Presented at
DEF CON 33 (2025),
Aug. 8, 2025, 9 a.m.
(240 minutes).
Software supply chain attacks are out of control! Between 2019 and 2023 software supply chain attacks increased by more than 740% year on year. Things have only gotten worse since then, with attacks like Bybit, Ultralytics, LottieFiles, Polyfills, and of course XZ utils happening in the last 18 months. But how are these supply chain attacks delivered? Often, the attack starts with a malicious npm package.
According to Sonatype, 98.5% of malicious software packages exist in the npm registry. There are several reasons that npm is particularly well suited for delivering malware, and that's why I chose to focus just on npm for this 4 hour workshop.
This hands-on workshop will teach both software engineers, and infosec practitioners how npm malware works. We’ll learn what makes npm malware unique from other software package malware, and how the author has been using his knowledge of npm malware in his research, and to deliver unique offensive security engagements. Most importantly how to identify, analyze, create and defend against malicious NPM packages in this workshop.
The trainer for this workshop, Paul McCarty, is literally writing the book on the subject “Hacking npm”, so he will drop lots of in-depth, never before seen npm techniques.
Presenters:
-
Paul "6mile" McCarty
- Head of Research at Safety
Paul is the Head of Research at Safety (safetycli.com) and a DevSecOps OG. He loves software supply chain research and delivering supply chain offensive security training and engagements. He's spent the last two years deep-diving into npm and has made several discoveries about the ecosystem. Paul founded multiple startups starting in the '90s, with UtahConnect, SecureStack in 2017, and SourceCodeRED in 2023. Paul has worked for NASA, Boeing, Blue Cross/Blue Shield, John Deere, the US military, the Australian government and several startups over the last 30 years. Paul is a frequent open-source contributor and author of several DevSecOps, software supply chain and threat modelling projects. He’s currently writing a book entitled “Hacking NPM”, and when he’s not doing that, he’s snowboarding with his wife and 3 amazing kids.
Similar Presentations: