Session
Real World Attacks in the npm Ecosystem
In this talk we will examine some practical attacks against the npm package ecosystem. We will look at both theoretical attacks as well as attacks which have already happened.
The most recently publicized attack we’ll look at is the `event-stream` module. This will include a breakdown of functionality, why it was difficult to find, and why a static analysis tool will not protect from such an attack. We’ll also look at some other intentionally malicious modules like `getcookies` which have also been published.
We’ll also look at some theoretical attacks and incorporate research done by @ChALkeR and npm.
Content is based on these two posts of mine:
[The Dangers of Malicious Modules](https://medium.com/intrinsic/common-node-js-attack-vectors-the-dangers-of-malicious-modules-863ae949e7e8)
[Compromised npm Package: event-stream](https://medium.com/intrinsic/compromised-npm-package-event-stream-d47d08605502)
Thomas Hunter II
Software Engineer and Published Author
San Francisco, California, United States
Links
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top