Business Client needs Software Development
Contact person: Business Client
Location: Gangtok, India
Budget: Recommended by industry experts
Time to start: As soon as possible
Project description:
"I need a hands-on, reproducible lab that walks through a full software-supply-chain compromise against a Node.js web application. The scenario must show a malicious package injection making its way from an upstream dependency into the running app, illustrate the impact, then pivot to hardening and detection techniques that shut the door on the attacker.
Scope
The focus is explicitly on malicious package injection; other vectors such as dependency-confusion or typosquatting may be mentioned only as context, but the code and documentation you deliver should center on the single chosen vector.
What I expect to receive
• A minimal yet realistic Node.js app stored in Git (public or private repo is fine)
• A companion malicious package/repo that poisons the supply chain and triggers observable damage or exfiltration
• Step-by-step attack walkthrough: cloning, building, exploiting, and verifying impact
• Hardening section: updated pipeline, lockfile or checksum strategy, and any other countermeasures you recommend
• Detection section: scripts, queries, or open-source tooling configurations that reliably flag the injected package in CI/CD or runtime logs
• Clear README covering prerequisites, setup with Docker or similar container tooling, and clean-up steps
Acceptance criteria
1. A fresh machine running standard Docker and Git can reproduce the attack and the fix without manual tweaks.
2. All commands in the README execute without error.
3. After hardening measures are applied, rerunning the attack path fails and the detection pieces register the attempt.
Keep the code self-contained, well-commented, and license-clear so it can be used for internal DevSecOps red-team training." (client-provided description)
Matched companies (6)

eShop Genius

El Codamics

Breeze Website Designers

SJ Solutions & Infotech

JanakiBhuvi Tech Labs Private Limited
