# NPM Supply Chain Attack: Lessons in Security and Human Error

- Page: https://stenobird.com/podcast/devops-sauna-from-eficode/npm-supply-chain-attack-lessons-in-security-and-human-error
- Text version: https://stenobird.com/podcast/devops-sauna-from-eficode/npm-supply-chain-attack-lessons-in-security-and-human-error.md
- Podcast: [DevOps Sauna from Eficode](https://stenobird.com/podcast/devops-sauna-from-eficode)
- Published: 2025-09-12T08:00:00+00:00
- Episode link: https://www.buzzsprout.com/2246063/episodes/17827471-npm-supply-chain-attack-lessons-in-security-and-human-error.mp3
- Audio file: https://www.buzzsprout.com/2246063/episodes/17827471-npm-supply-chain-attack-lessons-in-security-and-human-error.mp3
- Processing state: failed
- JSON: https://stenobird.com/v1/public/podcasts/devops-sauna-from-eficode/episodes/npm-supply-chain-attack-lessons-in-security-and-human-error
- Duration seconds: 987

## Resource

A major security incident shook the JavaScript world when malicious code was discovered in 20 widely used NPM packages, collectively downloaded over 2 billion times per week. In this episode, Pinja and Darren break down what happened, how a phishing email led to the breach, and why human error remains one of the biggest risks in cybersecurity. They explore the scope of the attack, its surprisingly small financial impact, and the broader lessons around open-source trust, depen...

## Actions

- request_transcript: `POST https://stenobird.com/v1/public/podcasts/devops-sauna-from-eficode/episodes/npm-supply-chain-attack-lessons-in-security-and-human-error/transcription-requests` — Idempotently request low-priority transcript generation for this episode.
- read_markdown: `GET https://stenobird.com/podcast/devops-sauna-from-eficode/npm-supply-chain-attack-lessons-in-security-and-human-error.md` — Read the agent-friendly Markdown representation of this episode resource. A page view does not enqueue transcription. Agents should invoke `request_transcript` explicitly when they need this episode processed.

## Transcript

Full transcripts are not published on public pages unless there is a clear rights basis.