[
  {
    "start": 0.08,
    "end": 4.0,
    "text": "There's a good chance you already heard or"
  },
  {
    "start": 4.04,
    "end": 7.99,
    "text": "read about the NPM package attacks that"
  },
  {
    "start": 8.039,
    "end": 11.24,
    "text": "happened over the last couple of days,\nover the last week"
  },
  {
    "start": 11.54,
    "end": 14.94,
    "text": "essentially. There have been two major"
  },
  {
    "start": 15.0,
    "end": 18.78,
    "text": "attacks on the NPM package ecosystem"
  },
  {
    "start": 19.36,
    "end": 23.12,
    "text": "where collectively,\npackages with billions of"
  },
  {
    "start": 23.18,
    "end": 27.12,
    "text": "downloads, weekly downloads,\nhave been targeted by"
  },
  {
    "start": 27.2,
    "end": 30.51,
    "text": "attacks that aimed to distribute and"
  },
  {
    "start": 30.68,
    "end": 33.96,
    "text": "deploy malicious code, steal"
  },
  {
    "start": 34.56,
    "end": 38.08,
    "text": "secrets from your machine, for example,\nfrom"
  },
  {
    "start": 38.38,
    "end": 42.17,
    "text": "CI/CD machines, and so on. Now, in case you"
  },
  {
    "start": 42.28,
    "end": 45.66,
    "text": "haven't really heard\nor read about these attacks, I'll briefly"
  },
  {
    "start": 45.7,
    "end": 49.53,
    "text": "summarize what happened but then,\nmore importantly, I"
  },
  {
    "start": 49.54,
    "end": 53.44,
    "text": "wanna dive into what that means for you"
  },
  {
    "start": 53.5,
    "end": 57.4,
    "text": "and me, for us developers,\nbecause this of course is"
  },
  {
    "start": 58.06,
    "end": 61.9,
    "text": "a kind of attack and a scale of attack"
  },
  {
    "start": 61.91,
    "end": 65.9,
    "text": "that's ... well,\nI'm sure it has happened before but it's"
  },
  {
    "start": 65.91,
    "end": 69.81,
    "text": "not something we see every day\nand it has some"
  },
  {
    "start": 69.84,
    "end": 73.78,
    "text": "serious impact on the NPM ecosystem\nand how"
  },
  {
    "start": 73.82,
    "end": 77.73,
    "text": "we as developers should interact with\nthose packages,"
  },
  {
    "start": 77.78,
    "end": 80.69,
    "text": "I'd say. But let's start at the basics."
  },
  {
    "start": 80.74,
    "end": 84.7,
    "text": "It started essentially a week ago with"
  },
  {
    "start": 84.92,
    "end": 88.2,
    "text": "the first big attack which, uh, was less"
  },
  {
    "start": 88.26,
    "end": 90.88,
    "text": "impactful than the second attack to\nwhich I'll get."
  },
  {
    "start": 91.15,
    "end": 95.01,
    "text": "But that first attack essentially worked\nby"
  },
  {
    "start": 95.04,
    "end": 98.78,
    "text": "getting access to an account,\nan NPM account"
  },
  {
    "start": 98.88,
    "end": 102.82,
    "text": "of the maintainer of one NPM package which"
  },
  {
    "start": 102.88,
    "end": 106.54,
    "text": "of course gets used by other packages\nand so on."
  },
  {
    "start": 106.58,
    "end": 110.18,
    "text": "And that attack in the end happened\nthrough a phishing"
  },
  {
    "start": 110.52,
    "end": 113.94,
    "text": "email,\nso they used a phishing email to get"
  },
  {
    "start": 113.96,
    "end": 117.88,
    "text": "access to this package maintainer's NPM\naccount"
  },
  {
    "start": 118.04,
    "end": 121.9,
    "text": "and through that access\nwhich they got successfully, they were"
  },
  {
    "start": 121.94,
    "end": 125.12,
    "text": "then able to deploy a malicious version of\nthat"
  },
  {
    "start": 125.16,
    "end": 128.919,
    "text": "package, a package\nwhich came with some extra"
  },
  {
    "start": 129.08,
    "end": 131.96,
    "text": "code which in the end deployed a"
  },
  {
    "start": 132.46,
    "end": 136.12,
    "text": "cryptocurrency, uh, token stealer."
  },
  {
    "start": 136.16,
    "end": 139.8,
    "text": "So the goal of this attack essentially\nwas to get into"
  },
  {
    "start": 139.86,
    "end": 143.44,
    "text": "packages that are then used on websites to"
  },
  {
    "start": 143.62,
    "end": 147.6,
    "text": "steal cryptocurrency in the end from the\nvisitors of"
  },
  {
    "start": 147.68,
    "end": 150.9,
    "text": "these websites.\nSo the goal of this attack was not"
  },
  {
    "start": 151.53,
    "end": 154.68,
    "text": "to compromise the system"
  },
  {
    "start": 154.82,
    "end": 158.58,
    "text": "of people, of developer, uh,\ndevelopers using"
  },
  {
    "start": 158.64,
    "end": 162.18,
    "text": "that package or of, um, machine"
  },
  {
    "start": 162.24,
    "end": 166.22,
    "text": "CI- CI/CD machines that deploy,"
  },
  {
    "start": 166.34,
    "end": 170.1,
    "text": "uh, applications using that package.\nThat was not the goal of this attack."
