Successfully reported this slideshow.

Analysis of an OSS supply chain attack - How did 8 millions developers download an exploit with no one noticing?

1

Share

Oct. 25, 2019
1 like 401 views
Upcoming SlideShare
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
Loading in …3
×
1 of 97
1 of 97

Analysis of an OSS supply chain attack - How did 8 millions developers download an exploit with no one noticing?

Oct. 25, 2019
1 like 401 views

1

Share

Download to read offline

Technology

Talk given at BSidesPDX on the node/npm event-stream exploit, how it worked, and what it did.

Talk given at BSidesPDX on the node/npm event-stream exploit, how it worked, and what it did.

Technology

Recommended

More Related Content

Similar to Analysis of an OSS supply chain attack - How did 8 millions developers download an exploit with no one noticing?

Security as Code
Ed Bellis
Client-Side Penetration Testing Presentation
Chris Gates
Geecon 2017 Anatomy of Java Vulnerabilities
Steve Poole
XXXsrc 2018 -the record of the past year-
Akio OBATA
Kernel Recipes 2017 - Linux Kernel Release Model - Greg KH
Anne Nicolas
vJUG 2017 "Continuous Delivery with Java and Docker: The Good, the Bad, and t...
Daniel Bryant
2015 08-20-criu support-in_docker_for_native_checkpoint_and_restore
Saied Kazemi
DEF CON 24 - Rich Mogull - pragmatic cloud security
Felipe Prado
I forgot my password – what a secure password reset needs to have and why
Michal Špaček
Ethical hacking for fun and profit
Florent Batard
O'Reilly/Nginx 2016: "Continuous Delivery with Containers: The Trials and Tri...
Daniel Bryant
(SACON) Anant Shrivastava - cloud pentesting
Priyanka Aash
Security as Code: DOES15
Ed Bellis
Continuous mobile automation in build pipeline
dm l
SSL Checklist for Pentesters (BSides MCR 2014)
Jerome Smith
Armo webinar rethinking your cloud security in the shadow of the solar winds ...
LibbySchulze
DevOpsCon 2017 "Continuous Delivery with Containers"
Daniel Bryant
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
eightbit
Eosp spring 2011
Ishwinder Singh
SenchaCon 2016: Expect the Unexpected - Dealing with Errors in Web Apps
Sencha

More from Jarrod Overson

AppSecCali - How Credential Stuffing is Evolving
Jarrod Overson
How Credential Stuffing is Evolving - PasswordsCon 2019
Jarrod Overson
Deepfakes - How they work and what it means for the future
Jarrod Overson
The State of Credential Stuffing and the Future of Account Takeovers.
Jarrod Overson
How to Reverse Engineer Web Applications
Jarrod Overson
The life of breached data and the attack lifecycle
Jarrod Overson
The Life of Breached Data & The Dark Side of Security
Jarrod Overson
Shape Security @ WaffleJS October 16
Jarrod Overson
Graphics Programming for Web Developers
Jarrod Overson
The Dark Side of Security
Jarrod Overson
JavaScript and the AST
Jarrod Overson
ES2015 workflows
Jarrod Overson
Maintainability SFJS Sept 4 2014
Jarrod Overson
Idiot proofing your code
Jarrod Overson
Riot on the web - Kenote @ QCon Sao Paulo 2014
Jarrod Overson
Managing JavaScript Complexity in Teams - Fluent
Jarrod Overson
Real World Web components
Jarrod Overson
Managing JavaScript Complexity
Jarrod Overson
Continuous Delivery for the Web Platform
Jarrod Overson

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate Rose George
(4/5)
Free
Carrying the Fire: 50th Anniversary Edition Michael Collins
(4.5/5)
Free
Island of the Lost: An Extraordinary Story of Survival at the Edge of the World Joan Druett
(4/5)
Free
The Basics of Bitcoins and Blockchains: An Introduction to Cryptocurrencies and the Technology that Powers Them (Cryptography, Derivatives Investments, Futures Trading, Digital Assets, NFT) Antony Lewis
(4/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(4.5/5)
Free
After Steve: How Apple Became a Trillion-Dollar Company and Lost its Soul Tripp Mickle
(4.5/5)
Free
The Quiet Zone: Unraveling the Mystery of a Town Suspended in Silence Stephen Kurczy
(4.5/5)
Free
The Wires of War: Technology and the Global Struggle for Power Jacob Helberg
(4/5)
Free
System Error: Where Big Tech Went Wrong and How We Can Reboot Rob Reich
(4.5/5)
Free
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
Liftoff: Elon Musk and the Desperate Early Days That Launched SpaceX Eric Berger
(5/5)
Free
The Science of Time Travel: The Secrets Behind Time Machines, Time Loops, Alternate Realities, and More! Elizabeth Howell
(3/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free

Analysis of an OSS supply chain attack - How did 8 millions developers download an exploit with no one noticing?

