From YouTube: JavaScript Supply Chain Security - Adam Baldwin
A
Hello, everyone, and welcome to today's webinar, JavaScript Supply Chain Security. My name is Danielle Wambach and I'll be your moderator. I work on the marketing team here at npm and am excited to be hosting today's session. I'm pleased to introduce today's npm speaker, Adam Baldwin, VP of Security. Before I hand it over to Adam, I have a few housekeeping items to cover about the presentation in the BrightTALK webinar platform. First, today's webinar will be available on demand after the live session and is accessible through the same link you're using now. We've also added the slides, as well as related content, including npm's latest blogs on the same subject we're talking about today. Next, we'd love to hear from you during today's presentation. If you have a question for Adam, please feel free to send it through "Ask a Question".
B
Danielle. All right, JavaScript supply chain security. As you mentioned, I'm Adam, I'm the VP of Security at npm. Most people know npm from the CLI, right? It's the tool that developers interact with that lets them discover and manage their code reuse. It gets packages from the public registry, the world's largest corpus of open source packages: over 1 billion packages, 2 billion downloads a day and almost 8,000 publishes a day. It's growing and being updated at a very quick pace. Of course, npm is also made up of the website, right, the platform where developers go to perform searches and find new packages to solve the new business need that they have, and all of it is backed by npm, Inc., the company that's, you know, delivering enterprise products and solutions to help organizations manage their modern development. That's about npm! Let's talk about today's presentation. Here's our agenda: we're going to talk about what is a supply chain attack, we're going to discuss a case study of a recently discovered malware, a targeted malware against the Komodo platform, in which the npm team helped protect an estimated 13 million in cryptocurrency. We're going to discuss some steps that npm is taking to protect you, the steps that you can take to be protected, and then we'll answer any questions that you have. As Danielle mentioned, feel free to submit them any time during the presentation. We'll do our best to get to them at the end.
B
...or one of the trusted systems belonging to that build chain. For a successful supply chain attack, an attacker must gain access to manipulate the underlying dependency, right? If they can change or get access to an account that has a dependency that one of your applications uses, they can bring in a malicious component. They could introduce a new component to the build process, usually through social engineering: "Oh, here's a pull request. Here's a new component, use this," and then they later introduce it as a malicious component. They also must build trust, right, through social engineering, through their contributions and their history. These fake accounts, these attackers, they have to build a good legend, right, and sometimes it's just luck.
B
...many different people, and you can impact any one of those and that meal might not be as successful, or you can still do everything you can but you still might get E. coli on something, right? So it's about a process, getting things from the farm to your table, and that's similar to the supply chain attack.
B
...other ecosystem that has third-party dependencies. It's because your app is made up of many different dependencies, right, and these dependencies themselves have many other dependencies, and each one of these dependencies is maintained by a person. And since roughly 97%, and that's probably being generous, of the code in a modern application comes from npm, the majority of the code that you're shipping to production is not maintained or manufactured by your developers. It's by somebody else, right? There's a lot of attack surface when it comes to these small-module-type paradigms, right?
B
The goal was to introduce a new malicious dependency to run code on the Komodo users' systems, stealing passphrases for crypto wallets and to ultimately steal their crypto coin. The timeline looks something like this, and I hope that this kind of brings together the things that an attacker would do to pull off something like this. So, January 12, the suspected attacker joins GitHub, and it appears that they forged their GitHub history to have private commits before that, because if you go look, they've got a badge that says they joined GitHub January 12th, but they've got previous commits before that timeline, which is confusing. So they were there trying to bolster their legend, to build some trust. March 6, electron-native-notify was published. So this module came to be; it didn't do anything malicious. In fact, it was a useful module; it was useful in providing native notifications within an Electron application. March 14th, about a week later, the GitHub user submitted a pull request to bring the electron-native-notify module into the Agama wallet, the Komodo Agama wallet. March 23rd, the attacker updated electron-native-notify to include the malicious payload, right? And then on April 13th, the wallet was built and released, which contained that malicious code.
B
...So they basically found a route on the exfiltration server of that particular malware author, where they were sending those seeds to, for the wallet. They were able to find a way to gather all the seeds and then take that crypto coin before the attacker was able to, and then refund that to their users. So we were able to detect it because we flag on patterns in code, we flag on publications coming from things like anonymized networks, and also other things.
B
So that's how we detected it and how that kind of played out from a timeline perspective. It's really focused around social engineering, right? They had to create a plausible situation to get their code to come into the wallet, and they weren't attacking the developers themselves. As we've seen in the past, we've seen a lot of modules that have post-install scripts that are attacking the developers themselves, or the installers of the module themselves. In this case, they're attacking the end users of that platform.
B
So they were relying on building a legend, relying on good contributions, building trust, and then at a later moment in time bringing in their malicious dependency. They used a network-based staged payload, meaning that, you know, it only included a small downloader in the actual code, to hopefully avoid, you know, audit or something like that, and then when it was run on the end-user system, it would actually download its malicious payload and do whatever the attacker wanted.
B
...And we still do rely on our 11 million users to bring things to our attention, right, but this time we were able to catch it. We were able to notify the user, we were able to work with, you know, Heroku to take down the attacker's server, we were able to work with Komodo to protect those assets, and it was a pretty significant win for our team.
B
So, some of the trends that we've been seeing, you know, going from 2017 to 2019. As can be expected, we have more people publishing; npm is more popular than ever, so we're seeing, obviously, that's trending up, right? It becomes a more popular attack vector, more things are being built with it, more important things are being built with Node. We're seeing people publishing more malware, but what we're seeing in 2019 is interesting. 2019, this year, we're seeing more financially motivated attacks.
B
They want that crypto coin. They're financially motivated and they're trying hard to be patient, to be sneaky, to really have a well-planned-out attack. This is different, or another example of this is the Copay wallet, that was earlier this year, which was through the event-stream module. If you want to look that up, that's on our blog, blog.npmjs.com.
B
So let's talk about what are some of the things that npm security is doing to protect our users? You know, first of all, yeah, we have an npm security team. We have a focused, you know, funded, dedicated security team, and that's more than many other ecosystems can say, right? We have this dedicated team to field the reports from our users, to do research and to be looking for these types of anomalies and try to get to them before they impact users, right? We're the front, you know, from a malware perspective we're the tip of the spear, right? Nobody's reporting these type of things elsewhere, because we're the team that deals with them and triages them to get them out of the registry.
B
...We all make mistakes, and what's amazing is the time it takes until you have the email in your inbox saying that we revoked that, so key to protecting your account for you, is under two seconds. Pretty amazing. We're preventing credential stuffing attacks, basically password reuse from passwords that were in a known breach. During signup or password change, we use the Have I Been Pwned project by Troy Hunt; it's an amazing project that provides password hashes from known breaches.
B
We're also, you know, collecting insights from 11 million developers. We have a "report a vulnerability" button on our website that leads to triage, maintainer communication and advisories being issued, right, where we're fielding all those reports, and anything that's not worthy of going to the maintainer, that's just, it's not a report that's a vulnerability, the maintainer never sees it. So we're eliminating those false positives as a service to the ecosystem, and then, you know, trying to connect researchers and maintainers to improve the quality of modules out there.
B
Of course, one of our big initiatives that you're going to hear more about in the upcoming year is going to be our automated threat intelligence gathering. We're taking published packages, we're doing all kinds of interesting runtime and static insight gathering that we can then feed into npm Enterprise and help you make contextual decisions about whether to use modules or not, whether to let them into your ecosystem or not. Should you block them or not? That's an amazing power that we're going to be bringing to npm Enterprise through, sort of, our threat intelligence gathering.
B
So that's some of the things that npm is up to, that the npm security team is up to, for protecting users. And so what are some things that you can do to protect yourself? Because we can only do so much, and as the organization that's using Node, that's using JavaScript, that's using npm to build applications, there are certain things that you can do to sort of help protect yourself from, you know, attacks on dependencies. One of the first ones is to understand the consequences of semver, and this is a, you know, this is a contract between you and your dependency tree. When you bring a module in, depending on how you sort of define in your dependency tree how you want to bring that in, whether you use a caret or a tilde, it changes the rules on what you allow to be brought in if you don't pin your dependencies. So if you...
B
...You want trust to be a conscious decision, right? Like, semver can be like a person sitting in a chair. You don't want to assume that someone hasn't removed one of the legs since the last time you sat in it. You know, you bring a version down, you look at it, it looks fine; well, because of that contract you're going to be bringing in a potentially new version, a potentially malicious version. So, to kind of come back...
B
...That file should be committed to your application repositories, and it can actually help your performance through CI builds; by doing so, using npm ci, you're going to get faster build times. Using that, so that's one way of pinning your dependencies so that you don't have those dependencies shifting out from under you when you least expect it. So you want to be updating those dependencies with purpose. The other thing you can do is enable and enforce two-factor authentication.
B
Okay, if you do happen to leak your token and we do happen to not reset it somehow, or your password is an easy-to-guess password somehow, two-factor auth adds that additional layer of protection that can lead to fewer compromised accounts. Some facts about 2FA within the npm ecosystem: roughly seven percent of all of our users have two-factor auth enabled, and over the last 30 days, 23, 23 and a half percent of all publishes in the last 30 days were protected by 2FA, so we're trending in the right direction.
B
Those numbers are ever-increasing, which is great, but that's something that you can do for your organization to help, you know, protect your accounts. Finally, you can audit your dependencies. Unfortunately, at the end of the day, it is open source software. You are ultimately responsible for what you require, and no tool or technology can replace the process that is security. So if you're dealing with a high-risk application, you do have to audit those dependencies that you're bringing in, and unfortunately that can be a very time-intensive task.
B
npm audit, of course, can help with that, because it can tell you about known vulnerabilities, and then npm audit fix can help you fix those vulnerabilities, but that doesn't protect you against those 0-days, those things that you may need to audit for, that malware. And that's something that, you know, through our sort of automated threat intelligence gathering, we're going to be enabling you to have the right context at the right time, and that's all going to come together in npm Enterprise, right: the power of npm with the security and compliance.
B
So let's see, we've got a couple of questions here. How often do these attacks happen, and are they always targeted? You know, they aren't always targeted. Oftentimes it's just, you know, somebody being a prankster, you know, publishing a module that rm -rf's your files, and sometimes it's more targeted. We're trending towards the more targeted attacks, as I said, and they seem to be financially motivated, although, you know, that doesn't necessarily mean that history is going to predict the future.
B
Is there any way I can get a vulnerability report for my team or company? Well, you can use npm audit to, you know, look at your particular project and tell you if you have, you know, known vulnerabilities. We can also do that for organizations that use the public registry: you can reach out to sales, and that's something that we can generate for you based on, you know, your IP addresses, and from that we can generate those type of reports. So reach out to our sales team and connect.
B
If any more come in here... What expertise does npm have internally to focus on security? So, the npm security team, the baseline security team, was brought in through acquisition earlier in 2018. In fact, it was a company that I started, ^Lift Security. That particular company was a penetration testing company that focused on, you know, application security.
B
The other thing is, we started ^Lift and the Node Security Project, which was an initiative to, you know, have security become a core value within Node and JavaScript, and that's been fairly successful. So we've got a team of four people right now, so, you know, that's a small team, but through automation, through, you know, scaling our efforts, we're able to take a look at a lot of these things, and, you know, we've got people focused on triage and advisories and those kind of things, as well as internal research.
B
...You know, there's other tools from other vendors that sort of offer greater reporting, you know, than npm audit: different reporting and auto-updating of vulnerabilities. You know, npm audit provides that, you know, but those tools are quite expensive. You know, we're bringing those features to npm Enterprise. You know, package filtering is coming, you know, compliance filtering will be coming, and there'll be more about that, I'm sure, soon.
B
So those controls that we're bringing to npm Enterprise are going to give you that control and visibility that you need. The best part about npm Enterprise: you don't have to install or pin anything; it's npm with npm on it. You don't have to have developers do anything else. They're using the same tools they are familiar with day in and day out. They don't have to change their behavior, yet you can get better components and control over your security.
A
Great, thank you. As mentioned earlier, today's slides will be available on demand after the live session and accessible through the same link you're using now. We've also added some related material which you'll find under the attachments tab at the bottom of your screen. Finally, if you liked what you heard today, please tweet your thoughts on today's webinar using the hashtag #npmsec. Thank you for joining.
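Editor's added example, not part of the webinar transcript and not npm's code: the semver point Adam makes about caret and tilde ranges, shown with a hand-rolled matcher so it runs offline without the `semver` package. It only handles plain x.y.z versions and the ^, ~ and exact forms discussed in the talk, and the list of published versions is constructed; the version 1.4.0 stands in for a release pushed after you reviewed 1.2.3.

```javascript
// Added example (editor's, not from the webinar): what a caret, tilde or exact
// range in package.json lets an install without a lockfile pull in.
// Minimal semver matcher (assumption: plain x.y.z only, no prerelease tags).

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range: the leftmost non-zero component may not change.
function caretUpper([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// Exclusive upper bound of a tilde range: patch-level changes only.
function tildeUpper([maj, min]) {
  return [maj, min + 1, 0];
}

function satisfies(version, range) {
  const v = parse(version);
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parse(op ? range.slice(1) : range);
  if (op === '') return compare(v, base) === 0; // exact pin: only the audited version
  const upper = op === '^' ? caretUpper(base) : tildeUpper(base);
  return compare(v, base) >= 0 && compare(v, upper) < 0;
}

// Highest published version the range admits: what "npm install" resolves to
// when no package-lock.json fixes the choice.
function resolve(range, published) {
  const ok = published.filter((p) => satisfies(p, range));
  ok.sort((a, b) => compare(parse(a), parse(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed sample registry state for a hypothetical dependency.
const PUBLISHED = ['1.2.3', '1.2.9', '1.3.0', '1.4.0', '2.0.0'];

function demo() {
  return {
    caret: resolve('^1.2.3', PUBLISHED), // floats up to anything below 2.0.0
    tilde: resolve('~1.2.3', PUBLISHED), // floats within 1.2.x
    exact: resolve('1.2.3', PUBLISHED),  // stays on the version you looked at
  };
}

console.log(demo());
```

The caret and tilde results are the "chair with a leg removed" case from the talk: the range you wrote admits whatever the package's current publisher ships next, so a committed package-lock.json plus `npm ci` is what turns that contract back into a deliberate update.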