SlideShare a Scribd company logo
Jarrod Overson - BSidesPDX
Why are imitation attacks such a problem?
Analysis of an OSS supply chain attack
How did millions of developers download malicious
code with no one noticing?
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
npm install [anything]
Jarrod Overson - BSidesPDX
The threat is real
And it's coming from inside
the house.
Jarrod Overson - BSidesPDX
How it happened
What it did
Where it leaves us
1
2
3
Agenda
Jarrod Overson - BSidesPDX
Who am I?
• Director at Shape Security & Google Dev Expert.
• Write/talk/record about JS reverse engineering &
breaking web apps.
• Old-school video game hacker.
• @jsoverson most everywhere
This guy
Jarrod Overson - BSidesPDX
?
Jarrod Overson - BSidesPDX
Ever heard of YKK?
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
You used Shape this week.
We're the reason you log in a lot less and see fewer
CAPTCHAs.
Jarrod Overson - BSidesPDX
How it happened
What it did
Where it leaves us
1
2
3
Agenda
Jarrod Overson - BSidesPDX
JS
It started with a package, event-stream
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
JS
event-stream was maintained by prolific
developer Dominic Tarr
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
JS
Domenic gave ownership to right9ctrl in
September of 2018
*
Jarrod Overson - BSidesPDX
Q: Why?
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
JS
right9ctrl gained trust by committing several
innocent changes.
...b550f5: upgrade dependencies
...37c105: add map and split examples
...477832: remove trailing in split example
...2c2095: better pretty.js example
...a644c5: update readme
event-stream
Jarrod Overson - BSidesPDX
JS
On Sept 9 2018 right9ctrl added a new
dependency and released version 3.3.6
JS
v3.3.6
JS v0.1.0
flatmap-stream
event-stream
Jarrod Overson - BSidesPDX
About that caret...
Jarrod Overson - BSidesPDX
Semantic Versioning (semver)
Major.Minor.Patch e.g. 3.4.9
Breaking changes
New features
Bug fixes
Increasing risk
Jarrod Overson - BSidesPDX
Semver pattern matching
Symbol Example Matches
^ ^0.1.0 0.*.*
~ ~0.1.0 0.1.*
Jarrod Overson - BSidesPDX
JS
right9ctrl then removed flatmap-stream and updated
event-stream to v4.0.0.
v4.0.0
event-stream
Jarrod Overson - BSidesPDX
Note:
Nothing malicious has emerged thus far.
Jarrod Overson - BSidesPDX
Total time between first commit and v4.0.0?
12 days
Jarrod Overson - BSidesPDX
JS
On October 5th 2018 (T+31)
flatmap-stream@0.1.1 was published.
JS
v3.3.6
v0.1.1
flatmap-stream
event-stream
JS v0.1.0
Jarrod Overson - BSidesPDX
JS
event-stream@3.3.6 installed fresh now pulls in
flatmap-stream@0.1.1 because of the ^
JS
v3.3.6
v0.1.1
flatmap-stream
event-stream
Jarrod Overson - BSidesPDX
event-stream@3.3.5 was stable for 2+ years.
JSJS v3.3.6
event-stream
Jarrod Overson - BSidesPDX
A LOT depended on event-stream^3.3.5 and would
get updated to 3.3.6 automatically.
JS
JS
JS
JS
JS
JS
JS
JS
JS
Jarrod Overson - BSidesPDX
Time between flatmap-stream@0.1.1 and exposure:
48 days
Time between malicious control and discovery:
77 days
Jarrod Overson - BSidesPDX
How it happened
What it did
Where it leaves us
1
2
3
Agenda
Jarrod Overson - BSidesPDX
First, how was it discovered?
Payload A used a method deprecated in node v11.0.0
