How malicious packages on npm bypass existing security tools
Paul McCarty
DEF CON 33 (backfill) · Day 1 · Main Stage
In this compelling talk from DEF CON, Paul McCarty, Head of Research at Safety, sheds light on the escalating threat of malicious packages within the open-source ecosystem, particularly **npm**. McCarty argues that traditional security paradigms and tools are woefully inadequate against this modern adversary, which targets developers and CI/CD pipelines with increasing sophistication. He highlights fundamental design flaws in npm, coupled with unique characteristics of interpreted languages like JavaScript, that create a fertile ground for attackers to evade detection.
AI review
McCarty clearly knows this space cold — his OSV.dev contribution record and hands-on package hunting give him genuine credibility, and the talk lands real signal on why current tooling fails against interpreted-language malware. But the content sits at survey level: it maps the problem well without going deep enough on any single technique to give a skilled practitioner something they couldn't piece together from existing Sonatype, Checkmarx, or Socket research blogs.