
Naugtur's randomly newsletter - Issue #2

Hi!
This is my second newsletter sent from Revue, and potentially the last.
Just when I finished choosing what to use for newslettering and setting it up, they’re shutting it down. Oh well, at least it’s just email and I can move elsewhere. But for now - here’s what’s new:

Events!
For my Polish subscribers, I’ll be speaking at OH MY HACK https://omhconf.pl/omh-2022/ in Warsaw on Dec 3 - if you’re getting a ticket, use this code IDE_NA_OMH for 20% off ➡️ https://bit.ly/BiletOMH
If you want to see how short I can make the Hardened JS topic (or just watch other great lightning talks) - try DevSecCon Lightning https://www.devseccon.com/events/devseccon-lightning-2022 on Dec 7
And last but not least (this has not been officially announced yet) there’s going to be a meet.js Summit Watch Party on Dec 8, 14:00 CET on meet.js discord. Watch talks and chat about them, interact with the sponsors - a great way to make up for your bad decision if you didn’t come to the conference in person :D
Speaking of meet.js - I’m aware of 5 local meetups planned before the end of the year. Check your city!
Bad bins and how to keep them at bay
Folks from socket.dev found this new awful way of supply-chain attacking someone. https://socket.dev/blog/npm-bin-script-confusion
I’m almost done with the only protection you can locally use to defeat those: https://github.com/LavaMoat/LavaMoat/pull/390
Try it out, comment, ask questions - it’s opensource!
My new toy
Have you heard about LofyGang? https://lofygang.info/
I downloaded one of the (still available) packages to see how far I’d get if I try to manually analyze it. I got through 4 layers of obfuscation but then got stuck on the infinite loop that only happens if you deobfuscate… So, I built a tool to analyze JS malware without deobfuscating: https://github.com/naugtur/lavalab
It’s still just an experiment, a result of one morning spent coding, but I encourage you to take a look if you’re into JS security stuff :)
Remember, no warranty of any kind ;)
Training, anyone?
I don’t have a lot of time to find people who’d like to invite me to their team to do some training, but if they find me, I sometimes run 1-day trainings - see https://naugtur.pl/training/
If you were hesitating to get one, any training where I can issue an invoice before the end of 2022 gets a discount
Naugtur's randomly newsletter @naugtur
Created with Revue by Twitter.