With a great ecosystem, comes great responsibility, and application security is not one to wave off. Let’s review some black clouds of security horror stories in the Node.js ecosystem, and learn how to mitigate them to build secure JavaScript and Node.js applications.

1. Black Clouds & Silver LiningsBlack Clouds & Silver Linings
in Node.js Security in Node.js Security
Liran TalLiran Tal
Developer Advocate @ SnykDeveloper Advocate @ Snyk
@liran_tal github.com/lirantal
May 2019May 2019

2. @liran_tal
github.com/lirantal
Liran TalLiran Tal
Developer AdvocateDeveloper Advocate

3. 0101 Black Clouds in Node.js SecurityBlack Clouds in Node.js Security
02 02 ||
||
03 03 ||
Common Security VulnerabilitiesCommon Security Vulnerabilities
Silver Linings in Node.js SecuritySilver Linings in Node.js Security
Black Clouds & Silver LiningsBlack Clouds & Silver Linings
in Node.js Securityin Node.js Security

4. src: https://snyk.io/opensourcesecurity-2019

5. Invites big risksInvites big risks
The Biggest RepositoryThe Biggest Repository

6. Invites big risksInvites big risks
The Biggest RepositoryThe Biggest Repository
Lucrative attack playgroundLucrative attack playground

7. Invites big risksInvites big risks
The Biggest RepositoryThe Biggest Repository
Lucrative attack playgroundLucrative attack playground
Open and free-to-publish ecosystemOpen and free-to-publish ecosystem

8. Invites big risksInvites big risks
The Biggest RepositoryThe Biggest Repository
Lucrative attack playgroundLucrative attack playground
Open and free-to-publish ecosystemOpen and free-to-publish ecosystem
Difficult to counter-measureDifficult to counter-measure

9. Black Clouds inBlack Clouds in
Node.js SecurityNode.js Security

10. Malicious ModulesMalicious Modules
Black Clouds inBlack Clouds in
Node.js SecurityNode.js Security

11. Malicious ModulesMalicious Modules
Typosquatting AttacksTyposquatting Attacks
Compromised AccountsCompromised Accounts
Social EngineeringSocial Engineering

12. Malicious ModulesMalicious Modules
timetime
Jan 2015
rimrafallrimrafall

13. rimrafallrimrafall

14. rimrafallrimrafall

15. Malicious ModulesMalicious Modules
timetime
Jan 2015
rimrafallrimrafall
Jan 2017
crossenvcrossenv

16. $ npm install crossenv --save

17. crossenv != cross-envcrossenv != cross-env
$ npm install crossenv --save

18. crossenv/package.json

19. crossenv/package.json

20. crossenv/package.json

21. crossenv/package.json

22. crossenv/package-setup.js

23. crossenv/package-setup.js

24. crossenv/package-setup.js

25. crossenv/package-setup.js

26. crossenv/package-setup.js

27. coffescript coffescript oror coffe-script coffe-script

28. coffescript coffescript oror coffe-script coffe-script
coffeescriptcoffeescript

29. src: https://snyk.io/vuln

30. src: https://snyk.io/vuln

31. src: https://snyk.io/vuln

32. src: https://snyk.io/vuln

33. src: https://snyk.io/vuln

34. post-install script ✅post-install script ✅

35. post-install script ✅post-install script ✅
call-home base64 payload ✅call-home base64 payload ✅

36. How did we find out about this maliciousHow did we find out about this malicious
crossenv package?crossenv package?
post-install script ✅post-install script ✅
call-home base64 payload ✅call-home base64 payload ✅

38. Malicious ModulesMalicious Modules
timetime
Jan 2015
rimrafallrimrafall
Jan 2017
crossenvcrossenv
May 2018
getcookiesgetcookies

39. getcookiesgetcookies
parse http headers for cookie dataparse http headers for cookie data

40. getcookiesgetcookies
parse http headers for cookie dataparse http headers for cookie data
or does it... ?or does it... ?

42. getcookiesgetcookies
http-fetch-cookies
└── express-cookies
└── getcookies

43. getcookiesgetcookies
mailparser
└── http-fetch-cookies
└── express-cookies
└──getcookies

57. Reset the bufferReset the buffer

58. Reset the bufferReset the buffer
Load JavaScript codeLoad JavaScript code

59. Reset the bufferReset the buffer
Load JavaScript codeLoad JavaScript code
Execute codeExecute code

61. Observation 1Observation 1
security by code review has to be on-point ALL THE TIME,security by code review has to be on-point ALL THE TIME,
where-as attackers only have to get lucky ONCEwhere-as attackers only have to get lucky ONCE

62. Malicious ModulesMalicious Modules
timetime
Jan 2015
rimrafallrimrafall
Jan 2017
crossenvcrossenv
May 2018
getcookiesgetcookies
Jul 2018
eslint-eslint-
scopescope

