Explore the world of software supply chain attacks and learn how to defend against them in this 42-minute conference talk from nullcon. Dive into the sophisticated techniques used by bad actors, such as typo-squatting, repo-jacking, and social engineering, to infiltrate open-source package managers like NPM and PyPI. Discover PACKJ, a data-driven security analysis framework designed to measure and control potential supply chain risks when adopting open-source packages. Learn about the framework's use of static code analysis, dynamic tracing, and metadata checks to detect risky attributes in packages. Gain insights into various attack techniques, including dependency confusion and account hijacking, and understand why manual vetting and vanity stats are insufficient for package security. See a demonstration of the PACKJ tool in action, detecting risky packages and mitigating supply chain attacks, and explore real-world examples like the Colors and Faker attack from January 2022.