  },
  {
    "start": 170.12,
    "end": 173.66,
    "text": "The goal of that attack\nwas to run on websites and to"
  },
  {
    "start": 173.7,
    "end": 177.2,
    "text": "target the users of those websites to\nsteal"
  },
  {
    "start": 177.22,
    "end": 180.95,
    "text": "cryptocurrency, and\nthat wasn't too successful."
  },
  {
    "start": 181.04,
    "end": 184.92,
    "text": "Uh, from what I read, they\nwere able to steal like $1,000"
  },
  {
    "start": 184.98,
    "end": 188.32,
    "text": "or so,\nbut still what this attack shows us, of"
  },
  {
    "start": 188.38,
    "end": 191.7,
    "text": "course, how dangerous using"
  },
  {
    "start": 192.04,
    "end": 195.74,
    "text": "lots of NPM packages can be,\nand I'll get back to that"
  },
  {
    "start": 195.78,
    "end": 199.34,
    "text": "later, and how vulnerable the entire NPM"
  },
  {
    "start": 199.4,
    "end": 202.9,
    "text": "ecosystem can be.\nBecause even though this first"
  },
  {
    "start": 202.98,
    "end": 206.94,
    "text": "attack wasn't too impactful, it was, of"
  },
  {
    "start": 207.0,
    "end": 210.32,
    "text": "course, a successful attack. And the"
  },
  {
    "start": 210.64,
    "end": 214.57,
    "text": "second attack about\nwhich I wanna talk shows us that"
  },
  {
    "start": 214.6,
    "end": 218.54,
    "text": "the threat can be much higher than what"
  },
  {
    "start": 218.58,
    "end": 221.41,
    "text": "resonated or what was done by that first"
  },
  {
    "start": 221.44,
    "end": 225.24,
    "text": "attack. Because that second attack\nwhich happened a"
  },
  {
    "start": 225.3,
    "end": 229.18,
    "text": "couple of days after\nthat first attack which, as far as I know,"
  },
  {
    "start": 229.26,
    "end": 233.22,
    "text": "isn't directly linked to it as it seems,\nbut I'm not 100% sure"
  },
  {
    "start": 233.26,
    "end": 236.8,
    "text": "about that. But that second attack\nwas now not"
  },
  {
    "start": 237.16,
    "end": 241.13,
    "text": "about stealing cryptocurrency.\nThat second attack was about"
  },
  {
    "start": 241.26,
    "end": 244.66,
    "text": "getting on your machine\nor the machines where"
  },
  {
    "start": 244.72,
    "end": 248.0,
    "text": "applications are deployed, CI/CD machines,\nand"
  },
  {
    "start": 248.18,
    "end": 252.0,
    "text": "stealing security credentials,\ncredentials in general,"
  },
  {
    "start": 252.08,
    "end": 256.019,
    "text": "stealing AWS access keys, NPM, uh,"
  },
  {
    "start": 256.079,
    "end": 259.62,
    "text": "access tokens, GitHub access tokens,\nand all"
  },
  {
    "start": 259.7,
    "end": 263.34,
    "text": "kinds of credentials, uh, security keys,\ntokens"
  },
  {
    "start": 263.68,
    "end": 267.49,
    "text": "you might find on those machines. Now\nthat second attack,"
  },
  {
    "start": 268.18,
    "end": 271.48,
    "text": "as it seems, as far as I know, did not"
  },
  {
    "start": 271.6,
    "end": 275.58,
    "text": "start from a phishing,\nfrom a phishing mail but instead"
  },
  {
    "start": 275.66,
    "end": 279.62,
    "text": "from an already compromised, um,\nNPM account from an"
  },
  {
    "start": 279.68,
    "end": 283.42,
    "text": "earlier attack potentially.\nWhatever it was, they were"
  },
  {
    "start": 283.5,
    "end": 287.02,
    "text": "able to publish a new version of a\npackage,"
  },
  {
    "start": 287.08,
    "end": 290.94,
    "text": "ironically of a package\nthat wasn't super actively"
  },
  {
    "start": 291.05,
    "end": 294.75,
    "text": "maintained,\nso that hasn't seen a lot of updates,"
  },
  {
    "start": 294.86,
    "end": 298.73,
    "text": "uh, in, in the past.\nBut they now published a new version of"
  },
  {
    "start": 298.78,
    "end": 302.22,
    "text": "turns out, that package\nwas used by enough other"
  },
  {
    "start": 302.26,
    "end": 306.12,
    "text": "packages to have an impact because this\nsecond attack"
  },
  {
    "start": 306.26,
    "end": 309.72,
    "text": "actually now was not about including some\ncode that"
  },
  {
    "start": 309.8,
    "end": 313.72,
    "text": "runs on the deployed website. Instead,\nthat second attack"
  },
  {
    "start": 313.82,
    "end": 316.84,
    "text": "was about running"
  },
  {
    "start": 316.9,
    "end": 320.81,
    "text": "malicious software in the end,\na malicious script on the"
  },
  {
    "start": 320.86,
    "end": 324.74,
    "text": "machine where that compromised package\nwas used in"
  },
  {
    "start": 324.78,
    "end": 328.68,
    "text": "a build process and then that script would"
  },
  {
    "start": 328.8,
    "end": 332.58,
    "text": "actually search for secrets,\nfor credentials, for"
  },
  {
    "start": 332.68,
    "end": 336.56,
    "text": "access tokens on that machine\nand use those to"
  },
  {
    "start": 336.66,
    "end": 339.95,
    "text": "A, exfiltrate them,\nto share them with the attackers but"
  },
  {
    "start": 340.24,
    "end": 344.22,
    "text": "B, also to spread. So it"
  },
  {
    "start": 344.32,
    "end": 348.16,
    "text": "was a worm. The goal\nwas to then use these access tokens, for"
  },
  {
    "start": 348.2,
    "end": 352.04,
    "text": "example,\nto publish the same malicious software on"
  },
  {
    "start": 352.1,
    "end": 355.82,
