Show HN: 在发布到 NPM 之前,将这段 Markdown 给你的代码代理
1 分•作者: freakynit•大约 2 个月前
<a href="https://npm-supply-chain-attack-techniques.pagey.site/attack-techniques-context.md" rel="nofollow">https://npm-supply-chain-attack-techniques.pagey.site/attack...</a>
网站:<a href="https://npm-supply-chain-attack-techniques.pagey.site" rel="nofollow">https://npm-supply-chain-attack-techniques.pagey.site</a>
本文涵盖了过去一年中用于对 npm 软件包进行各种攻击的所有技术。在发布之前,请使用它来彻底审查您的项目。
涵盖的漏洞利用及缓解措施:
1. 维护者账户接管和恶意发布
2. 生命周期钩子执行
3. 自我复制的 npm 蠕虫
4. CI/CD 身份平面攻击
5. 基于 Git 的依赖项走私
6. 远程动态依赖项
7. 通过 npm 和软件包 CDN 托管的钓鱼基础设施
8. 凭证和密钥窃取
9. 数据渗出和死信通道
10. 持久性和反取证
11. 混淆和有效载荷打包
12. 软件包命名和发现滥用
查看原文
<a href="https://npm-supply-chain-attack-techniques.pagey.site/attack-techniques-context.md" rel="nofollow">https://npm-supply-chain-attack-techniques.pagey.site/attack...</a><p>Website: <a href="https://npm-supply-chain-attack-techniques.pagey.site" rel="nofollow">https://npm-supply-chain-attack-techniques.pagey.site</a><p>This covers all techniques used in past 1 year to conduct various attacks on npm packages. Use it to get your project reviewed thoroughly before publishing.<p>Exploits covered with mitigation information:<p>1. Maintainer Account Takeover and Malicious Publish<p>2. Lifecycle Hook Execution<p>3. Self-Replicating npm Worms<p>4. CI/CD Identity Plane Attacks<p>5. Git-Based Dependency Smuggling<p>6. Remote Dynamic Dependencies<p>7. Phishing Infrastructure Hosted Through npm and Package CDNs<p>8. Credential and Secret Harvesting<p>9. Exfiltration and Dead-Drop Channels<p>10. Persistence and Anti-Forensics<p>11. Obfuscation and Payload Packaging<p>12. Package Naming and Discovery Abuse