The past year saw an explosion of highly effective malicious-package attacks. Well-known libraries were compromised, and new versions shipped with additions for crypto theft or data exfiltration. Attackers launched successive campaigns, each building on the last and growing more effective with every iteration. We bore witness to the first appearance of the great sandworm, followed by a far worse second coming. A simple bit of JavaScript that started with a mere 37 packages swiftly spread like a worm from one victim to the next. In the end, it compromised an estimated 700 packages and GitHub accounts across more than a thousand organizations. Many recognizable companies had source code and other sensitive artifacts stolen. This talk digs into how these campaigns worked and why they were so effective, with real-world examples of how they slipped into even established security vendors or became pivot points for deeper compromise. We'll also look at what has actually changed to counter this class of threat, what still hasn't, and what is effective at protecting against these attacks.


Speakers

Megg Sage

Senior Security Engineer, PagerDuty
Megg is an application security engineer who started out as a web developer. Security drew her in with the endless puzzles and challenges put forth by the field. She loves sharing knowledge, particularly when she can both educate and frighten her audience at the same time. After all...
Monday June 1, 2026 10:40am - 11:30am PDT
Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP 515 W Hastings St, Vancouver, BC V6B 5K3, Canada