    "text": "other packages. So\nif package B used package A which was"
  },
  {
    "start": 355.88,
    "end": 359.78,
    "text": "compromised,\nthen during the build process of package"
  },
  {
    "start": 359.82,
    "end": 363.44,
    "text": "was... the chance that this malicious"
  },
  {
    "start": 363.62,
    "end": 367.58,
    "text": "code, which was in package A,\nwould actually get access to the GitHub"
  },
  {
    "start": 367.64,
    "end": 371.63,
    "text": "repository to the NPM account of package B\nas well and"
  },
  {
    "start": 371.66,
    "end": 375.6,
    "text": "then continue spreading, and that's,\nof course, extremely dangerous and"
  },
  {
    "start": 375.64,
    "end": 379.57,
    "text": "it was and is an extremely dangerous\nattack because of"
  },
  {
    "start": 379.62,
    "end": 383.5,
    "text": "this worm, uh,\nlike behavior of because it was"
  },
  {
    "start": 383.7,
    "end": 387.12,
    "text": "spreading and it was not just stealing\nthose"
  },
  {
    "start": 387.28,
    "end": 391.1,
    "text": "secrets from one affected package,\nbut it was using them to"
  },
  {
    "start": 391.12,
    "end": 394.94,
    "text": "affect more packages. And, therefore,\nthis second attack"
  },
  {
    "start": 395.3,
    "end": 399.02,
    "text": "had a way larger impact than this first"
  },
  {
    "start": 399.12,
    "end": 403.02,
    "text": "attack. Ye-,\nbecause of this worm-like behavior,"
  },
  {
    "start": 403.03,
    "end": 406.13,
    "text": "this attack was able to successfully\ncompromise"
  },
  {
    "start": 406.94,
    "end": 410.569,
    "text": "many hundreds of packages because all\nthese packages, of course,"
  },
  {
    "start": 410.58,
    "end": 414.43,
    "text": "typically depend on each other\nand then you might just be using"
  },
  {
    "start": 414.5,
    "end": 417.98,
    "text": "one of these packages,\nbut because of the packages"
  },
  {
    "start": 418.02,
    "end": 421.67,
    "text": "internally,\nsuddenly you might be affected as"
  },
  {
    "start": 421.72,
    "end": 425.13,
    "text": "well. So how can you find out if you\nare affected?"
  },
  {
    "start": 425.18,
    "end": 428.72,
    "text": "Well, a couple of things. Uh, for one,\nyou should, of"
  },
  {
    "start": 428.78,
    "end": 432.72,
    "text": "course, check whether your projects which"
  },
  {
    "start": 432.8,
    "end": 436.57,
    "text": "you built or where you downloaded, um, new"
  },
  {
    "start": 436.6,
    "end": 440.47,
    "text": "versions of the packages over the last\nweek or so,"
  },
  {
    "start": 440.52,
    "end": 444.1,
    "text": "if these projects use one of those, uh,\nknown"
  },
  {
    "start": 444.26,
    "end": 448.18,
    "text": "compromised packages,\nand I'll put some links below this, uh,"
  },
  {
    "start": 448.22,
    "end": 451.02,
    "text": "this episode, to help you scan for that."
  },
  {
    "start": 451.04,
    "end": 454.42,
    "text": "So that's, of course, one thing, and\nwhen you look for these packages,"
  },
  {
    "start": 454.54,
    "end": 458.5,
    "text": "not look in your package lock, uh,\nin your package.json file, but in your"
  },
  {
    "start": 458.56,
    "end": 460.81,
    "text": "package-lock.json file because that"
  },
  {
    "start": 460.92,
    "end": 464.82,
    "text": "package-lock.json file,\nthat's actually the file that"
  },
  {
    "start": 464.86,
    "end": 468.7,
    "text": "lists all the packages used in your\nproject, including the packages used"
  },
  {
    "start": 468.74,
    "end": 472.36,
    "text": "by packages and it shows you the exact\nversions used"
  },
  {
    "start": 472.46,
    "end": 476.06,
    "text": "there, which allows you to find out\nthat if you are using one of the"
  },
  {
    "start": 476.1,
    "end": 479.84,
    "text": "compromised packages,\nif you're using one of the compromised"
  },
  {
    "start": 480.04,
    "end": 482.44,
    "text": "versions, which, of course,\nis an important information."
  },
  {
    "start": 482.46,
    "end": 486.32,
    "text": "So that's one thing to do. Uh,\nin addition,"
  },
  {
    "start": 486.66,
    "end": 489.3,
    "text": "due to how that attack worked,\nit seems that it"
  },
  {
    "start": 489.36,
    "end": 492.42,
    "text": "exfiltrated, uh, those stolen secrets"
  },
  {
    "start": 493.08,
    "end": 496.94,
    "text": "mainly by creating a new public GitHub\nrepository in"
  },
  {
    "start": 496.98,
    "end": 500.71,
    "text": "your account if you are affected, uh,\nwhich had this"
  },
  {
    "start": 500.76,
    "end": 503.74,
    "text": "name, uh, I, I keep on forgetting it,"
  },
  {
    "start": 503.75,
    "end": 507.58,
    "text": "Shai-Hulud, which had this name.\nSo you wanna check for"
  },
  {
    "start": 507.64,
    "end": 511.539,
    "text": "that and you wanna check your GitHub\nsecurity logs, to which you also find a"
  },
  {
    "start": 511.58,
    "end": 515.22,
    "text": "link below,\nyou can use it for your account to check"
  },
  {
    "start": 515.319,
    "end": 518.88,
    "text": "any action related to creating such a\nrepository or"
  },
  {
    "start": 518.94,
    "end": 522.799,
    "text": "switching one of your existing private\nrepositories to public because that's"
  },
  {
    "start": 522.88,
    "end": 525.28,
    "text": "also something this attack did and so on."