Node v11.0.0 was released 18 days into the exploit.
Unrelated projects started getting deprecation warnings.
Finally someone started putting it together.
Jarrod Overson - BSidesPDX
So how was it discovered?
Luck.
flatmap-stream v0.1.0
flatmap-stream v0.1.1
Jarrod Overson - BSidesPDX
Payload A
The bootstrap.
Jarrod Overson - BSidesPDX
Recap
• The script decrypts and compiles a new module.
• The key comes from a package description somewhere.
• The encrypted JS comes from testData[0].
• The compiled module exports testData[1].
Jarrod Overson - BSidesPDX
What does this mean?
The script only serves its purpose if the code runs
from an npm script in a directory that has a
package.json with a "description" field containing a
specific string that can act as the key.
Jarrod Overson - BSidesPDX
What this means for us
We need to start trolling through package.json files.
😂
Jarrod Overson - BSidesPDX
Strategy
• Iterate through every package.
• Decrypt testData[0].
• Run the decrypted data through a JS Parser.
• If successful then we have a winner.
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
Copay, the Secure Bitcoin Wallet.
Jarrod Overson - BSidesPDX
Payload B
The injector.
Payload B
Payload B
Jarrod Overson - BSidesPDX
npm scripts redux
npm run-script script-name
[0] [1] [2]argv:
Payload B
copay's package.json scripts
Payload B
Jarrod Overson - BSidesPDX
Recap
• Payload B noops unless run in copay's build stage.
• Decrypts payload C just like payload B.
• Injects payload C into a file used in copay's mobile app.
• Payload C is then executed in the mobile app while on a
user's mobile device.
Jarrod Overson - BSidesPDX
Payload C
The final payload.
Payload C
Jarrod Overson - BSidesPDX
Payload C in a nutshell
• Harvested private keys
• Targeted wallets with over 100 BTC or 1000 BCH
• Communicated with third party server copayapi.host
Jarrod Overson - BSidesPDX
How it happened
What it did
Where it leaves us
1
2
3
Agenda
Jarrod Overson - BSidesPDX
This is NOT node/npm specific
Any public repository of code is susceptible.
Jarrod Overson - BSidesPDX
The Good News.
Once the issue was brought to light the community
• responded rapidly
• investigated quickly
• mitigated the issue immediately
• and produced tools to help others right away.
Jarrod Overson - BSidesPDX
The Bad News.
It has happened multiple times since.
The dependency problem is not ideal.
Jarrod Overson - BSidesPDX
This could have been much worse.
event-stream was depended on things like the
- azure-cli
- dozens of build tools and plugins
- Microsoft's monaco editor (the editor for VSCode)
Jarrod Overson - BSidesPDX
This will likely get much worse.
Properly addressing this problem requires rethinking
node, dependencies, and package management.
Hard things with lots of compatibility implications.
Jarrod Overson - BSidesPDX
Jarrod Overson - BSidesPDX
What can you do?
• Audit your dependencies.
• Lock your dependencies.
• Check in your dependencies.
• Think twice before adding dependencies.
Jarrod Overson - BSidesPDX
When in doubt, don't add it.
• Dependencies are risks.
• Risks are gambles.
• You gamble when cost is low and value is high.
Jarrod Overson - BSidesPDX
Why are imitation attacks such a problem?Thank You!
@jsoverson on
bit.ly/jsoverson-youtube

