Zbyszek Tenerowicz

Full-stack engineer and technology researcher. Leads the Security Lab team at MetaMask, working on LavaMoat and Endo. Started using Node.js at v0.8 and never stopped. Enjoys innovating and teaching security, diagnostics and maintainability. One of the oldest members of the meet.js Poland community, both as a speaker and organizer. Hacking JavaScript since his teenage years.
Watch Me Run Malware From NPM
JSNation US 2024
21 min
Watch me run real obfuscated malware from NPM safely while revealing what it does. 
Learn how it's possible and use the technology behind it to secure your application from malicious code that gets past your audits and detections.

And if obfuscation is not enough, watch it applied to a malware payload delivered as pre-compiled V8 bytecode with no source code provided for it.
I Run Code From the Internet!
React Advanced 2023
20 min
Is it wise to run code from strangers? Well, we do it all the time and there's no backing out of it. Let's take a look at how a JavaScript project could get hacked and then defend itself from supply chain attacks. 
Limit access to globals for each package? Sure. Control if a package can access network or file system? Yup, that too. And no more install scripts or prototype pollution.
I Run Code From the Internet!
React Summit 2023
12 min
Is it wise to run code from strangers? Well, we do it all the time and there's no backing out of it. Let's take a look at how a JavaScript project could get hacked and then defend itself from supply chain attacks. Limit access to globals for each package? Sure. Control if a package can access network or file system? Yup, that too. And no more install scripts or prototype pollution.
Eval all the strings! - Hardened JavaScript
Node Congress 2023
8 min
This talk is about SecureEcmaScript and Compartments which are TC39 proposals, and I'm working on tooling to make these concepts usable with people championing those proposals.
This is a first-hand account of the future of JavaScript security.
SES + tooling (LavaMoat or Endo) is making limiting access to network, fs, core modules or globals possible on a per-package basis.
I want to show how they work, what possibilities they open and how to make that future happen today with some effort.
To me this is the final step in securing the npm supply chain - even if a package gets taken over by bad actors, it won't be able to hurt me.