

Supply Chain Attacks – Focused on NPM attacks

with Danish Tariq, Hassan Khan Yusufzai


In an era of escalating supply chain attacks, this presentation sheds light on the threats posed to open-source software, particularly the NPM ecosystem. We explore the ‘What, Why, and How’ of these attacks and their consequences, emphasizing the need for preemptive measures.

The talk drills down into the vulnerability of NPM packages, especially their susceptibility to account takeovers when maintainers’ email addresses expire. Despite sounding trivial, this issue can have catastrophic ramifications, affecting countless applications. Our research involves scanning 2.1 million NPM packages, identifying vulnerabilities, and gauging their impact through download statistics.

We present our methodology and introduce an open-source script to automate vulnerability identification. Additionally, we discuss the history of NPM dependency attacks, illustrate recent vulnerabilities, and share strategies to fortify against such threats. Attendees will leave with a heightened awareness of open-source security, the ability to identify vulnerable NPM dependencies, and the means to protect their organisations.
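The check the abstract describes, scanning a package's maintainer e-mail addresses for domains that no longer resolve and ranking hits by download count, can be expressed as a small audit routine. The block below is an added example for this page and is not the speakers' open-source script; the registry metadata, download counts and DNS answers in it are constructed so the code runs offline, and the resolver callback (`offline_resolver` / `live_resolver`) is an assumption of the example rather than anything the talk specifies.

```python
"""Audit npm dependency maintainers for e-mail domains that no longer resolve.

Added example (not the speakers' tool): all packages, people, domains and
download counts below are invented so the audit runs without network access.
"""
import socket
from typing import Callable, Dict, List

# Constructed sample of registry metadata. The "maintainers" list mirrors the
# shape of the npm registry's package document, but every entry is made up.
SAMPLE_REGISTRY: Dict[str, dict] = {
    "left-widget": {"maintainers": [{"name": "alice", "email": "alice@example.com"}]},
    "tiny-util": {"maintainers": [{"name": "bob", "email": "bob@lapsed-domain.test"}]},
    "big-lib": {"maintainers": [
        {"name": "carol", "email": "carol@example.org"},
        {"name": "dave", "email": "dave@lapsed-domain.test"},
    ]},
    "no-email-pkg": {"maintainers": [{"name": "erin"}]},  # no address published
}

# Constructed weekly download counts, used to rank findings by blast radius.
SAMPLE_DOWNLOADS: Dict[str, int] = {
    "left-widget": 120, "tiny-util": 45_000, "big-lib": 900_000, "no-email-pkg": 3,
}

# Constructed DNS answers: domain -> does it currently resolve?
SAMPLE_DNS: Dict[str, bool] = {
    "example.com": True, "example.org": True, "lapsed-domain.test": False,
}


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    if not email or email.count("@") != 1:
        return ""
    local, domain = email.split("@")
    if not local or not domain:
        return ""
    return domain.strip().lower()


def offline_resolver(domain: str) -> bool:
    """Resolver used by the example: answers from the constructed table."""
    return SAMPLE_DNS.get(domain, False)


def live_resolver(domain: str) -> bool:
    """Real-world stand-in (assumption, not run by the example): a domain counts
    as resolving if it has any A/AAAA record. A lapsed registration usually
    yields NXDOMAIN, but a registered domain with no records also fails here,
    so a hit is a prompt for manual review, not proof of takeover risk."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit(registry: Dict[str, dict], downloads: Dict[str, int],
          resolves: Callable[[str], bool]) -> List[dict]:
    """Flag every maintainer whose e-mail domain fails to resolve.

    Returns one finding per (package, maintainer), sorted so the most-downloaded
    packages come first, which is how the talk gauges impact.
    """
    findings: List[dict] = []
    checked: Dict[str, bool] = {}  # one lookup per domain, shared across packages
    for pkg, meta in registry.items():
        for maintainer in meta.get("maintainers", []):
            domain = email_domain(maintainer.get("email", ""))
            if not domain:
                continue  # nothing to check for this maintainer
            if domain not in checked:
                checked[domain] = resolves(domain)
            if not checked[domain]:
                findings.append({
                    "package": pkg,
                    "maintainer": maintainer.get("name", "?"),
                    "domain": domain,
                    "weekly_downloads": downloads.get(pkg, 0),
                })
    findings.sort(key=lambda f: f["weekly_downloads"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REGISTRY, SAMPLE_DOWNLOADS, offline_resolver):
        print(f"{f['package']:<12} {f['maintainer']:<8} {f['domain']:<22} "
              f"{f['weekly_downloads']:>8} downloads/week")
```

Run against real data, the registry dictionary would come from each dependency's registry document and `offline_resolver` would be swapped for `live_resolver` (or a proper MX/NS plus WHOIS lookup); the domain cache matters there because one lapsed domain typically appears across many packages by the same maintainer.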

This presentation addresses a pressing gap in current security practices, providing valuable insights for defending against NPM package vulnerabilities.

This event is proudly organised in partnership with Mobsquad.

Join the Community!

If you haven’t joined the Discord community, please do so! You can find us on Discord at:


Danish Tariq

Security Engineer at Confidential

About Danish Tariq

Danish Tariq is a seasoned Security Engineer and Researcher with over 8 years of cybersecurity expertise. He’s renowned for his proficiency in Penetration Testing and Vulnerability Assessments, having contributed to bug bounty programs for industry giants like Microsoft, Apple, and Nokia.

Danish presented at BlackHat MEA 2022, addressing Supply-Chain Attacks, and gained recognition in “The Register” for his security insights. He holds certifications including Certified Ethical Hacker, Certified Vulnerability Assessor (CVA), Certified AppSec Practitioner, and Certified Network Security Specialist (CNSS).

As an Ex-Chapter Leader at OWASP and a Moderator at OWASP 2022 Global AppSec APAC, Danish remains dedicated to advancing cybersecurity practices. His recent research contributions include CVEs, notably CVE-2022-2848 and CVE-2022-25523.

Hassan Khan Yusufzai

Senior Security Engineer

About Hassan Khan Yusufzai

Hassan Khan is a Senior Security Researcher with an OSCP certification and a track record of excellence. He’s a recognized name in cybersecurity, having earned spots in the Security Hall of Fame for Google, Twitter, and Microsoft in 2017. Hassan contributes his expertise to HackerOne and Bugcrowd, conducts extensive research on WordPress Security, and emerged as the champion of the HackFest Capture The Flag (CTF) competition. Notably, he’s the developer of essential security tools like and an npm scanner designed to thwart account hijacking. Hassan Khan is a stalwart defender of digital security.
