The majority of NPM attacks utilise post-install scripts to run arbitrary code when the infected package is installed. In response to the Shai-Hulud worm I disabled post-install scripts using this yarn config line: enableScripts: false. I also added an allowlist in the package.json dependenciesMeta section.

It's been a week and across a team of about 20 people we've had no issues with dependencies, so I recommend everyone take this measure to only allow postinstall script selectively.

It adds a little friction but controls a huge amount of supply chain risk.

I'm the only security person at a latter-stage fintech startup and I'm trying to make the case that we should establish a security team and that I should lead it. Any advice would be very much appreciated.

I've been setting strategy and acting the part of a security leader for nearly a year now, I'm mostly hoping to get recognised for it and take security to the next level.

I'm officially publicising CVE-2024-25680, a denial of service vulnerability against Vercel.

This is under active exploitation in the wild, particularly against sites belonging web3 companies, where it is being used for extortion.

The exploit is a simple CL.TE request smuggling vulnerability which tricks the server to keep the connection open for a relatively long time. Times vary but typically you'd expect more than a 10x increase compared to normal response times.

Below is a PoC you can adjust to see if your deployment is vulnerable, ensure you are using http1.1 and not automatically updating the content-length:

Post / HTTP/1.1
host: <YOUR_VERCEL_SITE>
Transfer-Encoding: chunked
Content-Length: 4

1
A
X