Overview
Explore the world of malicious NPM packages and their impact on application security in this recorded livestream. Learn how developers can inadvertently install harmful packages and witness demonstrations of various attack vectors, including postinstall scripts, TypeScript exploits, and pipeline vulnerabilities. Discover practical recommendations and open-source tools to protect against these threats, enhancing your developer security skills. Gain insights from expert Zbyszek Tenerowicz as he covers topics such as the audit-resolver project, malicious package installation methods, and effective countermeasures. Dive into this comprehensive session to strengthen your understanding of NPM package security and safeguard your applications from potential vulnerabilities.
Syllabus
- Stream Start
- Introductions
- Audit-resolver Project
- How do Developers Install Malicious Packages?
- Demo: Malicious Package via postinstall script
- Demo: Malicious Package with TypeScript
- Demo: Malicious Package via Pipeline and prepublish script
- Recommendations to Stop These Attacks
- Some Open Source Tools to Help
- Conclusion
- Outro
- Stream End
Taught by
Snyk