This isn't a story about NPM even though it's inspired by NPM. Twice. The maintainer of the "colors" NPM library intentionally changed the library's behavior from its expected functionality to printing garbage messages. The library was exhibiting the type of malicious activity that typically comes from a compromised package. Only this time users of the library, which easily number in the thousands, discovered this was sabotage by the package maintainer himself. This opens up a broader discussion on supply chain security than just provenance. How do we ensure open source tools receive the investments they need -- security or otherwise? For that matter, how do we ensure internal tools receive the investments they need? Log4j was just one recent example of seeing old code appear in surprising places.

 

Scams and security flaws in (so-called) web3 and when decentralization looks centralized, SSRF from a URL parsing problem, vuln in AWS Glue, 10 vulns used for CI/CD compromises!

 

Show Notes: https://securityweekly.com/asw180

Segment resources:

- https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/

- https://www.zdnet.com/article/when-open-source-developers-go-bad/

- https://www.zdnet.com/article/log4j-after-white-house-meeting-google-calls-for-list-of-critical-open-source-projects/

- https://www.theregister.com/2022/01/17/open_source_closed_wallets_big/

- https://blog.google/technology/safety-security/making-open-source-software-safer-and-more-secure/

- https://docs.linuxfoundation.org/lfx/security/onboarding-your-project

- https://arstechnica.com/information-technology/2016/03/rage-quit-coder-unpublished-17-lines-of-javascript-and-broke-the-internet/

 

Visit https://www.securityweekly.com/asw for all the latest episodes!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly