Liran Tal
💚@nodejs Security WG member | Core team @meanjs, #dockly | Author: 📘Essential Node.js Security ✨ Engineering Manager @nielsen-oss | ❤️#opensource #javascript
@liran_tal
github.com/lirantal
src: www.usenix.org/conference/usenixsecurity19/presentation/zimmerman
src: https://snyk.io/stateofossecurity/
node-ipc npm maintainer sabotages own code to protest the invasion of Ukraine
source: https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability
March 16, 2022
node-ipc package status
March 7, 2022, 6:00PM
9.2 version range
who are ?
node-ipc@10.1.1 published
March 7, 2022, 6:00PM
why is this vector so ? the code is not readable.
also mention past similar cases with transpiled code.
raise: he could've just put the code in the npm package and not on GitHub; they aren't tied.
go through it line by line to explain
go through the base64 run-down to decipher
create to Belarusian and Russian geolocation
show
show a video
peacenotwar published to npm
March 8, 2022, 6:00PM
Small World with High Risks: A Study of Threats in the npm
src: www.usenix.org/conference/usenixsecurity19/presentation/zimmerman
2019
The package.json
Dependencies
$ npm run test
"preinstall": "rm -rf /"
$ npx create-node-app
Jan 2017
May 2018
Jul 2018
Nov 2018
2019
2021
The blindspot of lockfile attack vectors
source: https://snyk.io/blog/software-supply-chain-security
{ "nodemon": "latest" }
package.json
source: https://snyk.io/blog/how-much-do-we-really-know-about-how-packages-behave-on-the-npm-registry
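As an added example (not code from the slides), a small Node.js audit over a package.json and a lockfileVersion 2/3 package-lock.json that flags the vectors the deck names: install-time lifecycle scripts such as the "preinstall" above, floating ranges such as "latest", and lockfile entries that resolve outside the expected registry or carry no integrity hash. The registry URL, package names, versions and lockfile entries in the samples are constructed.

```javascript
// Added example, not code from the slides. Sample inputs below are constructed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Assumption: every dependency should resolve to the public registry.
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// Flags install-time lifecycle scripts and dependency ranges that float.
function auditPackageJson(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ kind: "install-script", hook, command: scripts[hook] });
  }
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(deps)) {
    // dist-tags ("latest"), wildcards and caret/tilde ranges resolve differently over time
    if (["latest", "*", ""].includes(range) || /^[\^~]/.test(range)) {
      findings.push({ kind: "unpinned-range", name, range });
    }
  }
  return findings;
}

// Flags lockfile entries (lockfileVersion 2/3 "packages" map) that resolve outside the
// trusted registry or lack an integrity hash; such edits hide easily in a large lockfile diff.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    if (entry.resolved && !entry.resolved.startsWith(TRUSTED_REGISTRY)) {
      findings.push({ kind: "foreign-resolved", path, resolved: entry.resolved });
    }
    if (entry.resolved && !entry.integrity) findings.push({ kind: "missing-integrity", path });
  }
  return findings;
}

// Constructed samples (not real package or lockfile data)
const samplePackageJson = {
  scripts: { test: "jest", preinstall: "rm -rf /" },
  dependencies: { nodemon: "latest", "node-ipc": "1.2.3" },
};
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "app" },
    "node_modules/node-ipc": { version: "1.2.3", resolved: "https://registry.npmjs.org/node-ipc/-/node-ipc-1.2.3.tgz", integrity: "sha512-CONSTRUCTED" },
    "node_modules/nodemon": { version: "1.2.3", resolved: "https://example.invalid/nodemon-1.2.3.tgz" },
  },
};
console.log(auditPackageJson(samplePackageJson), auditLockfile(sampleLock));
```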
source: https://snyk.io/advisor
By Liran Tal