  },
  {
    "start": 525.3,
    "end": 529.13,
    "text": "So these are steps you should take\nand again you'll find more detailed"
  },
  {
    "start": 529.2,
    "end": 532.84,
    "text": "resources below. That's one thing that"
  },
  {
    "start": 532.92,
    "end": 536.56,
    "text": "you should do right now if you fear\nthat you might be"
  },
  {
    "start": 536.6,
    "end": 540.44,
    "text": "affected. But, of course, this attack also"
  },
  {
    "start": 540.92,
    "end": 544.84,
    "text": "brings up the question,\nwhat can we do to mitigate such"
  },
  {
    "start": 545.12,
    "end": 547.81,
    "text": "attacks or to prevent such attacks in the\nfirst place?"
  },
  {
    "start": 547.92,
    "end": 551.68,
    "text": "Of course, that's a pretty big thing"
  },
  {
    "start": 551.72,
    "end": 555.569,
    "text": "with m- with many building blocks because,\nof course, it all starts with"
  },
  {
    "start": 555.6,
    "end": 559.46,
    "text": "making sure that if you're a package\nmaintainer that your NPM and"
  },
  {
    "start": 559.48,
    "end": 563.449,
    "text": "GitHub accounts are secure and\nare not easily compromised by"
  },
  {
    "start": 563.5,
    "end": 567.48,
    "text": "using two-factor authentication,\nthough even that is not a"
  },
  {
    "start": 567.6,
    "end": 571.48,
    "text": "100% guarantee because with phishing there\nare ways of getting"
  },
  {
    "start": 571.58,
    "end": 574.81,
    "text": "around that too with social engineering\nand so on, but it is, of course,"
  },
  {
    "start": 574.84,
    "end": 578.34,
    "text": "important.\nThere are a couple of steps you can take"
  },
  {
    "start": 578.38,
    "end": 582.16,
    "text": "maintainer to help reduce"
  },
  {
    "start": 582.22,
    "end": 586.08,
    "text": "the,\nthe risk of becoming a spreader of"
  },
  {
    "start": 586.14,
    "end": 590.08,
    "text": "software, but, of course, you and me,\nyou might primarily"
  },
  {
    "start": 590.22,
    "end": 594.08,
    "text": "be users of packages, uh, and, therefore,\nthe question is what"
  },
  {
    "start": 594.14,
    "end": 597.3,
    "text": "can we do? And it starts with"
  },
  {
    "start": 597.44,
    "end": 601.319,
    "text": "limiting the number of packages you're\nusing, I'd"
  },
  {
    "start": 601.36,
    "end": 604.76,
    "text": "say.\nI'll get to some other recommendations as"
  },
  {
    "start": 604.819,
    "end": 608.7,
    "text": "recommendation I haven't seen enough in\nall those blog"
  },
  {
    "start": 608.78,
    "end": 612.74,
    "text": "posts and articles\nand so on I read because there is a"
  },
  {
    "start": 612.78,
    "end": 616.5,
    "text": "tendency for some developers at least to"
  },
  {
    "start": 616.62,
    "end": 620.41,
    "text": "use too many packages. Um,"
  },
  {
    "start": 620.62,
    "end": 622.98,
    "text": "y- uh, it... and I get it.\nIt's convenient, right?"
  },
  {
    "start": 623.079,
    "end": 626.64,
    "text": "Um,\nyou can solve a lot of problems you might"
  },
  {
    "start": 626.66,
    "end": 630.1,
    "text": "during the development process by bringing\nin a"
  },
  {
    "start": 630.18,
    "end": 633.16,
    "text": "package that does what you're looking for."
  },
  {
    "start": 633.26,
    "end": 637.2,
    "text": "Um,\ninstead of writing your own code to solve"
  },
  {
    "start": 637.22,
    "end": 639.06,
    "text": "in a package and you're done with it."
  },
  {
    "start": 639.079,
    "end": 643.04,
    "text": "And, of course, for certain tasks,\nthat makes sense."
  },
  {
    "start": 643.12,
    "end": 646.579,
    "text": "You're using React because you want a\npackage"
  },
  {
    "start": 646.66,
    "end": 650.319,
    "text": "that, uh,\nmakes it way easier to reactively"
  },
  {
    "start": 650.38,
    "end": 654.1,
    "text": "update the DOM and build highly\ninteractive, uh,"
  },
  {
    "start": 654.12,
    "end": 657.66,
    "text": "browser-based web applications, so yeah,\nyou wanna use"
  },
  {
    "start": 657.78,
    "end": 661.569,
    "text": "React probably. For authentication,\nyou probably..."
