Who Watches the NPM Watchers?
Paul McCarty
BSidesSF 2026 · Day 2 · AMC Theatre 09
In his thought-provoking BSides SF talk, "Who Watches the NPM Watchers?", Paul McCarty, co-founder of Open-Source Malware, delves into the critical, yet often unexamined, landscape of NPM package scanning. The presentation uncovers the varying methodologies, motivations, and significant blind spots of organizations tasked with monitoring the world's largest software registry. McCarty’s research employs an innovative approach using "canary packages" to observe and fingerprint the entities — from cloud providers and security vendors to nation-state actors — that are actively scrutinizing the NPM ecosystem.
AI review
McCarty turns a clever but simple premise — canary packages as scanner fingerprints — into genuinely actionable intelligence about who's watching NPM, what they're ignoring, and how badly they leak their own tradecraft. The research is original, the methodology is reproducible, and the findings name names with receipts. Not a world-shaking zero-day, but exactly the kind of unglamorous supply-chain work that needs more oxygen.
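The canary-package premise from the abstract, and the review's point about scanners revealing what they ignore, both come down to one defender-side analysis: record who fetched each canary variant and how fast, then look for the variants a given scanner never touched. The following is an added example, not code from the talk or from Open-Source Malware; it assumes a canary package reports fetch events out of band into a log whose fields (timestamp, source network label, user agent, canary variant) are an assumed shape, and the log lines and publish times below are constructed sample data.

```python
"""Fingerprint scanners from canary-package fetch logs and list their blind spots.

Added example, not the talk's code. The log format and the variant names are
assumptions; the sample log and publish times are constructed.
"""
from datetime import datetime, timezone

# Assumed: each canary variant was published at a known time (constructed).
PUBLISHED = {
    "plain": "2026-04-01T10:00:00Z",
    "postinstall": "2026-04-01T10:00:00Z",
    "minified-blob": "2026-04-01T10:00:00Z",
}

# Constructed sample callback log: timestamp|source network|user agent|variant.
SAMPLE_LOG = """\
2026-04-01T10:00:07Z|cloud-provider-A|scanner-bot/1.0|plain
2026-04-01T10:00:09Z|cloud-provider-A|scanner-bot/1.0|postinstall
2026-04-01T10:00:11Z|cloud-provider-A|scanner-bot/1.0|minified-blob
2026-04-01T10:02:30Z|vendor-B|npm/10.2.0 node/v20.11.0|plain
2026-04-01T10:02:31Z|vendor-B|npm/10.2.0 node/v20.11.0|postinstall
2026-04-01T11:45:00Z|vendor-C|python-requests/2.31|plain
2026-04-01T11:45:02Z|vendor-C|python-requests/2.31|plain
2026-04-02T03:10:00Z|unknown-hosting-D|curl/8.4.0|minified-blob
"""


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_log(text):
    """Turn pipe-separated callback lines into dicts; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, network, agent, variant = line.split("|")
        records.append({"ts": parse_ts(ts), "network": network,
                        "agent": agent, "variant": variant})
    return records


def fingerprint(records, published):
    """Group fetches by (network, user agent) and keep, per variant, the
    fastest time-to-first-fetch in seconds after publication."""
    pub = {v: parse_ts(t) for v, t in published.items()}
    profiles = {}
    for r in records:
        key = (r["network"], r["agent"])
        prof = profiles.setdefault(key, {"hits": 0, "first_fetch_s": {}})
        prof["hits"] += 1
        delay = (r["ts"] - pub[r["variant"]]).total_seconds()
        prev = prof["first_fetch_s"].get(r["variant"])
        if prev is None or delay < prev:
            prof["first_fetch_s"][r["variant"]] = delay
    return profiles


def blind_spots(profiles, published):
    """For each scanner, the published variants it never fetched at all."""
    return {key: sorted(set(published) - set(p["first_fetch_s"]))
            for key, p in profiles.items()}


def coverage_report(log_text=SAMPLE_LOG, published=PUBLISHED):
    """Run the whole pipeline and return (profiles, blind_spots)."""
    profiles = fingerprint(parse_log(log_text), published)
    return profiles, blind_spots(profiles, published)


if __name__ == "__main__":
    profiles, gaps = coverage_report()
    for key, prof in profiles.items():
        net, agent = key
        fetched = ", ".join(f"{v}@{s:.0f}s" for v, s in sorted(prof["first_fetch_s"].items()))
        print(f"{net:18} {agent:28} hits={prof['hits']} fetched=[{fetched}] "
              f"missed={gaps[key]}")
```

The "missed" column is the interesting output: a scanner that fetches the plain variant within seconds but never pulls the minified blob has told you where its triage stops, which is exactly the kind of blind spot the talk is about.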