More Related Content

What's hot

BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat Security Conference
 
Oow2013 ef final_4_3
Oow2013 ef final_4_3Oow2013 ef final_4_3
Oow2013 ef final_4_3
Euegene Fedorenko
 
Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...
Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...
Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...
Mail.ru Group
 
Ad, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesAd, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniques
Guglielmo Scaiola
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat Security Conference
 
My Bro The ELK
My Bro The ELKMy Bro The ELK
My Bro The ELK
Tripwire
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
Tamas K Lengyel
 
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
CODE BLUE
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slides
Dan Kaminsky
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat Security Conference
 

What's hot (10)

BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S... BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
BlueHat v17 || Scaling Incident Response - 5 Keys to Successful Defense at S...
 
Oow2013 ef final_4_3
Oow2013 ef final_4_3Oow2013 ef final_4_3
Oow2013 ef final_4_3
 
Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...
Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...
Станислав Семенов, Data Scientist, Kaggle top-3, «О соревновании Telstra Kagg...
 
Ad, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesAd, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniques
 
BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole BlueHat v17 || Down the Open Source Software Rabbit Hole
BlueHat v17 || Down the Open Source Software Rabbit Hole
 
My Bro The ELK
My Bro The ELKMy Bro The ELK
My Bro The ELK
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
 
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slides
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
 

Similar to Analysis of an OSS supply chain attack - How did 8 millions developers download an exploit with no one noticing?

JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
Jarrod Overson
 
MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & Analytics
Server Density
 
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
Alessandro Cinelli (cirpo)
 
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
Michele Orselli
 
3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo
3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo
3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo
Joe Clarke
 
IT Days - Parse huge JSON files in a streaming way.pptx
IT Days - Parse huge JSON files in a streaming way.pptxIT Days - Parse huge JSON files in a streaming way.pptx
IT Days - Parse huge JSON files in a streaming way.pptx
Andrei Negruti
 
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
MongoDB
 
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summerDEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
Felipe Prado
 
MongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and Implications
MongoDB
 
Fosdem10
Fosdem10Fosdem10
Fosdem10
wremes
 
Building a Cross Channel Content Delivery Platform with MongoDB
Building a Cross Channel Content Delivery Platform with MongoDBBuilding a Cross Channel Content Delivery Platform with MongoDB
Building a Cross Channel Content Delivery Platform with MongoDB
MongoDB
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
Sergey Gordeychik
 
Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18  "Hacking Electronic Door Access Controllers" Defcon 18  "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers"
shawn_merdinger
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
Hafez Kamal
 
Codemotion 2015 Infinispan Tech lab
Codemotion 2015 Infinispan Tech labCodemotion 2015 Infinispan Tech lab
Codemotion 2015 Infinispan Tech lab
Ugo Landini
 
How to write clean & testable code without losing your mind
How to write clean & testable code without losing your mindHow to write clean & testable code without losing your mind
How to write clean & testable code without losing your mind
Andreas Czakaj
 
Belfast JUG, SIMD (Vectorial) Operations
Belfast JUG, SIMD (Vectorial) OperationsBelfast JUG, SIMD (Vectorial) Operations
Belfast JUG, SIMD (Vectorial) Operations
Hudson Mendes
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
ShapeBlue
 
IzPack - PoitouJUG
IzPack - PoitouJUGIzPack - PoitouJUG
IzPack - PoitouJUG
julien.ponge
 
Intro to Node.js (for .NET Developers)
Intro to Node.js (for .NET Developers)Intro to Node.js (for .NET Developers)
Intro to Node.js (for .NET Developers)
David Neal
 

Similar to Analysis of an OSS supply chain attack - How did 8 millions developers download an exploit with no one noticing? (20)

JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su...
 
MongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & AnalyticsMongoDB: Optimising for Performance, Scale & Analytics
MongoDB: Optimising for Performance, Scale & Analytics
 
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
 
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
BDD - Buzzword Driven Development - Build the next cool app for fun and for.....
 
3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo
3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo
3V0-622 objective-3.1-logical-physical with Joe Clarke @elgwhoppo
 
IT Days - Parse huge JSON files in a streaming way.pptx
IT Days - Parse huge JSON files in a streaming way.pptxIT Days - Parse huge JSON files in a streaming way.pptx
IT Days - Parse huge JSON files in a streaming way.pptx
 
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
Ensuring High Availability for Real-time Analytics featuring Boxed Ice / Serv...
 
