Jarrod Overson - BSidesPDX
Analysis of an OSS supply chain attack
How did millions of developers download malicious code with no one noticing?
npm install [anything]
The threat is real. And it's coming from inside the house.
Agenda
1. How it happened
2. What it did
3. Where it leaves us
Who am I?
• Director at Shape Security & Google Dev Expert.
• Write/talk/record about JS reverse engineering & breaking web apps.
• Old-school video game hacker.
• @jsoverson most everywhere
Ever heard of YKK?
You used Shape this week. We're the reason you log in a lot less and see fewer CAPTCHAs.
Agenda
1. How it happened
2. What it did
3. Where it leaves us
It started with a package: event-stream.
event-stream was maintained by prolific developer Dominic Tarr.
Dominic gave ownership to right9ctrl in September of 2018.

Q: Why?
right9ctrl gained trust by committing several innocent changes to event-stream:
...b550f5: upgrade dependencies
...37c105: add map and split examples
...477832: remove trailing in split example
...2c2095: better pretty.js example
...a644c5: update readme
On Sept 9 2018 right9ctrl added a new dependency and released version 3.3.6.
[Diagram: event-stream v3.3.6 depends on flatmap-stream ^0.1.0, which resolves to v0.1.0]
About that caret...
Semantic Versioning (semver)
Major.Minor.Patch, e.g. 3.4.9
  Major: breaking changes
  Minor: new features
  Patch: bug fixes
Risk increases from Patch to Major.
Semver pattern matching

Symbol   Example   Matches
^        ^0.1.0    0.*.*
~        ~0.1.0    0.1.*
right9ctrl then removed flatmap-stream and updated event-stream to v4.0.0.
[Diagram: event-stream v4.0.0, no flatmap-stream dependency]
Note: Nothing malicious has emerged thus far.
Total time between first commit and v4.0.0? 12 days.
On October 5th 2018 (T+31) flatmap-stream@0.1.1 was published.
[Diagram: event-stream v3.3.6 still declares flatmap-stream ^0.1.0; the registry now holds v0.1.0 and v0.1.1]
event-stream@3.3.6 installed fresh now pulls in flatmap-stream@0.1.1 because of the ^.
[Diagram: event-stream v3.3.6 → flatmap-stream v0.1.1]
event-stream@3.3.5 was stable for 2+ years.
A LOT depended on event-stream ^3.3.5 and would get updated to 3.3.6 automatically.
[Diagram: many downstream packages depending on event-stream]
Time between flatmap-stream@0.1.1 and exposure: 48 days
Time between malicious control and discovery: 77 days
Agenda
1. How it happened
2. What it did
3. Where it leaves us
First, how was it discovered?
Payload A used a method deprecated in node v11.0.0
Node v11.0.0 was released 18 days into the exploit.
Unrelated projects started getting deprecation warnings.
Finally someone started putting it together.
So how was it discovered?
Luck.
[Diff: flatmap-stream v0.1.0 vs flatmap-stream v0.1.1]
Payload A
The bootstrap.
Recap
• The script decrypts and compiles a new module.
• The key comes from a package description somewhere.
• The encrypted JS comes from testData[0].
• The compiled module exports testData[1].
What does this mean?
The script only serves its purpose if the code runs from an npm script in a directory that has a package.json with a "description" field containing a specific string that can act as the key.
What this means for us
We need to start trolling through package.json files.
😂
Strategy
• Iterate through every package.
• Decrypt testData[0].
• Run the decrypted data through a JS Parser.
• If successful then we have a winner.
Copay, the Secure Bitcoin Wallet.
Payload B: The injector.

npm scripts redux

npm  run-script  script-name
[0]  [1]         [2]          (argv)

[Slide: copay's package.json scripts]
Recap
• Payload B noops unless run in copay's build stage.
• Decrypts payload C the same way payload A decrypted payload B.
• Injects payload C into a file used in copay's mobile app.
• Payload C is then executed in the mobile app while on a user's mobile device.
Payload C: The final payload.
Payload C in a nutshell
• Harvested private keys
• Targeted wallets with over 100 BTC or 1000 BCH
• Communicated with third-party server copayapi.host
Agenda
1. How it happened
2. What it did
3. Where it leaves us
This is NOT node/npm specific
Any public repository of code is susceptible.
The Good News.
Once the issue was brought to light the community:
• responded rapidly
• investigated quickly
• mitigated the issue immediately
• and produced tools to help others right away.
The Bad News.
It has happened multiple times since.
The dependency problem is not ideal.
This could have been much worse.
event-stream was depended on by things like:
- azure-cli
- dozens of build tools and plugins
- Microsoft's monaco editor (the editor for VSCode)
This will likely get much worse.
Properly addressing this problem requires rethinking node, dependencies, and package management. Hard things with lots of compatibility implications.
What can you do?
• Audit your dependencies.
• Lock your dependencies.
• Check in your dependencies.
• Think twice before adding dependencies.
When in doubt, don't add it.
• Dependencies are risks.
• Risks are gambles.
• You gamble when cost is low and value is high.
Thank You!
@jsoverson
bit.ly/jsoverson-youtube

Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
FIDO Alliance
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
Zilliz
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 

Recently uploaded (20)

Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 

Analysis of an OSS supply chain attack - How did 8 millions developers download an exploit with no one noticing?

  • 1. Jarrod Overson - BSidesPDX. Why are imitation attacks such a problem? Analysis of an OSS supply chain attack: How did millions of developers download malicious code with no one noticing?
  • 5. npm install [anything]
  • 6. The threat is real. And it's coming from inside the house.
  • 7. Agenda: 1. How it happened 2. What it did 3. Where it leaves us
  • 8. Who am I? • Director at Shape Security & Google Dev Expert. • Write/talk/record about JS reverse engineering & breaking web apps. • Old-school video game hacker. • @jsoverson most everywhere. This guy.
  • 9. ?
  • 10. Ever heard of YKK?
  • 12. You used Shape this week. We're the reason you log in a lot less and see fewer CAPTCHAs.
  • 14. It started with a package, event-stream.
  • 19. event-stream was maintained by prolific developer Dominic Tarr.
  • 23. Dominic gave ownership to right9ctrl in September of 2018.*
  • 24. Q: Why?
  • 27. right9ctrl gained trust by committing several innocent changes to event-stream: ...b550f5: upgrade dependencies; ...37c105: add map and split examples; ...477832: remove trailing in split example; ...2c2095: better pretty.js example; ...a644c5: update readme.
  • 28. On Sept 9 2018 right9ctrl added a new dependency and released version 3.3.6. (Diagram: event-stream v3.3.6 depends on flatmap-stream v0.1.0.)
  • 29. About that caret...
  • 30. Semantic Versioning (semver): Major.Minor.Patch, e.g. 3.4.9. Major = breaking changes, Minor = new features, Patch = bug fixes; risk increases from patch to major.
  • 31. Semver pattern matching: ^ (e.g. ^0.1.0) matches 0.*.*; ~ (e.g. ~0.1.0) matches 0.1.*.
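The caret on slides 28 to 31 is what turned a dormant dependency into a live one, so here is the range logic worked through in code. This is an added example, not code from the talk or from npm itself: it implements npm's caret and tilde rules (under which ^0.1.0 allows >=0.1.0 <0.2.0, a tighter reading than the 0.*.* shorthand on slide 31; 0.1.1 satisfies it either way) over a constructed registry listing and a constructed lockfile, and shows what a fresh install of event-stream@^3.3.5 resolves to with and without a pinned version.

```javascript
// Added example (not from the talk): how npm-style caret and tilde ranges
// resolve against a registry listing, and why a pinned lockfile entry does not
// float. Caret rule: changes are allowed as long as the left-most non-zero
// component stays the same, so ^0.1.0 is >=0.1.0 <0.2.0 and ^3.3.5 is >=3.3.5 <4.0.0.
'use strict';

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Exclusive upper bound of a caret range.
function caretUpper([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Exclusive upper bound of a tilde range: patch may float, minor may not.
function tildeUpper([major, minor]) {
  return [major, minor + 1, 0];
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// True when `version` satisfies `range` ("^x.y.z", "~x.y.z", or an exact "x.y.z").
function satisfies(version, range) {
  const v = parse(version);
  const op = range[0];
  if (op !== '^' && op !== '~') return compare(version, range) === 0;
  const base = parse(range.slice(1));
  const upper = op === '^' ? caretUpper(base) : tildeUpper(base);
  return !lessThan(v, base) && lessThan(v, upper);
}

// npm picks the highest published version that satisfies the range.
function resolve(range, published) {
  const ok = published.filter(v => satisfies(v, range)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed registry snapshot: the version numbers are the ones from the talk,
// the listing itself is illustrative.
const REGISTRY = {
  'flatmap-stream': ['0.1.0', '0.1.1'],
  'event-stream': ['3.3.4', '3.3.5', '3.3.6', '4.0.0'],
};

// Constructed lockfile: what a project that installed before Sept 2018 had pinned.
// event-stream@3.3.5 did not depend on flatmap-stream, so nothing else is listed.
const LOCKFILE = { 'event-stream': '3.3.5' };

// What a fresh install of event-stream@^3.3.5 pulls in, with and without the lockfile.
function freshInstall(useLock) {
  const es = useLock ? LOCKFILE['event-stream'] : resolve('^3.3.5', REGISTRY['event-stream']);
  // event-stream@3.3.6 declared "flatmap-stream": "^0.1.0"; 3.3.5 had no such dependency.
  const fm = es === '3.3.6' ? resolve('^0.1.0', REGISTRY['flatmap-stream']) : null;
  return { 'event-stream': es, 'flatmap-stream': fm };
}

console.log('no lockfile  :', freshInstall(false)); // event-stream 3.3.6 + flatmap-stream 0.1.1
console.log('with lockfile:', freshInstall(true));  // event-stream 3.3.5, no flatmap-stream
```

The point the slides make is the second hop: a project that never mentioned flatmap-stream still receives 0.1.1, because its own caret on event-stream accepts 3.3.6 and 3.3.6's caret on flatmap-stream accepts whatever 0.1.x is newest at install time. A lockfile freezes both hops.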
  • 32. right9ctrl then removed flatmap-stream and updated event-stream to v4.0.0.
  • 33. Note: Nothing malicious has emerged thus far.
  • 34. Total time between first commit and v4.0.0? 12 days.
  • 35. On October 5th 2018 (T+31) flatmap-stream@0.1.1 was published. (Diagram: event-stream v3.3.6 alongside flatmap-stream v0.1.0 and v0.1.1.)
  • 36. event-stream@3.3.6 installed fresh now pulls in flatmap-stream@0.1.1 because of the ^.
  • 37. event-stream@3.3.5 was stable for 2+ years.
  • 38. A LOT depended on event-stream ^3.3.5 and would get updated to 3.3.6 automatically.
  • 39. Time between flatmap-stream@0.1.1 and exposure: 48 days. Time between malicious control and discovery: 77 days.
  • 40. Agenda: 1. How it happened 2. What it did 3. Where it leaves us
  • 41. First, how was it discovered?
  • 42. Payload A used a method deprecated in node v11.0.0.
  • 43. Node v11.0.0 was released 18 days into the exploit.
  • 44. Unrelated projects started getting deprecation warnings.
  • 45. Finally someone started putting it together.
  • 46. So how was it discovered? Luck.
  • 49. Payload A: The bootstrap.
  • 65. Recap • The script decrypts and compiles a new module. • The key comes from a package description somewhere. • The encrypted JS comes from testData[0]. • The compiled module exports testData[1].
  • 66. What does this mean? The script only serves its purpose if the code runs from an npm script in a directory that has a package.json with a "description" field containing a specific string that can act as the key.
  • 67. What this means for us: We need to start trolling through package.json files.
  • 69. 😂
  • 70. Strategy • Iterate through every package. • Decrypt testData[0]. • Run the decrypted data through a JS parser. • If successful then we have a winner.
  • 73. Copay, the Secure Bitcoin Wallet.
  • 74. Payload B: The injector.
  • 77. npm scripts redux: npm run-script script-name (argv: [0] [1] [2]).
  • 81. Recap • Payload B noops unless run in copay's build stage. • Decrypts payload C just like payload B was decrypted. • Injects payload C into a file used in copay's mobile app. • Payload C is then executed in the mobile app while on a user's mobile device.
  • 82. Payload C: The final payload.
  • 84. Payload C in a nutshell • Harvested private keys. • Targeted wallets with over 100 BTC or 1000 BCH. • Communicated with third party server copayapi.host.
  • 85. Agenda: 1. How it happened 2. What it did 3. Where it leaves us
  • 86. This is NOT node/npm specific. Any public repository of code is susceptible.
  • 87. The Good News. Once the issue was brought to light the community • responded rapidly • investigated quickly • mitigated the issue immediately • and produced tools to help others right away.
  • 88. The Bad News. It has happened multiple times since.
  • 91. The dependency problem is not ideal.
  • 92. This could have been much worse. event-stream was depended on by things like: - azure-cli - dozens of build tools and plugins - Microsoft's monaco editor (the editor for VSCode)
  • 93. This will likely get much worse. Properly addressing this problem requires rethinking node, dependencies, and package management. Hard things with lots of compatibility implications.
  • 95. What can you do? • Audit your dependencies. • Lock your dependencies. • Check in your dependencies. • Think twice before adding dependencies.
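The first two items on slide 95, audit and lock, as a check that can run in CI. This is an added example, not from the talk: it reads a constructed package.json and package-lock.json (the lockfileVersion 2/3 "packages" layout) and flags floating version ranges, lock entries without an integrity hash, and entries resolved from anywhere other than the assumed trusted registry. The sha512-PLACEHOLDER values are placeholders and some-helper is a made-up package; event-stream and flatmap-stream are the names from the talk.

```javascript
// Added example (not from the talk): a small dependency-hygiene audit over
// package.json and package-lock.json. Both inputs below are constructed.
'use strict';

// Assumption: only the public npm registry is a trusted source for tarballs.
const ALLOWED_REGISTRY = 'https://registry.npmjs.org/';

// Flag declared dependencies that are ranges rather than exact versions.
function auditRanges(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries((pkg && pkg[field]) || {})) {
      if (!/^\d+\.\d+\.\d+$/.test(range)) {
        findings.push({ name, kind: 'floating-range', detail: range });
      }
    }
  }
  return findings;
}

// Flag lock entries that cannot be verified (no integrity) or that were
// resolved from outside the trusted registry (git URLs, other hosts).
function auditLock(lock) {
  if (!lock || !lock.packages) {
    return [{ name: '*', kind: 'no-lockfile', detail: 'package-lock.json missing or pre-v2' }];
  }
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue; // the root project entry
    const name = path.replace(/^.*node_modules\//, '');
    if (!entry.integrity) {
      findings.push({ name, kind: 'no-integrity', detail: entry.version });
    }
    if (!entry.resolved || !entry.resolved.startsWith(ALLOWED_REGISTRY)) {
      findings.push({ name, kind: 'untrusted-source', detail: entry.resolved || '(none)' });
    }
  }
  return findings;
}

function audit(pkg, lock) {
  return [...auditRanges(pkg), ...auditLock(lock)];
}

// Constructed package.json: event-stream pulled in by a caret range, plus a
// made-up helper pinned exactly.
const PACKAGE_JSON = {
  name: 'demo-app',
  dependencies: { 'event-stream': '^3.3.5', 'some-helper': '1.0.0' },
};

// Constructed package-lock.json (lockfileVersion 3 layout). flatmap-stream has
// no integrity field; some-helper was resolved from a git URL, not the registry.
const PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/event-stream': {
      version: '3.3.6',
      resolved: 'https://registry.npmjs.org/event-stream/-/event-stream-3.3.6.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/flatmap-stream': {
      version: '0.1.1',
      resolved: 'https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz',
    },
    'node_modules/some-helper': {
      version: '1.0.0',
      resolved: 'git+ssh://git@example.invalid/some-helper.git#abc123',
      integrity: 'sha512-PLACEHOLDER',
    },
  },
};

for (const f of audit(PACKAGE_JSON, PACKAGE_LOCK)) {
  console.log(`${f.kind.padEnd(17)} ${f.name}: ${f.detail}`);
}
```

The two halves belong together: a floating range in package.json is harmless only while installs are driven by the lockfile (npm ci rather than npm install), and a lockfile is only worth trusting when every entry carries an integrity hash and a known source, which is also what makes "check in your dependencies" reviewable in a diff.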
  • 96. When in doubt, don't add it. • Dependencies are risks. • Risks are gambles. • You gamble when cost is low and value is high.
  • 97. Thank You! @jsoverson on bit.ly/jsoverson-youtube