Most Recent Episode
The Anatomy of a Modern Supply Chain Attack What if a supply chain attack didn’t start with a sophisticated exploit… but with something totally normal?
A typo.
A copy-paste.
An AI suggestion.
In this episode, Tanya Janca walks through how modern supply chain attacks actually happen, and why t
Time: 10:14
What if a supply chain attack didn’t start with a sophisticated exploit… but with something totally normal?
A typo.
A copy-paste.
An AI suggestion.
In this episode, Tanya Janca walks through how modern supply chain attacks actually happen, and why they’re less about “elite hackers” and more about everyday developer workflows.
You’ll learn why these attacks are not a single event, but a sequence of small, reasonable decisions that quietly introduce risk into our systems.
What You’ll Learn
Why supply chain attacks are a process, not a moment How attackers exploit normal developer behaviour A realistic, step-by-step walk through of a modern attack Why traditional SCA approaches often fail How to focus on real risk instead of noiseA Realistic Attack, Step by Step
This episode walks through a common pattern seen in real-world incidents:
An attacker identifies a package name used internally They publish a lookalike or typo-squatted package Malicious behaviour is hidden in install scripts or dependencies A developer installs it, often unintentionally The system continues working… but access is now compromised
Bad / Better / Best: Managing Supply Chain Risk
Bad: Ignore supply chain risk or abandon tools due to noise
Better: Use SCA, but without context or prioritization
Best: Use SCA with reachability or runtime analysis
If You Do Just One Thing This Week
Run an SCA tool with reachability enabled, and take action on one issue.
Run SCA on your current project Filter to: high severity + reachable Fix one issue (remove, upgrade, or replace) Add one guardrail: Pin versions and use lockfiles Restrict registries Fail CI on high + reachable findings You don’t need to fix everything. But you do need to start.
🚉 About DevSec Station
DevSec Station is a security-focused podcast for developers.
Please like and subscribe. Hosted by Tanya Janca | SheHacksPurple
GUID: Buzzsprout-19017150
Release Date: 14/04/2026, 22:00:00