Zbyszek Tenerowicz

Oops! Stories of supply chain shenanigans

Can a dependency you never import inject a vulnerability into your application's final build? This talk demonstrates how.

Oops! Stories of supply chain shenanigans
#1about 4 minutes

Understanding software supply chain security in JavaScript

Software supply chain security involves managing the risks from third-party code you import, such as NPM packages.

#2about 1 minute

Using npm audit to find known package vulnerabilities

The `npm audit` command helps identify known vulnerabilities, like prototype pollution in older versions of packages like Lodash.

#3about 3 minutes

Overcoming the challenges of running npm audit in CI

Running `npm audit` in CI can lead to frequent build failures from low-risk issues like ReDoS in dev dependencies, causing audit fatigue.

#4about 4 minutes

Managing security alerts with the npm-audit-resolver tool

The `npm-audit-resolver` tool provides an interactive way to review, ignore, or postpone vulnerability alerts from `npm audit`.

#5about 6 minutes

How malicious packages use postinstall scripts to attack

Malicious NPM packages can execute arbitrary code during installation using lifecycle `postinstall` scripts, even if they are never imported in your code.

#6about 4 minutes

How a malicious package can compromise build tools

A malicious package can modify build tools like the TypeScript compiler during installation, causing it to inject malicious code into your application's final output.

#7about 3 minutes

Defending against malicious scripts with --ignore-scripts

Using the `--ignore-scripts` flag during `npm install` prevents `postinstall` scripts from running, but it can break legitimate packages that require them.

#8about 3 minutes

Identifying which package scripts are safe to ignore

The `can-i-ignore-scripts` tool analyzes your dependencies and checks against a community-maintained list to see which packages require their scripts to run.

#9about 1 minute

A secure workflow for installing NPM dependencies in CI

A secure installation process involves using a disposable container, running `npm ci --ignore-scripts`, and then selectively re-running only trusted scripts.

#10about 15 minutes

Q&A on package-lock, CSP, and dependency updates

The Q&A covers the role of `package-lock.json` for reproducible builds, using Content Security Policy (CSP) as a defense, and strategies for updating dependencies.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Demonstrating a supply chain attack using NPM hooks
10:37 MIN

Demonstrating a supply chain attack using NPM hooks

Hacking Kubernetes: Live Demo Marathon

How attackers exploit developers and packages
08:22 MIN

How attackers exploit developers and packages

Vue3 practical development

The danger of dependency confusion in NPM packages
11:13 MIN

The danger of dependency confusion in NPM packages

Security in modern Web Applications - OWASP to the rescue!

Common attacks targeting software developers
08:16 MIN

Common attacks targeting software developers

Vulnerable VS Code extensions are now at your front door

Developers as an unintentional malware distribution vehicle
00:02 MIN

Developers as an unintentional malware distribution vehicle

Walking into the era of Supply Chain Risks

Understanding the risks in your software supply chain
00:14 MIN

Understanding the risks in your software supply chain

How your .NET software supply chain is open to attack : and how to fix it

How developers can become malware distribution vehicles
05:13 MIN

How developers can become malware distribution vehicles

Stranger Danger: Your Java Attack Surface Just Got Bigger

A historical parallel with the event-stream NPM hack
05:28 MIN

A historical parallel with the event-stream NPM hack

Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor

Featured Partners

Related Videos

See all videos
Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks27:10

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Sonya Moisset

Friend or Foe? TypeScript Security Fallacies27:41

Friend or Foe? TypeScript Security Fallacies

Liran Tal

Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor42:55

Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor

Feross Aboukhadijeh

Walking into the era of Supply Chain Risks37:36

Walking into the era of Supply Chain Risks

Vandana Verma

Security in modern Web Applications - OWASP to the rescue!26:59

Security in modern Web Applications - OWASP to the rescue!

Jakub Andrzejewski

Supply Chain Security and the Real World: Lessons From Incidents24:47

Supply Chain Security and the Real World: Lessons From Incidents

Adrian Mouat

Vulnerable VS Code extensions are now at your front door44:11

Vulnerable VS Code extensions are now at your front door

Raul Onitza-Klugman & Kirill Efimov

How your .NET software supply chain is open to attack : and how to fix it28:45

How your .NET software supply chain is open to attack : and how to fix it

Andrei Epure

Related Articles

View all articles
DC
Daniel Cranney
Dev Digest 195: End of Likes, JavaScript’s a Zoo, and Messing with Bots!
Inside last week’s Dev Digest 195 . 👎 No more external likes 🤗 Needy programs 📉 The worst selling Microsoft product 🟨 JavaScript engines zoo 🍞 No more toasts! 🤖 Messing with bots 👔 Beware of fake job interviews 🗞️ Join over 150,000 developers alread...
Dev Digest 195: End of Likes, JavaScript’s a Zoo, and Messing with Bots!
DC
Daniel Cranney
Security Basics for Vibe Coders
Vibe coding has become a popular trend in the tech world. With so many tools now available for both developers and non-developers, it’s easier than ever to build projects using natural language, in some cases without touching a line of code along the...
Security Basics for Vibe Coders
CH
Chris Heilmann
Dev Digest 151: SEO in an AI world, security fixes and Doomed PDFs
Inside last week’s Dev Digest 151 . 🔎 How ChatGPT compares to search and what that means for SEO ✂️ Job cuts across the board as companies curb DEI programs 🟨 @Microsoft releases 161 Windows security updates ⚠️ @Google’s OAuth bug endangers million...
Dev Digest 151: SEO in an AI world, security fixes and Doomed PDFs

From learning to earning

Jobs that call for the skills explored in this talk.

TypeScript AWS Developer

TypeScript AWS Developer

TechShack
Charing Cross, United Kingdom

£156-182K
Senior
Terraform
TypeScript
Microservices
Amazon Web Services (AWS)
Technical Team Lead-Node.JS

Technical Team Lead-Node.JS

K2 Partnering Solutions Ltd
Municipality of Valencia, Spain

Scrum
React
Node.js
TypeScript
Agile Methodologies
Creative Javascript

Creative Javascript

Thegiglab
Amsterdam, Netherlands

Intermediate
API
CSS
HTML
jQuery
Bootstrap
+1