English versionEN

Watch Me Run Malware From NPM

Zbyszek Tenerowicz

One of the oldest members of meet.js Poland community.

This talk is scheduled for Nov 21, 17:10

The recording will be published after editing. Multipass and Full ticket holders have early access.

Get Multipass

Bookmark

Watch me run real obfuscated malware from NPM safely while revealing what it does.
Learn how it's possible and use the technology behind it to secure your application from malicious code that gets past your audits and detections.

And if obfuscation is not enough, watch it applied to a malware payload delivered as pre-compiled V8 bytecode with no source code provided for it.

This talk has been presented at JSNation US 2024, check out the latest edition of this JavaScript Conference.

FAQ

The speaker is Zebe, a JavaScript and Node enthusiast with a focus on security, working on Labemote and running a Meetup and conference group called MeetJS.

The presentation focuses on security concerns related to running malware directly from NPM, exploring malicious packages, and defending applications against them.

NPM packages are compared to unsanitized input from random people online, which are consumed and run in production without reading.

The main concern is the potential for malicious packages to be included in applications, leading to security vulnerabilities.

The speaker created NPM Audit Resolver to address vulnerable dependencies by providing a structured way to manage them.

Malicious NPM packages can be explored on Socket Dev, where old versions are not removed, allowing users to view and download package contents.

Hardin JavaScript is a security tool that controls the scope and import mechanisms in JavaScript, providing scope isolation and preventing prototype pollution.

LavaLab is used to run and evaluate malware samples in a controlled environment, allowing the speaker to demonstrate how malware operates.

Lafamote improves security by placing each package in its own compartment, controlling dependency structure, and allowing selective access to globals and imports.

Using security tools like Lafamote is important to protect applications from malicious packages that could compromise security if they run in production.

npm security

Zbyszek Tenerowicz

21 Nov, 2024

Video transcription, chapters and summary will be available after the recording is published.

Available in other languages:

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

Levelling up Monorepos with npm Workspaces

DevOps.js Conf 2022

33 min

Levelling up Monorepos with npm Workspaces

Top Content

Ruy Adorno

Open-source maintainer, Node.js contributor, npm cli team member at GitHub

NPM workspaces help manage multiple nested packages within a single top-level package, improving since the release of NPM CLI 7.0. You can easily add dependencies to workspaces and handle duplications. Running scripts and orchestration in a monorepo is made easier with NPM workspaces. The npm pkg command is useful for setting and retrieving keys and values from package.json files. NPM workspaces offer benefits compared to Lerna and future plans include better workspace linking and adding missing features.

devops monorepos npm

It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder

Node Congress 2022

26 min

It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder

Top Content

Feross Aboukhadijeh

Feross is the author and maintainer of WebTorrent, StandardJS, and 100s of other open source projects

The talk discusses the importance of supply chain security in the open source ecosystem, highlighting the risks of relying on open source code without proper code review. It explores the trend of supply chain attacks and the need for a new approach to detect and block malicious dependencies. The talk also introduces Socket, a tool that assesses the security of packages and provides automation and analysis to protect against malware and supply chain attacks. It emphasizes the need to prioritize security in software development and offers insights into potential solutions such as realms and Deno's command line flags.

node.js security

The State of Passwordless Auth on the Web

JSNation 2023

30 min

The State of Passwordless Auth on the Web

Phil Nash

DataStax

Passwords are terrible and easily hacked, with most people not using password managers. The credential management API and autocomplete attribute can improve user experience and security. Two-factor authentication enhances security but regresses user experience. Passkeys offer a seamless and secure login experience, but browser support may be limited. Recommendations include detecting Passkey support and offering fallbacks to passwords and two-factor authentication.

security authentication

5 Ways You Could Have Hacked Node.js

JSNation 2023

22 min

5 Ways You Could Have Hacked Node.js

Top Content

Rafael Gonzaga

NearForm & Technical Steering Committee, Brazil

The Node.js security team is responsible for addressing vulnerabilities and receives reports through HackerOne. The Talk discusses various hacking techniques, including DLL injections and DNS rebinding attacks. It also highlights Node.js security vulnerabilities such as HTTP request smuggling and certification validation. The importance of using HTTP proxy tunneling and the experimental permission model in Node.js 20 is emphasized. NearForm, a company specializing in Node.js, offers services for scaling and improving security.

node.js security

Content Security Policy with Next.js: Leveling Up your Website's Security

React Summit US 2023

9 min

Content Security Policy with Next.js: Leveling Up your Website's Security

Top Content

Watch video: Content Security Policy with Next.js: Leveling Up your Website's Security

Lucas Estevão

Technical Manager and Principal UI Engineer.

