Critical Thinking - Bug Bounty Podcast

Episode 74: Supply Chain Attack Primer - Popping RCE Without an HTTP Request (feat 0xLupin)

Jun 6, 2024

Expert 0xLupin discusses supply chain attacks, ethical considerations for maintainers, and new tool Depi. Topics include types of attacks, vulnerabilities in CI builds, challenges in managing software dependencies, detecting supply chain attacks, domain squatting, securing bug bounty programs, significance of lock files, bug hunting emotions, analyzing attack scenarios, and risks of NPM and Yarn supply chain attacks.

01:38:20

Creator website

Episode guests

0xLupin

AI Summary

Highlights

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Properly managing maintainers and monitoring their actions is crucial to safeguard the software supply chain.

Weak credentials or lapses in domain registration by maintainers pose serious threats that require proactive mitigation measures.

Vetting maintainers and enforcing stringent security measures can prevent breaches and maintain software supply chain integrity.

Deep dives

Complexity of Supply Chain Maintainers

Maintaining a vast number of packages internally can lead to significant risks in the supply chain. With each package maintained by a small percentage of individuals, potential vulnerabilities and attacks can impact millions of users. The challenge lies in the responsible management of these maintainers and ensuring that their actions or oversights do not compromise the overall supply chain, emphasizing the need for thorough security measures and monitoring.

Security Concerns in Registries and Ownership of Software Supply Chains

01:36

Exploration of Ethical Security Research and Hosting Backdoors on Public Registries

02:41

Exploring the Importance of Lock Files and Supply Chain Security

01:34

Intro

2min

Exploring Supply Chain Attacks and Dependency Confusion

7min

Software Supply Chain Security in Tech Companies

12min

Challenges in Managing Software Dependencies and Security Vulnerabilities

7min

Detecting and Mitigating Supply Chain Attacks

18min

Discussion on Domain Squatting and Weak Links in Sub-collection

2min

Securing Supply Chains and Bug Bounty Programs

19min

Significance of Lock Files and Supply Chain Security Vulnerabilities

8min

Exploring Bug Hunting Emotions and Implications of Software Supply Chain Vulnerabilities

2min

10.

Analyzing Supply Chain Attack Scenarios and Vulnerabilities

20min

11.

Exploring Supply Chain Vulnerabilities and Bug Bounty Perspectives

2min

Episode 74: In this episode of Critical Thinking - Bug Bounty Podcast Justin sits down with Roni "Lupin" Carta for a deep dive into supply chain attacks and dependency confusion. We explore the supply chain attacks, the ethical considerations surrounding maintainers and hosting packages on public registries, and chat about the vision and uses of his new tool Depi.

We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

------ Links ------

Follow your hosts Rhynorater & Teknogeek on twitter:

https://twitter.com/0xteknogeek

https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Sponsor - Project Discovery: https://nux.gg/podcast

Today’s Guest: https://x.com/0xLupin

Resources:

Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

git-dump

https://github.com/tomnomnom/dotfiles/blob/master/scripts/git-dump

Depi

https://www.landh.tech/depi

Weak links of Supply Chain

https://arxiv.org/pdf/2112.10165

Timestamps: