POD 11:00 - 13:00 August 10, 2025

Mackenzie Jackson

NPM Imposters is a fast, team-based game where players must spot malicious NPM packages hiding in plain sight. Each team gets a deck of cards mimicking real npmjs.com pages: some show metadata like stars, downloads, and maintainers; others reveal parts of the package code, like index.js or package.json. The challenge? Identify which packages are safe, suspicious, or outright malicious. Once teams decide, they flip each card to reveal the truth, with a quick explanation based on real-world attacks like event-stream and ua-parser-js. It’s a fun, hands-on way to learn how supply chain attacks happen, and how easily trust can be exploited.