  },
  {
    "start": 661.6,
    "end": 665.02,
    "text": "you'll wanna use a package.\nFor your backend framework, you"
  },
  {
    "start": 665.06,
    "end": 669.02,
    "text": "probably wanna use a library. So we"
  },
  {
    "start": 669.1,
    "end": 672.56,
    "text": "all use them, of course. We, uh,\nwe all probably"
  },
  {
    "start": 672.8,
    "end": 676.78,
    "text": "rarely build web applications totally from\nscratch with"
  },
  {
    "start": 676.86,
    "end": 680.8,
    "text": "just HTML, CSS, and JavaScript\nand no packages, though"
  },
  {
    "start": 680.81,
    "end": 684.29,
    "text": "that is actually a valid strategy for\ncertain kinds of sites and"
  },
  {
    "start": 684.38,
    "end": 687.14,
    "text": "applications. Just saying. But yeah,\nwe all use"
  },
  {
    "start": 687.18,
    "end": 690.62,
    "text": "packages.\nBut do you really need a package for"
  },
  {
    "start": 690.68,
    "end": 693.98,
    "text": "checking whether a number is odd or even?"
  },
  {
    "start": 695.06,
    "end": 698.78,
    "text": "Not sure about that. And, of course,\nthat's an extreme example, but you get"
  },
  {
    "start": 698.819,
    "end": 702.34,
    "text": "my point. Especially now with AI"
  },
  {
    "start": 702.42,
    "end": 706.4,
    "text": "available,\nit's so easy to quickly generate"
  },
  {
    "start": 706.48,
    "end": 710.34,
    "text": "code for problems you might not"
  },
  {
    "start": 710.44,
    "end": 714.42,
    "text": "know the solution immediately,\nlike let's say you need to invert"
  },
  {
    "start": 714.48,
    "end": 718.22,
    "text": "a binary tree,\nnot something you need to do every day,"
  },
  {
    "start": 718.23,
    "end": 721.62,
    "text": "applications, in most applications,\nbut let's say you, you want"
  },
  {
    "start": 721.68,
    "end": 725.66,
    "text": "some efficient algorithm for searching\nor for inverting a"
  },
  {
    "start": 725.68,
    "end": 729.5,
    "text": "binary tree,\nwhatever. If you need to do something like"
  },
  {
    "start": 729.6,
    "end": 733.4,
    "text": "can bring in a package\nthat does it for you, you can sit"
  },
  {
    "start": 733.44,
    "end": 737.0,
    "text": "down and try to learn the algorithm\nand write it from scratch,"
  },
  {
    "start": 737.02,
    "end": 740.6,
    "text": "good exercise,\nor you can use AI to generate it because"
  },
  {
    "start": 740.66,
    "end": 743.859,
    "text": "exactly the kind of tasks that\nare super easy for"
  },
  {
    "start": 743.92,
    "end": 747.72,
    "text": "AI. Now I will say, AI-generated code is"
  },
  {
    "start": 747.76,
    "end": 751.54,
    "text": "not necessarily secure\nand AI also sometimes"
  },
  {
    "start": 751.6,
    "end": 754.24,
    "text": "wants to bring in extra packages,\npackages."
  },
  {
    "start": 754.28,
    "end": 758.0,
    "text": "It can be lazy too. But still, uh, y- you"
  },
  {
    "start": 758.12,
    "end": 761.92,
    "text": "really can write more code on your own\nor with help of AI than you might"
  },
  {
    "start": 761.98,
    "end": 765.24,
    "text": "think. So,\nthat's really one thing that's important"
  },
  {
    "start": 765.3,
    "end": 769.21,
    "text": "because there is this tendency f- by,\nfor some developers at least,"
  },
  {
    "start": 769.24,
    "end": 772.98,
    "text": "to solve everything by adding a new\npackage, a new library,"
  },
  {
    "start": 773.04,
    "end": 775.78,
    "text": "and I would"
  },
  {
    "start": 775.84,
    "end": 779.0,
    "text": "recommend to try as few"
  },
  {
    "start": 779.28,
    "end": 782.96,
    "text": "packages as possible. That\nis something I've done for"
  },
  {
    "start": 783.3,
    "end": 785.96,
    "text": "years. I like the challenge of"
  },
  {
    "start": 786.18,
    "end": 789.92,
    "text": "using, yeah, not a lot of packages, not a"
  },
  {
    "start": 789.96,
    "end": 793.79,
    "text": "lot of libraries.\nI like the challenge of solving problems"
  },
  {
    "start": 793.82,
    "end": 796.72,
    "text": "Now with AI, that's even easier.\nBut of course, I'm also using"
  },
  {
    "start": 796.76,
    "end": 800.66,
    "text": "packages. And if, due to how those"
  },
  {
    "start": 800.7,
    "end": 804.62,
    "text": "packages work,\nthat they all have their own dependencies,"
  },
  {
    "start": 804.66,
    "end": 808.46,
    "text": "would get affected by, uh,\na worm like this, then we're, of"
  },
  {
    "start": 808.54,
    "end": 812.4,
    "text": "course, all in trouble. Uh,\nI don't even wanna think about that"
  },
  {
    "start": 812.5,
    "end": 816.32,
    "text": "happening.\nThat would probably affect hundreds of"
  },
  {
    "start": 816.38,
    "end": 820.1,
    "text": "millions of machines\nif such a package would get"
  },
  {
    "start": 820.16,
    "end": 823.84,
    "text": "compromised. But yeah.\nSo limiting the number of packages you"
  },
  {
    "start": 823.94,
    "end": 827.78,
    "text": "use is a good idea.\nAnother thing you might wanna consider"
  },
  {
    "start": 827.79,
    "end": 831.65,
    "text": "doing is fix your dependency"
  },
  {
    "start": 831.72,
    "end": 835.37,
    "text": "versions.\nAnd I'm not necessarily doing that."
  },
  {
    "start": 835.42,
    "end": 838.3,
    "text": "I'll be 100% honest here.\nI should be doing it."
