"Your software supply chain is compromised"

Software supply chain attacks have moved from theory to day-to-day reality—especially in 2024–2025 with incidents like the xz backdoor, npm worms, and compromised CI/CD actions. This talk will walk through how modern attackers target your dependencies, build systems, and package registries, and what practical defenses DevOps teams can put in place.

We’ll cover real-world examples of attacks against npm and other ecosystems, how malicious code gets into your pipeline (and stays there), and how these patterns affect both federal agencies and commercial environments. From compromised GitHub Actions to poisoned base images, we’ll connect the dots from “one bad dependency” to full cloud compromise.

The second half of the session focuses on mitigation strategies you can actually implement: tightening developer and CI identity, pinning and vetting actions and dependencies, generating SBOMs, signing artifacts, and building a roadmap toward SLSA-style provenance and supply chain resilience.

What we’ll discuss

• Recent software supply chain attacks in 2024–2025 (npm, CI/CD, xz, etc.)
• How attackers abuse package managers and build pipelines
• Specific risks and requirements in federal vs. commercial environments
• Practical defenses for DevOps: from MFA and short-lived tokens to SBOMs and signed builds
• How to start a 30/90-day roadmap for securing your own pipelines

Who should attend

• DevOps engineers, SREs, and platform engineers
• Security engineers and architects supporting CI/CD
• Technical leaders in federal and commercial organizations who need to justify supply chain security investments