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summerDEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
 
MongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and ImplicationsMongoDB Schema Design: Practical Applications and Implications
MongoDB Schema Design: Practical Applications and Implications
 
Fosdem10
Fosdem10Fosdem10
Fosdem10
 
Building a Cross Channel Content Delivery Platform with MongoDB
Building a Cross Channel Content Delivery Platform with MongoDBBuilding a Cross Channel Content Delivery Platform with MongoDB
Building a Cross Channel Content Delivery Platform with MongoDB
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
 
Defcon 18 "Hacking Electronic Door Access Controllers"
Defcon 18  "Hacking Electronic Door Access Controllers" Defcon 18  "Hacking Electronic Door Access Controllers"
Defcon 18 "Hacking Electronic Door Access Controllers"
 
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
NanoSec Conference 2019: Code Execution Analysis in Mobile Apps - Abdullah Jo...
 
Codemotion 2015 Infinispan Tech lab
Codemotion 2015 Infinispan Tech labCodemotion 2015 Infinispan Tech lab
Codemotion 2015 Infinispan Tech lab
 
How to write clean & testable code without losing your mind
How to write clean & testable code without losing your mindHow to write clean & testable code without losing your mind
How to write clean & testable code without losing your mind
 
Belfast JUG, SIMD (Vectorial) Operations
Belfast JUG, SIMD (Vectorial) OperationsBelfast JUG, SIMD (Vectorial) Operations
Belfast JUG, SIMD (Vectorial) Operations
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
IzPack - PoitouJUG
IzPack - PoitouJUGIzPack - PoitouJUG
IzPack - PoitouJUG
 
Intro to Node.js (for .NET Developers)
Intro to Node.js (for .NET Developers)Intro to Node.js (for .NET Developers)
Intro to Node.js (for .NET Developers)
 

More from Jarrod Overson

Practical WebAssembly with Apex, wasmRS, and nanobus
Practical WebAssembly with Apex, wasmRS, and nanobusPractical WebAssembly with Apex, wasmRS, and nanobus
Practical WebAssembly with Apex, wasmRS, and nanobus
Jarrod Overson
 
AppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingAppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is Evolving
Jarrod Overson
 
How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019
Jarrod Overson
 
Deepfakes - How they work and what it means for the future
Deepfakes - How they work and what it means for the futureDeepfakes - How they work and what it means for the future
Deepfakes - How they work and what it means for the future
Jarrod Overson
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.
Jarrod Overson
 
How to Reverse Engineer Web Applications
How to Reverse Engineer Web ApplicationsHow to Reverse Engineer Web Applications
How to Reverse Engineer Web Applications
Jarrod Overson
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycle
Jarrod Overson
 
The Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of SecurityThe Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of Security
Jarrod Overson
 
Shape Security @ WaffleJS October 16
Shape Security @ WaffleJS October 16Shape Security @ WaffleJS October 16
Shape Security @ WaffleJS October 16
Jarrod Overson
 
Graphics Programming for Web Developers
Graphics Programming for Web DevelopersGraphics Programming for Web Developers
Graphics Programming for Web Developers
Jarrod Overson
 
The Dark Side of Security
The Dark Side of SecurityThe Dark Side of Security
The Dark Side of Security
Jarrod Overson
 
JavaScript and the AST
JavaScript and the ASTJavaScript and the AST
JavaScript and the AST
Jarrod Overson
 
ES2015 workflows
ES2015 workflowsES2015 workflows
ES2015 workflows
Jarrod Overson
 
Maintainability SFJS Sept 4 2014
Maintainability SFJS Sept 4 2014 Maintainability SFJS Sept 4 2014
Maintainability SFJS Sept 4 2014
Jarrod Overson
 
Idiot proofing your code
Idiot proofing your codeIdiot proofing your code
Idiot proofing your code
Jarrod Overson
 
Riot on the web - Kenote @ QCon Sao Paulo 2014
Riot on the web - Kenote @ QCon Sao Paulo 2014Riot on the web - Kenote @ QCon Sao Paulo 2014
Riot on the web - Kenote @ QCon Sao Paulo 2014
Jarrod Overson
 
