DevSec Station

Tanya Janca | SheHacksPurple

DevSec Station is a security focused podcast for software developers who want to create amazing applications. Hosted by Tanya Janca, also known as SheHacksPurple, these short lessons will help you level up.

Episodes

  1. Supply Chain Is More Than Just Dependencies

    4 hrs ago

    Supply Chain Is More Than Just Dependencies

    Most developers think software supply chain security starts and ends with dependencies. But modern supply chain attacks don't stop there. Attackers look for paths into your software, and those paths often run through developers, CI/CD systems, build tools, deployment pipelines, and other trusted parts of the software delivery process. This episode is sponsored by Maze. In this episode of DevSec Station, Tanya Janca explains why the software supply chain is much bigger than libraries and packages, how modern attacks move through trusted systems, and what developers can do to better understand and protect the paths their software travels before it reaches production. You'll learn: • why dependencies are only one part of the supply chain • how attackers move through trusted developer tooling and processes • what "influence" means in a software supply chain context • why supply chain attacks often appear normal until it's too late • how to identify and protect the paths that affect your software Tanya walks through a realistic supply chain attack scenario where no application vulnerability is exploited directly. Instead, an attacker compromises a trusted part of the software delivery process and uses it to influence what gets built and deployed. DevSec Station is a podcast by Tanya Janca (SheHacksPurple), focused on short, practical lessons that help software developers build more secure software. Follow Tanya: • https://shehackspurple.ca • https://youtube.com/@shehackspurple • https://linkedin.com/in/tanya-janca This episode is sponsored by Maze. One of the biggest problems in security right now is that every vulnerability (or cloud?) scanner says everything is critical, and honestly, no one has time for that. Maze uses AI agents to investigate vulnerabilities in context, so you can focus on the issues that are actually exploitable in your environment, not just theoretically scary. Their AI agents also generate and prioritize fixes that knock out multiple vulnerabilities at once, which is honestly the kind of scaling that security teams need right now. Learn more about Maze mazehq.com/devsec

    7 min
  2. Malicious Dependencies Aren’t an Accident

    21 May

    Malicious Dependencies Aren’t an Accident

    Malicious dependencies are not accidents. They are often intentionally designed to look trustworthy so developers install them without hesitation. In this episode of DevSec Station, Tanya Janca explains how attackers use typosquatting, dependency confusion, fake packages, and even AI-generated recommendations to compromise developer environments and steal credentials.  This episode is sponsored by Maze. You’ll learn: • how malicious packages trick developers • why dependency attacks work so well • how attackers abuse trust and speed • why “just be careful” is not an effective defense • practical ways to add safer guardrails to your development workflow Tanya walks through a realistic example of a dependency stealing AWS credentials, explains why this is a workflow problem instead of a developer failure, and shares practical steps you can take immediately to reduce risk in your own projects. One practical action from this episode: Require new dependencies to go through pull request review, and add lightweight checks that help your team verify package names and sources before installation. DevSec Station is a podcast by Tanya Janca, focused on short, practical lessons that help software developers build more secure software. Follow Tanya: • https://shehackspurple.ca • https://newsletter.shehackspurple.ca • https://linkedin.com/in/tanya-janca • https://www.youtube.com/shehackspurple • https://TanyaJanca.com   This episode is sponsored by Maze. One of the biggest problems in security right now is that every vulnerability (or cloud?) scanner says everything is critical, and honestly, no one has time for that. Maze uses AI agents to investigate vulnerabilities in context, so you can focus on the issues that are actually exploitable in your environment, not just theoretically scary. Their AI agents also generate and prioritize fixes that knock out multiple vulnerabilities at once, which is honestly the kind of scaling that security teams need right now. Learn more about Maze mazehq.com/devsec

    8 min

  3. 22 Apr ·  Bonus

    NPM Supply Chain Attack: Active Worm Stealing Tokens, SSH Keys, and Credentials

    🚨 Emergency DevSec Station update. There’s an active npm supply chain attack happening right now. Malicious npm packages are running install scripts that quietly steal:  • SSH keys  • AWS credentials  • GitHub tokens  • Browser passwords  • Crypto wallets From there, the attack uses your npm publish token to spread into every package you maintain. That’s how this turns into a worm across the npm ecosystem. This is not theoretical. It’s already in the wild. 👉 Immediate fix:  Run  npm config set ignore-scripts true This disables install scripts and blocks the main attack path. If you work in JavaScript, Node.js, DevSecOps, or application security, take action now and tell your team. Watch the full 60-second breakdown and share this with anyone who installs npm packages. #npmSecurity #SupplyChainAttack #DevSecOps #AppSec #JavaScriptSecurity #CyberSecurityAlert

    2 min

  4. 14 Apr

    How Modern Supply Chain Attacks Really Happen (Step-by-Step Breakdown for Developers)

    What if a supply chain attack didn’t start with a complex exploit… but something completely normal? A typo.  A copy-paste.  Even an AI suggestion. In this episode, Tanya Janca breaks down how modern supply chain attacks actually happen inside everyday developer workflows. These attacks aren’t one big moment. They’re a series of small, reasonable decisions that quietly introduce risk. You’ll learn:  • Why supply chain attacks are a process, not a single event  • How attackers exploit normal developer behavior  • A simple, step-by-step example of a real attack path  • Why traditional SCA tools often miss real risk  • How to focus on what actually matters 👉 If you do one thing this week:  Run your SCA tool with reachability enabled and fix one real issue. That’s how you start reducing risk. If you work in DevSecOps, application security, or software development, you need to understand this. #SupplyChainSecurity #DevSecOps #AppSec #SecureCoding #SoftwareSecurity #CyberSecurity

    10 min

  5. 21 Mar

    Developers Are Now Targets: How Supply Chain Attacks Actually Reach You

    Developers are no longer just building software.  They’re being targeted directly. In this episode, Tanya Janca explains how supply chain attacks reach developers through everyday tools, packages, and workflows. These attacks don’t feel like attacks at first. They look like normal development work until it’s too late. You’ll learn:  • How supply chain attacks reach individual developers  • Why developer environments are now high-value targets  • Where risk shows up in daily workflows  • Simple ways to protect yourself without slowing down If you work in JavaScript, DevSecOps, or application security, this shift matters. 👉 Start by reviewing what you install, what runs during install, and what your tools are actually doing behind the scenes. #SupplyChainSecurity #DevSecOps #AppSec #SecureCoding #SoftwareSecurity #DeveloperSecurity

    6 min
  • 5 Episodes

About

DevSec Station is a security focused podcast for software developers who want to create amazing applications. Hosted by Tanya Janca, also known as SheHacksPurple, these short lessons will help you level up.

Information

  • Creator
    Tanya Janca | SheHacksPurple
  • Years Active
    2K
  • Episodes
    5
  • Rating
    Clean
  • Copyright
    © 2026 SheHacksPurple
  • Show Website
    DevSec Station

You Might Also Like