In 2022 Open Source Software’s supply chain attacks skyrocketed by 600% using popular libraries and tools as vectors. With 2.1 trillions of packages downloaded in the last year, NPM has become the preferred target of this kind of attacks. We will see the clever techniques and the subtle weaknesses exploited by attackers to allow malicious packages compromise our applications. Moreover we will learn: - what kind of risks we are exposed to - how to mitigate them - some notable supply chain attacks that hit the news Warning: after the talk you will not launch a npm install without fear again.