  },
  {
    "start": 838.38,
    "end": 841.58,
    "text": "I will be doing it in the future.\nI haven't done it, but"
  },
  {
    "start": 842.68,
    "end": 845.9,
    "text": "I've read it a lot related to these\nattacks and, of course, it makes"
  },
  {
    "start": 845.98,
    "end": 849.46,
    "text": "sense. We typically fix the major"
  },
  {
    "start": 849.74,
    "end": 853.67,
    "text": "versions of our packages.\nMaybe also the minor versions, but"
  },
  {
    "start": 853.76,
    "end": 857.13,
    "text": "not the patch versions.\nSo in case you don't know, um, many"
  },
  {
    "start": 857.179,
    "end": 860.249,
    "text": "packages, or actually, well,\npretty much all these"
  },
  {
    "start": 860.28,
    "end": 864.1,
    "text": "packages, um, on NPM have, like, a major,\na"
  },
  {
    "start": 864.12,
    "end": 867.88,
    "text": "minor,\nand a patch version number in their"
  },
  {
    "start": 867.9,
    "end": 871.64,
    "text": "number and depending on how you configured\nyour package"
  },
  {
    "start": 871.68,
    "end": 875.24,
    "text": "JSON file when you run NPM install\nand so on, you"
  },
  {
    "start": 875.34,
    "end": 878.62,
    "text": "either download a very specific version\nor the latest"
  },
  {
    "start": 878.98,
    "end": 882.58,
    "text": "patch or the latest minor\nor even the latest major"
  },
  {
    "start": 882.62,
    "end": 886.48,
    "text": "version. And in theory, it makes sense to"
  },
  {
    "start": 886.58,
    "end": 890.19,
    "text": "always download the latest patch version\nbecause"
  },
  {
    "start": 890.22,
    "end": 894.15,
    "text": "patch versions,\ndepending on how the maintainer handles"
  },
  {
    "start": 894.2,
    "end": 897.27,
    "text": "in theory,\nthey don't change the fundamental"
  },
  {
    "start": 897.82,
    "end": 901.42,
    "text": "nature or behavior of a package.\nThey don't have breaking changes"
  },
  {
    "start": 901.46,
    "end": 905.02,
    "text": "they fix security issues\nor performance issues and so on."
  },
  {
    "start": 905.08,
    "end": 909.02,
    "text": "So in theory,\nyou wanna stay up to date with patches,"
  },
  {
    "start": 909.1,
    "end": 912.94,
    "text": "but in reality,\nas attacks like this show us,"
  },
  {
    "start": 913.0,
    "end": 916.71,
    "text": "was spread through a patch update,\nwe might"
  },
  {
    "start": 916.78,
    "end": 919.77,
    "text": "not want to automatically use patch\nversions either."
  },
  {
    "start": 919.82,
    "end": 923.32,
    "text": "We might want to fix our versions\nand then deliberately"
  },
  {
    "start": 923.42,
    "end": 927.38,
    "text": "choose to update our version numbers after\ncarefully"
  },
  {
    "start": 927.46,
    "end": 931.28,
    "text": "making sure that the new version is safe,\nnot just from a b- breaking"
  },
  {
    "start": 931.3,
    "end": 934.98,
    "text": "change or performance perspective,\nbut also from a security perspective."
  },
  {
    "start": 935.02,
    "end": 938.98,
    "text": "It is more work, but how much work\nis it to"
  },
  {
    "start": 939.04,
    "end": 942.66,
    "text": "clean up a compromised system,\nto rotate all your,"
  },
  {
    "start": 942.76,
    "end": 946.28,
    "text": "uh, compromised tokens and credentials and"
  },
  {
    "start": 946.34,
    "end": 950.0,
    "text": "mitigate that, uh, uh, that danger and,"
  },
  {
    "start": 950.08,
    "end": 953.7,
    "text": "uh, that damage that was done? So yeah,\nthat's one"
  },
  {
    "start": 953.78,
    "end": 957.57,
    "text": "thing. Uh,\nif you're using PNPM as a package manager,"
  },
  {
    "start": 957.62,
    "end": 961.34,
    "text": "example, which I don't,\nyou can even set a certain"
  },
  {
    "start": 961.64,
    "end": 965.48,
    "text": "setting, the minimum release age setting,\nto make sure that"
  },
  {
    "start": 965.54,
    "end": 969.52,
    "text": "you do, for example,\nautomatically download patch versions."
  },
  {
    "start": 969.56,
    "end": 973.04,
    "text": "But that the package has to be a"
  },
  {
    "start": 973.1,
    "end": 976.86,
    "text": "minimum number of, uh, days old, uh,"
  },
  {
    "start": 976.98,
    "end": 980.9,
    "text": "for example. So that you make sure\nthat you're"
  },
  {
    "start": 981.02,
    "end": 984.74,
    "text": "not downloading patch versions on day one,\na couple of hours"
  },
  {
    "start": 984.84,
    "end": 988.819,
    "text": "after they were released.\nBecause with those attacks that happened,"
  },
  {
    "start": 988.939,
    "end": 992.79,
    "text": "was that they had a relatively small\nattack window."
  },
  {
    "start": 992.9,
    "end": 996.42,
    "text": "The attack, thankfully,\nwas detected quite quickly and"
  },
  {
    "start": 996.46,
    "end": 1000.41,
    "text": "those compromised versions\nwere unpublished, so the window of"
  },
  {
    "start": 1000.44,
    "end": 1004.34,
    "text": "attack was relatively small but big"
  },
  {
    "start": 1004.36,
    "end": 1007.62,
    "text": "enough to affect many, many machines."
