I'm running code from the internet!


-> RedTeam edition <-

@naugtur, The Hack Summit 2023

Who's that guy?

https://naugtur.pl

[![](CliffordStoll_2006-embed.jpg)](https://www.ted.com/talks/clifford_stoll_the_call_to_learn?utm_campaign=tedspread&utm_medium=referral&utm_source=tedcomshare) It's going to be a bit like this TED talk by Clifford Stoll
[image: npm logo]
Put your malicious code in a package and people will gobble it up like cookies.

Supply chain attack

delivery


postinstall

typo squatting

dependency confusion

package takeover

prototype poisoning

🙈

BTW

Don't publish malware to NPM please

## Prototype poisoning
# 🧪🍏

```js
const a = {};
// Patch the shared prototype: every plain object in the realm now
// stringifies through the attacker's function, not just `a`.
Object.prototype.toString = () => '👻';
console.log(`scary object: ${a}`);
```

```
scary object: 👻
```
### JS can be tweaked and it's no accident
- designed in 10 days
- humbly assuming there's room for improvement
## polyfills
#### and
## prototype poisoning
#### are the same thing
#### with different intentions
## attack examples
# ☠️
repo: [js-training-examples -> defensive coding](https://github.com/naugtur/js-training-examples)
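The slides above make the point that a polyfill and prototype poisoning are one mechanism, so the defense has to act on the mechanism, not the intent. The block below is an added example written for this page; it is not code from the slides or from the js-training-examples repo. It installs a harmless polyfill, then poisons `Object.prototype.toString` the way the slide does, then freezes the intrinsics and shows the same assignment no longer takes effect. The names `applyPolyfill`, `attemptPoison`, `hardenIntrinsics`, `stringify` and `report` are invented for the illustration.

```javascript
// Added example, not from the talk or from naugtur's js-training-examples repo.
// All function and variable names here are invented for this illustration.

// Template literals stringify a plain object via Object.prototype.toString,
// which is exactly what the poisoned slide example relies on.
function stringify(value) {
  return `scary object: ${value}`;
}

// 1. Polyfill: patch a builtin prototype because a feature is "missing".
function applyPolyfill() {
  if (typeof Array.prototype.lastItem !== 'function') {
    Object.defineProperty(Array.prototype, 'lastItem', {
      value: function lastItem() { return this[this.length - 1]; },
      writable: true, configurable: true, enumerable: false,
    });
  }
  return typeof Array.prototype.lastItem === 'function';
}

// 2. Poisoning: the identical operation with hostile intent. Returns true
//    if the patch took effect. On a frozen prototype the assignment is a
//    silent no-op in sloppy mode and a TypeError in strict mode, so the
//    result is decided by comparing function identity, not by catching.
function attemptPoison() {
  const original = Object.prototype.toString;
  try {
    Object.prototype.toString = () => '👻';
  } catch (err) {
    if (!(err instanceof TypeError)) throw err;
  }
  return Object.prototype.toString !== original;
}

// 3. Defense: freeze the intrinsics before any untrusted package code runs.
//    Legitimate polyfills have to be applied before this point; afterwards
//    they are blocked just like the attack, because they are the same thing.
function hardenIntrinsics() {
  for (const proto of [Object.prototype, Array.prototype]) {
    Object.freeze(proto);
  }
  return Object.isFrozen(Object.prototype) && Object.isFrozen(Array.prototype);
}

// Run the scenario once at load time and record what each side observes.
const pristineToString = Object.prototype.toString;
const report = {};
report.polyfilled = applyPolyfill();               // true
report.poisonedBeforeHardening = attemptPoison();   // true: prototype is writable
report.outputBeforeHardening = stringify({});       // 'scary object: 👻'
Object.prototype.toString = pristineToString;       // undo the poison, then freeze
report.hardened = hardenIntrinsics();               // true
report.poisonedAfterHardening = attemptPoison();    // false: assignment had no effect
report.outputAfterHardening = stringify({});        // 'scary object: [object Object]'
report.polyfillStillWorks = [1, 2, 3].lastItem();   // 3: installed before the freeze

console.log(report);
```

Run it with `node`. The ordering is the practical lesson: anything that legitimately needs to patch builtins (polyfills, instrumentation) must run first, then the prototypes are frozen, and only then is dependency code loaded; a package that tries the slide's trick after that point changes nothing, whether its code runs strict or sloppy.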

@naugtur   naugtur.pl

naugtur.pl/training