ALL YOUR PACKAGES ARE BELONG TO US

Protecting your npm dependencies

@CHRISLAUGHLIN

WHO AM I? 

Lead UI Engineer @Rapid7

 

Opensource contributor 

 

Site point author

 

Podcast guest  

Jack of all trades master of none

Worst hangover I have ever had

@CHRISLAUGHLIN

STORY TIME

@CHRISLAUGHLIN

@CHRISLAUGHLIN

@CHRISLAUGHLIN

@CHRISLAUGHLIN

@CHRISLAUGHLIN

@CHRISLAUGHLIN

SO WHAT HAPPENED?

@CHRISLAUGHLIN

i have a confession to make

Incidents

@CHRISLAUGHLIN

@CHRISLAUGHLIN

ESLINT-SCOPE

When: 

impact: 

aim: 

entry: 

protection: 

July 12th 2018

Steal data from .npmrc files

~10,000,000 weekly downloads

The attacker released a new version of the module which added a install script which fetched code from pastebin. This then sent the npmrc contents to the hackers.

  • Make all contributors enable 2FA

  • Ensure that you lock down package versions and use a package-lock file

@CHRISLAUGHLIN

EVENT-STREAM

When: 

impact: 

aim: 

entry: 

protection: 

November 26th 2018 (unnoticed for 2 months)

Steal Dash Copay Bitcoin wallets

~1,000,000 weekly downloads

Handover of package access

  • Ensure that you lock down package versions and use a package-lock file

  • Rethink how the community manages package ownership?

@CHRISLAUGHLIN

CROSSENVS

When: 

impact: 

aim: 

entry: 

protection: 

August 2nd 2017

Steal env properties

~700 downloads in total (similar attack used on another 40 packages)

Fake packages names that are close to existing packages

  • Check out the package information before installing

  • NPM added name checks

@CHRISLAUGHLIN

ELECTRON-NATIVE-NOTIFY

When: 

impact: 

aim: 

entry: 

protection: 

June 6th 2019

Steal bitcoin wallet data ($13 million USD in cryptocurrency )

~600 weekly downloads

Release new version of trusted dependency

  • Ensure that you lock down package versions and use a package-lock file

tools & workflows

@CHRISLAUGHLIN

npm audit

@CHRISLAUGHLIN

  • Added to npm v6

  • Runs after each npm install

  • All dev, bundled and optional dependencies.

  • Auto fix by running npm audit fix or run the recommended commands

@CHRISLAUGHLIN

@CHRISLAUGHLIN

Snyk.io

  • Cloud based solution

  • Integration with multiple source control solutions

  • On demand or scheduled vulnerability scanning

  • Weekly reports

  • Dashboard  

@CHRISLAUGHLIN

@CHRISLAUGHLIN

github

@CHRISLAUGHLIN

  • Linked to your  github source

  • Growing vuln database

  • Potential integration with new package repository

@CHRISLAUGHLIN

@CHRISLAUGHLIN

conclusion

@CHRISLAUGHLIN

Questions?

@CHRISLAUGHLIN

NIDC 2019 - All your packages are belong to us

By Chris Laughlin

NIDC 2019 - All your packages are belong to us

  • 27

More from Chris Laughlin