Liran Tal
💚@nodejs Security WG member | Core team @meanjs, #dockly | Author: 📘Essential Node.js Security ✨ Engineering Manager @nielsen-oss | ❤️#opensource #javascript
Weaponizing open source for protest and profit
Liran Tal
Advocate at
// NodeGoat Core Team
// Node.js WG
Liran Tal
Advocate at
@liran_tal
github.com/lirantal
@liran_tal
Installing npm package introduces an implicit trust on 79 third-party packages and 39 maintainers, creating a surprisingly large attack surface
@liran_tal
src: www.usenix.org/conference/usenixsecurity19/presentation/zimmerman
Your code
Challeneges in managing Open Source Deps at scale
1,538,483
npm's Heavy reuse
Spring web
10 transitive dependencies
Express web
47 transitive dependencies
@liran_tal
src: https://snyk.io/stateofossecurity/
@liran_tal
The Biggest
Invites big risks
Lucrative attack
Open and free-to-publish
Difficult to counter-measure
- Disconnect between SCM and
- Commiter !==
@liran_tal
Weaponizing Open-Source
Typosquatting module names
Compromising maintainer accounts
Malicious modules
@liran_tal
Confusion attacks
Protestware & Fundware
node-ipc npm maintainer sabotages own-code to protest the invasion of Ukraine
source: https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability
March 16, 2022
@liran_tal
node-ipc npm maintainer sabotages own-code to protest the invasion of Ukraine
source: https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability
March 16, 2022
@liran_tal
Why should I care?
node-ipc npm maintainer sabotages own-code to protest the invasion of Ukraine
source: https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability
March 16, 2022
@liran_tal
Why should I care?
4 downloads
A of @vue/cli
//TODO add gif of someone afraid
node-ipc npm maintainer sabotages own-code to protest the invasion of Ukraine
source: https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability
March 16, 2022
@liran_tal
Ok, but what's the worst that can happen ?
WIPES
YOUR
DRIVE
//TODO add gif of someone crying
@liran_tal
WHAT IS HAPPENING ???
//TODO consider adding a next slide of "rewind back..."
node-ipc package status
March 7, 2022, 6:00PM
@liran_tal
10.x version range
9.2 version range
how many downloads
who are ?
node-ipc@10.1.1 published
March 7, 2022, 6:00PM
@liran_tal
show obfusecated code
why is this vector so ? code is not readable.
also mention past similar cases with transpiled code.
raise - he could've just put the code in the npm package, and not in github. they aren't tied
node-ipc@10.1.1 published
March 7, 2022, 6:00PM
@liran_tal
show the readable code
go through it line by line to explain
go through base64 run-down to decipher
create to Belarussian and Russian geolocation
node-ipc@10.1.1 published
March 7, 2022, 6:00PM
@liran_tal
So what would happen if you run it?
show
show a video
peacenotwar published to npm
March 8, 2022, 6:00PM
@liran_tal
peacenotwar published to npm
March 8, 2022, 6:00PM
@liran_tal
"a small, linear increase in direct dependencies leads to a significant, super-linear increase in transitive dependencies"
@liran_tal
Small World with High Risks:
A Study of Threats in the npm
src: www.usenix.org/conference/usenixsecurity19/presentation/zimmerman
2019
@liran_tal
"a small, linear increase in direct dependencies leads to a significant, super-linear increase in transitive dependencies"
@liran_tal
"for the majority of the time the reach of vulnerable unpatched code is between 30% and 40% is alarming"
@liran_tal
The Package Manifest
The package.json
Dependencies
Package vs Version
Explicit package name + version
package.json
debug@4.1.0
debug@2.0.0
debug@4.1.0
debug@2.0.0
Package vs Version
The Package Manifest
The package.json
$ npm run test
"preinstall": "rm -rf /"How do you npx ?
