You Didn’t Get Hacked. You Got Updated: How Modern Software Supply Chains Fail Quietly at Scale
Your app works. Your tests pass. Your code is secure. And yet, your PayPal payout address just changed and the money is no longer going to you.
In this talk, we build a simple online shop together: a clean, modern JavaScript application powered by npm packages that millions of developers trust every day. Everything looks normal. The checkout works. Payments go through. Nothing feels wrong. Then the supply chain gets compromised.
Without touching our repository, without exploiting a bug in our own code, a malicious update in a trusted npm dependency silently rewrites the payment logic and redirects every transaction to an attacker’s account. No server breach. No stolen credentials. Just an innocent npm install. The application wasn’t hacked. The ecosystem it depends on was.
This session is a hands-on, story-driven demonstration of why securing only your own code is no longer enough. Modern software is built on thousands of third-party packages written by people you’ve never met, updated on schedules you don’t control, and executed with full trust in your production environment. When one of those packages is compromised, the blast radius can be massive.
We’ll look at what the malicious code actually looks like once it lands in your dependency tree, why popularity and download counts don’t equal safety, and how supply-chain attacks scale so effectively. From there, we’ll move to defense: practical ways to verify dependencies, lock down your software lifecycle, and automate trust so security doesn’t rely on hope and good intentions.
If you write software, you are already part of the supply chain. This talk shows what happens when that chain breaks and how to make sure you’re not the weakest link.
Florian Lenz
Microsoft Azure MVP & Cloud Architect | Helping Engineers & Organizations Build Secure, Scalable Cloud Platforms | Speaker | Author | DevSecOps & Software Architecture
Köln, Germany