Meetup OWASP France (October 2025): NPM Supply Chain Attacks - What Happened in September 2025

Description
During the OWASP Chapter France meetup on 13 October 2025, I walked through the multi-stage supply chain attacks that struck npm in September. This talk breaks down how popular package maintainers were compromised, how the attacks evolved over several days, and what builders can do to harden their JavaScript pipelines.

The target: npmjs.com
- Central registry and default dependency provider for the JavaScript ecosystem
- Owned by GitHub since 2020, hosting more than 3 million public packages
- A platform created in 2010 with limited recent improvements to token management and 2FA enforcement, leaving room for abuse

Timeline of the attacks

8 September 2025, first wave: "Qix maintainer"
- Highly realistic phishing email posing as support (npmjs.help) that urged a 2FA reset
- Maintainer Josh Junon (aka Qix) entered credentials, handing full control to the attacker
- Attacker pushed booby-trapped releases of widely used packages (2–3 billion downloads per week)
- Payload: obfuscated wallet drainer malware hidden inside the packages
- Exposure window: roughly two hours before npm's security team pulled the malicious versions
- Affected packages: [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

9 September 2025, second wave: "duckdb_admin"
- Same phishing lure and payload reused the very next day
- duckdb_admin account compromised, as confirmed by Socket's incident report
- Malicious releases pushed to the DuckDB ecosystem to maximize reach

16 September 2025: Shai-Hulud worm
- Automated propagation leveraging stolen npm/GitHub tokens plus targeted phishing
- Aims: publish compromised releases, exfiltrate secrets, and establish persistence through GitHub Actions
- Demonstrated chained compromises of maintainers and repository poisoning
- Deep dive by Wiz: Shai-Hulud npm supply chain attack

GitHub response (9 October 2025)
- Strengthened 2FA: migration toward FIDO security keys and tighter TOTP flows
- Removal of all 2FA bypass paths for publishing packages
- Sunset of legacy automation tokens in favor of 90-day fine-grained tokens
- Expansion of Trusted Publishing via OIDC to sign releases automatically
- Public roadmap: Our plan for a more secure npm supply chain

How to protect your pipelines
- Lockfiles everywhere: commit package-lock.json / pnpm-lock.yaml to pin dependencies
- Smarter CLIs: prefer pnpm or other tooling capable of blocking post-install scripts
- Dedicated monitoring: integrate services like Socket.dev, JFrog Xray, or Snyk for anomaly detection
- OIDC by default: move publishing and CI/CD authentication to OIDC-based workflows
- Secret hygiene: keep token lifetimes short, review permissions often, and log every credential use

Resources
- Socket: DuckDB npm account compromised
- Socket: npm author Qix compromised
- Wiz: Shai-Hulud npm supply chain attack
- GitHub: Plan for a more secure npm supply chain
- Lockfile guide for package-lock.json

October 13, 2025 · 3 min · Enguerrand Allamel

AWS Summit Paris 2025: Rethinking Cloud Security, from Code to Real-time Protection

Title / Titre
English: Rethinking Cloud Security, from Code to Real-time Protection
French: Sécurité cloud repensée, du code à la protection en temps réel

Description
Discover how Ledger, a leader in secure cryptocurrency wallets, strengthened the security of its cloud infrastructure with Wiz. Through a unified approach, from real-time detection to automated remediation, Ledger was able to simplify risk management, ensure complete visibility, and democratize security across its teams. ...

April 9, 2025 · 1 min · Enguerrand Allamel

Wiz.io x Ledger: Protecting Ledger's Infrastructure: Cloud Security at Scale for Cryptocurrency Assets

Description
As Staff Cloud Security Engineer at Ledger, I share how we protect the infrastructure behind one of the world's leading cryptocurrency security companies. This case study explores our journey from fragmented security visibility to comprehensive cloud protection across our multi-cloud environment. In this talk, I discuss how Ledger leverages Wiz's Cloud Native Application Protection Platform (CNAPP) to secure both our internal infrastructure and protect our customers' sensitive data. We'll cover practical implementations including: ...

February 20, 2025 · 2 min · Enguerrand Allamel

KubeCon CloudNativeCon North America 2024: Practical Supply Chain Security: Implementing SLSA Compliance from Build to Runtime

Description
Securing the software supply chain can feel overwhelming, especially with dynamic frameworks like SLSA (Supply-chain Levels for Software Artifacts). This beginner-friendly session explores practical strategies to secure your software from build to runtime using cloud-native tools and methodologies. In this comprehensive talk, I demonstrate how to implement robust supply chain security practices within the CNCF ecosystem, covering: ...

November 15, 2024 · 2 min · Enguerrand Allamel

KubeCon CloudNativeCon China 2024: Securing the Supply Chain: A Practical Guide to SLSA Compliance from Build to Runtime | 保障供应链安全:从构建到运行的SLSA合规实用指南

Description
Navigating the complexities of supply chain security might seem intimidating, especially with evolving frameworks like SLSA (Supply-chain Levels for Software Artifacts). This beginner-friendly session introduces foundational practices required to secure software from build to runtime using CNCF tools. In this talk, I explore practical implementations of supply chain security within the Kubernetes ecosystem, covering: ...

August 21, 2024 · 2 min · Enguerrand Allamel