Oh you developers! When you build a new application, at what stage do you start thinking about security: design, development, testing, or after deployment? Or do you not think about it at all? Many developers and companies assume the applications they build are secure by default and give security no consideration during the software development lifecycle. That negligence has produced vulnerable software running in production across many industries: finance, healthcare, telecommunications, manufacturing, aviation and more.

In reality, by common estimates around 80% of security vulnerabilities stem from poor coding practices, misconfigurations, and the use of vulnerable libraries or packages in production applications. These vulnerabilities are major contributors to the breaches, data leaks and service disruptions seen across industries.

A good example is the recent attack on the npm registry (Node Package Manager), which compromised multiple packages used to build Node.js applications. This is called a supply chain attack. Supply chain attacks have emerged as a major concern for application security: rather than attacking your application directly, the attacker targets the tools, libraries and dependencies that developers rely on. Once a trusted package is compromised, its malicious version is distributed to every developer who installs it and ends up in production code, giving the attacker arbitrary code execution wherever that code runs.

How the NPM Attack Happened

The recent npm package attack began with a phishing email sent to maintainers of popular open source packages. The email claimed the maintainers had to update their two-factor authentication (2FA) settings and linked to a look-alike domain, "npmjs[.]help", that mimicked the official npm registry login page.

The attacker harvested the credentials and 2FA codes entered on the fake page, used them to log in to the maintainers' npm accounts, and published new versions of their packages with malicious code injected. Many packages were compromised, including widely used ones such as chalk, debug, color-convert and ansi-styles.

Impact

The injected code ran in end users' browsers wherever a compromised package had been bundled into a web application, and was used to harvest credentials from those browser sessions.

Fact

Over 75% of the code in a modern application is third-party: libraries, packages and frameworks. If just one of them carries a known vulnerability, your entire application can be exposed.

Think about it 🤔

You install a popular npm package. It has 10 dependencies, and each of those has 5 more (its downstream, or transitive, dependencies). You now have 50+ potential points of compromise from a single install, and every one of them is maintained by someone you have never vetted. This is how supply chain risk compounds, and why dependencies have to be managed deliberately.

Best Practices for Secure Coding in 2025

In light of the growing threat landscape, developers and organizations must take a proactive approach to secure coding.

Here are some best practices to safeguard your applications in 2025:

1. Build security into every phase of the development lifecycle, from design and threat modeling through development, testing and deployment, rather than bolting it on at the end.

2. Follow secure coding standards, such as the OWASP guidelines for your language and framework.

3. Use dependency scanning and management tools such as npm audit, OWASP Dependency-Check, pip-audit, Grype, Aqua Security's Trivy, Snyk and others, and run them in CI so that a newly published advisory fails the build.

4. Adopt a Zero Trust Architecture (ZTA): never trust a component, package or identity by default, and verify every access.

5. Provide security awareness and training, including phishing awareness for anyone who holds publishing credentials for a package registry.

6. Avoid vulnerable or unmaintained libraries and packages, pin dependency versions with a lockfile, and review what changed before upgrading.