Marco Ippolito

Developers in Danger: How supply chain attacks target devs, not production

© Copyright 2023 NearForm Ltd. All Rights Reserved.

Marco Ippolito

@satanacchio

Senior Developer Experience Engineer @NearForm

Core contributor @Node.js

Open Source Enthusiast

What is a supply chain and why does it matter?

What about software?

Node.js follows the “minimal core” principle: it delegates everything non-essential to the ecosystem.

Heaviest object in the universe

@nest/cli: 1,559,836 weekly downloads, 274 modules. Some notable dependencies:

  • fs-monkey (unlicensed): monkey-patches for filesystem related things.
  • memfs (unlicensed, 1 major behind): JavaScript file system utilities for Node.js and browser.
  • caniuse-lite (CC-BY-4.0): “It is compatible with all versions of the GNU GPL; however, like all CC licenses, it should not be used on software.”

More dependencies mean more opportunities for an attacker to try to exploit a vulnerability.

Installing an average npm package introduces an implicit trust on 79 third-party packages and 39 maintainers.

Who is the target?

While production environments are often containerized, monitored, and governed by strict security policies, your machine is not!

npm supply chain attack targeting Roblox developers:

  • noblox.js-vps (versions 4.14.0 to 4.23.0)
  • noblox.js-ssh (versions 4.2.3 to 4.2.5)
  • noblox.js-secure (versions 4.1.0, 4.2.0 to 4.2.3)

downloaded 963 times (source)

How do I defend myself against npm supply chain attacks?

ALWAYS use the --ignore-scripts flag when running npm install, unless you are 100000% sure!

--allow-fs-read

--allow-fs-write

--allow-worker

--allow-child-process

The permission model is still experimental!

United States: (916) 299-6882
International: +353 51 330 290
United Kingdom: 0870 067 95569
Ireland: 051 330 290

nearform.com
sales@nearform.com

Thanks for listening!!!