Talk
Virtual
Finding malware in self-service templates
Recent Shai-Hulud attacks show how malware infiltrates internal developer platforms (IDPs) through self-service templates. We’ll trace the evolution of these supply chain threats and demonstrate how to use OpenSSF’s Malicious Packages data to catch risks before they spread.
Public upstreams like PyPI and npm are no longer just accidental targets; they are the front lines of sophisticated supply chain warfare. Recent high-profile incidents like S1gularity and Shai-Hulud have demonstrated a shift toward aggressive typosquatting and worm-like propagation designed to exfiltrate secrets from build environments.
This session explores how these compromised dependencies silently migrate into internal developer platforms (IDPs) via self-service templates, turning a "golden path" into a security liability. It analyzes the evolution of these attacks and demonstrates practical defense strategies. Attendees will learn how to leverage OpenSSF's Malicious Packages project to automate threat identification and help ensure templates remain a foundation of trust.
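To illustrate the kind of automated check the session describes, here is an added example (not the speakers' code) that matches a template's pinned dependencies against OSV-format records like those published by the OpenSSF Malicious Packages project. The record ids, package names and versions below are constructed placeholders, and the manifest format is a simple name-to-version mapping assumed for the example.

```python
"""Flag template dependencies listed in OpenSSF Malicious Packages (OSV JSON) records."""
import re

# Constructed records in the OSV shape used by the malicious-packages repository.
# Ids, names and versions are placeholders, not real entries.
MALICIOUS_RECORDS = [
    {"id": "MAL-0000-EXAMPLE-1",
     "affected": [{"package": {"ecosystem": "npm", "name": "left-padd"},
                   # introduced "0" with no "fixed" event means every version is affected
                   "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]}]},
    {"id": "MAL-0000-EXAMPLE-2",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "requessts"},
                   "versions": ["0.0.1", "0.0.2"]}]},
]


def normalize(ecosystem, name):
    """PyPI names are case-insensitive and treat '-', '_' and '.' alike (PEP 503)."""
    if ecosystem == "PyPI":
        return re.sub(r"[-_.]+", "-", name).lower()
    return name


def build_index(records):
    """Map (ecosystem, normalized name) -> {ids, all-versions flag, explicit versions}."""
    index = {}
    for rec in records:
        for aff in rec.get("affected", []):
            pkg = aff.get("package", {})
            eco = pkg.get("ecosystem", "")
            key = (eco, normalize(eco, pkg.get("name", "")))
            entry = index.setdefault(key, {"ids": set(), "all": False, "versions": set()})
            entry["ids"].add(rec["id"])
            entry["versions"].update(aff.get("versions", []))
            for rng in aff.get("ranges", []):
                if any(ev.get("introduced") == "0" for ev in rng.get("events", [])):
                    entry["all"] = True
    return index


def scan_manifest(deps, ecosystem, index):
    """deps: {name: pinned_version} from a template. Returns [(name, version, [ids])]."""
    hits = []
    for name, version in deps.items():
        entry = index.get((ecosystem, normalize(ecosystem, name)))
        if entry and (entry["all"] or version in entry["versions"]):
            hits.append((name, version, sorted(entry["ids"])))
    return hits


if __name__ == "__main__":
    idx = build_index(MALICIOUS_RECORDS)
    print(scan_manifest({"left-padd": "1.3.0", "express": "4.18.2"}, "npm", idx))
```

Running this against a template's lockfile before it is published to the IDP catalogue turns the dataset into a gate rather than a report to read after the fact.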