  1. 1. Jarrod Overson - BSidesPDX Why are imitation attacks such a problem? Analysis of an OSS supply chain attack How did millions of developers download malicious code with no one noticing? Jarrod Overson - BSidesPDX
  2. 2. Jarrod Overson - BSidesPDX
  3. 3. Jarrod Overson - BSidesPDX
  4. 4. Jarrod Overson - BSidesPDX
  5. 5. Jarrod Overson - BSidesPDX npm install [anything]
  6. 6. Jarrod Overson - BSidesPDX The threat is real And it's coming from inside the house.
  7. 7. Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
  8. 8. Jarrod Overson - BSidesPDX Who am I? • Director at Shape Security & Google Dev Expert. • Write/talk/record about JS reverse engineering & breaking web apps. • Old-school video game hacker. • @jsoverson most everywhere This guy
  9. 9. Jarrod Overson - BSidesPDX ?
  10. 10. Jarrod Overson - BSidesPDX Ever heard of YKK?
  11. 11. Jarrod Overson - BSidesPDX
  12. 12. Jarrod Overson - BSidesPDX You used Shape this week. We're the reason you log in a lot less and see fewer CAPTCHAs.
  13. 13. Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
  14. 14. Jarrod Overson - BSidesPDX JS It started with a package, event-stream
  15. 15. Jarrod Overson - BSidesPDX
  16. 16. Jarrod Overson - BSidesPDX
  17. 17. Jarrod Overson - BSidesPDX
  18. 18. Jarrod Overson - BSidesPDX
  19. 19. Jarrod Overson - BSidesPDX JS event-stream was maintained by prolific developer Dominic Tarr
  20. 20. Jarrod Overson - BSidesPDX
  21. 21. Jarrod Overson - BSidesPDX
  22. 22. Jarrod Overson - BSidesPDX
  23. 23. Jarrod Overson - BSidesPDX JS Domenic gave ownership to right9ctrl in September of 2018 *
  24. 24. Jarrod Overson - BSidesPDX Q: Why?
  25. 25. Jarrod Overson - BSidesPDX
  26. 26. Jarrod Overson - BSidesPDX
  27. 27. Jarrod Overson - BSidesPDX JS right9ctrl gained trust by committing several innocent changes. ...b550f5: upgrade dependencies ...37c105: add map and split examples ...477832: remove trailing in split example ...2c2095: better pretty.js example ...a644c5: update readme event-stream
  28. 28. Jarrod Overson - BSidesPDX JS On Sept 9 2018 right9ctrl added a new dependency and released version 3.3.6 JS v3.3.6 JS v0.1.0 flatmap-stream event-stream
  29. 29. Jarrod Overson - BSidesPDX About that caret...
  30. 30. Jarrod Overson - BSidesPDX Semantic Versioning (semver) Major.Minor.Patch e.g. 3.4.9 Breaking changes New features Bug fixes Increasing risk
  31. 31. Jarrod Overson - BSidesPDX Semver pattern matching Symbol Example Matches ^ ^0.1.0 0.*.* ~ ~0.1.0 0.1.*
  32. 32. Jarrod Overson - BSidesPDX JS right9ctrl then removed flatmap-stream and updated event-stream to v4.0.0. v4.0.0 event-stream
  33. 33. Jarrod Overson - BSidesPDX Note: Nothing malicious has emerged thus far.
  34. 34. Jarrod Overson - BSidesPDX Total time between first commit and v4.0.0? 12 days
  35. 35. Jarrod Overson - BSidesPDX JS On October 5th 2018 (T+31) flatmap-stream@0.1.1 was published. JS v3.3.6 v0.1.1 flatmap-stream event-stream JS v0.1.0
  36. 36. Jarrod Overson - BSidesPDX JS event-stream@3.3.6 installed fresh now pulls in flatmap-stream@0.1.1 because of the ^ JS v3.3.6 v0.1.1 flatmap-stream event-stream
  37. 37. Jarrod Overson - BSidesPDX event-stream@3.3.5 was stable for 2+ years. JSJS v3.3.6 event-stream
  38. 38. Jarrod Overson - BSidesPDX A LOT depended on event-stream^3.3.5 and would get updated to 3.3.6 automatically. JS JS JS JS JS JS JS JS JS
  39. 39. Jarrod Overson - BSidesPDX Time between flatmap-stream@0.1.1 and exposure: 48 days Time between malicious control and discovery: 77 days
  40. 40. Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
  41. 41. Jarrod Overson - BSidesPDX First, how was it discovered?
