ALL YOUR PACKAGES ARE BELONG TO US
Protecting your npm dependencies
@CHRISLAUGHLIN
JavaScript Developer @Rapid7
Jack of all trades, master of none
Worst hangover I have ever had
CROSSENVS
August 2nd 2017
Steal env properties
~700 downloads in total (a similar attack was used on another 40 packages)
Typosquatting package names
EVENT-STREAM
November 26th 2018
Steal Dash Copay Bitcoin wallets
~1,000,000 weekly downloads
Handover of package access
ELECTRON-NATIVE-NOTIFY
June 6th 2019
Steal bitcoin wallet data ($13 million USD in cryptocurrency)
~600 weekly downloads
Release new version of trusted dependency
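The three incidents above each reached victims through a different route; the first relied on a package name that looked like a trusted one. As an added example that is not part of the talk, the Node script below is a defender-side check for that route: it reads a package manifest and flags every dependency whose name sits within a couple of edits of a well-known package name. The trusted-name list, the edit-distance threshold and the sample manifest are all constructed for illustration; in practice the list would come from the names your organisation actually approves.

```javascript
// Added example (not from the talk): flag dependencies whose names are
// suspiciously close to well-known package names, i.e. a typosquatting check.
// TRUSTED and SAMPLE_PACKAGE_JSON are constructed for illustration.

const TRUSTED = ["cross-env", "event-stream", "lodash", "express", "react"];

// Levenshtein edit distance between two strings (classic dynamic programme).
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,      // deletion
        dp[i][j - 1] + 1,      // insertion
        dp[i - 1][j - 1] + cost // substitution
      );
    }
  }
  return dp[a.length][b.length];
}

// Normalise a name the way a lookalike hopes you will read it: drop the
// scope, lower-case, and strip hyphens, underscores and dots so that
// "cross-env" and "crossenv" compare as equal.
function normalise(name) {
  return name.replace(/^@[^/]+\//, "").toLowerCase().replace(/[-_.]/g, "");
}

// Return one finding per (dependency, trusted name) pair where the dependency
// is not itself trusted but is within maxDistance edits of a trusted name.
function findLookalikes(pkg, trusted = TRUSTED, maxDistance = 2) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const dep of Object.keys(deps)) {
    if (trusted.includes(dep)) continue; // exact trusted name, nothing to report
    for (const t of trusted) {
      const d = editDistance(normalise(dep), normalise(t));
      if (d <= maxDistance) {
        findings.push({ dependency: dep, resembles: t, distance: d });
      }
    }
  }
  return findings;
}

// Constructed sample manifest: "crossenv" is the historical lookalike of
// "cross-env"; "expres" drops a letter from "express"; "react" is trusted
// and "left-pad" resembles nothing on the list.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { crossenv: "^5.0.0", react: "^16.0.0", "left-pad": "^1.3.0" },
  devDependencies: { expres: "^4.0.0" },
};

const REPORT = findLookalikes(SAMPLE_PACKAGE_JSON);
console.log(JSON.stringify(REPORT, null, 2));
```

Run it against a real manifest by replacing SAMPLE_PACKAGE_JSON with the parsed contents of your package.json; the only findings for the sample are "crossenv" (distance 0 from "cross-env") and "expres" (distance 1 from "express"). A distance threshold of 2 keeps noise low on short names; for very short trusted names you may want to lower it.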
Added to npm v6
Runs after each npm install
Covers all dev, bundled and optional dependencies
Auto-fix by running npm audit fix, or run the recommended commands
Cloud-based solution
Integration with multiple source control solutions
On demand or scheduled vulnerability scanning
Weekly reports
Dashboard
Integrated dependency checker
Works with Dependabot to create PRs that fix issues
Growing vulnerability database
Potential integration with new package repository