My NPM package will eat your lunch

@naugtur, 2021
(slide image: npm logo, your app, a hacker)

Have you heard of
supply chain attacks?

(slide image: npm logo, your app)
# 🤔
publish a package

So, I published a package

I'm gonna sneak it in as
a dependency of
a dev dependency of yours
#### You think you won't run it?
(screenshot: npm docs for lifecycle scripts)

```json
"postinstall": "echo 💩 > /etc/hosts"
```
## Well, 💩
### Need a demo?
### Ok, wait
```
✨🐋
npm ci
cp node_modules s3://
🔥🔥🐋🔥🔥
```
### Hold my 🍺
#### I was into JS security before I knew JS or security
My first 5 lines of JavaScript ever
```js
function kill(){
  setTimeout('kill',0)
  setTimeout('kill',0)
}
kill()
```
breaks Windows pre XP SP2
(meme: one does not simply hack typescript compiler)
(image: illustrates fixing with a picture of a dude prodding an item with his leg)

But I prefer fixing

# Let's fix this mess
## --ignore-scripts
```
npm ci --ignore-scripts
yarn --ignore-scripts
```
publish a package

And that's it?

### Almost...
## 😅
#### Does your app still work?
#### Yeah. Some scripts are there for a reason
#### Run selected scripts
npm CLI has an option to do that
```
npm rebuild bcrypt bignum
```
For more control (and yarn support) use allow-scripts
```
npm install -D allow-scripts
```

(screenshot: allow-scripts page on npm)

more tooling?

@lavamoat/allow-scripts etc.
(image: lavamoat logo)
### That's great. Now I **"just"** need to look through all my dependencies and create an allow list

There's an app for that

Call to arms!

Please open PRs to data.json
### Need to convince others?
publish a package
### I've got you covered!
```
npm install -D @naugtur/pentest-my-ci
```
It will break your build and print a scary but informative message 😂
### My recommendation
```
✨🐋
cp remote/package.json ./
cp remote/package-lock.json ./
npm ci --production --ignore-scripts
npx allow-scripts
cp node_modules s3://
🔥🔥🐋🔥🔥
```

Q&A on twitter?



@naugtur   naugtur.pl