It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder

Rate this content
Bookmark

Do you know what’s really going on in your node_modules folder? Software supply chain attacks have exploded over the past 12 months and they’re only accelerating in 2022 and beyond. We’ll dive into examples of recent supply chain attacks and what concrete steps you can take to protect your team from this emerging threat.


You can check the slides for Feross' talk here.

Feross Aboukhadijeh
Feross Aboukhadijeh
26 min
18 Feb, 2022

Comments

Sign in or register to post your comment.

Video Summary and Transcription

The talk discusses the importance of supply chain security in the open source ecosystem, highlighting the risks of relying on open source code without proper code review. It explores the trend of supply chain attacks and the need for a new approach to detect and block malicious dependencies. The talk also introduces Socket, a tool that assesses the security of packages and provides automation and analysis to protect against malware and supply chain attacks. It emphasizes the need to prioritize security in software development and offers insights into potential solutions such as realms and Deno's command line flags.

1. Introduction and Stories

Short description:

Hello and welcome. Thanks for coming to my talk. It's a jungle out there. My name is Firas, and I'm an open source maintainer. I started WebTorrent, and StandardJS. I've been doing open source since 2014. In the past, I volunteered on the Node.js board of directors, and I also teach a class on web security at Stanford University. Now I'm the founder of a startup called Socket, which helps protect the open source ecosystem. Let me tell you a story. On January 13th, 2012, a developer named Faizal Salman published a new project to GitHub. It was called UAParserJS, and it parsed user agent strings. Over the next 10 years, Faizal continued to develop the package, and it eventually grew to 7 million downloads per week, being used by nearly 3 million GitHub repositories. Now, let me tell you a different story. On October 5th, 2021, a hacker was offering to sell the password to an NPM account that controlled a package with over 7 million weekly downloads. Two weeks later, uaparser.js was compromised, and three malicious versions were published. Malware was added to these packages that would execute immediately whenever anyone installed one of the compromised versions. Now, let's take a look at what that malware does. It uses a pre-install script that splits based on the operating system of the target. On Mac, nothing happens, but Windows and Linux users aren't so lucky.

Hello and welcome. Thanks for coming to my talk. It's a jungle out there. What's going on inside your modules folder? My name is Firas, and I'm an open source maintainer. I started WebTorrent, and StandardJS. I've been doing open source since 2014. In the past, I volunteered on the Node.js board of directors, and I also teach a class on web security at Stanford University. Now I'm the founder of a startup called Socket, which helps protect the open source ecosystem.

Before we get started, let me tell you a story. On January 13th, 2012, over 10 years ago, a developer named Faizal Salman published a new project to GitHub. It was called UAParserJS, and it parsed user agent strings. Now, lots of people found this project useful. And so over the next 10 years, Faizal continued to develop the package, along with the help from many open source contributors. He published 54 versions, as the package grew in popularity. It eventually grew to 7 million downloads per week. Eventually being used by nearly 3 million GitHub repositories.

Now, let me tell you a different story. On October 5th, 2021, on a notorious Russian hacking forum, this post appeared. A hacker was offering to sell the password to an NPM account that controlled a package with over 7 million weekly downloads. His asking price was $20,000 for this password. Now, this is where the two stories intersect. Two weeks later, uaparser.js was compromised, and three malicious versions were published. Malware was added to these packages that would execute immediately whenever anyone installed one of the compromised versions. So, now let's take a look at what that malware does. So, this is the package JSON file for the compromised version. And you'll see that it uses a pre-install script. So, this means that command will run automatically any time this package is installed. So, now let's look at what that script does. So, the first thing you'll see is that it splits based on the operating system of the target. On Mac, nothing happens, which is lucky for Mac users, but Windows and Linux users aren't so lucky.

2. Malicious Package Attack

Short description:

And you'll see here that command prompt has spawned for each of these platforms using child process.exe. Now, let's take a look at what that pre-install.sh script does. It fetches the user's country and proceeds to download an executable file. This program is a Monero miner used to mine the Monero cryptocurrency. On Windows, the script downloads a DLL file that steals passwords from over 100 different programs and the Windows credential manager. This package was published for about four hours, compromising those who installed it during that time. Over 700 packages have been removed from NPM for security reasons in the last 30 days. The trend of attacks on the open ecosystem and trust among maintainers is accelerating. 2022 will be the year of supply chain security. The system of downloading code from the Internet and executing it with full permissions is risky, but it's a miracle that it has mostly worked for this long.

