Real World Attacks in the npm Ecosystem

In this talk we will examine some practical attacks against the npm package ecosystem. We will look at both theoretical attacks as well as attacks which have already happened.

The most recently publicized attack we’ll look at is the `event-stream` module. This will include a breakdown of its functionality, why it was difficult to find, and why a static analysis tool will not protect against such an attack. We’ll also look at other intentionally malicious modules, like `getcookies`, which have also been published.

We’ll also look at some theoretical attacks and incorporate research done by @ChALkeR and npm.

Content is based on these two posts of mine:
[The Dangers of Malicious Modules](https://medium.com/intrinsic/common-node-js-attack-vectors-the-dangers-of-malicious-modules-863ae949e7e8)
[Compromised npm Package: event-stream](https://medium.com/intrinsic/compromised-npm-package-event-stream-d47d08605502)

Thomas Hunter II

Staff Software Engineer

San Francisco, California, United States
