We know a lot about vulnerable packages in NPM registry. But (surprisingly) few malicious packages have surfaced to date. Makes you feel like you don't really need to protect your project against them. Well, I'm here to destroy that cozy feeling >:D I will demonstrate how a malicious package could affect your application, even if some security measures are already in place. After the exploits, I'll explain how to defend against the attacks without too much hassle. Watch this if you love horror stories! Watch this if you care about avoiding horror stories!