ALL YOUR PACKAGES ARE BELONG TO US

Protecting your npm dependencies

@CHRISLAUGHLIN

WHO AM I? 

JavaScript Developer @Rapid7

Jack of all trades, master of none

Worst hangover I have ever had

STORY TIME


High Amazon CPU

Site running slow

Third-party vuln reports

Strange network activity


Roll back to previous build 

Build and run locally 


so what happened?


I HAVE A CONFESSION TO MAKE

Incidents


CROSSENVS

When: August 2nd 2017

Impact: ~700 downloads in total (similar attack used on another 40 packages)

Aim: Steal env properties

Entry: Typosquatting package names

protection 

  • Check out the package information before installing

  • NPM added name checks
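The "check the package information before installing" step above, as an added example (not the deck's or npm's code): a pre-install guard that flags candidate names resembling packages a project already trusts, by punctuation-stripped equality (the crossenv vs cross-env case) and by edit distance. The trusted list, the distance threshold and the normalisation rule are assumptions for the example, not npm's actual name-check implementation.

```javascript
// Constructed trusted list for the example; in practice it would come from
// your package.json dependencies or a maintained allow-list.
const TRUSTED = ['cross-env', 'event-stream', 'lodash', 'express'];

// Fold a name so that punctuation-only variants collide
// (e.g. "crossenv", "cross.env" and "cross_env" all become "crossenv").
// Assumed rule for the example, not npm's own code.
function normalize(name) {
  return name.toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Levenshtein edit distance, used to catch one-character slips.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Returns null when the name is trusted or unrelated, otherwise a verdict
// naming the trusted package it resembles and why it was flagged.
function checkPackageName(candidate, trusted = TRUSTED) {
  if (trusted.includes(candidate)) return null;
  const folded = normalize(candidate);
  for (const t of trusted) {
    if (normalize(t) === folded) {
      return { suspect: candidate, lookalike: t, reason: 'punctuation-only difference' };
    }
    if (editDistance(candidate, t) <= 1) {
      return { suspect: candidate, lookalike: t, reason: 'one edit away' };
    }
  }
  return null;
}

// Scan every name you are about to install and keep only the flagged ones.
function auditNames(names, trusted = TRUSTED) {
  return names.map((n) => checkPackageName(n, trusted)).filter(Boolean);
}

// Constructed sample input: two look-alikes, one trusted name, one unrelated.
console.log(auditNames(['crossenv', 'lodash', 'expres', 'left-pad']));
```

Run this before `npm install` on any name that is new to the project; a non-empty result is a prompt to look at the package page, maintainers and publish history before proceeding.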

EVENT-STREAM

When: November 26th 2018

Impact: ~1,000,000 weekly downloads

Aim: Steal Dash Copay Bitcoin wallets

Entry: Handover of package access

protection

  • Ensure that you lock down package versions and use a package-lock file

  • Rethink how the community manages package ownership?

ELECTRON-NATIVE-NOTIFY

When: June 6th 2019

Impact: ~600 weekly downloads

Aim: Steal bitcoin wallet data ($13 million USD in cryptocurrency)

Entry: Release new version of trusted dependency

protection 

  • Ensure that you lock down package versions and use a package-lock file

tools & workflows


npm audit


  • Added to npm v6

  • Runs after each npm install

  • Covers all dev, bundled and optional dependencies

  • Auto-fix by running npm audit fix, or run the recommended commands


Snyk.io

  • Cloud based solution

  • Integration with multiple source control solutions

  • On demand or scheduled vulnerability scanning

  • Weekly reports

  • Dashboard  


github


  • Integrated dependency checker

  • Works with Dependabot to create PRs that fix issues

  • Growing vuln database

  • Potential integration with new package repository


conclusion


Should we stop using NPM?

NO!

Should we start using lock files?

Yes!

Should we think twice before using npm packages?

Yes!


By Chris Laughlin