And you'll see here that command prompt has spawned for each of these platforms using child process.exe. So, now let's take a look at what that pre-install.sh script does. The very first line fetches the user's country and figures out whether the from Russia, Ukraine, Belarus, or Kazakhstan, and stores that in a variable. Now, if the user comes from one of those countries, then the script exits without doing anything further. However, if you come from any other country, then the script proceeds to download an executable file from this IP address, mark that file as executable, and then run it.

And now based on these command line flags, you can see here that this program is a Monero miner, which is going to be used to mine the Monero cryptocurrency for the attacker. Now, this is the script on Windows. It's very similar. So it starts off with downloading that same or similar Monero miner, but it also downloads a DLL file as well and runs that. And then here you can see it just starting up the Monero miner and registering the DLL file on Windows.

Now, what does this extra DLL file do? Well, it steals passwords from over 100 different programs on the Windows machine, as well as all the passwords in the Windows credential manager. So, yikes, this is a really nasty piece of malware. And, you know, anyone unlucky enough to run this lost all their passwords and had to do, you know, kind of a complete reset of their online accounts. Not a fun time. So, this is kind of the aftermath. So, this package was published for about four hours. And the open source community was pretty diligent and reported it, and the maintainer was also quite diligent. And so, you know, anyone who happened to install it during the four-hour window was compromised, but it was removed relatively quickly. Any software builds done in projects without using a lock file were compromised. And anyone who was unlucky enough to update to this new version of the package or maybe who merged a bot PR to update to this new version during this time would have also been compromised.

So, this was big news in the JavaScript world, and I'm guessing you may have already heard about this attack. But this is really just the tip of the iceberg. So, we've been tracking packages that are removed from NPM for security reasons, and we've seen over 700 packages removed for security reasons in just the last 30 days. And I think this trend is accelerating as attackers take advantage of the open ecosystem and the trust that maintainers have for each other and the sort of liberal contribution policies that we've all sort of adopted in the modern open source era. So, I think 2022 will be the year of supply chain security, as the awareness of this issue is now coming to the fore. So, one question you might ask is, why is this happening now? I want to start by just pointing out that what we're trying to do here is kind of crazy. We're trying to download code from the Internet, written by unknown individuals that we haven't read, that we execute with full permissions on our laptops and our servers, where we keep our most important data. So, this is what we're doing every day when we use NPM install. And I just have to say really quickly that I personally think it's a miracle that the system works. And that it's continued to mostly work for this long.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

Towards a Standard Library for JavaScript Runtimes
Node Congress 2022Node Congress 2022
34 min
Towards a Standard Library for JavaScript Runtimes
Top Content
You can check the slides for James' talk here.
ESM Loaders: Enhancing Module Loading in Node.js
JSNation 2023JSNation 2023
22 min
ESM Loaders: Enhancing Module Loading in Node.js
Native ESM support for Node.js was a chance for the Node.js project to release official support for enhancing the module loading experience, to enable use cases such as on the fly transpilation, module stubbing, support for loading modules from HTTP, and monitoring.
While CommonJS has support for all this, it was never officially supported and was done by hacking into the Node.js runtime code. ESM has fixed all this. We will look at the architecture of ESM loading in Node.js, and discuss the loader API that supports enhancing it. We will also look into advanced features such as loader chaining and off thread execution.
Out of the Box Node.js Diagnostics
Node Congress 2022Node Congress 2022
34 min
Out of the Box Node.js Diagnostics
In the early years of Node.js, diagnostics and debugging were considerable pain points. Modern versions of Node have improved considerably in these areas. Features like async stack traces, heap snapshots, and CPU profiling no longer require third party modules or modifications to application source code. This talk explores the various diagnostic features that have recently been built into Node.
You can check the slides for Colin's talk here. 
The State of Passwordless Auth on the Web
JSNation 2023JSNation 2023
30 min
The State of Passwordless Auth on the Web
Can we get rid of passwords yet? They make for a poor user experience and users are notoriously bad with them. The advent of WebAuthn has brought a passwordless world closer, but where do we really stand?
In this talk we'll explore the current user experience of WebAuthn and the requirements a user has to fulfill for them to authenticate without a password. We'll also explore the fallbacks and safeguards we can use to make the password experience better and more secure. By the end of the session you'll have a vision for how authentication could look in the future and a blueprint for how to build the best auth experience today.
Node.js Compatibility in Deno
Node Congress 2022Node Congress 2022
34 min
Node.js Compatibility in Deno
Can Deno run apps and libraries authored for Node.js? What are the tradeoffs? How does it work? What’s next?
Multithreaded Logging with Pino
JSNation Live 2021JSNation Live 2021
19 min
Multithreaded Logging with Pino
Top Content
Almost every developer thinks that adding one more log line would not decrease the performance of their server... until logging becomes the biggest bottleneck for their systems! We created one of the fastest JSON loggers for Node.js: pino. One of our key decisions was to remove all "transport" to another process (or infrastructure): it reduced both CPU and memory consumption, removing any bottleneck from logging. However, this created friction and lowered the developer experience of using Pino and in-process transports is the most asked feature our user.In the upcoming version 7, we will solve this problem and increase throughput at the same time: we are introducing pino.transport() to start a worker thread that you can use to transfer your logs safely to other destinations, without sacrificing neither performance nor the developer experience.

