Hello, everyone. I'm here to show you how I run malware directly from NPM on my machine so that you don't have to. Well, that's not the full story, but let's not get ahead of ourselves. Right?
Okay. So, who am I? Hello. I'm Zebe. If you type nauter into any text box anywhere online and you get any results, it's probably going to be about me. I'm into JavaScript. I've been doing Node and JavaScript for many years now. And I switched to more focus on security a few years back. Now I'm working on Labemote, which is the logo in the middle that's protecting Metamask, which is the cute fox. And I'm also running a Meetup and conference group called MeetJS.
Okay. But this presentation is going to be a fairly chaotic take on some security things you might not be aware of yet. And I like to compare it to the TED Talk by Clifford Stahl. If you haven't seen it, I recommend it. Clifford Stahl is the first ever incident responder in security, in computer security overall, before it was called computer security and incident response. Very cool story. Anyway, I digress.
So, let me start with my favorite question. Would you take a string from me and without reading, put it in your source code that you then build and send out to production in your web application? Be it the server side, client side, anything. Would you do that? Okay. Now, would it help convince you to do that if I put it in a tar.gz file? Well, that's exactly what NPM packages are. And don't get me wrong, they're glorious. We love them. But at the same time, they're just unsanitized input from random people online that you put in your application and run in production without reading, aren't they? So yeah, it would be great to just consume NPM packages the way we do. I like consuming NPM packages, but what if some of them are not great, right? And I don't mean lousy packages. I published a fair share of lousy packages and nothing bad happened. But I mean malicious packages. We've heard about malicious packages.
Comments