Managing JavaScript Complexity in Teams - Fluent
Managing JavaScript Complexity in Teams - FluentManaging JavaScript Complexity in Teams - Fluent
Managing JavaScript Complexity in Teams - Fluent
Jarrod Overson
 
Real World Web components
Real World Web componentsReal World Web components
Real World Web components
Jarrod Overson
 
Managing JavaScript Complexity
Managing JavaScript ComplexityManaging JavaScript Complexity
Managing JavaScript Complexity
Jarrod Overson
 
Continuous Delivery for the Web Platform
Continuous Delivery for the Web PlatformContinuous Delivery for the Web Platform
Continuous Delivery for the Web Platform
Jarrod Overson
 

More from Jarrod Overson (20)

Practical WebAssembly with Apex, wasmRS, and nanobus
Practical WebAssembly with Apex, wasmRS, and nanobusPractical WebAssembly with Apex, wasmRS, and nanobus
Practical WebAssembly with Apex, wasmRS, and nanobus
 
AppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingAppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is Evolving
 
How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019
 
Deepfakes - How they work and what it means for the future
Deepfakes - How they work and what it means for the futureDeepfakes - How they work and what it means for the future
Deepfakes - How they work and what it means for the future
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.
 
How to Reverse Engineer Web Applications
How to Reverse Engineer Web ApplicationsHow to Reverse Engineer Web Applications
How to Reverse Engineer Web Applications
 
The life of breached data and the attack lifecycle
The life of breached data and the attack lifecycleThe life of breached data and the attack lifecycle
The life of breached data and the attack lifecycle
 
The Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of SecurityThe Life of Breached Data & The Dark Side of Security
The Life of Breached Data & The Dark Side of Security
 
Shape Security @ WaffleJS October 16
Shape Security @ WaffleJS October 16Shape Security @ WaffleJS October 16
Shape Security @ WaffleJS October 16
 
Graphics Programming for Web Developers
Graphics Programming for Web DevelopersGraphics Programming for Web Developers
Graphics Programming for Web Developers
 
The Dark Side of Security
The Dark Side of SecurityThe Dark Side of Security
The Dark Side of Security
 
JavaScript and the AST
JavaScript and the ASTJavaScript and the AST
JavaScript and the AST
 
ES2015 workflows
ES2015 workflowsES2015 workflows
ES2015 workflows
 
Maintainability SFJS Sept 4 2014
Maintainability SFJS Sept 4 2014 Maintainability SFJS Sept 4 2014
Maintainability SFJS Sept 4 2014
 
Idiot proofing your code
Idiot proofing your codeIdiot proofing your code
Idiot proofing your code
 
Riot on the web - Kenote @ QCon Sao Paulo 2014
Riot on the web - Kenote @ QCon Sao Paulo 2014Riot on the web - Kenote @ QCon Sao Paulo 2014
Riot on the web - Kenote @ QCon Sao Paulo 2014
 
Managing JavaScript Complexity in Teams - Fluent
Managing JavaScript Complexity in Teams - FluentManaging JavaScript Complexity in Teams - Fluent
Managing JavaScript Complexity in Teams - Fluent
 
Real World Web components
Real World Web componentsReal World Web components
Real World Web components
 
Managing JavaScript Complexity
Managing JavaScript ComplexityManaging JavaScript Complexity
Managing JavaScript Complexity
 
Continuous Delivery for the Web Platform
Continuous Delivery for the Web PlatformContinuous Delivery for the Web Platform
Continuous Delivery for the Web Platform
 

Recently uploaded

Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 

Recently uploaded (20)

Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 

Analysis of an OSS supply chain attack - How did 8 millions developers download an exploit with no one noticing?

