Playlist "May Contain Hackers 2022"

How to Secure the Software Supply Chain

Feross Aboukhadijeh

Open source code makes up 90% of most codebases. How do you know if you can trust your open source dependencies? Do you know what’s really going on in your node_modules folder? It is critical to manage your dependencies effectively to reduce risk, but most teams have an ad-hoc process where any developer can introduce dependencies. Software supply chain attacks have exploded over the past 12 months and they’re only accelerating in 2022. We’ll dive into examples of recent supply chain attacks targeting the JavaScript, Node.js, and npm ecosystems, as well as concrete steps you can take to protect your apps, projects, and teams from this emerging threat.

Takeaways for this talk:

1. Understand the scope of the supply chain threats against the open source ecosystem, specifically with a focus on JavaScript, Node.js, and npm.

2. Review of our work to audit every open source package on npm to detect the following types of attacks: malware, typo-squats, hidden code, misleading packages, and permission creep.

3. Specific examples and code walk-throughs of actual malware that was found on npm.

4. Discussion of existing methods and tools for detecting supply chain attacks against open source, including their limitations.

5. Introduction of a new open source tool that helps detect supply chain attacks in real time.