Your developers trust npm. Attackers figured that out before your detection stack did. This talk is a ground-up forensic reconstruction of two real npm supply chain campaigns — the NX package compromise in late 2025 and the axios RAT campaign in March 2026 — told entirely from the defender's perspective. Not a theoretical exercise. This is what the logs actually looked like, what the tooling missed, and what finally surfaced the activity. We walk through how a malicious git hook silently drops a RAT onto a developer endpoint the moment they run a routine yarn dlx command, why this technique is specifically engineered to stay quiet in standard endpoint telemetry, and what the attacker does next. The target isn't your servers. It's the MetaMask wallet sitting in your developer's browser profile and the seed phrases cached in their dotfiles. Cloud credentials are secondary — harvested and staged for resale while the crypto moves on-chain. The second half of the talk is pure blue team. We'll share the Humio/LogScale query patterns that actually worked, the CrowdStrike telemetry fields that matter for this attack class, the detection gaps these campaigns deliberately exploit, and a hardening checklist your security team can hand directly to engineering. Real IOCs and detection artifacts from live incident forensics will be released during the session. You will leave with something you can use the same week.
Mohit Bansal leads a security engineering team spanning SecOps, Vulnerability Management, Enterprise Security, Incident Response and security tooling. He brings 10+ years of security experience across application security engineering and leadership roles at multiple high-scale technology...
Saturday September 12, 2026 10:30am - 11:30am CDT, Swissôtel Chicago, 323 E Wacker Dr, Chicago, IL 60601, USA