BSides Canberra 2025

Paul McCarty

Paul is the Head of Research at Safety (safetycli.com) and a well-known researcher in the malicious packages space, as well as being a DevSecOps OG. He founded multiple startups including SecureStack in 2017, SourceCodeRED in 2023 and GitHax in 2024. Paul has worked for NASA, Boeing, Blue Cross/Blue Shield, John Deere, the US military, and the Australian government amongst others. Paul is a frequent contributor to open source and is the author of several DevSecOps, software supply chain and threat modelling projects. He’s currently writing a book entitled “Hacking NPM” and when he’s not doing that he’s snowboarding with his wife and 3 amazing kids.


Session

09-27
14:00
25min
Panda Mirror: How the Chinese CCP manipulates NPM to horde malware
Paul McCarty

NPM is the world's largest software registry, but it faces significant security challenges. Attackers frequently target NPM packages because traditional security tools like SCA and EDR aren't effective at protecting developers from malicious packages. When malicious packages are identified, NPM removes them from the registry and all mirror servers are supposed to follow suit.

What's concerning is that of the 8 global NPM mirrors, 5 are located in China - representing 63% of all NPM mirrors. These Chinese mirrors operate under unique regulatory constraints, including rules that require security researchers to report vulnerabilities to the Ministry of State Security (MSS) before disclosing them to affected companies.

During my research, I discovered that while Chinese NPM mirrors appear to remove malicious packages, they continue serving them in a hidden manner. This presentation will demonstrate how I've been leveraging this behaviour for two years to access previously unseen malware, and show the audience how to do the same.

Off-Main Track