Session

Beyond SBOMs: The Future of Container Supply Chain Security

When a single phished NPM maintainer led to 18 compromised libraries—among them Chalk and Debug, with billions of weekly downloads between them—it proved one thing: SBOMs alone aren't enough. An SBOM that faithfully listed the poisoned versions would have looked perfectly normal; inventory tells you what you shipped, not whether you can trust it.

In this talk, Docker Captain Mohammad-Ali A'râbi explores how modern supply-chain attacks unfold and how the next generation of tools can prevent a repeat of the September 2025 NPM breach.

What you'll learn:

- 🧠 Understand how the 2025 NPM supply-chain attack happened—and why traditional SBOMs couldn't stop it.
- 📦 Pin exact versions and commit a lockfile with integrity hashes, so a malicious release can't be pulled in through a floating version range.
- 🧱 Generate, sign, and verify attestations using Docker Scout + Cosign + Rekor.
- 🔒 Adopt zero-trust build pipelines with SLSA levels + OCI 1.1 referrers.
- 🧰 Defend proactively with seven practical strategies, including blocking lifecycle scripts, using hardware keys for maintainer accounts and signing, and continuously scanning with Snyk / Trivy / Scout.
- 🚀 Turn compliance into confidence by making your entire container lifecycle verifiable.
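As an added example (not the speaker's code or material from the talk), the Node script below turns two of the controls listed above, "pin & lock dependencies" and "block lifecycle scripts", into a CI check over package.json, package-lock.json and .npmrc. Everything in the sample project is constructed for the example: the blocklist entry example-pkg@1.2.3 is a placeholder and not a version from the 2025 incident, the integrity string is not a real digest, and TRUSTED_REGISTRY is an assumption that the project only installs from the public npm registry.

```javascript
// Added example, not from the talk: audit an npm project for exact pins,
// lockfile integrity and a project-wide "no lifecycle scripts" setting.
// All sample inputs at the bottom are constructed.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
const TRUSTED_REGISTRY = "https://registry.npmjs.org/"; // assumption: single public registry

// Constructed blocklist of name@version pairs that must never be installed.
// Placeholder only; NOT the versions involved in the September 2025 incident.
const BLOCKLIST = new Set(["example-pkg@1.2.3"]);

// package.json: every dependency must be an exact version so that a fresh
// `npm install` cannot resolve a caret/tilde range to a newly poisoned release.
function auditManifest(manifest) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!EXACT_VERSION.test(spec)) findings.push({ rule: "floating-range", name, detail: spec });
    }
  }
  return findings;
}

// package-lock.json (lockfileVersion 2 or 3): every resolved package must carry
// an integrity hash, come from the trusted registry and not be blocklisted.
// npm writes `hasInstallScript: true` for packages that declare install hooks;
// flag them so they get reviewed even when scripts are disabled globally.
function auditLockfile(lock, blocklist = BLOCKLIST) {
  const findings = [];
  if (!(lock.lockfileVersion >= 2)) {
    findings.push({ rule: "lockfile-too-old", name: "<root>", detail: String(lock.lockfileVersion) });
    return findings; // v1 lockfiles lack the `packages` section audited below
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the project itself
    const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const id = `${name}@${entry.version}`;
    if (blocklist.has(id)) findings.push({ rule: "blocklisted", name, detail: id });
    if (!entry.integrity) findings.push({ rule: "missing-integrity", name, detail: id });
    if (entry.resolved && !entry.resolved.startsWith(TRUSTED_REGISTRY)) {
      findings.push({ rule: "untrusted-source", name, detail: entry.resolved });
    }
    if (entry.hasInstallScript) findings.push({ rule: "install-script", name, detail: id });
  }
  return findings;
}

// .npmrc: ignore-scripts=true blocks lifecycle scripts for the whole project,
// save-exact=true makes `npm install <pkg>` write exact pins instead of ranges.
function auditNpmrc(text) {
  const settings = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq > 0) settings[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  const findings = [];
  if (settings["ignore-scripts"] !== "true") findings.push({ rule: "scripts-enabled", name: ".npmrc", detail: "set ignore-scripts=true" });
  if (settings["save-exact"] !== "true") findings.push({ rule: "save-exact-off", name: ".npmrc", detail: "set save-exact=true" });
  return findings;
}

function audit({ manifest, lock, npmrc }) {
  return [...auditManifest(manifest), ...auditLockfile(lock), ...auditNpmrc(npmrc)];
}

// ---- constructed sample project (not real data) ---------------------------
const SAMPLE_MANIFEST = {
  name: "demo-app",
  dependencies: { chalk: "^5.3.0", "example-pkg": "1.2.3" }, // one floating, one pinned
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: SAMPLE_MANIFEST.dependencies },
    "node_modules/chalk": {
      version: "5.3.0",
      resolved: "https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-DIGEST",
    },
    "node_modules/example-pkg": {
      version: "1.2.3",
      resolved: "https://mirror.example.invalid/example-pkg-1.2.3.tgz", // not the trusted registry
      hasInstallScript: true, // and no integrity field at all
    },
  },
};
const SAMPLE_NPMRC = "# hardened defaults\nignore-scripts=true\naudit=true\n"; // save-exact missing

const FINDINGS = audit({ manifest: SAMPLE_MANIFEST, lock: SAMPLE_LOCK, npmrc: SAMPLE_NPMRC });
for (const f of FINDINGS) console.log(`${f.rule.padEnd(18)} ${f.name}: ${f.detail}`);
```

In CI, run this before `npm ci --ignore-scripts` and fail the job when `audit` returns any findings. The `install-script` rule is deliberately separate from the `.npmrc` check: disabling scripts stops a hook from running, but the presence of a hook in a package that never had one is itself a signal worth reviewing.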

Mohammad-Ali A'râbi

Docker Captain, Author of "Docker and Kubernetes Security", Senior Software Engineer @ JobRad

Freiburg, Germany
