{you are what you depend on}
Olivia Brundage
$ whoami
# PRESENTING ME
prodSec @ GitHub
XO @ 144th CWC, VaARNG
![](https://media.slid.es/uploads/705458/images/10541041/pasted-from-clipboard.png)
@oliikit
or maybe it's who you trust.
trust.
LET'S LOOK AT THE BAD STUFF.
![](https://media.slid.es/uploads/705458/images/10540403/pasted-from-clipboard.png)
I'd rather just write code for fun and only worry about supply chain security when I'm actually paid to do so. ~ untitaker
![](https://media.slid.es/uploads/705458/images/10540406/pasted-from-clipboard.png)
eslint-scope@3.7
![](https://media.slid.es/uploads/705458/images/10540410/pasted-from-clipboard.png)
eslint-config-eslint@5.0.2
12 July 2018
![](https://media.slid.es/uploads/705458/images/10540415/pasted-from-clipboard.png)
![](https://media.slid.es/uploads/705458/images/10540424/pasted-from-clipboard.png)
AI
ACCOUNT TAKEOVER
![](https://media.slid.es/uploads/705458/images/10540467/pasted-from-clipboard.png)
THIS IS ABOUT HOW SOFTWARE IS CREATED.
AND TRUST.
![](https://media.slid.es/uploads/705458/images/10541079/pasted-from-clipboard.png)
JAVASCRIPT.
package.json
```json
{
  "name": "eslint-scope",
  "description": "ECMAScript scope analyzer for ESLint",
  "main": "src/index.js",
  "version": "3.7.0",
  "repository": "eslint/eslint-scope",
  "bugs": {
    "url": "https://github.com/eslint/eslint-scope/issues"
  },
  "scripts": {
    "test": "node Makefile.js test",
    "lint": "node Makefile.js lint",
    "postinstall": "node ./bin/helloWorld",
    ...
  },
  "dependencies": {
    ...
  },
  "devDependencies": {
    ...
  }
}
```
# PRESENTING CODE
![](https://media3.giphy.com/media/Wp1SpsnWTPWwwXaoSV/giphy.gif)
Live demo time!!
WCGW?
npm install --ignore-scripts
👎
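As an added example (not code from the slides or from the eslint project), a small Python audit of a manifest like the one above: it lists the npm lifecycle scripts that would execute during `npm install` and checks whether an `.npmrc` suppresses them with `ignore-scripts`. The manifest and `.npmrc` contents below are constructed samples.

```python
import json

# npm lifecycle scripts that run automatically during `npm install`:
# preinstall/install/postinstall run for every installed package; prepare
# runs for the root package and for git dependencies.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample modelled on the package.json from the slides
# (not the real eslint-scope manifest): a postinstall hook runs a script.
SAMPLE_PACKAGE_JSON = """{
  "name": "eslint-scope",
  "version": "3.7.0",
  "scripts": {
    "test": "node Makefile.js test",
    "lint": "node Makefile.js lint",
    "postinstall": "node ./bin/helloWorld"
  }
}"""

# Constructed sample .npmrc that disables lifecycle scripts project-wide.
SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\nignore-scripts=true\n"


def find_install_hooks(package_json_text):
    """Return {hook_name: command} for every script npm would run on install."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def scripts_ignored(npmrc_text):
    """True if an .npmrc line sets npm's ignore-scripts key to true."""
    for line in npmrc_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ignore-scripts" and value.strip().lower() == "true":
            return True
    return False


def audit(package_json_text, npmrc_text=""):
    """Summarise install-time risk: which hooks exist and whether they will run."""
    hooks = find_install_hooks(package_json_text)
    return {"hooks": hooks, "will_run": bool(hooks) and not scripts_ignored(npmrc_text)}


if __name__ == "__main__":
    print(audit(SAMPLE_PACKAGE_JSON))                 # hook present, will run
    print(audit(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC))   # hook present, suppressed
```

Pointing `find_install_hooks` at every `package.json` under `node_modules` after an install gives a quick inventory of which dependencies run code at install time.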
RUBY.
MINSWAN. 🙇♀️
✨ gems == dependencies
THE BUILD SYSTEM.
🏛️ project gems are installed by a Gemfile
🚧 bundle install
but if your Gemfile is sanitized when processed, you're SOL.
gems.rb
```ruby
puts "Hello World"
```
➕
$ bundle
🟰
✨ mAgiC ✨
less theory. more demo.
![](https://media1.giphy.com/media/CjmvTCZf2U3p09Cn0h/giphy.gif)
This method of installing gems was supposed to be deprecated....
![](https://media3.giphy.com/media/ehVHGCPITWFhYsMrRG/giphy.gif)
PYTHON.
Fun facts
- pip can install packages either from Wheel files or from a Source Distribution (sdist)
- pip will prioritize a Wheel distribution over an sdist
- if a Wheel distribution is not found, pip will build a wheel from the sdist
- an sdist build runs the methods defined in setup.py
![](https://media0.giphy.com/media/SVH9y2LQUVVCRcqD7o/giphy.gif)
![](https://media3.giphy.com/media/12YhFxiwKI3K5G/giphy.gif)
Yes. You know what time it is.
💰🤑💰.
Use of these techniques.
👩🔬 CI && CD pipelines.
👩👩👦👦 spray campaigns.
🔍 reconnaissance.
Buyer beware.
👀 hard to target.
🙅 stealth.
FIN.
![](https://media3.giphy.com/media/3oz8xIsloV7zOmt81G/giphy.gif)