Surviving the Worm Era of Open Source

Open source is the core of modern software, and lately it is under sustained attack. Self-propagating worms are weaponizing stolen developer credentials to infect packages automatically. State-sponsored actors are hijacking maintainer accounts on libraries with hundreds of millions of weekly downloads. Open source security tools themselves have been compromised. AI is accelerating both the volume and sophistication of malicious publishing. This session looks at what has changed and why it matters for the way we build and ship software. We’ll walk through the basic practices most teams still skip, the tooling layer that catches what those practices miss, and the enterprise controls that quietly protected the orgs that had them. We’ll also touch on where AI is starting to show up on the defender’s side, and on the practical changes teams can make in their pipelines and developer environments to reduce real exposure without slowing delivery down.

Speaker

Istvan Albert-Toth


István has over a decade of experience in cybersecurity and software development, currently serving as the DevSecOps and Product Development Director at VerSprite. Drawing on his diverse background ...