{you are what you depend on}

Olivia Brundage

$ whoami

prodSec @ GitHub

XO @ 144th CWC, VaARNG

@oliikit

or maybe it's who you trust.

LET'S LOOK AT THE BAD STUFF.

I'd rather just write code for fun and only worry about supply chain security when I'm actually paid to do so. ~ untitaker

eslint-scope@3.7

eslint-config-eslint@5.0.2

12 July 2018

AI

ACCOUNT TAKEOVER

THIS IS ABOUT HOW SOFTWARE IS CREATED.

AND TRUST.

JAVASCRIPT.

package.json
{
  "name": "eslint-scope",
  "description": "ECMAScript scope analyzer for ESLint",
  "main": "src/index.js",
  "version": "3.7.0",
  "repository": "eslint/eslint-scope",
  "bugs": {
    "url": "https://github.com/eslint/eslint-scope/issues"
  },
  "scripts": {
    "test": "node Makefile.js test",
    "lint": "node Makefile.js lint",
    "postinstall": "node ./bin/helloWorld",
    ...
  },
  "dependencies": {
    ...
  },
  "devDependencies": {
    ...
  }
}

Live demo time!!

WCGW?
npm install --ignore-scripts

👎
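An added example, not part of the original slides: a small Python check that lists the lifecycle scripts npm runs automatically during `npm install` (the hooks that `--ignore-scripts` suppresses). The hook names come from npm's documented lifecycle scripts; the sample manifest is constructed to mirror the eslint-scope package.json on the slide.

```python
"""List the scripts an npm package would execute at install time."""
import json

# Lifecycle hooks that `npm install` runs for a dependency (npm's documented
# script names; `--ignore-scripts` is what prevents them from running).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample modelled on the package.json from the slide.
SAMPLE_PACKAGE_JSON = """
{
  "name": "eslint-scope",
  "version": "3.7.0",
  "scripts": {
    "test": "node Makefile.js test",
    "lint": "node Makefile.js lint",
    "postinstall": "node ./bin/helloWorld"
  }
}
"""


def install_time_scripts(package_json_text):
    """Return {hook: command} for every script npm would run during install."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    if not isinstance(scripts, dict):
        raise ValueError('"scripts" must be a JSON object')
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def is_install_safe(package_json_text):
    """True when nothing in the manifest executes at install time."""
    return not install_time_scripts(package_json_text)


if __name__ == "__main__":
    # Walking node_modules/*/package.json with this function shows every
    # dependency that gets code execution on a plain `npm install`.
    for hook, cmd in install_time_scripts(SAMPLE_PACKAGE_JSON).items():
        print(f"{hook}: {cmd}")
```

The thumbs-down on the slide is the caveat: `--ignore-scripts` also skips hooks that legitimate native modules need to build, so in practice you review what this check reports rather than blanket-disable it.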

RUBY.

MINSWAN. 🙇‍♀️

✨  gems == dependencies

THE BUILD SYSTEM.

🏛️   project gems are installed by a Gemfile

🚧  bundle install

but if your Gemfile is sanitized when processed, you're SOL.

gems.rb
puts "Hello World"

$ bundle

🟰

mAgiC

less theory. more demo.

This method of installing gems was supposed to be deprecated....
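An added example, not from the slides: since a Gemfile (or gems.rb) is plain Ruby that Bundler evaluates, a quick defensive check is to flag any statement that is not a call into Bundler's DSL. The allowlist below is an assumption written for this example, and the sample gems.rb is constructed to match the slide's `puts "Hello World"` demo.

```python
"""Heuristic linter: flag non-DSL statements in a Gemfile / gems.rb."""
import re

# Bundler DSL methods a Gemfile normally calls (assumed allowlist for this
# example; extend it with anything your own Gemfiles legitimately use).
BUNDLER_DSL = {
    "source", "gem", "group", "ruby", "gemspec", "git", "git_source",
    "path", "platform", "platforms", "install_if", "env", "end",
}

# Constructed sample: two lines execute arbitrary Ruby on `bundle install`.
SAMPLE_GEMS_RB = '''source "https://rubygems.org"
gem "rake"
puts "Hello World"
group :test do
  gem "rspec"
  File.write("hello.txt", "Hello World")
end
'''

# First identifier on the line, e.g. `gem` in `gem "rake"`.
STATEMENT_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)")


def suspicious_lines(gemfile_text):
    """Return (line_number, text) for lines that do not start with a DSL call."""
    findings = []
    for number, line in enumerate(gemfile_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or comment
        match = STATEMENT_RE.match(stripped)
        keyword = match.group(1) if match else None
        if keyword not in BUNDLER_DSL:
            findings.append((number, stripped))
    return findings


if __name__ == "__main__":
    for number, text in suspicious_lines(SAMPLE_GEMS_RB):
        print(f"gems.rb:{number}: {text}")
```

This is a heuristic, not a parser: a `gem` line whose version argument is an expression, a `require` of a helper file, or a conditional wrapping the DSL will be reported (or missed) accordingly, so treat hits as items for review before running `bundle` on an untrusted checkout.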

PYTHON.

Fun facts

  • pip can either install packages through Wheels files or Source Distribution (sdist)

  • pip will prioritize Wheel distribution over sdist

  • if a Wheel distribution is not found, pip will build a wheel from the sdist

  • sdist builds from methods defined in setup.py
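An added example, not from the slides: because building an sdist means running its setup.py, a static look at that file before installing is worthwhile. This uses Python's `ast` module to report two things the slide's "methods defined in setup.py" point covers: commands replaced via `cmdclass` (which run during `pip install`) and statements that execute merely by importing the file. The setup.py is a constructed sample.

```python
"""Static inspection of a setup.py for install-time code paths."""
import ast

# Constructed sample: a module-level side effect plus a replaced install command.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install

print("Hello World")          # runs whenever pip builds this sdist

class PostInstall(install):
    def run(self):
        install.run(self)
        print("Hello World again")

setup(
    name="demo",
    version="0.1",
    cmdclass={"install": PostInstall},
)
'''


def _top_level_setup_call(tree):
    """Return the module-level setup(...) Call node, or None."""
    for stmt in tree.body:
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            func = stmt.value.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
            if name == "setup":
                return stmt.value
    return None


def overridden_commands(setup_py_text):
    """Return the command names replaced through cmdclass={...}."""
    call = _top_level_setup_call(ast.parse(setup_py_text))
    if call is None:
        return []
    for kw in call.keywords:
        if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
            return [k.value for k in kw.value.keys
                    if isinstance(k, ast.Constant) and isinstance(k.value, str)]
    return []


def module_level_side_effects(setup_py_text):
    """Return line numbers of top-level statements that are neither imports,
    definitions, assignments, nor the setup() call itself."""
    benign = (ast.Import, ast.ImportFrom, ast.FunctionDef, ast.ClassDef,
              ast.Assign, ast.AnnAssign)
    tree = ast.parse(setup_py_text)
    setup_call = _top_level_setup_call(tree)
    return [stmt.lineno for stmt in tree.body
            if not isinstance(stmt, benign)
            and not (isinstance(stmt, ast.Expr) and stmt.value is setup_call)]


if __name__ == "__main__":
    print("cmdclass overrides:", overridden_commands(SAMPLE_SETUP_PY))
    print("side-effect lines:", module_level_side_effects(SAMPLE_SETUP_PY))
```

The operational mitigation that matches the slide's wheel-versus-sdist fact is `pip install --only-binary=:all:`, which refuses to build from an sdist at all; where no wheel exists, build the package in an isolated environment after running a check like this.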


Yes. You know what time it is.

💰🤑💰.

Use of these techniques.

👩‍🔬  CI && CD pipelines.


👩‍👩‍👦‍👦  spray campaigns.


🔍  reconnaissance.

Buyer beware.

👀  hard to target.

🙅  stealth.

FIN.

Code

By oliikit