ALL YOUR PACKAGES ARE BELONG TO US
Protecting your npm dependencies
@CHRISLAUGHLIN
WHO AM I?
JavaScript Developer @Rapid7
Jack of all trades master of none
Worst hangover I have ever had
STORY TIME
- High Amazon CPU usage
- Site running slow
- Third-party vulnerability reports
- Strange network activity
- Roll back to previous build
- Build and run locally
So what happened?
I HAVE A CONFESSION TO MAKE
Incidents
CROSSENVS
When: August 2nd 2017
Aim: Steal env properties
Impact: ~700 downloads in total (similar attack used on another 40 packages)
Entry: Typosquatting package names
Protection
- Check out the package information before installing
- NPM added name checks
EVENT-STREAM
When: November 26th 2018
Aim: Steal Dash Copay Bitcoin wallets
Impact: ~1,000,000 weekly downloads
Entry: Handover of package access
Protection
- Ensure that you lock down package versions and use a package-lock file
- Rethink how the community manages package ownership?
ELECTRON-NATIVE-NOTIFY
When: June 6th 2019
Aim: Steal bitcoin wallet data ($13 million USD in cryptocurrency)
Impact: ~600 weekly downloads
Entry: Release new version of trusted dependency
Protection
- Ensure that you lock down package versions and use a package-lock file
Tools & workflows
npm audit
- Added in npm v6
- Runs after each npm install
- Checks all dev, bundled and optional dependencies
- Auto fix by running npm audit fix, or run the recommended commands
Snyk.io
- Cloud-based solution
- Integration with multiple source control solutions
- On-demand or scheduled vulnerability scanning
- Weekly reports
- Dashboard
GitHub
- Integrated dependency checker
- Works with Dependabot to create PRs to fix issues
- Growing vulnerability database
- Potential integration with new package repository
Conclusion
Should we stop using NPM?
NO!
Should we start using lock files?
Yes!
Should we think twice before using npm packages?
Yes!
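The two defences the talk keeps coming back to, a lock file that pins every dependency to a verified tarball and a sanity check on package names before installing, can be turned into a small script. This is an added example, not code from the talk; it assumes a lockfileVersion 2/3 package-lock.json layout, and the lock file and package names below are constructed samples.

```javascript
// Constructed sample lock file (not a real project). left-pad is deliberately
// missing its integrity hash and resolves to a non-registry host.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "cross-env": "^5.2.0", "left-pad": "1.3.0" } },
    "node_modules/cross-env": {
      version: "5.2.0",
      resolved: "https://registry.npmjs.org/cross-env/-/cross-env-5.2.0.tgz",
      integrity: "sha512-CONSTRUCTED-NOT-A-REAL-HASH"
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://example.invalid/left-pad-1.3.0.tgz"
    }
  }
};

// Report every installed package that npm could not verify on install:
// no integrity hash, no resolved URL, or a tarball fetched from outside the registry.
function lockfileFindings(lock, registry = "https://registry.npmjs.org/") {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project or workspace symlink
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!entry.integrity) findings.push(`${name}: no integrity hash`);
    if (!entry.resolved) findings.push(`${name}: no resolved URL`);
    else if (!entry.resolved.startsWith(registry)) findings.push(`${name}: resolved outside ${registry}`);
  }
  return findings;
}

// Levenshtein edit distance: a name one keystroke away from a package you trust
// deserves a second look before it goes into package.json.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Trusted names within maxDist edits of the candidate (excluding an exact match).
function lookalikes(candidate, trusted, maxDist = 1) {
  return trusted.filter(t => t !== candidate && editDistance(candidate, t) <= maxDist);
}
```

Run `lockfileFindings` in CI against the committed lock file and fail the build on any finding; run `lookalikes` against your own dependency list whenever a new package is proposed.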
Protecting your npm dependencies
By Chris Laughlin