Malicious packages are a growing threat across all major package managers that can lead to data exfiltration from build and developer machines.
Attackers publish packages with common misspellings of popular libraries to execute malicious code when a developer makes a typo.
A demonstration shows how a misspelled package name can lead to remote code execution during a standard build process using MSBuild targets.
You can secure your nuget.config by requiring signature validation and specifying a list of trusted package owners to prevent unauthorized packages.
NuGet's package resolution can be exploited by attackers who publish a public package with the same name as your internal private library.
A demonstration shows how a floating version reference can cause NuGet to pull a malicious public package over a trusted private one.
The packageSourceMapping feature in nuget.config allows you to explicitly define which source a package pattern should be restored from.
A review of essential security measures includes using trusted signers, package source mapping, reserving prefixes, and signing your own packages.
33:29Sebastian Leuer
28:27Niels Tanis
24:47Adrian Mouat
32:55Natale Vinto
29:47Thomas Chauchefoin & Paul Gerste
27:32Jasmin Azemović
37:36Vandana Verma
29:50Kevin Lewis
Jobs that call for the skills explored in this talk.
Purview & Zero Trust
Manchester, United Kingdom
Controlware GmbH
Nürnberg, Germany
SAP AG
Berlin, Germany
