In an era of escalating supply chain attacks, this presentation sheds light on the threats posed to open-source software, particularly the NPM ecosystem. We explore the ‘What, Why, and How’ of these attacks and their consequences, emphasising the need for preemptive measures.
The talk drills down into the vulnerability of NPM packages, especially their susceptibility to account takeovers when maintainers’ email addresses expire. Despite sounding trivial, this issue can have catastrophic ramifications, affecting countless applications.
Our research involves scanning 2.1 million NPM packages, identifying vulnerabilities, and gauging their impact through download statistics. We present our methodology and introduce an open-source script to automate vulnerability identification.
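The audit loop the abstract describes (collect each package's maintainer e-mail domains, check whether the domain is still alive, rank hits by downloads) can be sketched in a few dozen lines. The block below is an added example and not the speakers' open-source script; the package records, names and e-mail addresses in it are constructed, and a plain address-resolution lookup stands in for the registrar/MX checks a real audit would perform.

```python
"""Audit the maintainer e-mail domains behind a set of npm packages.

Added example, not the talk's own script.  It models the methodology the
abstract describes: for every package, collect the maintainers' e-mail
domains, check whether each domain still resolves, and rank the packages
whose maintainers use a dead domain by weekly downloads.  Since any single
maintainer can publish a new version, one dead domain per package is enough
to flag it.  The records below are constructed; real metadata would come
from the npm registry document's "maintainers" field and download API.
"""
import socket

# Constructed sample registry documents (hypothetical names and addresses).
SAMPLE_PACKAGES = [
    {"name": "left-widget", "weekly_downloads": 1_200_000,
     "maintainers": [{"name": "alice", "email": "alice@example.com"}]},
    {"name": "tiny-colorize", "weekly_downloads": 85_000,
     "maintainers": [{"name": "bob", "email": "bob@expired-startup.example"}]},
    {"name": "shared-utils", "weekly_downloads": 40_000,
     "maintainers": [{"name": "alice", "email": "alice@example.com"},
                     {"name": "carol", "email": "Carol@Expired-Startup.example"}]},
    {"name": "noemail-pkg", "weekly_downloads": 10,
     "maintainers": [{"name": "dave"}]},          # no address published
]


def email_domain(email):
    """Return the lower-cased domain of an address, or None if malformed."""
    if not email or "@" not in email:
        return None
    local, _, domain = email.rpartition("@")
    if not local or not domain or "." not in domain:
        return None
    return domain.lower().rstrip(".")


def domain_resolves(domain):
    """Rough liveness check: does the name resolve at all?  A real audit
    would query MX/NS records and registrar data; address resolution is
    used here only as a stand-in (assumption)."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit_packages(packages, resolver=domain_resolves):
    """Return findings for packages with a maintainer on a dead domain,
    sorted by weekly downloads (highest impact first)."""
    cache = {}          # one lookup per distinct domain
    findings = []
    for pkg in packages:
        dead = []
        for m in pkg.get("maintainers", []):
            domain = email_domain(m.get("email"))
            if domain is None:
                continue
            if domain not in cache:
                cache[domain] = resolver(domain)
            if not cache[domain]:
                dead.append((m.get("name"), domain))
        if dead:
            findings.append({
                "package": pkg["name"],
                "weekly_downloads": pkg.get("weekly_downloads", 0),
                "maintainers": [n for n, _ in dead],
                "dead_domains": sorted({d for _, d in dead}),
            })
    findings.sort(key=lambda f: f["weekly_downloads"], reverse=True)
    return findings


def offline_resolver(domain):
    """Constructed resolver for offline runs: only the sample dead domain fails."""
    return domain != "expired-startup.example"


if __name__ == "__main__":
    for f in audit_packages(SAMPLE_PACKAGES, resolver=offline_resolver):
        print(f"{f['package']:<15} {f['weekly_downloads']:>10} downloads/week  "
              f"maintainers={f['maintainers']} dead={f['dead_domains']}")
```

Swap `offline_resolver` for the default `domain_resolves` (or a proper MX/registrar lookup) to run it against real metadata; the per-domain cache matters at the scale the abstract mentions, since a few maintainer domains recur across thousands of packages.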
Additionally, we discuss the history of NPM dependency attacks, illustrate recent vulnerabilities, and share strategies to fortify against such threats. Attendees will leave with a heightened awareness of open-source security, the ability to identify vulnerable NPM dependencies, and the means to protect their organisations.
This presentation addresses a pressing gap in current security practices, providing valuable insights for defending against NPM package vulnerabilities.
This event is proudly organised in partnership with Mobsquad.
Join the Community!
If you haven’t joined the Discord community, please do so! You can find us on Discord at: https://devseccon.io/discordcommunity