Software Engineering Daily – Blocking Software Supply Chain Attacks with Feross Aboukhadijeh
Release Date: December 9, 2025
Guest: Feross Aboukhadijeh, Founder & CEO of Socket
Host: Josh Goldberg
Overview
This episode centers on software supply chain security, with a deep dive into the risks posed by open source dependencies and practical strategies to defend against malicious packages. Feross Aboukhadijeh, an influential open-source developer and security entrepreneur, discusses his journey from early web projects, through open source burnout, to founding Socket—an advanced tool for detecting and preventing supply chain attacks.
Key Discussion Points and Insights
1. Feross's Early Coding Journey and Lessons Learned
- Background: Feross describes his entry into coding in high school with PHP, building sites to host Flash animations and share AP notes.
- Quote: “I literally just pasted everything multiple times if I needed to do it in more than one place... But it worked. What really got me excited...was this idea that I can put code online and while I'm sleeping, it's like, working for me.” (03:13)
- College Experience: Attended Stanford for CS, self-taught with PHP before realizing the breadth of programming.
- Quote: “It took like a little bit of unlearning to realize, oh, wow, CS and programming is this, like, really broad thing. It's not just PHP and MySQL.” (02:17)
- Launch Early: Feross’s advice is to ship projects early, referencing his viral ‘YouTube Instant’ built for a bet.
- Quote: “Just ship things. Don’t think too much about it, like, build stuff in public.” (08:20)
- Memorable moment: Waking up after launching YouTube Instant to find it had gone viral, leading to a job offer from the YouTube CEO. (05:26 – 07:35)
2. Open Source Success and Burnout
- Yahoo Acquisition: Experience at Yahoo after a startup sale, frustration at large company bureaucracy.
- WebTorrent: Created WebTorrent after leaving Yahoo, aiming to build a peer-to-peer CDN from scratch, open source so “no one can ever take it away from me or from the community.” (12:11)
- Quote: “For the first six months of talking about WebTorrent, it didn’t work...and I was talking about it...doing some cool demos...It was, it wasn't WebTorrent.” (14:54)
- Burnout: Open source 'mad science track' at conferences was fun, but later responsibility and issue fatigue led to burnout.
- Quote: “I felt this incredible responsibility to fix every issue...eventually you get to a place where you wake up every morning and it’s like 40 issues opened and you’re like, oh my God, this is not sustainable.” (15:35)
- Reference: The blog “What it feels like to be an open source maintainer” by Nolan Lawson. (17:16)
3. Software Supply Chain Attacks – The Growing Threat
- Nature of Attacks: Attackers compromise popular packages to distribute malware, sometimes motivated by money, politics, or simple chaos.
- Notorious Incidents: EventStream attack (2017) explained in detail, highlighting the accidental and delayed discovery.
- Quote: “It was always like, oh, we accidentally noticed that, like, this package has been stealing everyone's information for the last two weeks.” (21:32)
- Community Blind-Spots:
- Few people read their dependencies’ actual code. (21:05)
- Linus’s Law applies ("many eyeballs make bugs shallow"), but often not quickly enough to prevent damage. Detection lags—malicious packages average 200+ days before takedown. (25:33)
4. Practical Security Lessons for Developers
- Top Tip: Use a lock file to freeze exact dependency versions—pinning direct dependencies is not enough.
- Quote: “It locks down the specific versions of every package in your dependency tree...” (22:26)
- Vet Dependencies: Do not assume someone else has vetted open source code.
- Quote: “Everyone is assuming that someone else is vetting this code...actually, very few people are opening up the code and looking at it.” (24:00)
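The lock file tip above, as an added example (not code from the episode or from Socket): a small Node.js audit of an npm `package-lock.json`, which records every package in the tree along with its source URL, integrity hash, and whether it runs an install script. The sample lockfile, its package names and its placeholder hashes are constructed for illustration.

```javascript
// Added example: audit an npm package-lock.json (lockfileVersion 2 or 3).
// SAMPLE_LOCK is constructed data; package names and hashes are placeholders.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "left-util": "^1.2.0" } },
    "node_modules/left-util": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/left-util/-/left-util-1.2.3.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/native-thing": {
      version: "0.4.0",
      resolved: "https://registry.npmjs.org/native-thing/-/native-thing-0.4.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
      hasInstallScript: true,
    },
    "node_modules/forked-dep": {
      version: "2.0.0",
      resolved: "git+https://example.com/someone/forked-dep.git#0000000",
    },
  },
};

const REGISTRY = "https://registry.npmjs.org/";

function auditLockfile(lock) {
  const findings = [];
  if (!lock.packages || lock.lockfileVersion < 2) {
    throw new Error("expected lockfileVersion 2 or 3 with a packages map");
  }
  for (const [path, pkg] of Object.entries(lock.packages)) {
    if (path === "" || pkg.link || pkg.inBundle) continue; // root, symlinks, bundled deps
    const name = path.split("node_modules/").pop(); // handles nested and scoped paths
    if (pkg.hasInstallScript) findings.push({ name, issue: "install-script" });
    if (!pkg.integrity) findings.push({ name, issue: "no-integrity" });
    if (!String(pkg.resolved || "").startsWith(REGISTRY)) {
      findings.push({ name, issue: "non-registry-source" });
    }
  }
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCK));
```

Every finding concerns a transitive-capable entry that pinning only direct dependencies in `package.json` would never surface.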
5. How Socket Works – Dynamic, AI-Powered Security
- Approach: Look for risk signals—
- Sudden new behaviors (accessing network, filesystem, environment variables)
- Install scripts (especially on npm)
- Obfuscation, use of crypto modules, eval patterns
- AI Integration: Leveraged GPT-4 to classify code as malicious or benign, combining static signals and LLM analysis for accuracy.
- Quote: “Can LLMs actually look at code patterns and figure out what the code is doing?...with GPT-4...this actually works really well.” (29:46)
- Integration: Installs as a bot on GitHub, GitLab, or Bitbucket, scanning all PRs and commits for new or updated dependencies and flagging suspicious changes in real time.
- Quote: “Socket will look at all those changes and if there’s any risks, it will leave a comment in the PR and just tell all the folks on the team.” (32:42)
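The "sudden new behaviors" signal described above, as an added example (a simplified regex heuristic written for this summary, not Socket's implementation): compare two versions of a package and report capabilities that appear only in the newer one. The package `tiny-format`, both versions and all function names are constructed for illustration.

```javascript
// Added example: regex heuristics only; a production scanner would parse the code.
// V1 and V2 are constructed sample versions of a hypothetical package.
const SIGNALS = {
  network: /require\(\s*['"](?:node:)?(?:https?|net|dns|dgram)['"]\s*\)|\bfetch\s*\(/,
  filesystem: /require\(\s*['"](?:node:)?fs(?:\/promises)?['"]\s*\)/,
  environment: /\bprocess\.env\b/,
  shell: /require\(\s*['"](?:node:)?child_process['"]\s*\)/,
  dynamicCode: /\beval\s*\(|\bnew\s+Function\s*\(/,
};
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Collect the set of capability labels a single package version exhibits.
function capabilities(pkg) {
  const found = new Set();
  const scripts = pkg.manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) found.add("installScript:" + hook);
  }
  for (const source of Object.values(pkg.files)) {
    for (const [name, pattern] of Object.entries(SIGNALS)) {
      if (pattern.test(source)) found.add(name);
    }
  }
  return found;
}

// Capabilities present in the new version but absent from the old one.
function newCapabilities(oldPkg, newPkg) {
  const before = capabilities(oldPkg);
  return [...capabilities(newPkg)].filter((c) => !before.has(c)).sort();
}

const V1 = {
  manifest: { name: "tiny-format", version: "1.0.0", scripts: { test: "node test.js" } },
  files: { "index.js": "module.exports = (s) => String(s).trim();" },
};
const V2 = {
  manifest: {
    name: "tiny-format",
    version: "1.0.1",
    scripts: { test: "node test.js", postinstall: "node setup.js" },
  },
  files: {
    "index.js": "module.exports = (s) => String(s).trim();",
    "setup.js": "const https = require('https'); const env = process.env; eval('1 + 1');",
  },
};

console.log(newCapabilities(V1, V2));
```

Pattern matching like this is defeated by obfuscated code, which is why obfuscation appears in the list above as a risk signal in its own right.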
6. Trends and Evolving Threats in the Supply Chain
- Supply Chain Risks Expanding: Attacks are now targeting Chrome, Firefox, and VS Code extensions, ecosystems where extension selling and compromised maintenance are rampant.
- Quote: “Some of the same types of supply chain attacks that’ve affected npm are now starting to affect all these other ones.” (36:19)
- AI Models as Attack Surfaces:
- LLMs can hallucinate insecure or non-existent packages—attackers register those package names to hijack agent-based workflows.
- Quote: “If you can basically predict what the LLM is going to hallucinate, you can go register all those names and just like you would squat on a domain name...” (38:12)
7. Defensive Posture and Industry Realities
- Security As Afterthought: The rush to adopt AI (at board and C-level pressure) means security often lags.
- Quote: “There’s a lot of pressure to...just use all the stuff, you know, and not to worry so much about security.” (41:02)
- Emerging Tools and Features:
- Newer package managers (pnpm, Deno) have stronger defaults (e.g., blocking install scripts, permission models)—but adoption among large apps is limited due to real-world complexity.
- Quote: “Node and Deno’s permissions model...it's not really used in my experience at least in real world applications...” (42:09)
Notable Quotes & Memorable Anecdotes
- On shipping early:
“What I think worked in this case was I just, like, put it out there. It didn't really matter that it was, like, pretty bad code. I, like, put it out there and then I improved after I saw that people actually cared.” (08:20, Feross)
- On supply chain realities:
“At the end of the day, all this code gets bundled together and run in a single process...so it doesn't really matter if you wrote this code and then someone else wrote that other code. Like ultimately you're shipping all that code together to production and...you're responsible for what it does.” (26:28, Feross)
- On extension attacks:
“Folks will just sell their extension to somebody else...they often don’t necessarily know that the person buying it is going to change the behavior in a malicious way.” (36:41, Feross)
- On LLMs and novel supply chain attack vectors:
“LLMs can also just write insecure code, or specifically they can install dependencies that are insecure. In some cases they hallucinate package names that don’t even exist...what attackers have started doing is like running the LLMs and...register all those [hallucinated] names.” (37:58, Feross)
- On open source burnout:
“I didn’t promise it would never have a defect. And so it’s actually okay. It’s actually enough to give a one time gift. You don’t have to give a permanent SaaS subscription of your time as a gift to the whole world.” (17:32, Feross)
Important Timestamps
- 03:13: Feross’s first web project; learning by doing over code quality.
- 05:26 – 07:35: The YouTube Instant story and lessons on rapid iteration and viral growth.
- 14:16 – 17:16: WebTorrent’s open journey, conference appearances, and open source burnout.
- 18:39: Introduction to software supply chain security and the birth of Socket.
- 22:26: Security best practices—using lock files and why they matter.
- 28:16 – 32:05: How Socket works—malware heuristics, AI integration, real-time package scanning.
- 34:29 – 36:03: Dependabot/Renovate PRs, timing delays, and the role of Socket in CI workflows.
- 36:19 – 39:48: Chrome extensions, extension sales, and new attack landscapes, including LLMs.
- 41:02: Security challenges in the age of fast-moving AI adoption.
- 42:09: Emerging package manager security models (pnpm, Deno).
- 43:58 – end: Lighthearted discussion on Feross’s two cats, Butter and Cream.
Closing:
Feross shares his contact details and expresses openness to conversations about open source and security.
Blog: feross.org
Socket: socket.dev
Email: feross@socket.dev
For further exploration, listeners are encouraged to consider their software supply chain posture, try out tools like Socket for automated vigilance, and remember: “You’re responsible for what your code does—even if you didn’t write every line.”
