Supplychain attack (rogue deps) targeting devs, a walkthru [hu, w some js code]

https://www.meetup.com/owasp-hu/events/298092058/

https://github.com/edu-secmachine/owasp.231228.meetup.play-flat

by @timurxyz

The context

• "Using Components with Known Vulnerabilities” / OWASP TOP 10
• Rogue code

  Dev pipeline / a dev’s machine Dev env secrets / Production code

• JS/TS
• npm
• open source
• Small/Medium dev teams

The JS-module-shop problem

• Not like AppStore or PlayStore

116th issue

• Listen on it at Syntax.fm
  • https://syntax.fm/show/705/is-running-random-code-from-npm-safe-with-feross-aboukhadijeh
• The story
  • https://github.com/dominictarr/event-stream/issues/116
  • https://snyk.io/blog/a-post-mortem-of-the-malicious-event-stream-backdoor/