Zbyszek Tenerowicz

Oops! Stories of supply chain shenanigans

Can a dependency you never import inject a vulnerability into your application's final build? This talk demonstrates how.

#1 (about 4 minutes)

Understanding software supply chain security in JavaScript

Software supply chain security involves managing the risks from third-party code you import, such as NPM packages.

#2 (about 1 minute)

Using npm audit to find known package vulnerabilities

The `npm audit` command helps identify known vulnerabilities in installed packages, such as prototype pollution in older versions of Lodash.

#3 (about 3 minutes)

Overcoming the challenges of running npm audit in CI

Running `npm audit` in CI can lead to frequent build failures from low-risk issues like ReDoS in dev dependencies, causing audit fatigue.

#4 (about 4 minutes)

Managing security alerts with the npm-audit-resolver tool

The `npm-audit-resolver` tool provides an interactive way to review, ignore, or postpone vulnerability alerts from `npm audit`.

#5 (about 6 minutes)

How malicious packages use postinstall scripts to attack

Malicious NPM packages can execute arbitrary code during installation using lifecycle `postinstall` scripts, even if they are never imported in your code.

#6 (about 4 minutes)

How a malicious package can compromise build tools

A malicious package can modify build tools like the TypeScript compiler during installation, causing it to inject malicious code into your application's final output.

#7 (about 3 minutes)

Defending against malicious scripts with --ignore-scripts

Using the `--ignore-scripts` flag during `npm install` prevents `postinstall` scripts from running, but it can break legitimate packages that require them.

#8 (about 3 minutes)

Identifying which package scripts are safe to ignore

The `can-i-ignore-scripts` tool analyzes your dependencies and checks against a community-maintained list to see which packages require their scripts to run.

#9 (about 1 minute)

A secure workflow for installing NPM dependencies in CI

A secure installation process involves using a disposable container, running `npm ci --ignore-scripts`, and then selectively re-running only trusted scripts.
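The workflow in #7 through #9 (install with scripts disabled, then re-run only the scripts you trust) can be driven from the lockfile itself. The example below is added here and is not code from the talk or from the `can-i-ignore-scripts` project: it reads a constructed `package-lock.json` fragment, uses the `hasInstallScript` flag that npm 7+ lockfiles set on packages declaring `preinstall`/`install`/`postinstall` scripts, compares those packages against a reviewed allowlist (the `trustedScripts` set is an assumption standing in for your own list), and emits the `npm ci --ignore-scripts` and `npm rebuild <name>` commands a CI job would run inside a disposable container. Packages with scripts that are not on the allowlist are reported for review rather than executed.

```javascript
// Added example: plan which install scripts to re-run after
// `npm ci --ignore-scripts`, based on an allowlist and the lockfile.
// Not part of the talk or of any npm tooling; `trustedScripts` is a
// hypothetical allowlist you would maintain yourself.

// Constructed lockfile fragment (not a real project's package-lock.json).
// npm 7+ marks packages that declare install-time scripts with
// `hasInstallScript: true`.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "native-addon": "^1.0.0" } },
    "node_modules/native-addon": { version: "1.2.0", hasInstallScript: true },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/some-util": { version: "0.1.0", hasInstallScript: true },
    "node_modules/some-util/node_modules/nested-thing": {
      version: "2.0.0",
      hasInstallScript: true,
    },
  },
};

// Allowlist (assumed): packages whose install scripts were reviewed and
// are known to be required, e.g. native addons that compile on install.
const trustedScripts = new Set(["native-addon"]);

// "node_modules/@scope/name" -> "@scope/name"; nested paths resolve to the
// innermost package name.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Every installed package that declares install-time lifecycle scripts.
function packagesWithInstallScripts(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, entry]) => path !== "" && entry.hasInstallScript === true)
    .map(([path]) => packageNameFromPath(path));
}

// Split script-bearing packages into "allowed to run" and "needs review".
function planScriptExecution(lock, allowlist) {
  const allowed = new Set();
  const review = new Set();
  for (const name of packagesWithInstallScripts(lock)) {
    (allowlist.has(name) ? allowed : review).add(name);
  }
  return { allowed: [...allowed].sort(), review: [...review].sort() };
}

// Commands a CI job runs in a throwaway container: install with all
// scripts disabled, then `npm rebuild` only the allowlisted packages,
// which runs their preinstall/install/postinstall scripts.
function ciCommands(lock, allowlist) {
  const plan = planScriptExecution(lock, allowlist);
  const commands = ["npm ci --ignore-scripts"];
  if (plan.allowed.length > 0) {
    commands.push(`npm rebuild ${plan.allowed.join(" ")}`);
  }
  return { commands, needsReview: plan.review };
}

console.log(JSON.stringify(ciCommands(sampleLock, trustedScripts), null, 2));
```

Running this on the sample prints `npm ci --ignore-scripts` followed by `npm rebuild native-addon`, and flags `some-util` and `nested-thing` as packages with scripts that nobody has vetted yet. A CI job can fail the build when `needsReview` is non-empty, so a newly added dependency with a `postinstall` script is noticed before it ever executes.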

#10 (about 15 minutes)

Q&A on package-lock, CSP, and dependency updates

The Q&A covers the role of `package-lock.json` for reproducible builds, using Content Security Policy (CSP) as a defense, and strategies for updating dependencies.
