Session

Securing Your Supply Chain Without Slowing Down Your Dev Team

This session is not just a theoretical warning.

Over the past year, npm has gone from a place where supply chain attacks occur to a place where they occur on a schedule: S1ngularity in August; then, in September, Chalk and Debug, which affected 18 packages with billions of weekly downloads between them; then Shai-Hulud, a self-replicating worm that scans machines for secrets and publishes them to a public repository.

Security researchers no longer call this a spike. They call it the new baseline.

In nearly every one of these attacks, nothing appeared to be wrong. The pipeline stayed green. The tests passed. Developers had no idea that their CI secrets, cloud credentials, and deployment tokens had already been exfiltrated. Many still don't know if a compromised version is sitting in their lockfile right now.
Every day, millions of developers run npm install without a second thought. It's muscle memory. That's how modern software is built. It's also how attackers get in.

This talk will show you exactly how, with a live demo of a single malicious package silently draining secrets while everything appears normal. Then, we break down the attack vectors.

Finally, Florian presents the part that most security talks skip: a practical, actionable playbook for securing an Azure DevOps pipeline using existing tools, with no additional budget and no measurable impact on your team's velocity.

Florian Lenz

Fractional Principal Architect · Microsoft Azure MVP · Building Azure platforms .NET teams actually love

Köln, Germany
