature, not a bug. It's alerting you that something's happening. It means that you have to consciously decide to trust the script before it runs on your machine. That's how this would work from now on. So instead of post-install scripts that are potentially malicious running automatically, the post-install script would come to your attention. You review it and decide that it is good. I would hope that you could set this for every org, for every project, for every developer on your team.

That is what I would like. I want you to set it for yourself today. I'd like you to talk to your team about setting it for everyone as soon as possible. On top of this, if you could run a software composition analysis tool, also known as SCA, they can catch these sorts of things fairly often, fairly quickly. If you could do both, you'd get even better results. Thank you very much. I will be back with your regularly scheduled programming next episode. Thank you.