My NPM package will eat your lunch

@naugtur 2022
(slide image: npm logo, your app, hacker)

Have you heard of
supply chain attacks?

(slide image: npm logo, your app)
# 🤔
publish a package

So, I published a package

I'm gonna sneak it in as
a dependency of
a dev dependency of yours
#### You think you won't run it?
npm docs for lifecycle scripts

```json
"postinstall": "echo 💩 > /etc/hosts"
```
## Well, 💩
### Need a demo?
### Ok, wait

```
✨🐋
npm ci
cp node_modules s3://
🔥🔥🐋🔥🔥
```
### Hold my 🍺
#### I was into JS security before I knew JS or security
My first 5 lines of JavaScript ever

```js
function kill(){
  setTimeout('kill',0)
  setTimeout('kill',0)
}
kill()
```

breaks Windows pre XP SP2
(meme: one does not simply hack typescript compiler)
(image illustrating "fixing": a dude prodding an item with his leg)

But I prefer fixing

# Let's fix this mess
## --ignore-scripts

```
npm ci --ignore-scripts
yarn --ignore-scripts
```
publish a package

And that's it?

### Almost...
## 😅

#### Does your app still work?

#### Yeah. Some scripts are there for a reason

#### Run selected scripts

npm CLI has an option to do that

```
npm rebuild bcrypt bignum
```

For more control (and yarn support) use allow-scripts

```
npm install -D @lavamoat/allow-scripts
```

lavamoat

lavamoat logo 🥳

If you know what MetaMask is
and you are a developer,
check out Snaps!

https://docs.metamask.io/guide/snaps.html
### more control
### setup helper
### stops if setup broken

![](allow-scripts_LavaMoat.png)
### That's great. Now I **"just"** need to look through all my dependencies and create an allow list

There's an app for that

Call to arms!

Please open PRs to data.json
### Need to convince others?
publish a package
### I've got you covered!

```
npm install -D @naugtur/pentest-my-ci
```

It will break your build and print a scary but informative message 😂
### My recommendation

```
✨🐋
cp remote/package*.json ./
npm ci --production --ignore-scripts
npm run allow-scripts
cache_save: node_modules
🔥🔥🐋🔥🔥
```

```
✨🐋
(cache_get: node_modules)
git checkout
npm run build
cache_save: dist
🔥🔥🐋🔥🔥
```

```
✨🐋
(cache_get: dist)
git checkout
npm publish // or deploy
🔥🔥🐋🔥🔥
```
#### Watch lavamoat organization
#### for
### a reusable workflow
#### installing packages safely

Look out for my next talk

Hardening JavaScript



@naugtur   naugtur.pl