  },
  {
    "start": 1007.64,
    "end": 1011.62,
    "text": "Now if you were to set a minimum, uh,\nrelease age,"
  },
  {
    "start": 1011.64,
    "end": 1015.22,
    "text": "which again, is available with PNPM,\nbut to my knowledge not with"
  },
  {
    "start": 1015.3,
    "end": 1019.25,
    "text": "NPM right now, if you\nwere to use this setting,"
  },
  {
    "start": 1019.28,
    "end": 1023.16,
    "text": "or with more safety I should say, uh,\nauto-update"
  },
  {
    "start": 1023.38,
    "end": 1027.29,
    "text": "for new patch versions and so on.\nBut you would make sure that you only"
  },
  {
    "start": 1027.3,
    "end": 1031.03,
    "text": "do it after a couple of days to make sure\nthat others have"
  },
  {
    "start": 1031.099,
    "end": 1035.079,
    "text": "tested the water first\nand potential security issues might've"
  },
  {
    "start": 1035.119,
    "end": 1038.619,
    "text": "been detected. It's not a guarantee,\nbut it's an additional, uh,"
  },
  {
    "start": 1039.079,
    "end": 1042.68,
    "text": "step to make your environment more secure"
  },
  {
    "start": 1042.8,
    "end": 1046.38,
    "text": "and it allows you to still auto-update,\num, for"
  },
  {
    "start": 1046.46,
    "end": 1049.579,
    "text": "example.\nSo that's another thing you might wanna"
  },
  {
    "start": 1049.62,
    "end": 1053.58,
    "text": "consider.\nNow another thing you should think"
  },
  {
    "start": 1053.68,
    "end": 1057.3,
    "text": "about or you should do in general,\nto be very honest,"
  },
  {
    "start": 1057.4,
    "end": 1060.8,
    "text": "is limit the scope of your access"
  },
  {
    "start": 1060.86,
    "end": 1064.28,
    "text": "tokens and credentials. It is, of course,\nsuper"
  },
  {
    "start": 1064.34,
    "end": 1068.24,
    "text": "convenient to always create access tokens\nthat have full"
  },
  {
    "start": 1068.4,
    "end": 1071.84,
    "text": "access to everything. Like,\nlet's talk about AWS."
  },
  {
    "start": 1071.88,
    "end": 1075.07,
    "text": "If you run some deployment"
  },
  {
    "start": 1075.14,
    "end": 1078.76,
    "text": "process that also uses AWS or the"
  },
  {
    "start": 1078.8,
    "end": 1082.7,
    "text": "deployed app is using AWS and therefore\nis part of the,"
  },
  {
    "start": 1082.71,
    "end": 1086.68,
    "text": "uh, build process, you\nare exposing your AWS access"
  },
  {
    "start": 1086.72,
    "end": 1090.71,
    "text": "key and your credentials to the build\nprocess to c- bake it into"
  },
  {
    "start": 1090.74,
    "end": 1094.308,
    "text": "the built application, so to say. It is,\nof course, convenient to have an"
  },
  {
    "start": 1094.348,
    "end": 1097.948,
    "text": "AWS access token\nthat gives the application admin"
  },
  {
    "start": 1098.068,
    "end": 1101.728,
    "text": "access to all your AWS resources because\nit's your code, right?"
  },
  {
    "start": 1101.768,
    "end": 1105.668,
    "text": "What could go wrong? Well,\nsomething like this attack could go wrong."
  },
  {
    "start": 1105.728,
    "end": 1109.548,
    "text": "If that AWS token is ever stolen, like"
  },
  {
    "start": 1109.608,
    "end": 1113.378,
    "text": "it could be through that attack,\nthen you're in huge"
  },
  {
    "start": 1113.448,
    "end": 1117.408,
    "text": "trouble.\nYou have a token out there in the wild"
  },
  {
    "start": 1117.448,
    "end": 1120.918,
    "text": "attackers full access to your AWS account,\nand that's just one"
  },
  {
    "start": 1120.928,
    "end": 1123.828,
    "text": "example. It's the same, of course,\nfor the other cloud providers."
  },
  {
    "start": 1123.868,
    "end": 1127.477,
    "text": "It's the same for AI tokens. I mean,\nthink of, um,"
  },
  {
    "start": 1127.528,
    "end": 1131.168,
    "text": "some malicious actor stealing your OpenAI"
  },
  {
    "start": 1131.348,
    "end": 1135.228,
    "text": "access token and then using AI, uh,\nand you're paying the"
  },
  {
    "start": 1135.248,
    "end": 1139.108,
    "text": "bill. Of course,\nyou might have some limits in place there,"
  },
  {
    "start": 1139.188,
    "end": 1142.408,
    "text": "that is not a lot of fun. So as a best"
  },
  {
    "start": 1142.508,
    "end": 1146.428,
    "text": "practice,\nyou should really try to limit the scope"
  },
  {
    "start": 1146.488,
    "end": 1149.628,
    "text": "of those access tokens and credentials\nif it's possible."
