ALL YOUR PACKAGES ARE BELONG TO US
Protecting your npm dependencies
@CHRISLAUGHLIN
Jack of all trades master of none
Worst hangover I have ever had
SO WHAT HAPPENED?
ESLINT-SCOPE
July 12th 2018
Steal data from .npmrc files
~10,000,000 weekly downloads
The attacker released a new version of the module which added an install script that fetched code from pastebin. That code then sent the contents of .npmrc to the attackers.
Make all contributors enable 2FA
Ensure that you lock down package versions and use a package-lock file
EVENT-STREAM
November 26th 2018 (unnoticed for 2 months)
Steal Dash Copay Bitcoin wallets
~1,000,000 weekly downloads
Handover of package access
Ensure that you lock down package versions and use a package-lock file
Rethink how the community manages package ownership?
CROSSENVS
August 2nd 2017
Steal env properties
~700 downloads in total (a similar attack was used on another 40 packages)
Fake package names that are close to existing packages
Check out the package information before installing
NPM added name checks
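The "check the package before installing" advice from the crossenv slide can be partly automated. The script below is an added example written for this page, not code from the talk or from npm: it compares the names you are about to install against a list of packages you already trust and flags anything that is one edit away from, or differs only by punctuation from, a known name. The KNOWN list is constructed for the demo; in practice you would feed it your own allowlist or the most-downloaded packages.

```javascript
// Added example (not from the talk): flag requested package names that are a
// small edit away from a well-known package but are not that package.
// KNOWN is a constructed list for this demo, not npm's real similarity data.

function levenshtein(a, b) {
  // classic two-row dynamic-programming edit distance
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Punctuation-insensitive form: "cross-env" and "crossenv" collapse to the same key.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Returns one {requested, lookalike} per requested name that is not itself in
// `known` but is within maxDistance edits of (or punctuation-equivalent to) a
// known name. An empty result means nothing suspicious was found.
function lookalikes(requested, known, maxDistance = 1) {
  const hits = [];
  for (const name of requested) {
    if (known.includes(name)) continue; // exact known package: nothing to flag
    const match = known.find(
      (k) => normalize(k) === normalize(name) || levenshtein(name, k) <= maxDistance
    );
    if (match) hits.push({ requested: name, lookalike: match });
  }
  return hits;
}

// Constructed allowlist for the demo.
const KNOWN = ["cross-env", "lodash", "react", "express", "babel-cli"];

// Run before `npm install <names>`; a non-empty result is the cue to open the
// package page and look at the author, publish date and download count first.
console.log(lookalikes(["crossenv", "lodash", "babelcli"], KNOWN));
```

Edit distance is deliberately kept small (the default is 1) because a larger threshold starts flagging unrelated short names; the punctuation-stripping rule catches the crossenv-style case regardless of distance.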
ELECTRON-NATIVE-NOTIFY
June 6th 2019
Steal bitcoin wallet data ($13 million USD in cryptocurrency)
~600 weekly downloads
Release new version of trusted dependency
Ensure that you lock down package versions and use a package-lock file
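Three of the four incidents above (eslint-scope, event-stream, electron-native-notify) share one lesson: a malicious release only reaches you if your install resolves to it. The script below is an added example written for this page, not code from the talk or from npm: it reports dependencies declared as ranges instead of exact versions, and cross-checks a package-lock.json (npm v6 "dependencies" layout is assumed) for missing entries, missing integrity hashes, and pins that disagree with the lock. SAMPLE_PKG and SAMPLE_LOCK are constructed; the integrity value and registry URL are placeholders.

```javascript
// Added example (not from the talk): a pre-install check that package.json
// pins exact versions and that the package-lock.json entries behind them carry
// an integrity hash, so a newly published upstream version cannot silently
// replace what was reviewed. All sample data below is constructed.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Dependencies declared with a range ("^", "~", "*", "latest", ...) rather
// than an exact version. Without a lockfile, each of these lets `npm install`
// pull whatever newer release the registry currently serves.
function unpinnedDependencies(pkg) {
  const out = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

// Cross-checks the lockfile (npm v6 top-level "dependencies" layout assumed)
// against package.json: every declared dependency must be locked, must have an
// integrity hash, and an exact pin must agree with the locked version.
function lockfileProblems(pkg, lock) {
  const problems = [];
  const locked = lock.dependencies || {};
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const entry = locked[name];
      if (!entry) {
        problems.push(`${name}: not present in package-lock.json`);
        continue;
      }
      if (!entry.integrity) problems.push(`${name}: lock entry has no integrity hash`);
      if (EXACT_VERSION.test(spec) && entry.version !== spec) {
        problems.push(`${name}: package.json pins ${spec} but lock has ${entry.version}`);
      }
    }
  }
  return problems;
}

// Constructed sample input; package names, versions, URL and hash are illustrative.
const SAMPLE_PKG = {
  dependencies: { "left-pad-ish": "1.2.0", "some-lib": "^2.0.0" },
  devDependencies: { "lint-tool": "latest" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "left-pad-ish": {
      version: "1.2.1",
      resolved: "https://registry.example/left-pad-ish-1.2.1.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "some-lib": { version: "2.3.0", resolved: "https://registry.example/some-lib-2.3.0.tgz" },
    // "lint-tool" is deliberately absent from the lock
  },
};

console.log(unpinnedDependencies(SAMPLE_PKG));
console.log(lockfileProblems(SAMPLE_PKG, SAMPLE_LOCK));
```

In CI, pair a check like this with `npm ci` rather than `npm install`: `npm ci` installs strictly from the lockfile and aborts if package.json and package-lock.json disagree, which is exactly the failure you want when someone has bumped a range without reviewing the new release.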
Added to npm v6
Runs after each npm install
Covers all dev, bundled and optional dependencies
Auto-fix by running npm audit fix, or run the recommended commands
Cloud based solution
Integration with multiple source control solutions
On demand or scheduled vulnerability scanning
Weekly reports
Dashboard
Linked to your GitHub source
Growing vulnerability database
Potential integration with new package repository