Workshops on related topic

Node.js Masterclass
Node Congress 2023Node Congress 2023
109 min
Node.js Masterclass
Top Content
Workshop
Matteo Collina
Matteo Collina
Have you ever struggled with designing and structuring your Node.js applications? Building applications that are well organised, testable and extendable is not always easy. It can often turn out to be a lot more complicated than you expect it to be. In this live event Matteo will show you how he builds Node.js applications from scratch. You’ll learn how he approaches application design, and the philosophies that he applies to create modular, maintainable and effective applications.

Level: intermediate
0 to Auth in an hour with ReactJS
React Summit 2023React Summit 2023
56 min
0 to Auth in an hour with ReactJS
WorkshopFree
Kevin Gao
Kevin Gao
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.
Build and Deploy a Backend With Fastify & Platformatic
JSNation 2023JSNation 2023
104 min
Build and Deploy a Backend With Fastify & Platformatic
WorkshopFree
Matteo Collina
Matteo Collina
Platformatic allows you to rapidly develop GraphQL and REST APIs with minimal effort. The best part is that it also allows you to unleash the full potential of Node.js and Fastify whenever you need to. You can fully customise a Platformatic application by writing your own additional features and plugins. In the workshop, we’ll cover both our Open Source modules and our Cloud offering:- Platformatic OSS (open-source software) — Tools and libraries for rapidly building robust applications with Node.js (https://oss.platformatic.dev/).- Platformatic Cloud (currently in beta) — Our hosting platform that includes features such as preview apps, built-in metrics and integration with your Git flow (https://platformatic.dev/). 
In this workshop you'll learn how to develop APIs with Fastify and deploy them to the Platformatic Cloud.
0 to Auth in an Hour Using NodeJS SDK
Node Congress 2023Node Congress 2023
63 min
0 to Auth in an Hour Using NodeJS SDK
WorkshopFree
Asaf Shen
Asaf Shen
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool.
We will enhance a full-stack JS application (Node.JS backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session for subsequent client requests, validating / refreshing sessions
At the end of the workshop, we will also touch on another approach to code authentication using frontend Descope Flows (drag-and-drop workflows), while keeping only session validation in the backend. With this, we will also show how easy it is to enable biometrics and other passwordless authentication methods.
Table of contents- A quick intro to core authentication concepts- Coding- Why passwordless matters
Prerequisites- IDE for your choice- Node 18 or higher
Building a Hyper Fast Web Server with Deno
JSNation Live 2021JSNation Live 2021
156 min
Building a Hyper Fast Web Server with Deno
WorkshopFree
Matt Landers
Will Johnston
2 authors
Deno 1.9 introduced a new web server API that takes advantage of Hyper, a fast and correct HTTP implementation for Rust. Using this API instead of the std/http implementation increases performance and provides support for HTTP2. In this workshop, learn how to create a web server utilizing Hyper under the hood and boost the performance for your web apps.
GraphQL - From Zero to Hero in 3 hours
React Summit 2022React Summit 2022
164 min
GraphQL - From Zero to Hero in 3 hours
Workshop
Pawel Sawicki
Pawel Sawicki
How to build a fullstack GraphQL application (Postgres + NestJs + React) in the shortest time possible.
All beginnings are hard. Even harder than choosing the technology is often developing a suitable architecture. Especially when it comes to GraphQL.
In this workshop, you will get a variety of best practices that you would normally have to work through over a number of projects - all in just three hours.
If you've always wanted to participate in a hackathon to get something up and running in the shortest amount of time - then take an active part in this workshop, and participate in the thought processes of the trainer.