  • 1. Jarrod Overson - BSidesPDX Why are imitation attacks such a problem? Analysis of an OSS supply chain attack How did millions of developers download malicious code with no one noticing? Jarrod Overson - BSidesPDX
  • 2. Jarrod Overson - BSidesPDX
  • 3. Jarrod Overson - BSidesPDX
  • 4. Jarrod Overson - BSidesPDX
  • 5. Jarrod Overson - BSidesPDX npm install [anything]
  • 6. Jarrod Overson - BSidesPDX The threat is real And it's coming from inside the house.
  • 7. Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
  • 8. Jarrod Overson - BSidesPDX Who am I? • Director at Shape Security & Google Dev Expert. • Write/talk/record about JS reverse engineering & breaking web apps. • Old-school video game hacker. • @jsoverson most everywhere This guy
  • 9. Jarrod Overson - BSidesPDX ?
  • 10. Jarrod Overson - BSidesPDX Ever heard of YKK?
  • 11. Jarrod Overson - BSidesPDX
  • 12. Jarrod Overson - BSidesPDX You used Shape this week. We're the reason you log in a lot less and see fewer CAPTCHAs.
  • 13. Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
  • 14. Jarrod Overson - BSidesPDX JS It started with a package, event-stream
  • 15. Jarrod Overson - BSidesPDX
  • 16. Jarrod Overson - BSidesPDX
  • 17. Jarrod Overson - BSidesPDX
  • 18. Jarrod Overson - BSidesPDX
  • 19. Jarrod Overson - BSidesPDX JS event-stream was maintained by prolific developer Dominic Tarr
  • 20. Jarrod Overson - BSidesPDX
  • 21. Jarrod Overson - BSidesPDX
  • 22. Jarrod Overson - BSidesPDX
  • 23. Jarrod Overson - BSidesPDX JS Domenic gave ownership to right9ctrl in September of 2018 *
  • 24. Jarrod Overson - BSidesPDX Q: Why?
  • 25. Jarrod Overson - BSidesPDX
  • 26. Jarrod Overson - BSidesPDX
  • 27. Jarrod Overson - BSidesPDX JS right9ctrl gained trust by committing several innocent changes. ...b550f5: upgrade dependencies ...37c105: add map and split examples ...477832: remove trailing in split example ...2c2095: better pretty.js example ...a644c5: update readme event-stream
  • 28. Jarrod Overson - BSidesPDX JS On Sept 9 2018 right9ctrl added a new dependency and released version 3.3.6 JS v3.3.6 JS v0.1.0 flatmap-stream event-stream
  • 29. Jarrod Overson - BSidesPDX About that caret...
  • 30. Jarrod Overson - BSidesPDX Semantic Versioning (semver) Major.Minor.Patch e.g. 3.4.9 Breaking changes New features Bug fixes Increasing risk
  • 31. Jarrod Overson - BSidesPDX Semver pattern matching Symbol Example Matches ^ ^0.1.0 0.*.* ~ ~0.1.0 0.1.*
  • 32. Jarrod Overson - BSidesPDX JS right9ctrl then removed flatmap-stream and updated event-stream to v4.0.0. v4.0.0 event-stream
  • 33. Jarrod Overson - BSidesPDX Note: Nothing malicious has emerged thus far.
  • 34. Jarrod Overson - BSidesPDX Total time between first commit and v4.0.0? 12 days
  • 35. Jarrod Overson - BSidesPDX JS On October 5th 2018 (T+31) flatmap-stream@0.1.1 was published. JS v3.3.6 v0.1.1 flatmap-stream event-stream JS v0.1.0
  • 36. Jarrod Overson - BSidesPDX JS event-stream@3.3.6 installed fresh now pulls in flatmap-stream@0.1.1 because of the ^ JS v3.3.6 v0.1.1 flatmap-stream event-stream
  • 37. Jarrod Overson - BSidesPDX event-stream@3.3.5 was stable for 2+ years. JSJS v3.3.6 event-stream
  • 38. Jarrod Overson - BSidesPDX A LOT depended on event-stream^3.3.5 and would get updated to 3.3.6 automatically. JS JS JS JS JS JS JS JS JS
  • 39. Jarrod Overson - BSidesPDX Time between flatmap-stream@0.1.1 and exposure: 48 days Time between malicious control and discovery: 77 days
  • 40. Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
  • 41. Jarrod Overson - BSidesPDX First, how was it discovered?
