
maximivanov/nodejs-leak-env-vars


Leak AWS Lambda (EC2) environment variables via a compromised NPM package

Companion code for the write-up "How compromised NPM package can steal your secrets (POC + prevention)".

Repository content

  • phone-home-listener. HTTP endpoint that logs every incoming request, including its query-string parameters and body. Attacker-owned resource.
  • compromised-npm-package. A useful NPM package that was hacked and had malicious code injected. Third-party-owned, compromised by the attacker.

Application examples, from vulnerable to protected:

Each application has its function code in the lambda folder and its infrastructure scripts in the terraform folder.

Example usage. This deploys both the cloud resources and the function code:

aws configure # skip if AWS credentials are already set
cd leak-env-vars-poc/terraform
terraform init
terraform apply

About

POC of a vulnerable app leaking environment variables via a compromised NPM package