63. eslint-scope 3.7.2eslint-scope 3.7.2
malicious package publishedmalicious package published

64. eslint-scope 3.7.2eslint-scope 3.7.2
malicious package publishedmalicious package published

65. What's going on?What's going on?

71. Who depends on eslint-scope?Who depends on eslint-scope?

72. Who depends on eslint-scope?Who depends on eslint-scope?
babel-eslintbabel-eslint

73. Who depends on eslint-scope?Who depends on eslint-scope?
babel-eslintbabel-eslint
eslinteslint

74. Who depends on eslint-scope?Who depends on eslint-scope?
babel-eslintbabel-eslint
eslinteslint
webpackwebpack

75. npm invalidates all tokensnpm invalidates all tokens
<= 2018-07-12<= 2018-07-12

76. npm invalidates all tokensnpm invalidates all tokens
<= 2018-07-12<= 2018-07-12
estimated potential ~4,500 accounts estimated potential ~4,500 accounts
were compromised were compromised

77. Observation 2Observation 2
eslint-scope published an npm package, but actorseslint-scope published an npm package, but actors
had no github repository access so the source codehad no github repository access so the source code
varied between github and the published npmvaried between github and the published npm
packagepackage

78. How does something likeHow does something like
this happen?this happen?

79. Compromised Contributors ?Compromised Contributors ?CompromisedCompromised ContributorsContributors ??

80. Compromised Contributors ?Compromised Contributors ?
14%14%
compromised npm modulescompromised npm modules
CompromisedCompromised ContributorsContributors ??
src: https://github.com/ChALkeR/notes

81. Compromised Contributors ?Compromised Contributors ?
20%20%
npm total monthly downloadsnpm total monthly downloads
CompromisedCompromised ContributorsContributors ??

82. Compromised Contributors ?Compromised Contributors ?
20%20%
npm total monthly downloadsnpm total monthly downloads
expressexpress reactreact
debugdebug
momentmoment
requestrequest
CompromisedCompromised ContributorsContributors ??

83. https://giphy.com/embed/aWPGuTlDqq2yc

84. Compromised Contributors ?Compromised Contributors ?
662662 usersusers
123456123456
had their password set tohad their password set to
CompromisedCompromised ContributorsContributors ??

85. Compromised Contributors ?Compromised Contributors ?
14091409 usersusers
had their password set tohad their password set to
their usernametheir username
CompromisedCompromised ContributorsContributors ??

86. Compromised Contributors ?Compromised Contributors ?
11%11% usersusers
had their password set tohad their password set to
previously leaked passwordpreviously leaked password
CompromisedCompromised ContributorsContributors ??

87. Malicious ModulesMalicious Modules
timetime
Jan 2015
rimrafallrimrafall
Jan 2017
crossenvcrossenv
May 2018
getcookiesgetcookies
Jul 2018
eslint-eslint-
scopescope
event-streamevent-stream
Nov 2019

88. src: https://snyk.io/blog/a-post-mortem-of-the-malicious-event-stream-backdoor

89. Observation 3Observation 3
due to the increased use of transpilers, reviewing anddue to the increased use of transpilers, reviewing and
comparing source code between actual source tocomparing source code between actual source to
distributed is a real problemdistributed is a real problem

90. Dependency ManagementDependency Management

91. (CC BY-NC-SA 2.0)

94. Common SecurityCommon Security
VulnerabilitiesVulnerabilities
Command InjectionCommand Injection

95. The npmjs EcosystemThe npmjs Ecosystem
Silver Linings inSilver Linings in
Node.js SecurityNode.js Security

96. FightingFighting TyposquattingTyposquatting
Package Moniker RulesPackage Moniker Rules

97. react-nativereact-native
FightingFighting TyposquattingTyposquatting
Package Moniker RulesPackage Moniker Rules

98. react-nativereact-native
reactnativereactnative
FightingFighting TyposquattingTyposquatting
Package Moniker RulesPackage Moniker Rules

99. rea-ct.nativerea-ct.native
react-nativereact-native
reactnativereactnative
FightingFighting TyposquattingTyposquatting
Package Moniker RulesPackage Moniker Rules

100. rea-ct.nativerea-ct.native
react-nativereact-native
reactnativereactnative
react_nativereact_native
FightingFighting TyposquattingTyposquatting
Package Moniker RulesPackage Moniker Rules

101. rea-ct.nativerea-ct.native
react-nativereact-native
reactnativereactnative
react_nativereact_native
@lirantal/rea-ct.native @lirantal/rea-ct.native
FightingFighting TyposquattingTyposquatting
Package Moniker RulesPackage Moniker Rules

