How Malicious NPM Packages Make Your Apps Vulnerable
Zbyszek Tenerowicz (a.k.a. ZB) teaches us how we can be susceptible to malicious packages as developers. We also see demos on the possibilities of what a malicious package can do such as modify code, package.json publish scripts and more. You're sure to learn something new in this session and level up your Developer security skills.
This was a recorded livestream titled "My NPM Package Will Eat Your Lunch"
- ZB/naugtur's Twitter: https://twitter.com/naugtur
- ZB/naugtur's GitHub: https://github.com/naugtur
- npm audit resolver project: https://github.com/naugtur/npm-audit-resolver
- ignore scripts project: https://github.com/naugtur/can-i-ignore-scripts
- LavaMoat project: https://github.com/LavaMoat/LavaMoat
00:00:00 - Stream Start
00:04:42 - Introductions
00:13:50 - Audit-resolver Project
00:25:12 - How do Developers Install Malicious Packages?
00:34:27 - Demo: Malicious Package via postinstall script
00:38:00 - Demo: Malicious Package with TypeScript
00:47:30 - Demo: Malicious Package via Pipeline and prepublish script
00:54:46 - Recommendations to Stop These Attacks
01:00:26 - Some Open Source Tools to Help
01:07:15 - Conclusion
01:10:40 - Outro
01:12:54 - Stream End
Snyk helps software-driven businesses develop fast and stay secure. Continuously find and fix vulnerabilities for npm, Maven, NuGet, RubyGems, PyPI and more.
Learn more about Snyk http://bit.ly/snyk-io