  },
  {
    "start": 1149.688,
    "end": 1153.438,
    "text": "Not all providers,\nnot all services give you a lot of"
  },
  {
    "start": 1153.588,
    "end": 1156.888,
    "text": "options there, but many do, and if you're,\nfor example, building an"
  },
  {
    "start": 1156.947,
    "end": 1160.138,
    "text": "application that only needs to send email\nthrough"
  },
  {
    "start": 1160.188,
    "end": 1164.028,
    "text": "AWS, then your AWS access token should"
  },
  {
    "start": 1164.088,
    "end": 1167.608,
    "text": "only have access for exactly this action,\nto"
  },
  {
    "start": 1167.668,
    "end": 1171.588,
    "text": "exactly this action. Now, in case of AWS"
  },
  {
    "start": 1171.628,
    "end": 1175.128,
    "text": "and also other services, there\nare even better ways than using an access"
  },
  {
    "start": 1175.208,
    "end": 1179.008,
    "text": "token in the first place. You can get"
  },
  {
    "start": 1179.088,
    "end": 1183.048,
    "text": "short-lived credentials there as well, uh,\nbut that is"
  },
  {
    "start": 1183.068,
    "end": 1186.688,
    "text": "beyond the scope of this video. You,\nof course, might wanna look into"
  },
  {
    "start": 1186.908,
    "end": 1190.828,
    "text": "such solutions as well\nif you're using a service like AWS that"
  },
  {
    "start": 1190.928,
    "end": 1194.568,
    "text": "offers even more secure ways of accessing\nit"
  },
  {
    "start": 1194.868,
    "end": 1196.708,
    "text": "than those general access tokens."
  },
  {
    "start": 1196.728,
    "end": 1200.548,
    "text": "But if we're talking about access tokens\nand credentials, limiting the scope"
  },
  {
    "start": 1200.888,
    "end": 1204.248,
    "text": "is definitely something you might wanna\ndo."
  },
  {
    "start": 1204.288,
    "end": 1208.118,
    "text": "And th- of course, if you\nare affected by the attack, by the way,"
  },
  {
    "start": 1208.148,
    "end": 1211.118,
    "text": "you wanna rotate all your tokens\nand all your credentials."
  },
  {
    "start": 1211.128,
    "end": 1215.038,
    "text": "You wanna change them all because you have\nto consider them"
  },
  {
    "start": 1215.088,
    "end": 1218.128,
    "text": "compromised. That's, of course, clear."
  },
  {
    "start": 1218.148,
    "end": 1222.048,
    "text": "Well, and that's in the end it for my two"
  },
  {
    "start": 1222.128,
    "end": 1225.948,
    "text": "cents on the attack here.\nThe most important"
  },
  {
    "start": 1226.088,
    "end": 1229.988,
    "text": "takeaway I have from this attack\nis really the part"
  },
  {
    "start": 1230.048,
    "end": 1233.648,
    "text": "with scoping your tokens,\nlimiting the scope, I mean,"
  },
  {
    "start": 1235.188,
    "end": 1239.068,
    "text": "not automatically updating to the latest\npatch versions all the time"
  },
  {
    "start": 1239.148,
    "end": 1242.588,
    "text": "automatically,\nand maybe my very most important"
  },
  {
    "start": 1242.648,
    "end": 1245.728,
    "text": "point, not using too many packages."
  },
  {
    "start": 1245.768,
    "end": 1249.608,
    "text": "That is, of course,\nthe best line of defense here because what"
  },
  {
    "start": 1249.688,
    "end": 1253.188,
    "text": "us is how vulnerable this entire"
  },
  {
    "start": 1253.268,
    "end": 1256.568,
    "text": "JavaScript ecosystem is. If one"
  },
  {
    "start": 1256.648,
    "end": 1260.148,
    "text": "package that's used by enough other\npackages gets compromised and"
  },
  {
    "start": 1260.348,
    "end": 1263.948,
    "text": "acts as a worm,\nas it happened in the second attack,"
  },
  {
    "start": 1263.988,
    "end": 1267.708,
    "text": "then we can quickly have a spreading\nwildfire that's very"
  },
  {
    "start": 1267.828,
    "end": 1271.688,
    "text": "hard to contain and\nthat can quickly affect millions or even"
  },
  {
    "start": 1271.728,
    "end": 1275.608,
    "text": "billions of machines, um, be that"
  },
  {
    "start": 1275.668,
    "end": 1279.408,
    "text": "your laptop or the machine in the cloud\nwhere you deploy or build your"
  },
  {
    "start": 1279.448,
    "end": 1283.328,
    "text": "application. And that, of course, is"
  },
  {
    "start": 1283.348,
    "end": 1286.288,
    "text": "an unbelievably huge threat."
  },
  {
    "start": 1287.108,
    "end": 1290.948,
    "text": "So yeah,\nthat is something we should all consider"
  },
  {
    "start": 1290.988,
    "end": 1294.868,
    "text": "these attacks have shown us.\nWe should make"
  },
  {
    "start": 1294.908,
    "end": 1298.658,
    "text": "sure that we ramp up our, um,"
  },
  {
    "start": 1298.688,
    "end": 1302.438,
    "text": "protection, our mitigation strategies,\nthat we make sure that"
  },
  {
    "start": 1302.468,
    "end": 1306.448,
    "text": "we, uh, limit the, the danger we face on"
  },
  {
    "start": 1306.508,
    "end": 1310.228,
    "text": "our machines or, uh,\nregarding to our credentials and so on."
  },
  {
    "start": 1310.308,
    "end": 1314.188,
    "text": "And, uh, yeah,\nlet me know what you think of that,"
  },
  {
    "start": 1314.208,
    "end": 1318.138,
    "text": "also want me to mention. As I mentioned,\nI'll put some important links, um,"
  },
  {
    "start": 1318.328,
    "end": 1321.848,
    "text": "in the description, and, uh, yeah,\nI'll see you in the next video."
  },
  {
    "start": 1321.888,
    "end": 1322.428,
    "text": "Bye."
  }
]