
Supply Chain

Supply Chain Threats

Supply Chain Attack

Supply Chain Protection

Evaluating NPM package quality:

  • Code quality.
  • Test completeness.
  • Documentation completeness.
  • Engineering completeness (DevOps: CI, release process, lockfile hygiene).
  • Maintainer composition (how many maintainers, whether the project depends on a single person).
  • Compatibility (Node versions, ESM/CJS, platforms).
  • Popularity.
  • Historical bugs.
  • Complexity of reimplementing it yourself.
  • How long it has been in use (age of the package and of the version you pin).
  • The package's own policy for updating its dependency versions.

pnpm workspace config (pnpm-workspace.yaml) to slow down supply chain attacks:

# Refuse to install versions published less than this many minutes ago,
# so a hijacked release has time to be reported and pulled first.
minimumReleaseAge: <duration-in-minutes>

# Packages (optionally pinned to a version) allowed to bypass the age check,
# e.g. an urgent security hotfix you need immediately.
minimumReleaseAgeExclude:
- package-with-critical-hotfix@1.2.3

# Fail the install if a package that was previously published with trusted
# publishing (provenance) is later published without it.
trustPolicy: no-downgrade

# Packages whose trust downgrade is expected, e.g. a legitimate CI/CD migration.
trustPolicyExclude:
- package-that-migrated-cicd@1.2.3

Malicious Package Attack

A package whose name is close to a popular one (e.g. crossenv imitating cross-env) runs a malicious postinstall script during installation that collects the system environment variables, which often hold tokens and credentials.

Malicious Package Protection

  • No typos in package.json: check every dependency name against the package you actually mean (look-alike names are the typosquatting vector).
  • Do not run postinstall scripts from dependencies (npm: --ignore-scripts; pnpm: allow-list build scripts per package, see the config below).
  • Use mature dependency management tools: renovate.
  • Stay alert to security issues:
    • Apply operating system patches.
    • Security tools: npm audit, socket.security.
    • Official advisories.
    • Mailing lists and blogs.
    • Social media.
  • Package integrity check: compute an SRI hash (the same sha384-<base64> format used by lockfile integrity fields) and compare it with the expected value.

cat FILENAME.js | openssl dgst -sha384 -binary | openssl base64 -A

pnpm workspace config (pnpm-workspace.yaml) to control dependency build scripts:

# Fail the install when a dependency has build scripts that are neither
# allowed nor ignored below, instead of silently skipping them.
strictDepBuilds: true

# Dependencies whose install/postinstall scripts are allowed to run.
onlyBuiltDependencies:
- package-with-necessary-build-scripts

# Dependencies whose build scripts are intentionally skipped (silences the warning).
ignoredBuiltDependencies:
- package-with-unnecessary-build-scripts