Episode #276 with Myles Borins
NPM, Package, and Software Supply-Chain security

This week on Absolute AppSec’s 276th episode, Ken Johnson (@cktricky) and Seth Law (@sethlaw) welcome Myles Borins (@myles.dev), a prominent figure in the JavaScript and Node.js ecosystems, to discuss his career and the complexities of maintaining large open-source projects. To watch this episode, or catch the next discussion live on Tuesdays, go to https://www.youtube.com/@AbsoluteAppSec, or find us wherever you get your podcasts.
“Even all the way back to that first [musical] instrument, the Monom, was an open hardware device. And so if you really track [my career] progress, everything was very much about contributing to open standards, to open source, working towards the open web and working on those technologies.”
The discussion begins with Myles recounting his entry into programming through music production and the creation of his own electronic music devices. He pursued an undergraduate degree at the Ontario College of Art and Design in integrated media, followed by a graduate degree at Stanford’s Center for Computer Research in Music and Acoustics. This fascination with systems and processes has evolved into work on broader software development and open-source contributions. His early work involved building tools for electronic music, eventually leading to deeper involvement in JavaScript and Node.js. Myles played a significant role in the Node.js Foundation and later at IBM, where he worked on ensuring Node.js compatibility across various architectures. Myles now works at Snowflake, where he focuses on the developer platform and is adapting to a database-centric environment where everything operates through SQL APIs, a shift from his previous work in systems and application development.
The bulk of the episode focuses on Myles’s time at GitHub, particularly managing the NPM registry after GitHub’s acquisition of NPM. Myles explains the challenges of inheriting a vast and complex codebase with varying coding standards and a mix of legacy and modern systems. His initial role involved overseeing the release of NPM version 7, which faced delays due to significant architectural changes and the need to maintain backward compatibility. Successfully releasing NPM 7 required navigating technical complexities and coordinating among diverse teams with different priorities. In addition, Myles discussed the supply-chain security challenges within NPM. There were several incidents of account takeovers (ATOs) affecting high-impact packages, underscoring the difficulty of balancing security with usability. For example, during one incident, a compromised package with millions of downloads remained undetected for several hours, highlighting the need for better alerting. In response, the team implemented a malware-scanning service and established stricter policies for high-impact packages. Understanding the scale of NPM as well as its influence—being the largest package registry for JavaScript—highlights the complexity Myles and his team faced. The registry serves millions of developers and powers countless applications, making any security lapse potentially catastrophic. Myles’ experiences underscore the importance of proactive security measures in open-source ecosystems and the nuanced approach needed to balance security, usability, and scalability.
“Not all of us are serving up millions, right? […] So all of those inherent risks that are in there are going to be different for Google than it is for a company that is doing loan applications or is a social media site.”
“While I was working at NPM, there was quite a lot of feedback that we had gotten from people. There was like, well, why don’t you do all these things that essentially make it harder to use? [Questions like] Why don’t you force some level of verification before people can publish? The reality is that if your security boundaries become so high, that you reduce usability and developer experience, people just aren’t going to use it […] or they’re going to find ways around it.”
Like the rest of the cybersecurity world, Myles reflects on the relationships and trade-offs between security and developer experience. While imposing strict measures like mandatory multi-factor authentication (MFA) can mitigate risks, it can also deter developers if the process is overly burdensome. To address this, GitHub rolled out MFA requirements in phases, starting with the top 100 packages and gradually expanding. They also introduced granular access tokens and improved token management to enhance security without disrupting workflows. Myles touches on the human factors within security, highlighting the account recovery process as a weak point that is often exploited through social engineering. The team at GitHub developed robust verification systems to prevent attackers from reclaiming accounts via expired domains or forged credentials. Maintaining critical infrastructure amid the real-world complexities of the open-source community is no easy feat, and it teaches lessons in incident response, product management, and community engagement.
This episode is sponsored by Redpoint Security. Redpoint specializes in “Code Security. By Coders,” which is bolstered by years of experience testing applications and conducting code reviews against all types of applications. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.
Hey you! Yes, you! It’s time to support the podcast by repping some snazzy swag (like this hoodie below). Visit the merch store to pick your desired color.
And, as always, if you have thoughts you’d like to share with Seth and Ken and the Absolute AppSec audience, join us in Slack.
Stay Secure,
Seth & Ken
https://youtu.be/EQ9cZFyJ_xA - Episode #65 - Adam Baldwin, former VP of security at NPM and founder of the Node Security Project, an initiative to track vulnerabilities and make security a core value in the JavaScript ecosystem, came on the show to discuss 3rd-party dependency & supply chain security.
https://youtu.be/NsMx36Qe4aQ - Episode #244 - Kyle Kelly - Publisher of the Cramhacks newsletter, Kyle also specializes in supply-chain security as a researcher and consultant. He has some relevant thoughts for improving the cybersecurity landscape and analysis of software security supply chains.
https://youtu.be/jALpBoAKiB8 - Episode #236 - Toward the end of this episode, Seth and Ken discuss the discovered use of Hugging Face and Github to host malicious code/packages and discuss the supply-chain security issues and the fact that these types of threats will be increasingly popular against package repositories.
Absolute AppSec Happenings
https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20Hackers'%20Almanack.pdf - DEFCON Franklin releases the DEFCON 32 Hackers’ Almanack. The compendium’s stated purpose is to “compile the most interesting, impactful, and innovative research and vulnerabilities identified at DEF CON.” Check if the talks you liked are featured if you were there, or dig in for a nice overview if you weren’t.
https://projectdiscovery.io/blog/future-of-automating-nuclei-templates-with-ai - Project Discovery talks through the use of AI to create Nuclei templates for CVEs. Good use of AI to speed up analysis of known vulnerable issues. Could also see this being tuned for custom environments, etc.
https://www.inversecos.com/2025/02/an-inside-look-at-nsa-equation-group.html?m=1 - Analysis of the NSA’s alleged hack of the Chinese Northwestern Polytechnical University. We see a lot of these attributions and analyses with a focus on groups in China, so it’s interesting to read the reverse.
Upcoming Events
Where in the world are Seth and Ken?
February 20-21, 2025 (Ongoing, second day is today) - Harnessing LLMs for Application Security - Virtual Training - Next opportunity for the new course that focuses on strategies for using more than just the chat interface of an LLM to secure software.
March 6-7, 2025 - Apres-Cyber Slopes Summit - Seth will be presenting his Modern vs. 0ld 5k00l talk, where all the old vulnerabilities are new again.
March 27-28, 2025 - Practical Secure Code Review - Virtual Training - The course that started it all! We will reprise this online with a training in Q1; if you have specific dates you would like to see, please reach out (via email or Slack).
June 28-29, 2025 - DEF CON Trainings, Seattle, WA - Seth and Ken will present one of the courses. Watch this space for additional details once it is fully posted.