How Malicious NPM Packages Make Your Apps Vulnerable

Jun 6, 2022

Zbyszek Tenerowicz (a.k.a. ZB) explains how developers end up installing malicious packages. The session also includes demos of what a malicious package can do once installed, such as modifying application code, altering package.json, hijacking publish scripts, and more. You're sure to learn something new in this session and level up your developer security skills.

This was a recorded livestream titled "My NPM Package Will Eat Your Lunch".

Chapters:
00:00:00 - Stream Start
00:04:42 - Introductions
00:13:50 - Audit-resolver Project
00:25:12 - How do Developers Install Malicious Packages?
00:34:27 - Demo: Malicious Package via postinstall script
00:38:00 - Demo: Malicious Package with TypeScript
00:47:30 - Demo: Malicious Package via Pipeline and prepublish script
00:54:46 - Recommendations to Stop These Attacks
01:00:26 - Some Open Source Tools to Help
01:07:15 - Conclusion
01:10:40 - Outro
01:12:54 - Stream End

Snyk helps software-driven businesses develop fast and stay secure. Continuously find and fix vulnerabilities for npm, Maven, NuGet, RubyGems, PyPI and more.

Learn more about Snyk: http://bit.ly/snyk-io

📱Social Media📱
Twitter: https://twitter.com/snyksec
Facebook: https://www.facebook.com/snyksec
LinkedIn: https://www.linkedin.com/company/snyk
Website: https://snyk.io/