A popular nodejs package changed ownership in late 2018 and found itself as the delivery mechanism for malicious code in a dependency manufactured specifically to inject a payload in a mobile application. How did an attacker go from an npm package to a mobile application? How was this exploit found? What purpose did each of the three payloads have? This is just one example of an elaborately simple attack that can take over a developer environment and inject itself into production applications. In this session we will dive into the three payloads of the attack, how they worked, how they were obfuscated, and what their goal ultimately was. There's no reason to assume this is an isolated event and understanding how this occurred and what it did is an important part of staying secure going forward.