$ npx create-node-appTyposquatting Attacks
Compromised Accounts
Social Engineering
Malicious Modules
@liran_tal
Malicious Modules
time
Jan 2017
crossenv
@liran_tal
coffescript or coffe-script
coffeescript
@liran_tal
Malicious Modules
time
Jan 2017
crossenv
May 2018
getcookies
@liran_tal
Malicious Modules
time
Jan 2017
crossenv
May 2018
getcookies
Jul 2018
eslint-scope
@liran_tal
Malicious Modules
time
Jan 2017
crossenv
May 2018
getcookies
Jul 2018
eslint-scope
event-stream
Nov 2018
@liran_tal
Malicious Modules
time
electron-native-notify
2019
@liran_tal
confusion
2021
Semantic Versioning
1.4.6
Semantic Versioning
Major Change
1.4.6
1.4.6
Breaking API
Semantic Versioning
Patch, bug fix
1.4.6
1.4.6
fix
Lockfiles
installs based on a dep range is not
package-lock.json
yarn.lock
The blindspot of
lockfile attack vectors
@liran_tal
$ npm install lockfile-lint
Lockfiles
Confusion
substitution of private packages with
malicious from public repositories
Confusion
npm install
package-lock.json
source: https://snyk.io/blog/software-supply-chain-security
{
"nodemon": "latest"
}
npm update
npm ci
.npmrc
well-configured
How deep
hole goes?
image source: https://www.businessintelligenceinfo.com/tag/magic/page/2
what happens when breaks?
package.json
breaking changes in the API
why would break?
package has been compromised
npmjs is unavailable
networking disruptions
maintainer pulled down
???
it's open source.
everyone can do as they please.
what's the worst that can happen?
maintainer pulled down
1. Azer Koçulu maintains 273 npm modules
2. 3/2016 - Lawyer threatened Azer to wave-off Kik
3. Azer refused, but npm staff changed ownership
4. As an act of protest Azer removed all of his modules
5. One of those was a little thing called left-pad
1. Reminder: left-pad is now unpublished
2. Cameron Westland pushed a new left-pad@1.0.0
3. Many builds were still broken as they require ^0.0.3
4. npm re-publishes 0.0.3 from backups
5. total time: 2.5
2.1. What if this was a malicious user?
source: https://snyk.io/blog/how-much-do-we-really-know-about-how-packages-behave-on-the-npm-registry
package has been compromised
14%
compromised npm modules
20%
npm total monthly downloads
express
react
debug
request
Compromised Contributors ?
1409
users
had their set to
their
Compromised Contributors ?
Compromised Contributors ?
koa
had their set to
Compromised Contributors ?
Compromised Contributors ?
11%
users
had their password set to
leaked
Compromised Contributors ?
2FA Enabled accounts
since npm >= 5.5.1
2018: 6.89%
@liran_tal
2020: 9.87%
Conclusion?
PLEASE ENABLE 2FA
PLEASE ENABLE 2FA
PLEASE ENABLE 2FA
PLEASE ENABLE 2FA
Readyness
Why do you need a local npm?
The official might fail
Why do you need a local npm?
Networks disruptions
considerations
Local npm/yarn cache is per dev
Offline and optimal speeds
Why do you need a local npm?
webpack@4.28.3
24 direct dependencies
1,690 total dependencies
1,802 requests to the npm
190MB unzipped on
Why do you need a local npm?
Packages could get yanked
Private package hosting cost
Verdaccio
A Lightweight private npm registry
Automated Dependency Management
at scale
How do you choose packages?
source: https://snyk.io/advisor
Pro Patterns for Teams
npm ci
yarn install --frozen-lockfile
✅ Speed
✅ Surprise-free builds
{
{
?
what do I get?
{
my is
my CI builds are slow and aren't with devlopment
use nvm
✅ All team members use the same Node.js version
✅ npm version can be set
{
{
?
what do I get?
{
my is
my developers can't reproduce the bug in production in their envs
$ npm install xyz --ignore-scripts
✅ Script hooks won't be auto-run
❌ May cause grief with other npm run-scripts
{
{
?
what do I get?
{
my is
I am concerned installing Node.js modules will run malicious code
$ npm config set ignore-scripts true
$ snyk test
✅ Understand which deps you use
{
{
?
what do I get?
{
my is
what if I'm using packages with known vulnerabilities?
$ npm audit or owasp check as fallbacks
✅ Get health stats
✅ Test packages for issues
$ npm profile enable-2fa auth-and-writes
✅ Every npm publish or login will require 2FA to execute
{
{
solution?
what do I get?
{
my problem is
will someone compromise my npm account and publish malicious code?
enable 2fa
use files: [] in package.json
✅ Avoid accidentally leaking sensitive data to the publish registry
{
{
solution?
what do I get?
{
my problem is
I accidentally leaked some secrets in a config file when I published a pkg
use detect-secrets module in your git hooks
Liran Tal
Developer Advocate at
@liran_tal
github.com/lirantal
Thank you
& Stay Safe!
Weaponizing open source for protest and profit
By Liran Tal