  • 42. Payload A used a method deprecated in node v11.0.0
  • 43. Node v11.0.0 was released 18 days into the exploit.
  • 44. Unrelated projects started getting deprecation warnings.
  • 45. Finally someone started putting it together.
  • 46. Jarrod Overson - BSidesPDX So how was it discovered? Luck.
  • 49. Jarrod Overson - BSidesPDX Payload A The bootstrap.
  • 50.
  • 51.
  • 52.
  • 53.
  • 54.
  • 55.
  • 56.
  • 57.
  • 58.
  • 59.
  • 60.
  • 61.
  • 62.
  • 63.
  • 64.
  • 65. Jarrod Overson - BSidesPDX Recap • The script decrypts and compiles a new module. • The key comes from a package description somewhere. • The encrypted JS comes from testData[0]. • The compiled module exports testData[1].
  • 66. Jarrod Overson - BSidesPDX What does this mean? The script only serves its purpose if the code runs from an npm script in a directory that has a package.json with a "description" field containing a specific string that can act as the key.
  • 67. Jarrod Overson - BSidesPDX What this means for us We need to start trolling through package.json files.
  • 68.
  • 69. 😂
  • 70. Jarrod Overson - BSidesPDX Strategy • Iterate through every package. • Decrypt testData[0]. • Run the decrypted data through a JS Parser. • If successful then we have a winner.
  • 71. Jarrod Overson - BSidesPDX
  • 72. Jarrod Overson - BSidesPDX
  • 73. Copay, the Secure Bitcoin Wallet.
  • 74. Jarrod Overson - BSidesPDX Payload B The injector.
  • 77. Jarrod Overson - BSidesPDX npm scripts redux npm run-script script-name [0] [1] [2]argv:
  • 81. Jarrod Overson - BSidesPDX Recap • Payload B noops unless run in copay's build stage. • Decrypts payload C just like payload B. • Injects payload C into a file used in copay's mobile app. • Payload C is then executed in the mobile app while on a user's mobile device.
  • 82. Jarrod Overson - BSidesPDX Payload C The final payload.
  • 84. Jarrod Overson - BSidesPDX Payload C in a nutshell • Harvested private keys • Targeted wallets with over 100 BTC or 1000 BCH • Communicated with third party server copayapi.host
  • 85. Jarrod Overson - BSidesPDX How it happened What it did Where it leaves us 1 2 3 Agenda
  • 86. Jarrod Overson - BSidesPDX This is NOT node/npm specific Any public repository of code is susceptible.
  • 87. Jarrod Overson - BSidesPDX The Good News. Once the issue was brought to light the community • responded rapidly • investigated quickly • mitigated the issue immediately • and produced tools to help others right away.
  • 88. Jarrod Overson - BSidesPDX The Bad News. It has happened multiple times since.
  • 89.
  • 90.
  • 91. The dependency problem is not ideal.
  • 92. Jarrod Overson - BSidesPDX This could have been much worse. event-stream was depended on things like the - azure-cli - dozens of build tools and plugins - Microsoft's monaco editor (the editor for VSCode)
  • 93. Jarrod Overson - BSidesPDX This will likely get much worse. Properly addressing this problem requires rethinking node, dependencies, and package management. Hard things with lots of compatibility implications.
  • 94. Jarrod Overson - BSidesPDX
  • 95. Jarrod Overson - BSidesPDX What can you do? • Audit your dependencies. • Lock your dependencies. • Check in your dependencies. • Think twice before adding dependencies.
  • 96. Jarrod Overson - BSidesPDX When in doubt, don't add it. • Dependencies are risks. • Risks are gambles. • You gamble when cost is low and value is high.
  • 97. Jarrod Overson - BSidesPDX Why are imitation attacks such a problem?Thank You! @jsoverson on bit.ly/jsoverson-youtube