Lucas Estevão, a Principal UI Engineer and Technical Manager at Avenue Code, discusses how to implement Content Security Policy (CSP) with Next.js to enhance website security. He explains that CSP is a security layer that protects against cross-site scripting and data injection attacks by restricting browser functionality. The talk covers adding CSP to an XJS application using meta tags or headers, and demonstrates the use of the 'nonce' attribute for allowing inline scripts securely. Estevão also highlights the importance of using content security reports to identify and improve application security.

next.js security react 18

Let Me Show You How React Applications Get Hacked in the Real-World

React Advanced 2021

22 min

Let Me Show You How React Applications Get Hacked in the Real-World

Top Content

Liran Tal

Snyk

React's default security against XSS vulnerabilities, exploring and fixing XSS vulnerabilities in React, exploring control characters and security issues, exploring an alternative solution for JSON parsing, and exploring JSON input and third-party dependencies.

react security xss

Workshops on related topic

0 to Auth in an hour with ReactJS

React Summit 2023

56 min

0 to Auth in an hour with ReactJS

WorkshopFree

Kevin Gao

Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.

react web development security authentication

OWASP Top Ten Security Vulnerabilities in Node.js

JSNation 2024

97 min

OWASP Top Ten Security Vulnerabilities in Node.js

Workshop

Marco Ippolito

In this workshop, we'll cover the top 10 most common vulnerabilities and critical security risks identified by OWASP, which is a trusted authority in Web Application Security.During the workshop, you will learn how to prevent these vulnerabilities and develop the ability to recognize them in web applications.The workshop includes 10 code challenges that represent each of the OWASP's most common vulnerabilities. There will be given hints to help solve the vulnerabilities and pass the tests.The trainer will also provide detailed explanations, slides, and real-life examples in Node.js to help understand the problems better. Additionally, you'll gain insights from a Node.js Maintainer who will share how they manage security within a large project.It's suitable for Node.js Developers of all skill levels, from beginners to experts, it requires a general knowledge of web application and JavaScript.
Table of contents:- Broken Access Control- Cryptographic Failures- Injection- Insecure Design- Security Misconfiguration- Vulnerable and Outdated Components- Identification and Authentication Failures- Software and Data Integrity Failures- Security Logging and Monitoring Failures- Server-Side Request Forgery

node.js security

How to Build Front-End Access Control with NFTs

JSNation 2024

88 min

How to Build Front-End Access Control with NFTs

WorkshopFree

Solange Gueiros

Understand the fundamentals of NFT technology and its application in bolstering web security. Through practical demonstrations and hands-on exercises, attendees will learn how to seamlessly integrate NFT-based access control mechanisms into their front-end development projects.

security

Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk

JSNation 2022

99 min

Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk

WorkshopFree

Matthew Salmon

npm and security, how much do you know about your dependencies?Hack-along, live hacking of a vulnerable Node app https://github.com/snyk-labs/nodejs-goof, Vulnerabilities from both Open source and written code. Encouraged to download the application and hack along with us.Fixing the issues and an introduction to Snyk with a demo.Open questions.

case study javascript node.js security npm

Bring Code Quality and Security to your CI/CD pipeline

DevOps.js Conf 2022

76 min

Bring Code Quality and Security to your CI/CD pipeline

WorkshopFree

Elena Vilchik

In this workshop we will go through all the aspects and stages when integrating your project into Code Quality and Security Ecosystem. We will take a simple web-application as a starting point and create a CI pipeline triggering code quality monitoring for it. We will do a full development cycle starting from coding in the IDE and opening a Pull Request and I will show you how you can control the quality at those stages. At the end of the workshop you will be ready to enable such integration for your own projects.

code quality ci cd security

Build Web3 apps with React

React Summit 2022

51 min

Build Web3 apps with React

WorkshopFree

Shain Dholakiya

The workshop is designed to help Web2 developers start building for Web3 using the Hyperverse. The Hyperverse is an open marketplace of community-built, audited, easy to discover smart modules. Our goal - to make it easy for React developers to build Web3 apps without writing a single line of smart contract code. Think “npm for smart contracts.”
Learn more about the Hyperverse here.
We will go over all the blockchain/crypto basics you need to know to start building on the Hyperverse, so you do not need to have any previous knowledge about the Web3 space. You just need to have React experience.

web apps npm web3