On July 12, 2018, the ESLint project experienced a security incident, detailed here, that resulted in two malicious npm packages being published. This has since been resolved, but I wanted to detail how Twistlock could help a customer identify risk associated with an incident like this and protect against a malicious package.
Obviously, comprehensive protection against the introduction of malicious code like this requires an SDLC-style development process to properly manage the risk associated with all code. In the aftermath of an event like this, though, many orgs will want to assess their exposure to such a risk. Twistlock collects extensive package info for images and this data is available via API — querying the JSON returned from the API to quickly identify if either of the affected packages were present in images in your CI/CD pipeline, registries, and container hosts.
Protection with Twistlock
Additionally, Twistlock runtime protection provides flexible options for protecting against a known threat like this. For example, the malicious code introduced into the ESLint packages reportedly used pastebin.com to download additional code. A runtime rule, like the one I created in the screenshot below, could be used to block outbound access to Pastebin and generate an audit trail of potentially problematic queries:
Twistlock provides a comprehensive and capable platform for inventorying, monitoring, and protecting cloud native workloads. To learn more about how we help enterprises detect and respond to real-world attacks, check out Enhanced Runtime Anomaly Detection Based on Real-World Research.
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.
AWS Fargate Security: Runtime Defense with Twistlock 2.5Read the Blog
Cloud Native Forensics: Security Incident Response in Twistlock 2.5Read the Blog
Announcing Twistlock 2.5: GA Release NotesRead the Blog
GitOps 101: What Is GitOps, and Why Would You Use It?Read the Blog
DevSecOps Learning Resources: How to Learn to Do DevSecOpsRead the Blog