Weaponizing open source for protest and profit


 

Liran Tal

Advocate at 

// NodeGoat Core Team

// Node.js WG


@liran_tal

github.com/lirantal

Installing npm package introduces an implicit trust on 79 third-party packages and 39 maintainers, creating a surprisingly large attack surface

src: www.usenix.org/conference/usenixsecurity19/presentation/zimmerman

Your code

Challenges in managing Open Source Deps at scale

1,538,483

npm's Heavy reuse

Spring web

10 transitive dependencies

Express web

47 transitive dependencies

src: https://snyk.io/stateofossecurity/

The Biggest

Invites big risks

Lucrative attack

Open and free-to-publish

Difficult to counter-measure

- Disconnect between SCM and

- Committer !==

Weaponizing Open-Source

Typosquatting module names

Compromising maintainer accounts

Malicious modules

Confusion attacks

Protestware & Fundware

node-ipc npm maintainer sabotages own-code to protest the invasion of Ukraine

source: https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability

March 16, 2022

Why should I care?

4 downloads

A of @vue/cli

Ok, but what's the worst that can happen ?

WIPES YOUR DRIVE

WHAT IS HAPPENING ???

node-ipc package status

March 7, 2022, 6:00PM

10.x version range

9.2 version range

how many downloads

who are ?

node-ipc@10.1.1 published

March 7, 2022, 6:00PM

show obfuscated code

why is this vector so ? code is not readable.
also mention past similar cases with transpiled code.

raise: he could've just put the code in the npm package and not in GitHub; they aren't tied.

show the readable code

go through it line by line to explain
go through base64 run-down to decipher

create to Belarusian and Russian geolocation

So what would happen if you run it?

show

show a video

peacenotwar published to npm

March 8, 2022, 6:00PM

"a small, linear increase in direct dependencies leads to a significant, super-linear increase in transitive dependencies"

Small World with High Risks: A Study of Threats in the npm

src: www.usenix.org/conference/usenixsecurity19/presentation/zimmerman

2019

"for the majority of the time the reach of vulnerable unpatched code is between 30% and 40% is alarming"

The Package Manifest

The package.json

Dependencies

Package vs Version

Explicit package name + version

package.json

debug@4.1.0

debug@2.0.0

$ npm run test
"preinstall": "rm -rf /"

How do you npx ?

$ npx create-node-app

Typosquatting Attacks

Compromised Accounts

Social Engineering

Malicious Modules

Malicious Modules (timeline)

Jan 2017: crossenv

coffescript      or      coffe-script 
coffeescript

May 2018: getcookies

Jul 2018: eslint-scope

Nov 2018: event-stream

2019: electron-native-notify

2021: confusion

Semantic Versioning

1.4.6

Major Change: Breaking API
Patch: bug fix

Lockfiles

installs based on a dep range is not

package-lock.json

yarn.lock

The blindspot of lockfile attack vectors

$ npm install lockfile-lint

Lockfiles

Confusion

substitution of private packages with malicious ones from public repositories

npm install

package-lock.json

source: https://snyk.io/blog/software-supply-chain-security

{ 
  "nodemon": "latest"
}

npm update

npm ci

.npmrc

well-configured
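The lockfile checks the slides point at (tarballs only from trusted registry hosts over https, an integrity hash on every entry, private scopes never served from the public registry) as an added Node.js example; this is not code from the talk or from lockfile-lint. The registry hosts, the @acme scope and every lockfile entry are constructed for the example.

```javascript
// Added example (not from the talk, not lockfile-lint itself): walk the
// "packages" map of a lockfileVersion 2/3 package-lock.json and report entries
// whose tarball does not come from an allowed registry host over https, that
// carry no integrity hash, or that belong to a private scope yet resolve to
// the public registry (the dependency confusion substitution described above).
// The hosts, the @acme scope and every lockfile entry below are constructed.
const policy = {
  allowedHosts: ['registry.npmjs.org', 'npm.internal.example'], // hypothetical private registry
  privateScopes: { '@acme': 'npm.internal.example' },            // scope -> required host
};

function lintLockfile(lock, pol = policy) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, no tarball
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    let host = null;
    try {
      const url = new URL(meta.resolved || '');
      host = url.host;
      if (url.protocol !== 'https:') findings.push(`${name}: non-https resolved URL`);
    } catch (_err) {
      findings.push(`${name}: missing or unparsable resolved URL`);
    }
    if (host && !pol.allowedHosts.includes(host)) findings.push(`${name}: untrusted host ${host}`);
    if (!meta.integrity) findings.push(`${name}: missing integrity hash`);
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (scope && pol.privateScopes[scope] && host && host !== pol.privateScopes[scope]) {
      findings.push(`${name}: private scope ${scope} resolved from ${host} (possible dependency confusion)`);
    }
  }
  return findings;
}

// Constructed lockfile: one clean entry and three policy violations.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/debug': { version: '4.1.0', resolved: 'https://registry.npmjs.org/debug/-/debug-4.1.0.tgz', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/nodemon': { version: '2.0.0', resolved: 'https://registry.npmjs.org/nodemon/-/nodemon-2.0.0.tgz' },
    'node_modules/left-pad': { version: '1.3.0', resolved: 'http://untrusted-mirror.example/left-pad-1.3.0.tgz', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/@acme/internal-utils': { version: '1.0.0', resolved: 'https://registry.npmjs.org/@acme/internal-utils/-/internal-utils-1.0.0.tgz', integrity: 'sha512-CONSTRUCTED' },
  },
};

const lockFindings = lintLockfile(sampleLock);
console.log(lockFindings.length ? lockFindings.join('\n') : 'lockfile policy: OK');
```

Run it against a real package-lock.json by replacing sampleLock with JSON.parse of the file; a non-empty result is a reason to fail the CI step before npm ci runs.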

How deep

hole goes?

image source: https://www.businessintelligenceinfo.com/tag/magic/page/2

what happens when breaks?

package.json

breaking changes in the API

why would break?

package has been compromised

npmjs is unavailable

networking disruptions

maintainer pulled down

???

it's open source.
everyone can do as they please.

what's the worst that can happen?

maintainer pulled down

1. Azer Koçulu maintains 273 npm modules

2. 3/2016 - Lawyer threatened Azer to waive Kik

3. Azer refused, but npm staff changed ownership 

4. As an act of protest Azer removed all of his modules

5. One of those was a little thing called left-pad

1. Reminder: left-pad is now unpublished

2. Cameron Westland pushed a new left-pad@1.0.0

3. Many builds were still broken as they require ^0.0.3

4. npm re-publishes 0.0.3 from backups

5. total time: 2.5

2.1. What if this was a malicious user?

source: https://snyk.io/blog/how-much-do-we-really-know-about-how-packages-behave-on-the-npm-registry

package has been compromised

14%

compromised npm modules

20%

npm total monthly downloads

express

react

debug

request

Compromised Contributors ?

1409 users had their set to their

koa had their set to

11% users had their password set to leaked

2FA Enabled accounts
since npm >= 5.5.1

2018:    6.89%

2020:    9.87%

Conclusion?

PLEASE ENABLE 2FA

Readiness

Why do you need a local npm?

The official might fail
Network disruptions

considerations
Local npm/yarn cache is per dev
Offline and optimal speeds

webpack@4.28.3
24 direct dependencies
1,690 total dependencies
1,802 requests to the npm
190MB unzipped on

Packages could get yanked
Private package hosting cost

Verdaccio

A Lightweight private npm registry

Automated Dependency Management at scale

How do you choose packages?

source: https://snyk.io/advisor

Pro Patterns for Teams 

my problem is: my CI builds are slow and aren't with development

solution?
npm ci
yarn install --frozen-lockfile

what do I get?
✅ Speed
✅ Surprise-free builds

my problem is: my developers can't reproduce the bug in production in their envs

solution?
use nvm

what do I get?
✅ All team members use the same Node.js version
✅ npm version can be set

my problem is: I am concerned installing Node.js modules will run malicious code

solution?
$ npm install xyz --ignore-scripts
$ npm config set ignore-scripts true

what do I get?
✅ Script hooks won't be auto-run
❌ May cause grief with other npm run-scripts

my problem is: what if I'm using packages with known vulnerabilities?

solution?
$ snyk test
$ npm audit or owasp check as fallbacks

what do I get?
✅ Understand which deps you use
✅ Get health stats
✅ Test packages for issues

my problem is: will someone compromise my npm account and publish malicious code?

solution?
enable 2fa
$ npm profile enable-2fa auth-and-writes

what do I get?
✅ Every npm publish or login will require 2FA to execute

my problem is: I accidentally leaked some secrets in a config file when I published a pkg

solution?
use files: [] in package.json
use detect-secrets module in your git hooks

what do I get?
✅ Avoid accidentally leaking sensitive data to the publish registry
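The manifest-side patterns from this section (no floating "latest" ranges, a files allowlist before publishing, and visibility of install-time scripts like the preinstall example earlier in the deck) as an added Node.js policy check; this is not code from the talk. The sample package.json, its github: spec and the script paths are constructed.

```javascript
// Added example (not from the talk): a pre-publish policy check over a
// project's package.json. It flags floating dependency specs that make
// installs non-reproducible, registry-bypassing specs (git/URL/file), a
// missing "files" allowlist (so npm publish could sweep in config files
// holding secrets), and lifecycle scripts that npm executes automatically
// when the package is installed unless ignore-scripts is set.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const FLOATING_SPECS = new Set(['latest', '*', 'x', '']);
const NON_REGISTRY_SPEC = /^(git(\+|:)|github:|https?:\/\/|file:)/;

function checkManifest(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const s = String(spec).trim();
      if (FLOATING_SPECS.has(s)) {
        findings.push(`${field}.${name}: floating spec "${s}"`);
      } else if (NON_REGISTRY_SPEC.test(s)) {
        findings.push(`${field}.${name}: non-registry spec "${s}"`);
      }
    }
  }
  if (!Array.isArray(pkg.files)) {
    findings.push('files: no allowlist, publish includes everything not ignored');
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push(`scripts.${hook}: auto-runs on install: "${pkg.scripts[hook]}"`);
    }
  }
  return findings;
}

// Constructed sample manifest; the github: spec points at a placeholder repo.
const sampleManifest = {
  name: 'demo-service',
  version: '1.0.0',
  scripts: { test: 'node test.js', postinstall: 'node scripts/setup.js' },
  dependencies: {
    debug: '^4.1.0',
    nodemon: 'latest',
    'left-pad': 'github:placeholder-org/left-pad',
  },
};

const manifestFindings = checkManifest(sampleManifest);
console.log(manifestFindings.length ? manifestFindings.join('\n') : 'manifest policy: OK');
```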

Liran Tal

Developer Advocate at 

@liran_tal

github.com/lirantal

Thank you
& Stay Safe!
