Show HN: 在发布到 NPM 之前,将这段 Markdown 给你的代码代理

1作者: freakynit大约 2 个月前
<a href="https://npm-supply-chain-attack-techniques.pagey.site/attack-techniques-context.md" rel="nofollow">https://npm-supply-chain-attack-techniques.pagey.site/attack...</a> 网站:<a href="https://npm-supply-chain-attack-techniques.pagey.site" rel="nofollow">https://npm-supply-chain-attack-techniques.pagey.site</a> 本文涵盖了过去一年中用于对 npm 软件包进行各种攻击的所有技术。在发布之前,请使用它来彻底审查您的项目。 涵盖的漏洞利用及缓解措施: 1. 维护者账户接管和恶意发布 2. 生命周期钩子执行 3. 自我复制的 npm 蠕虫 4. CI/CD 身份平面攻击 5. 基于 Git 的依赖项走私 6. 远程动态依赖项 7. 通过 npm 和软件包 CDN 托管的钓鱼基础设施 8. 凭证和密钥窃取 9. 数据渗出和死信通道 10. 持久性和反取证 11. 混淆和有效载荷打包 12. 软件包命名和发现滥用
查看原文
<a href="https:&#x2F;&#x2F;npm-supply-chain-attack-techniques.pagey.site&#x2F;attack-techniques-context.md" rel="nofollow">https:&#x2F;&#x2F;npm-supply-chain-attack-techniques.pagey.site&#x2F;attack...</a><p>Website: <a href="https:&#x2F;&#x2F;npm-supply-chain-attack-techniques.pagey.site" rel="nofollow">https:&#x2F;&#x2F;npm-supply-chain-attack-techniques.pagey.site</a><p>This covers all techniques used in past 1 year to conduct various attacks on npm packages. Use it to get your project reviewed thoroughly before publishing.<p>Exploits covered with mitigation information:<p>1. Maintainer Account Takeover and Malicious Publish<p>2. Lifecycle Hook Execution<p>3. Self-Replicating npm Worms<p>4. CI&#x2F;CD Identity Plane Attacks<p>5. Git-Based Dependency Smuggling<p>6. Remote Dynamic Dependencies<p>7. Phishing Infrastructure Hosted Through npm and Package CDNs<p>8. Credential and Secret Harvesting<p>9. Exfiltration and Dead-Drop Channels<p>10. Persistence and Anti-Forensics<p>11. Obfuscation and Payload Packaging<p>12. Package Naming and Discovery Abuse