Talk
Virtual
How transitive dependencies turn minor packages into major incidents
Recent npm supply chain attacks like Shai-Hulud have shown that the biggest risks often come from code you never intentionally installed. This 15-minute session breaks down how transitive dependencies expand your attack surface and how teams can reduce exposure.
The recent wave of npm supply chain attacks has highlighted a hard truth about modern software development: organizations rarely run only the code they choose to install. Instead, applications rely on deep and rapidly changing dependency trees, where a single direct dependency can introduce hundreds or even thousands of transitive packages. This complexity creates an expanding and often invisible attack surface that threat actors increasingly exploit through techniques such as malicious package updates, dependency confusion, and maintainer compromise.
This session examines how these attacks propagate through the npm ecosystem and why transitive dependencies make detection and response particularly challenging for platform and security teams. It demystifies dependency resolution, explores real-world attack patterns, and explains why traditional perimeter and repository-level controls are no longer sufficient on their own. Attendees gain a practical understanding of where risk enters the software supply chain and how teams can introduce smarter controls, visibility, and policy enforcement without disrupting developer workflows.
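To make the dependency-resolution point concrete, here is an added example (not material from the session or its speakers) that walks an npm package-lock.json, lockfileVersion 2 or 3, and reports what a project actually installs: how many packages are direct versus transitive, which names are present in more than one version, and which packages carry an install-time lifecycle script (npm records this as `hasInstallScript: true`), attributed back to the direct dependency that pulled them in. The lockfile embedded in the script is constructed for the example and its package names are placeholders, not real packages.

```javascript
// Added example (not from the session): enumerate what an npm project really
// installs by walking package-lock.json (lockfileVersion 2/3). Every entry in
// "packages" is keyed by its path under node_modules, and npm records
// "hasInstallScript": true for packages with preinstall/install/postinstall
// hooks, which is where a malicious update gets code execution at install time.
//
// The lockfile below is constructed for this example; names are placeholders.
const LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-app",
      dependencies: { "web-framework": "^1.0.0" },
      devDependencies: { "test-runner": "^2.0.0" },
    },
    // web-framework wants an older debug-lib, so npm nests a second copy under it
    "node_modules/web-framework": {
      version: "1.0.0",
      dependencies: { "body-parser-lib": "^3.0.0", "debug-lib": "^3.0.0" },
    },
    "node_modules/web-framework/node_modules/debug-lib": { version: "3.0.0" },
    "node_modules/body-parser-lib": {
      version: "3.0.0",
      dependencies: { "debug-lib": "^4.0.0", "raw-body-lib": "^1.0.0" },
    },
    "node_modules/raw-body-lib": { version: "1.0.0", dependencies: { "color-util": "^0.5.0" } },
    "node_modules/debug-lib": { version: "4.0.0" },
    "node_modules/color-util": { version: "0.5.0", hasInstallScript: true },
    "node_modules/test-runner": { version: "2.0.0", dev: true, dependencies: { "debug-lib": "^4.0.0" } },
  },
};

// Resolve a dependency name the way Node does: look in the dependant's own
// node_modules, then in each ancestor's node_modules, up to the project root.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Package name from a lockfile path; keeps scoped names such as @scope/pkg intact.
function nameFromPath(p) {
  const marker = "node_modules/";
  return p.slice(p.lastIndexOf(marker) + marker.length);
}

// Breadth-first walk from the root's dependencies. Returns direct vs transitive
// counts, names installed in more than one version, and every package that
// carries an install script together with the direct dependency that pulled it in.
function analyzeLockfile(lock, { includeDev = false } = {}) {
  const packages = lock.packages;
  const root = packages[""];
  const direct = Object.keys(root.dependencies || {});
  if (includeDev) direct.push(...Object.keys(root.devDependencies || {}));

  const reached = new Map(); // lockfile path -> info
  const queue = [];
  for (const name of direct) {
    const p = resolveDep(packages, "", name);
    if (p) queue.push({ path: p, direct: true, via: name });
  }
  while (queue.length) {
    const { path, direct: isDirect, via } = queue.shift();
    if (reached.has(path)) continue; // already counted (diamond dependency)
    const entry = packages[path];
    reached.set(path, {
      name: nameFromPath(path),
      version: entry.version,
      direct: isDirect,
      via,
      hasInstallScript: entry.hasInstallScript === true,
    });
    // optionalDependencies and peerDependencies are ignored here for brevity.
    for (const dep of Object.keys(entry.dependencies || {})) {
      const p = resolveDep(packages, path, dep);
      if (p) queue.push({ path: p, direct: false, via });
    }
  }

  const versionsByName = new Map();
  for (const info of reached.values()) {
    if (!versionsByName.has(info.name)) versionsByName.set(info.name, new Set());
    versionsByName.get(info.name).add(info.version);
  }
  const duplicates = {};
  for (const [name, versions] of versionsByName) {
    if (versions.size > 1) duplicates[name] = [...versions].sort();
  }

  const all = [...reached.values()];
  return {
    direct: all.filter((p) => p.direct).length,
    transitive: all.filter((p) => !p.direct).length,
    duplicates,
    installScripts: all
      .filter((p) => p.hasInstallScript)
      .map((p) => `${p.name}@${p.version} (via ${p.via})`),
  };
}

console.log(JSON.stringify(analyzeLockfile(LOCKFILE), null, 2));
```

On the constructed lockfile, one direct dependency brings in five transitive packages, two copies of `debug-lib`, and an install script in `color-util` that the application never asked for. To run it against a real project, replace `LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a lockfileVersion 1 file has no `packages` map and is not handled. Packages the script flags under `installScripts` are the ones that would execute code during `npm install` unless the install runs with `--ignore-scripts`.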
