Zbyszek Tenerowicz

Oops! Stories of supply chain shenanigans

Can a dependency you never import inject a vulnerability into your application's final build? This talk demonstrates how.

Oops! Stories of supply chain shenanigans
#1about 4 minutes

Understanding software supply chain security in JavaScript

Software supply chain security involves managing the risks from third-party code you import, such as NPM packages.

#2about 1 minute

Using npm audit to find known package vulnerabilities

The `npm audit` command helps identify known vulnerabilities, like prototype pollution in older versions of packages like Lodash.

#3about 3 minutes

Overcoming the challenges of running npm audit in CI

Running `npm audit` in CI can lead to frequent build failures from low-risk issues like ReDoS in dev dependencies, causing audit fatigue.

#4about 4 minutes

Managing security alerts with the npm-audit-resolver tool

The `npm-audit-resolver` tool provides an interactive way to review, ignore, or postpone vulnerability alerts from `npm audit`.

#5about 6 minutes

How malicious packages use postinstall scripts to attack

Malicious NPM packages can execute arbitrary code during installation using lifecycle `postinstall` scripts, even if they are never imported in your code.

#6about 4 minutes

How a malicious package can compromise build tools

A malicious package can modify build tools like the TypeScript compiler during installation, causing it to inject malicious code into your application's final output.

#7about 3 minutes

Defending against malicious scripts with --ignore-scripts

Using the `--ignore-scripts` flag during `npm install` prevents `postinstall` scripts from running, but it can break legitimate packages that require them.

#8about 3 minutes

Identifying which package scripts are safe to ignore

The `can-i-ignore-scripts` tool analyzes your dependencies and checks against a community-maintained list to see which packages require their scripts to run.

#9about 1 minute

A secure workflow for installing NPM dependencies in CI

A secure installation process involves using a disposable container, running `npm ci --ignore-scripts`, and then selectively re-running only trusted scripts.

#10about 15 minutes

Q&A on package-lock, CSP, and dependency updates

The Q&A covers the role of `package-lock.json` for reproducible builds, using Content Security Policy (CSP) as a defense, and strategies for updating dependencies.

Related jobs
Jobs that call for the skills explored in this talk.

Matching moments

Demonstrating a supply chain attack using NPM hooks
02:44 MIN

Demonstrating a supply chain attack using NPM hooks

Hacking Kubernetes: Live Demo Marathon

How attackers exploit developers and packages
05:43 MIN

How attackers exploit developers and packages

Vue3 practical development

The danger of dependency confusion in NPM packages
02:18 MIN

The danger of dependency confusion in NPM packages

Security in modern Web Applications - OWASP to the rescue!

Developers as an unintentional malware distribution vehicle
03:36 MIN

Developers as an unintentional malware distribution vehicle

Walking into the era of Supply Chain Risks

Understanding the risks in your software supply chain
02:52 MIN

Understanding the risks in your software supply chain

How your .NET software supply chain is open to attack : and how to fix it

How developers can become malware distribution vehicles
02:39 MIN

How developers can become malware distribution vehicles

Stranger Danger: Your Java Attack Surface Just Got Bigger

Common attacks targeting software developers
05:49 MIN

Common attacks targeting software developers

Vulnerable VS Code extensions are now at your front door

Taking action on NPM supply chain security vulnerabilities
05:36 MIN

Taking action on NPM supply chain security vulnerabilities

WeAreDevelopers LIVE - Build a multi AI agents game master with Strands & our weekly web finds

Featured Partners

Related Videos

See all videos
Vulnerable VS Code extensions are now at your front door
44:11

Vulnerable VS Code extensions are now at your front door

Raul Onitza-Klugman & Kirill Efimov

Lies we Tell Ourselves As Developers
31:13

Lies we Tell Ourselves As Developers

Stefan Baumgartner

101 Typical Security Pitfalls
28:41

101 Typical Security Pitfalls

Alexander Pirker

A Primer in Single Page Application Security (Angular, React, Vue.js)
36:39

A Primer in Single Page Application Security (Angular, React, Vue.js)

Thomas Konrad

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks
27:10

Hack-Proof The Node.js runtime: The Mechanics and Defense of Path Traversal Attacks

Sonya Moisset

Walking into the era of Supply Chain Risks
37:36

Walking into the era of Supply Chain Risks

Vandana Verma

Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor
42:55

Coffee with Developers with Feross Aboukhadijeh of Socket about the xz backdoor

Feross Aboukhadijeh

Friend or Foe? TypeScript Security Fallacies
27:41

Friend or Foe? TypeScript Security Fallacies

Liran Tal

Related Articles

View all articles
Chris Heilmann
Dev Digest 111 - npm i -g issues
In last Friday's Dev Digest we looked at some global tech issues, took a deep dive into code assistants, we have a great video about NPM security and want you to tell us your favourite code questions to use in CODE100. News and ArticlesLet's start th...
Dev Digest 111 - npm i -g issues
Chris Heilmann
Dev Digest 138 - Are you secure about this?
Hello there! This is the 2nd "out of the can" edition of 3 as I am on vacation in Greece eating lovely things on the beach. So, fewer news, but lots of great resources. Many around the topic of security. Enjoy! News and ArticlesGoogle Pixel phones t...
Dev Digest 138 - Are you secure about this?
Chris Heilmann
Dev Digest 136 - No JS(on) of mine
News and ArticlesDouglas Crockford is our featured video, so let's talk about evolving JavaScript and all things JSON. Judicious JSON explains all the weird things in it, you can learn why it can be incredibly slow, people wonder what even is a JSON ...
Dev Digest 136 - No JS(on) of mine
Chris Heilmann
Dev Digest 110 - XY marks the spotty security
This time we give you a collection of links about the XZ backdoor, solve the last CODE100 puzzle, announce the next round of it, let you play with colours and explain why Lava lamps are great to keep the web secure.News and ArticlesThe big piece of n...
Dev Digest 110 - XY marks the spotty security

From learning to earning

Jobs that call for the skills explored in this talk.