  42. 42. Payload A used a method deprecated in node v11.0.0
  43. 43. Node v11.0.0 was released 18 days into the exploit.
  44. 44. Unrelated projects started getting deprecation warnings.
  45. 45. Finally someone started putting it together.
  46. 46. Jarrod Overson - BSidesPDX So how was it discovered? Luck.
  47. 47. flatmap-stream v0.1.0
  48. 48. flatmap-stream v0.1.1
  49. 49. Jarrod Overson - BSidesPDX Payload A The bootstrap.
  50. 50. Jarrod Overson - BSidesPDX Recap • The script decrypts and compiles a new module. • The key comes from a package description somewhere. • The encrypted JS comes from testData[0]. • The compiled module exports testData[1].
  51. 51. Jarrod Overson - BSidesPDX What does this mean? The script only serves its purpose if the code runs from an npm script in a directory that has a package.json with a "description" field containing a specific string that can act as the key.
  52. 52. Jarrod Overson - BSidesPDX What this means for us We need to start trolling through package.json files.
  53. 53. 😂
  54. 54. Jarrod Overson - BSidesPDX Strategy • Iterate through every package. • Decrypt testData[0]. • Run the decrypted data through a JS Parser. • If successful then we have a winner.
  55. 55. Jarrod Overson - BSidesPDX
  56. 56. Jarrod Overson - BSidesPDX
  57. 57. Copay, the Secure Bitcoin Wallet.
  58. 58. Jarrod Overson - BSidesPDX Payload B The injector.
  59. 59. Payload B
  60. 60. Payload B
  61. 61. Jarrod Overson - BSidesPDX npm scripts redux npm run-script script-name [0] [1] [2]argv:
  62. 62. Payload B
  63. 63. copay's package.json scripts
  64. 64. Payload B
  65. 65. Jarrod Overson - BSidesPDX Recap • Payload B noops unless run in copay's build stage. • Decrypts payload C just like payload B. • Injects payload C into a file used in copay's mobile app. • Payload C is then executed in the mobile app while on a user's mobile device.
  66. 66. Jarrod Overson - BSidesPDX Payload C The final payload.
  67. 67. Payload C
  68. 68. Jarrod Overson - BSidesPDX Payload C in a nutshell • Harvested private keys • Targeted wallets with over 100 BTC or 1000 BCH • Communicated with third party server copayapi.host
  69. 69. Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
  70. 70. Jarrod Overson - BSidesPDX This is NOT node/npm specific Any public repository of code is susceptible.
  71. 71. Jarrod Overson - BSidesPDX The Good News. Once the issue was brought to light the community • responded rapidly • investigated quickly • mitigated the issue immediately • and produced tools to help others right away.
  72. 72. Jarrod Overson - BSidesPDX The Bad News. It has happened multiple times since.
  73. 73. The dependency problem is not ideal.
  74. 74. Jarrod Overson - BSidesPDX This could have been much worse. event-stream was depended on things like the - azure-cli - dozens of build tools and plugins - Microsoft's monaco editor (the editor for VSCode)
  75. 75. Jarrod Overson - BSidesPDX This will likely get much worse. Properly addressing this problem requires rethinking node, dependencies, and package management. Hard things with lots of compatibility implications.
  76. 76. Jarrod Overson - BSidesPDX
  77. 77. Jarrod Overson - BSidesPDX What can you do? • Audit your dependencies. • Lock your dependencies. • Check in your dependencies. • Think twice before adding dependencies.
  78. 78. Jarrod Overson - BSidesPDX When in doubt, don't add it. • Dependencies are risks. • Risks are gambles. • You gamble when cost is low and value is high.
  79. 79. Jarrod Overson - BSidesPDX Why are imitation attacks such a problem?Thank You! @jsoverson on bit.ly/jsoverson-youtube

×