I’m seeing reports of attackers using AI to generate thousands of "typosquatted" packages that look like legitimate libraries. They even use LLMs to write fake documentation and GitHub stars to make them look real. How are you vetting your dependencies in 2025 to ensure you’re not accidentally importing a "poisoned" package that exfiltrates your build secrets?
3 answers
We’ve implemented a "Private Repository" policy for all external packages. Nothing gets pulled directly from npm or PyPI. Instead, we have a curated Artifactory mirror. When a dev wants a new library, it has to pass a 48-hour "quarantine" where we run behavioral analysis on the code to see if it makes unexpected network calls. We also use a tool that cross-references the package's "Creation Date" and "Contributor History." If a package suddenly gets 5,000 stars but was only created 3 days ago by a brand-new user, it’s an immediate red flag.
Michelle, that 48-hour quarantine sounds like it would really frustrate developers who want to move fast. Do you have an "Emergency Whitelist" for well-known packages like React or Express?
We use "Pinning" with hashes for every single dependency. Even if an attacker compromises a legitimate package version, they can’t overwrite our build because the hash won't match.
Hash pinning is the most underrated security practice. It’s simple, effective, and prevents so many supply chain attacks from ever reaching production.
Alan, yes, we have a "Verified Vendor" list for major frameworks that bypass the quarantine. For everything else, we find that the 48-hour delay is a small price to pay for security. To keep devs happy, we’ve actually built a "Pre-Approved" catalog of over 1,000 common libraries so they rarely have to wait for something new. It’s about building a "Walled Garden" that still feels big enough to play in.