NPM packages are getting hacked

Captions
Security is like a Tom and Jerry game: sometimes Tom wins, sometimes Jerry wins, and sometimes nobody wins.

Hey there everyone, Hitesh here, back again with another video, and in this video we're gonna talk about something very, very important: security issues in the npm packages. Now, at the very first time when I saw this all over the news, I was busy in making courses and some other personal work as well. I was pretty sure that a whole lot of people are going to talk about it, so if I'm busy, I'm sure somebody will talk about it. But this topic got like slided under the rug like anything, and I thought this is not good. We should be talking more about these subjects so that more knowledge is spread around, and we should have at least a discussion around it. The only way to make our application more secure is to talk about it, having more engagement around it and passing on the knowledge that we know about. As a developer community, if we pass on this knowledge and we talk more about these incidents, we can definitely protect ourselves and at least have the knowledge being passed on.

In the early days of my career I have spent a good chunk of time in security, all about it. Web application security majorly was my topic. I have spent a good amount of time in that: writing research papers, helping in writing research papers, as well as doing actual audits and a whole bunch of other things, from writing custom exploits to writing articles for magazines like PenTest. Yes, I have done all of that, and in case you are involved in security you will probably find my name somewhere or the other. So, proving the point that yes, I know a word or two about security, not pretty much high-end, but I know my fair share of stuff.

Now, before I go ahead further and discuss this particular incident, which everybody should know about, let me tell you one thing: security is not something which is a goal to achieve. It's an internal part and a process of building the application. If you want and see security like "this is something I have to achieve", no, this doesn't work like that. Security is a process, and it's a part of development as well, and this should be taught right from upfront when the application is designed. But no matter what you do, it's a cat and mouse game, and one day or the other your application, or whatever you're building, is gonna get compromised. It's not a matter of if, it's a matter of when. Even companies as big as Google, Microsoft and Facebook and all these big giants, they get compromised one day or the other. So it's a really scary world; it's a situation like this. All we can do is try as best as possible to delay that situation. One of the many ways of doing that is taking care of what's happening in the market and getting ourselves updated as this happens, and one good way of doing that is hitting that subscribe button so that you can keep updated about all the things which are latest happening around.

Now, this attack what I'm talking about is not an ordinary SQL injection or some cross-site scripting, though it is way more complicated than that: really simple to understand but very, very complicated to execute. And what further might going to impress you: it's not about writing a custom exploit and using some of the open port vulnerabilities. No, it's not like that. It's directly writing code that takes advantage of the system entirely, just pushing the code like that. Okay, so let me bring you down to how this attack was executed and how you can protect yourself a little bit towards these kinds of situations.

In order to understand, you need to have a full understanding of how npm works, not too much, but at least the basics of it. In the earlier days I have already rolled out a video about understanding npm and semver versioning in detail, but I'm pretty sure only a handful of you watched that video, because it was educational content and this is spicy content, so you'll be watching this one. So, a brief tour of how semver versioning works: in all the npm packages you see three parts of the application, whatever the package name is, and then x.y.z. In some of the mechanisms we allow the z version to be updated, in some we allow the y version to get updated, and in usual cases the x version is updated manually. And usually this is how our application or the package.json file looks like: sometimes you allow it automatically to just push all these major updates, sometimes minor updates and patches. So this is how usually our npm file looks like, or the package.json.

In the current scenario we don't build applications by writing the entirety of our code by ourselves. It's no longer a norm; we don't do it anymore. There's always some or the other library that we use. It might be a React library, Vue, Angular, some npm packages, maybe for parsing some of the data, maybe some conversion, something, axios, or some library is there which is involved. The question comes in: what happens when these libraries are compromised? Yes, my friend, it is as scary as you can imagine. If one of these packages, which is a pretty popular one, gets compromised, the entirety of our code base, no matter how much security you're putting in, everything is just polluted, everything is compromised. This is exactly what happened with one of the packages recently, and I'm seeing a trend that these kinds of attacks are rising like exponentially.

One of the pretty popular packages is ua-parser. This package is utilized quite a lot by almost everybody in production to find out more details about your system: what operating system you are on, what is the browser you are using, what version you are using, are you on Android devices, iOS. Everybody uses it: Facebook, Apple, Shopify, V... and all of the guys. Anybody who is in production actually uses this. Now, ua-parser is not a small package. It is pretty much insanely powerful and a popular package: eight million weekly downloads. If this is not popular, I don't know what is.

Now, in this sophisticated attack, attackers somehow got the ability to push code into the repository from the user or the publisher directly, and he smartly updated three versions of this package. Now, very smartly, the three versions that he pushed on were 0.7.29, 0.8.0 and 1.0.0. So notice here how smartly he's targeting all three parts of it, x, y and z, so no matter what kind of automatic updation of this package you have allowed into your production system, all of them are gonna get compromised. Now, there was no estimate being put out of how much damage this vulnerability or this attack has actually made, but very quickly it was patched up; it was not too long. Now, there is no official documentation or a public figure of how much damage this package updation has made or anything, but very quickly the author or the founder of the package came in and said that "I believe that my account was compromised, my npm publishing account was compromised, and somebody has hijacked it and pushed these updates, and I'm releasing out another update on top of that to fix all of that."

Now, after analyzing all these attacks, the code that was pushed up, it was found out that there was a malicious script which was running in these npm packages, and it allowed the attacker to actually steal all of the passwords which were stored in the browser, as well as there was some crypto mining script that was executing via this code. And in case you are thinking that it was not too bad, another one of the GitHub users who actually inspected all of these scripts, it is not confirmed, but he actually claimed that the amount of patch that is being sent up, the malicious one, on the Windows system it actually downloads a DanaBot and just compromises it further down. It's almost like a Trojan horse. But again, this was not verified; this was the claim of the user. So much scary. Now, of course, in the later-on version everything was fixed, and thanks to open source that the code was open, it was analyzed and we found out all of those things.

But now can you see that open source definitely is good, we were able to find it out, but since everything was open source, everybody was using this package, showing the trust that "yeah, this is all good", everybody got compromised at the same time. I love open source, you love open source, and this is the entire community we all love. We use so many of the packages, we are dependent on so many of the things, that we don't really bother to go in and check all of these codes, and to be honest it's not even possible. The place where we are, it's so far that it's not even possible. Now obviously attackers are targeting more of such npm packages, and so many of the reports are coming all around in the community that "hey, I was also being targeted because I host this kind of package which is popular". Of course attackers are not going to attack a package which gets 100, 200 downloads; that makes no sense. But imagine if this scales up to something like a core package of Angular or maybe React, how scary it can get.

Okay, so looks like I have scared you enough for today, so let's talk about what could be the possible solution for that. Now, yes, again, a lot of security researchers at that time came forward and have recommended that, hey, we should get rid of all these tildes, whatever we are having, these special privileges that, hey, just automatically patch all of these things; we should manually update all these things. Yeah, that is one of the possible, very, very, very fatiguing ways, but it is one of the ways. But my point here is that this is an existing problem. This is the one thing that we are facing around, and obviously we are not going to be solving this problem if we are not going to talk about it. So if more people are going to make videos, more people are going to write articles about it and are going to talk openly in the community, then something we are going to come up with. And I personally believe that npmjs is on to such a scale now that I think there should be more of the protection mechanisms that should be injected directly by npm, and it should not be like something that, hey, the community is gonna do and come up with something. No, it shouldn't be like that. npm should come forward, and the people who are so much expert in these domains should come up with some of the ideas and have some talks and discussion or some conference talk about it, what can be the possible solution for these attacks that are coming around.

And yeah, for all those people who are thinking that this was one isolated situation: no, this is not an isolated situation which we came around. ua-parser just got the popularity around it that, hey, it was attacked and it was hacked, but there are so many of the other packages which are getting hacked, getting attacked, and are rolling out the final good version of the patch, but they are not being talked much around, and I want they should be talked more.

So in case you have enjoyed this video, go ahead, hit that subscribe button, hit that like button, go follow me up on Instagram as well in case you enjoy such videos, and definitely there is a lot on this channel, right from the crash courses to the series on Golang and these spicy videos and a whole bunch of other things, so we're gonna find something up here always. That's it for this video. I'm gonna surely catch you up in the next one.
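The video's point about x.y.z ranges and the three hijacked releases can be made concrete. The following is an added example, not code from the video, from Hitesh Choudhary, or from the ua-parser-js project: a minimal semver range matcher for the common package.json forms (exact pin, `~`, `^`, `*`) plus an audit that lists dependencies whose range lets npm pick a newer version on its own. The three malicious versions are the ones named in the video; the prior good version 0.7.28 used as the baseline and the sample package.json are assumptions, constructed for the demo. It also goes one step beyond the video's summary by showing the semver rule that `^` on a 0.x version only permits patch-level changes, so `^0.7.28` would have pulled 0.7.29 but not 0.8.0 or 1.0.0, while `*` resolves to 1.0.0.

```javascript
// Added example: minimal semver range matching and a package.json audit.
// Not code from the video or from the ua-parser-js project.
// Supported range forms: exact "x.y.z", "~x.y.z", "^x.y.z", and "*" / "x" / "latest".

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

function compareVersions(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Translate one range specifier into [lo inclusive, hi exclusive]; hi === null means unbounded.
function rangeBounds(range) {
  const r = String(range).trim();
  if (r === '' || r === '*' || r === 'x' || r === 'latest') {
    return { lo: { major: 0, minor: 0, patch: 0 }, hi: null };
  }
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const lo = parseVersion(op ? r.slice(1) : r);
  if (op === '') {
    // Exact pin: only this one version is acceptable.
    return { lo, hi: { major: lo.major, minor: lo.minor, patch: lo.patch + 1 } };
  }
  if (op === '~') {
    // ~x.y.z: patch-level updates only, i.e. >=x.y.z <x.(y+1).0
    return { lo, hi: { major: lo.major, minor: lo.minor + 1, patch: 0 } };
  }
  // ^x.y.z: anything that keeps the left-most non-zero field unchanged.
  if (lo.major > 0) return { lo, hi: { major: lo.major + 1, minor: 0, patch: 0 } };
  if (lo.minor > 0) return { lo, hi: { major: 0, minor: lo.minor + 1, patch: 0 } };
  return { lo, hi: { major: 0, minor: 0, patch: lo.patch + 1 } };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lo, hi } = rangeBounds(range);
  return compareVersions(v, lo) >= 0 && (hi === null || compareVersions(v, hi) < 0);
}

// npm installs the highest published version that satisfies the range.
function resolveRange(range, published) {
  const matches = published.filter((p) => satisfies(p, range));
  if (matches.length === 0) return null;
  matches.sort((a, b) => compareVersions(parseVersion(b), parseVersion(a)));
  return matches[0];
}

// Versions the video names as the hijacked releases.
const MALICIOUS_VERSIONS = ['0.7.29', '0.8.0', '1.0.0'];
// Assumed prior good version (constructed baseline; the video does not state it).
const BASELINE_VERSION = '0.7.28';
const PUBLISHED = [BASELINE_VERSION, ...MALICIOUS_VERSIONS];

// For each update policy a package.json might express, which version would a fresh install pull?
function exposureByPolicy() {
  const policies = {
    pinned: BASELINE_VERSION,             // "0.7.28"
    patchUpdates: `~${BASELINE_VERSION}`, // "~0.7.28"
    caret: `^${BASELINE_VERSION}`,        // "^0.7.28": on a 0.x version, caret == patch-level only
    anyVersion: '*',
  };
  const out = {};
  for (const [name, range] of Object.entries(policies)) {
    const resolved = resolveRange(range, PUBLISHED);
    out[name] = { range, resolved, compromised: MALICIOUS_VERSIONS.includes(resolved) };
  }
  return out;
}

// Audit a parsed package.json: list dependencies whose range is not an exact pin.
function auditDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!/^v?\d+\.\d+\.\d+$/.test(String(range).trim())) {
        findings.push({ field, name, range });
      }
    }
  }
  return findings;
}

// Constructed sample package.json for the demo (not a real project's file).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { 'ua-parser-js': '^0.7.28', 'example-lib': '1.2.3' },
  devDependencies: { 'example-tool': '~2.0.0' },
};

console.log(exposureByPolicy());
console.log(auditDependencies(SAMPLE_PACKAGE_JSON));
```

Run it with `node`. `exposureByPolicy()` shows that only the exact pin stays on 0.7.28; `~` and `^` both resolve to 0.7.29, and `*` to 1.0.0. `auditDependencies()` is the check behind the "drop the tildes and carets" advice: feed it a parsed package.json and it returns every dependency whose range is not an exact pin. A lockfile plus `npm ci` gives the same pinning effect for installs, but the audit is still useful for spotting where a future `npm update` or a fresh `npm install` without a lockfile could drift.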
Info
Channel: Hitesh Choudhary
Views: 35,665
Rating: 4.9355431 out of 5
Keywords: Programming, javascript, npmjs, npm packages, crypto mining, attacks in packages, package.json, npm hacks
Id: gpWMK6la0kU
Length: 10min 37sec (637 seconds)
Published: Thu Nov 11 2021