I’ve learned a long time ago that not all security research pans out with a stack of vulnerabilities but every time I venture down a rabbit hole I learn something along the way. This is one of those times. During a recent assessment ^Lift team member Jon Lamendola found an…

The Node Security team is excited to announce version 3.0.0 of the nsp CLI tool. Get it by running npm i nsp@next This release marks the 3rd major iteration of the CLI. While the changes mentioned below may seem minor the entire CLI was re-written from the ground up by…

Recently there were a large number of regular expression denial of service ( ReDoS ) vulnerabilities released to the public via GitHub issues. These issues don’t have patches but many of the maintainers are welcoming pull requests. I’m writing to ask the community for some help. …

Before you read this post please run git --version and if it’s not 2.14.1 or greater then please go upgrade it. In this post we are going to explore abusing the recently published git ssh:// url vulnerability inside of a package.json to execute commands during the npm install process. How…

The Practical Developer #DevDiscuss tonight got me thinking about mentorship and how it’s impacted my life. It doesn’t fit in a tweet or a thread of tweets so you get the story about how a mentorship gave me my entire career in security. …

As a startup, where might your organization get the biggest bang for your buck when it comes to security? Consider this controversial thought: Your founders — CEOs, CTOs — are very likely your organization’s greatest security risk. There are few things that better predict an organization’s likelihood of a massive security breach than founders’ knowledge, priorities, and willingness to put in the effort to…

Today marks the 4th birthday of the Node Security Project. During that time we accomplished a lot, failed more than a few times, and inspired many developers to make security an important part of their discipline. …

Earlier this week Zach Grace published an article on one way that you could backdoor a Node.js Express application without touching disk. This jogged my memory of something I posted in our team’s chat this last week but never wrote about; how I would in memory backdoor an express application…

Just before the New Years I published 140+ advisories on Node.js modules. I’ve been researching ways to compromise developers & node.js applications without compromising the npm registry or their CDN. To start, I looked for modules with install hooks that downloaded and executed or used resources from the internet over…