Adam Baldwin, profile picture
Uploaded byAdam Baldwin
148 views

Attacking open source using abandoned resources

The document discusses the risks associated with open-source software, particularly highlighting abandoned resources that can be exploited through dependency supply chain attacks. It provides insights into vulnerable packages, the prevalence of vulnerabilities in the latest versions, and references various git repositories for demonstration. The author acknowledges contributions from the community and offers resources for further information on the topic.

Technology
Related topics:
Supply Chain Insights

Embed presentation

Download to read offline
Attacking Open Source using Abandoned Resources Speakeasy JS - Feb 05, 2021
Hi, I’m Adam @adam_baldwin evilpacket
Discovery Abandoned Resource Attacks Fun Facts Disclosure
“I wonder if…” “Have you tried it yet” Discovery
https:/ /blog.securityinnovation.com/repo-jacking-exploiting-the-dependency-supply-chain
APP Dependency express@4.3.1 npm Registry Background
APP Dependency Dependency express@4.3.1 npm Registry https:/ /example.com/pkg-1.0.0.tgz File Background
APP Dependency Dependency Dependency express@4.3.1 npm Registry https:/ /example.com/pkg-1.0.0.tgz File github:evilpacket/beep-boop#beta GitHub Repository Background
Attack Overview npm cli GitHub git clone evilpacket/beep-boop github:evilpacket/beep-boop#beta
Attack Overview npm cli GitHub git clone evilpacket/beep-boop redirect -> joemcpwnerson/beep-boop github:evilpacket/beep-boop#beta
Attack Overview npm cli GitHub git clone evilpacket/beep-boop redirect -> joemcpwnerson/beep-boop Git clone joemcpwnerson/beep-boop github:evilpacket/beep-boop#beta
Attack Overview npm cli GitHub git clone evilpacket/beep-boop redirect -> joemcpwnerson/beep-boop Git clone joemcpwnerson/beep-boop Have a repo github:evilpacket/beep-boop#beta
Attack Overview npm cli GitHub git clone evilpacket/beep-boop redirect -> joemcpwnerson/beep-boop Git clone joemcpwnerson/beep-boop Have a repo git checkout #beta github:evilpacket/beep-boop#beta
Attack Overview npm cli GitHub git clone evilpacket/beep-boop redirect -> joemcpwnerson/beep-boop Git clone joemcpwnerson/beep-boop Have a repo git checkout #beta github:evilpacket/beep-boop#beta ATTACKER
Fun Facts ✨ ✨ it’s just numbers
Vulnerable Packages https://evilpacket.net/2021/attacking-oss-using-abandoned-resources/ 754
Vulnerable Packages https://evilpacket.net/2021/attacking-oss-using-abandoned-resources/ 754 Download the list
Vulnerable Package Versions https://evilpacket.net/2021/attacking-oss-using-abandoned-resources/ 6,530
deps vs devDeps https://evilpacket.net/2021/attacking-oss-using-abandoned-resources/ > 50% ⚠
Latest Version Vulnerable https://evilpacket.net/2021/attacking-oss-using-abandoned-resources/ ~ 56% ⚠
Disclosure TL;DR - I’m sorry for the emails Special thanks to a bunch of pesky Hackers, Open Source Maintainers, GitHub Security, and the webpack-cli maintainers…
T.hanks! adam_baldwin evilpacket Questions?

More Related Content

PDF
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
byFrans Rosén
 
PDF
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
byFrans Rosén
 
PDF
Hunting for the secrets in a cloud forest
bySecuRing
 
PDF
DNS hijacking using cloud providers – No verification needed
byFrans Rosén
 
PDF
Debugging Your Plone Site
bycdw9
 
PDF
Distributing UI Libraries: in a post Web-Component world
byRachael L Moore
 
PDF
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
byOWASP
 
PDF
A story of the passive aggressive sysadmin of AEM
byFrans Rosén
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
byFrans Rosén
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
byFrans Rosén
 
Hunting for the secrets in a cloud forest
bySecuRing
 
DNS hijacking using cloud providers – No verification needed
byFrans Rosén
 
Debugging Your Plone Site
bycdw9
 
Distributing UI Libraries: in a post Web-Component world
byRachael L Moore
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
byOWASP
 
A story of the passive aggressive sysadmin of AEM
byFrans Rosén
 

What's hot

PPTX
Building Open-Source React Components
byZack Argyle
 
PPTX
Building Open-source React Components
byZack Argyle
 
PDF
Making it Work Offline: Current & Future Offline APIs for Web Apps
byNatasha Rooney
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
PDF
CPANci: Continuous Integration for CPAN
byMike Friedman
 
PDF
GateKeeper - bypass or not bypass?
byCsaba Fitzl
 
PDF
REST API Pentester's perspective
bySecuRing
 
PDF
T3DD13 - Automated deployment for TYPO3 CMS (Workshop)
byTobias Liebig
 
PDF
21st Century CPAN Testing: CPANci
byMike Friedman
 
PDF
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
byFrans Rosén
 
PPTX
Só o Pentest não resolve!
byAnchises Moraes
 
PDF
Hunting for the secrets in a cloud forest
bySecuRing
 
PDF
OpenRestyを用いてイケイケなサービスを作る方法
bySho Yoshida
 
PDF
Asynchronous WordPress
byAaron Brazell
 
PDF
Asynchronous WordPress
byAaron Brazell
 
PDF
LetSwift 2017 - 토스 iOS 앱의 개발/배포 환경
byMintak Son
 
PDF
20+ Ways To Bypass Your Macos Privacy Mechanisms
bySecuRing
 
PDF
Composer - The missing package manager for PHP
byTareq Hasan
 
PDF
Badge Poser v3.0 - A DevOps Journey
byFabio Cicerchia
 
Building Open-Source React Components
byZack Argyle
 
Building Open-source React Components
byZack Argyle
 
Making it Work Offline: Current & Future Offline APIs for Web Apps
byNatasha Rooney
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
CPANci: Continuous Integration for CPAN
byMike Friedman
 
GateKeeper - bypass or not bypass?
byCsaba Fitzl
 
REST API Pentester's perspective
bySecuRing
 
T3DD13 - Automated deployment for TYPO3 CMS (Workshop)
byTobias Liebig
 
21st Century CPAN Testing: CPANci
byMike Friedman
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
byFrans Rosén
 
Só o Pentest não resolve!
byAnchises Moraes
 
Hunting for the secrets in a cloud forest
bySecuRing
 
OpenRestyを用いてイケイケなサービスを作る方法
bySho Yoshida
 
Asynchronous WordPress
byAaron Brazell
 
Asynchronous WordPress
byAaron Brazell
 
LetSwift 2017 - 토스 iOS 앱의 개발/배포 환경
byMintak Son
 
20+ Ways To Bypass Your Macos Privacy Mechanisms
bySecuRing
 
Composer - The missing package manager for PHP
byTareq Hasan
 
Badge Poser v3.0 - A DevOps Journey
byFabio Cicerchia
 

More from Adam Baldwin

PDF
JavaScript Supply Chain Security
byAdam Baldwin
 
PDF
Building a Threat Model & How npm Fits Into It
byAdam Baldwin
 
PDF
Hunting for malicious modules in npm - NodeSummit
byAdam Baldwin
 
PDF
Continuous Security - Thunderplains 2016
byAdam Baldwin
 
PDF
Continuous Security
byAdam Baldwin
 
PDF
Nodevember 2015
byAdam Baldwin
 
PDF
The Art of Identifying Vulnerabilities - CascadiaFest 2015
byAdam Baldwin
 
PDF
Node Day - Node.js Security in the Enterprise
byAdam Baldwin
 
PDF
Node Security Project - LXJS 2013
byAdam Baldwin
 
PDF
Security First - Adam Baldwin
byAdam Baldwin
 
PDF
JSConf 2013 Builders vs Breakers
byAdam Baldwin
 
KEY
EV1LSHA - Misadventures in the land of Lua
byAdam Baldwin
 
KEY
Writing an (in)secure webapp in 3 easy steps
byAdam Baldwin
 
PDF
Pony Pwning Djangocon 2010
byAdam Baldwin
 
JavaScript Supply Chain Security
byAdam Baldwin
 
Building a Threat Model & How npm Fits Into It
byAdam Baldwin
 
Hunting for malicious modules in npm - NodeSummit
byAdam Baldwin
 
Continuous Security - Thunderplains 2016
byAdam Baldwin
 
Continuous Security
byAdam Baldwin
 
Nodevember 2015
byAdam Baldwin
 
The Art of Identifying Vulnerabilities - CascadiaFest 2015
byAdam Baldwin
 
Node Day - Node.js Security in the Enterprise
byAdam Baldwin
 
Node Security Project - LXJS 2013
byAdam Baldwin
 
Security First - Adam Baldwin
byAdam Baldwin
 
JSConf 2013 Builders vs Breakers
byAdam Baldwin
 
EV1LSHA - Misadventures in the land of Lua
byAdam Baldwin
 
Writing an (in)secure webapp in 3 easy steps
byAdam Baldwin
 
Pony Pwning Djangocon 2010
byAdam Baldwin
 

Recently uploaded

PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
PDF
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PDF
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
PDF
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
PDF
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
PDF
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
PDF
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
PDF
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PDF
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 
PDF
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
PPTX
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PPTX
Code Like Bro -A guide for better Coding
byMadan Panthi
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
Real-Time AI at Scale Masterclass: Feature Store at Scale
byScyllaDB
 
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
Parental Control App for Phones_ The Complete 2026 Guide for Safer, Smarter P...
byRyan Cooper
 
Afsar Ahmed - Digital Marketing Portfolio
byAfsar Ahmed
 
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
AI-Powered Alert Analysis with ClickHouse - DB Mastery Jan'26
byAlkin Tezuysal
 
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
A Simple Guide to Real Estate Tokenization on XRP Ledger.pdf
byemmajoh2025
 
Quick Learn Laravel for Beginner from Zero to Survive
byiDev Semarang
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Code Like Bro -A guide for better Coding
byMadan Panthi
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
Web3 - Applications and Architectures - History and Horizons
byGokul Alex
 

Attacking open source using abandoned resources