102. FightingFighting TyposquattingTyposquatting
Package Moniker RulesPackage Moniker Rules

103. FightingFighting TyposquattingTyposquatting
JSONStream JSONStream !=!= jsonstream jsonstream
Package Moniker RulesPackage Moniker Rules

104. Package PublishingPackage Publishing NotificationsNotifications

105. $ npm profile enable-2fa
2FA successfully enabled.
Below are your recovery codes,
please print these out.
Enable 2FAEnable 2FA
since npm >= 5.5.1since npm >= 5.5.1

106. $ npm profile enable-2fa
2FA successfully enabled.
Below are your recovery codes,
please print these out.
Enable 2FAEnable 2FA
since npm >= 5.5.1since npm >= 5.5.1

107. Enable 2FAEnable 2FA
caveatscaveats

108. - auto release ?- auto release ?
Enable 2FAEnable 2FA
caveatscaveats

109. - auto release ?- auto release ?
- tokens are global for all packages- tokens are global for all packages
Enable 2FAEnable 2FA
caveatscaveats

110. - auto release ?- auto release ?
- tokens are global for all packages- tokens are global for all packages
- npm recommends creating a 2nd user- npm recommends creating a 2nd user
Enable 2FAEnable 2FA
caveatscaveats

111. Devs TakeDevs Take Ownership Ownership
for App Securityfor App Security

112. Devs TakeDevs Take Ownership Ownership
for App Securityfor App Security
Source: The State of Open Source Security Report 2019, Snyk
https://snyk.io/opensourcesecurity-2019/

113. FindFind vulnerabilities in vulnerabilities in
open source dependenciesopen source dependencies

114. What if security wasWhat if security was easier?easier?

115. What if security wasWhat if security was actionable?actionable?

116. Node.js Security Working GroupNode.js Security Working Group
Silver Linings inSilver Linings in
Node.js SecurityNode.js Security

117. The Security WGThe Security WG

118. The Security WGThe Security WG
Improving the state of Node.js SecurityImproving the state of Node.js Security
Incident response for Node.js core and theIncident response for Node.js core and the
npm ecosystemnpm ecosystem
Security disclosure policies for bug huntersSecurity disclosure policies for bug hunters
Maintain a public vulnerability databaseMaintain a public vulnerability database

119. The Security WGThe Security WG
Uninitialized BufferUninitialized Buffer base64urlbase64url|| 2,000,0002,000,000 ||
monthly downloadsmonthly downloads

120. The Security WGThe Security WG
Uninitialized BufferUninitialized Buffer base64urlbase64url|| 2,000,0002,000,000 ||
XSS InjectionXSS Injection react-svgreact-svg|| 130,000130,000 ||
monthly downloadsmonthly downloads

121. The Security WGThe Security WG
Uninitialized BufferUninitialized Buffer base64urlbase64url|| 2,000,0002,000,000 ||
XSS InjectionXSS Injection react-svgreact-svg|| 130,000130,000 ||
Path TraversalPath Traversal serveserve|| 564,000564,000 ||
monthly downloadsmonthly downloads

122. The Security WGThe Security WG
Uninitialized BufferUninitialized Buffer base64urlbase64url|| 2,000,0002,000,000 ||
XSS InjectionXSS Injection react-svgreact-svg|| 130,000130,000 ||
Path TraversalPath Traversal serveserve|| 564,000564,000 ||
ReDOSReDOS protobufjsprotobufjs|| 7,200,0007,200,000 ||
monthly downloadsmonthly downloads

123. 0101 Malicious modules & compromised accountsMalicious modules & compromised accounts||
Black Clouds & Silver LiningsBlack Clouds & Silver Linings
in Node.js Securityin Node.js Security
||

124. 0101 Malicious modules & compromised accountsMalicious modules & compromised accounts
02 02 ||
||
Common Security Pitfalls in Node.jsCommon Security Pitfalls in Node.js
Black Clouds & Silver LiningsBlack Clouds & Silver Linings
in Node.js Securityin Node.js Security
||
||

125. 0101 Malicious modules & compromised accountsMalicious modules & compromised accounts
02 02 ||
||
03 03 ||
Common Security Pitfalls in Node.jsCommon Security Pitfalls in Node.js
Developer awareness,Developer awareness,
Fix vulnerabilities in your open source libs,Fix vulnerabilities in your open source libs,
Node.js Security WGNode.js Security WG
Black Clouds & Silver LiningsBlack Clouds & Silver Linings
in Node.js Securityin Node.js Security
||
||

126. @liran_tal
github.com/lirantal
Liran TalLiran Tal
Developer AdvocateDeveloper Advocate
Use Open Source, Stay Secure.Use Open Source, Stay Secure.
Thank you!Thank you!