Podcast

Alice in Supply Chains - Bonus episode - with guest John Hammond

April 23, 2026

Episode description:

In this special bonus episode, Adrian and Alexandre are joined by John Hammond, one of cybersecurity’s most recognizable YouTube creators and Senior Principal Security Researcher at Huntress, a cybersecurity company dedicated to protecting businesses of all sizes against modern-day cybercrime, for a deep dive into software supply chain attacks using the recent Axios NPM compromise as a case study.

Show notes:

The discussion tackles the viral "stop updating your software" take head-on, with John arguing the real answer is nuance — keep patching Windows and Chrome, but treat CI/CD dependencies very differently. Adrian lays out his case for splitting vulnerability management into two distinct processes: traditional scan-driven work for compliance, and a separate intelligence-driven "VulnOps" function that operates more like incident response. The group also walks through the remarkable social engineering campaign that compromised the Axios maintainer — a patient, weeks-long con involving a fake Slack workspace, rescheduled Teams meetings, and a click-fix payload disguised as an audio troubleshooting step. One striking data point from John: the malicious package detonated 89 seconds after hitting NPM.

‍

The back half turns practical, with a concrete checklist for third-party risk teams and internal dev orgs: pin dependency versions, cache artifacts locally (which saved Tenchi during the Trivy incident, when attackers modified previously released binaries), enforce age-based release gates, separate CI from CD, apply least privilege to pipeline credentials, and maintain an asset inventory that can answer "do we have this package?" in seconds. John closes with homework for listeners: look up the Clean Source Principle.

Show Transcript

Watch or listen to full episodes in English

Recent Episodes

Episode 16

In this April 2026 episode of Alice in Supply Chains, Adrian and Alexandre cover three stories that weren't on anyone's 2026 bingo card — and all of which land on the TPRM analyst's desk.

Episode 15

Hosts Adrian Sanabria (The Defenders Initiative) and Alexandre Sieira (CTO, Tenchi Security) reconvene — both recovering from the notorious con crud — to dig into the biggest stories from a packed month in third-party and supply chain security.

Episode 14

The Alice in Supply Chains Podcast is back for another episode! On it, Adrian Sanabria and Alexandre Sieira share their expert opinions on the most pressing matters in the TPCRM world - as presented on issue #42 of our newsletter of the same name, also launched today! From cyber risk at scale in private equity portfolios, to the evolution of TPCRM in the AI era, to real-world regulatory scrutiny following a major education-sector breach in Canada - this discussion connects the dots between headlines and hard accountability. The takeaway? Third-party risk is no longer an operational checkbox. It’s financial exposure. It’s regulatory pressure. It's a board-level strategy. If you’re responsible for security, risk, compliance, or investment decisions, this episode is your pulse check on where the market is moving.

View all episodes