{you are what you depend on}
Olivia Brundage
$ whoami
# PRESENTING ME
prodSec @ GitHub
XO @ 144th CWC, VaARNG

@oliikit
or maybe it's who you trust.
LET'S LOOK AT THE BAD STUFF.

I'd rather just write code for fun and only worry about supply chain security when I'm actually paid to do so. ~ untitaker

eslint-scope@3.7

eslint-config-eslint@5.0.2
12 July 2018


AI
ACCOUNT TAKEOVER

THIS IS ABOUT HOW SOFTWARE IS CREATED.
AND TRUST.

JAVASCRIPT.
package.json
{
  "name": "eslint-scope",
  "description": "ECMAScript scope analyzer for ESLint",
  "main": "src/index.js",
  "version": "3.7.0",
  "repository": "eslint/eslint-scope",
  "bugs": {
    "url": "https://github.com/eslint/eslint-scope/issues"
  },
  "scripts": {
    "test": "node Makefile.js test",
    "lint": "node Makefile.js lint",
    "postinstall": "node ./bin/helloWorld",
    ...
  },
  "dependencies": {
    ...
  },
  "devDependencies": {
    ...
  }
}
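The manifest above shows the hook that matters: npm runs a dependency's preinstall/install/postinstall scripts automatically during `npm install`. The following is an added example (not code from the talk or from the eslint project) that lists those install-time scripts from a package.json, walks an installed node_modules tree for packages that declare one, and checks whether an .npmrc sets `ignore-scripts=true`, the project-wide form of `--ignore-scripts`. The sample manifest is constructed to mirror the slide, with the elided entries omitted so it parses as JSON.

```python
"""Added example, not code from the talk or from the eslint project: a small
audit for the npm lifecycle hook abused in the incident above."""
import json
import os

# Lifecycle hooks npm runs for every dependency during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample mirroring the manifest on the slide (the "..." entries
# are simply omitted here so the text parses as JSON).
SAMPLE_PACKAGE_JSON = """{
  "name": "eslint-scope",
  "version": "3.7.0",
  "scripts": {
    "test": "node Makefile.js test",
    "lint": "node Makefile.js lint",
    "postinstall": "node ./bin/helloWorld"
  }
}"""


def install_time_scripts(package_json_text: str) -> dict:
    """Return {hook: command} for every script npm would run at install time."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def npmrc_ignores_scripts(npmrc_text: str) -> bool:
    """True if the .npmrc (ini format) sets ignore-scripts=true."""
    for raw in npmrc_text.splitlines():
        # strip ini-style comments before looking at the key
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ignore-scripts":
            return value.strip().lower() == "true"
    return False


def audit_node_modules(root: str) -> list:
    """Walk an installed node_modules tree and return (package dir, hooks)
    for every package that declares an install-time script."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                hooks = install_time_scripts(fh.read())
            except ValueError:  # malformed manifest: skip it rather than crash
                continue
        if hooks:
            findings.append((dirpath, hooks))
    return findings


if __name__ == "__main__":
    for hook, cmd in install_time_scripts(SAMPLE_PACKAGE_JSON).items():
        print(f"{hook}: {cmd}")
    for pkg_dir, hooks in audit_node_modules("node_modules"):
        print(pkg_dir, hooks)
```

Run it from a project root to see which installed packages would execute code on the next `npm install`; a non-empty result with no `ignore-scripts=true` in .npmrc is the condition the demo exploits.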
# PRESENTING CODE

Live demo time!!
WCGW?
npm install --ignore-scripts
👎
RUBY.
MINSWAN (Matz is nice, so we are nice). 🙇♀️
✨ gems == dependencies
THE BUILD SYSTEM.
🏛️ project gems are installed by a Gemfile
🚧 bundle install
but if your Gemfile is sanitized when processed, you're SOL.
gems.rb
puts "Hello World"
➕
$ bundle
🟰
✨ mAgiC ✨
less theory. more demo.

This method of installing gems was supposed to be deprecated....
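Bundler evaluates a Gemfile or gems.rb as ordinary Ruby, which is why the one-line `puts` above runs on `bundle`. As an added example (not from the talk), here is a heuristic lint that surfaces every line of a Gemfile that does not begin with a known Bundler DSL method, so a reviewer sees anything that is a statement rather than a declaration. The DSL allowlist and the sample Gemfile are assumptions constructed for the example.

```python
"""Added example, not from the talk: flag Gemfile lines that are plain Ruby
statements rather than Bundler DSL declarations."""
import re

# Bundler DSL methods expected at the start of a Gemfile line (assumed
# allowlist; extend it if a project legitimately uses more of the DSL).
GEMFILE_DSL = {
    "source", "gem", "group", "platforms", "platform", "ruby", "gemspec",
    "git_source", "path", "git", "end", "eval_gemfile", "install_if", "plugin",
}

# Constructed sample: a normal Gemfile with the slide's `puts` and a `require`
# slipped in between the declarations.
SAMPLE_GEMFILE = """source "https://rubygems.org"

gem "rails"
puts "Hello World"
require "open-uri"
group :test do
  gem "rspec"
end
"""

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def suspicious_gemfile_lines(text: str) -> list:
    """Return [(line number, line)] for lines that do not start with a known
    DSL method. Blank lines and comments are ignored; anything else (method
    calls, requires, conditionals) is surfaced for human review."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _IDENT.match(line)
        keyword = match.group(0) if match else None
        if keyword not in GEMFILE_DSL:
            findings.append((lineno, line))
    return findings


if __name__ == "__main__":
    for lineno, line in suspicious_gemfile_lines(SAMPLE_GEMFILE):
        print(f"line {lineno}: {line}")
```

This is a review aid, not a sandbox: a flagged line is not necessarily malicious, and a DSL call can still take arbitrary Ruby in its arguments, but the check cheaply catches the case the demo relies on, where a statement has been dropped into a file most people assume is declarative.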

PYTHON.
Fun facts
- pip can either install packages through Wheel files or a Source Distribution (sdist)
- pip will prioritize a Wheel distribution over an sdist
- if a compatible Wheel distribution is not found, pip will build a wheel from the sdist
- an sdist builds from methods defined in setup.py
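The fallback in those facts is the risk: when no wheel matches the interpreter and platform, pip builds from the sdist, and building means executing setup.py. The following added example (not from the talk, and a simplified model of pip's real tag matching, which uses the `packaging` library) takes the artifact filenames an index would list for one release and reports whether a given interpreter gets a wheel, falls back to the sdist, or gets nothing under an `--only-binary=:all:` policy. The package name and file list are constructed.

```python
"""Added example, not from the talk: decide whether a release installs from a
wheel or falls back to an sdist (and therefore runs setup.py)."""
import re

# PEP 427 wheel filename: name-version[-build]-python-abi-platform.whl
WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<ver>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<py>[^-]+)-(?P<abi>[^-]+)-(?P<plat>[^-]+)\.whl$"
)
SDIST_SUFFIXES = (".tar.gz", ".zip")

# Constructed release listing for a hypothetical package: one CPython 3.11
# Linux wheel and an sdist, no pure-Python wheel.
RELEASE_FILES = [
    "examplepkg-1.0.0-cp311-cp311-manylinux_2_17_x86_64.whl",
    "examplepkg-1.0.0.tar.gz",
]

# Constructed (abbreviated) supported-tag sets for two interpreters.
CP311_LINUX = {("cp311", "cp311", "manylinux_2_17_x86_64"), ("py3", "none", "any")}
CP312_LINUX = {("cp312", "cp312", "manylinux_2_17_x86_64"), ("py3", "none", "any")}


def wheel_is_compatible(filename: str, supported_tags: set) -> bool:
    """True if any tag triple in the wheel's (possibly compressed) tag set is
    supported by the target interpreter."""
    match = WHEEL_RE.match(filename)
    if not match:
        return False
    # Each of the three fields may hold several '.'-joined values.
    for py in match["py"].split("."):
        for abi in match["abi"].split("."):
            for plat in match["plat"].split("."):
                if (py, abi, plat) in supported_tags:
                    return True
    return False


def resolve_install_source(files: list, supported_tags: set, allow_sdist: bool = True) -> tuple:
    """Return ("wheel", file), ("sdist", file) or ("none", None).
    allow_sdist=False models `pip install --only-binary=:all:`."""
    for f in files:
        if f.endswith(".whl") and wheel_is_compatible(f, supported_tags):
            return ("wheel", f)
    if allow_sdist:
        for f in files:
            if f.endswith(SDIST_SUFFIXES):
                return ("sdist", f)
    return ("none", None)


if __name__ == "__main__":
    for label, tags in (("cp311", CP311_LINUX), ("cp312", CP312_LINUX)):
        print(label, resolve_install_source(RELEASE_FILES, tags))
        print(label, "only-binary:", resolve_install_source(RELEASE_FILES, tags, allow_sdist=False))
```

The cp312 case is the one to notice: the same `pip install` line that quietly gets a prebuilt wheel on one machine builds from source, and runs setup.py, on another. Pinning `--only-binary=:all:` in CI turns that silent fallback into a hard failure you can see.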


Yes. You know what time it is.
💰🤑💰.
Use of these techniques.
👩🔬 CI && CD pipelines.
👩👩👦👦 spray campaigns.
🔍 reconnaissance.
Buyer beware.
👀 hard to target.
🙅 stealth.
FIN.
