Backdoor in event-stream library dependency

I really have a hard time putting as much blame on the author as the people in that Github thread are doing. Maybe they could have handled this specific issue a little better, but the underlying problem is just one of the flaws in the open source community that everyone has to accept. Maintaining a project is a lot of work (even just having your name attached to a dead project involves work) and the benefit from doing that work can be non-existent. If the original author has no use for the project anymore and someone offers to take it over from them, why should the author be expected to refuse? Isn't adding another potentially unknown maintainer generally better for the community than a project dying?

I had this exact same problem from both sides (not working on a project any more and wanting to find someone to maintain it&#x2F;wanting to maintain a project someone wasn&#x27;t working on because I found it interesting). It&#x27;s not always easy to find people who are interested, and, while giving maintainer access to someone you know very little is usually fine and works out great, sometimes you get results like these.<p>In the end, I built something to &quot;solve&quot; this, a project called Code Shelter[1]. It&#x27;s a community of vetted maintainers that want to help maintain abandoned FOSS projects, so if you want your project to live on but don&#x27;t want to do it yourself, you just add it there and you can be reasonably sure that nothing like this will happen to it.<p>Of course, you have to get a large enough pool of trusted maintainers that someone will be interested in each project, but it&#x27;s still better than blindly adding people. I can&#x27;t fault the maintainer of that project, since trusting people is usually fine, but it&#x27;s too bad this happened to him. The commenters are acting a bit entitled too, but I guess it&#x27;s the tradeoff of activity vs security.<p>[1] <a href="https:&#x2F;&#x2F;www.codeshelter.co&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.codeshelter.co&#x2F;</a>

NPM is just a mess, and the whole culture and ecosystem that surrounds it. Micropackaging does make a little bit of sense at least in theory for the web, where code size ought to matter, but in practice it&#x27;s a complete shitshow, and leads to these insane dependency paths and duplication and complete impossibility to actually keep abreast with updates to dependencies, much less seriously vet them.<p>The insidious threat is that these bad practices will start leaking out of Javascript world and infect other communities. Fortunately most of them are not as broken by default as JS, and have blessed standard libraries that aren&#x27;t so anemic, so there is less for this type of activity to glom on to.

Unpinned dependencies are harmful.<p>If you aren’t reviewing the diffs of your dependencies when you update them, you’re trusting random strangers on the Internet to run code on your systems.<p>Espionage often spans multi-year timelines of preparation and trust building. No lesser solution will ever be sufficient to protect you. Either read the diffs, or pay someone like RedHat to do so and hope that you can trust them.

That thread is a huge argument for paid software. It&#x27;s mind blowing how folks expect people to maintain things for nothing and get mad when it doesn&#x27;t work perfectly. Some silly choices were made by the original maintainer but give the dude a break. He doesn&#x27;t owe you a damn thing.

Get ready for more of these type of attacks as time goes by, and they won&#x27;t all be as obvious as this one.<p>Supply chain attacks are increasingly being seen as a good vector and there are thousands of unmaintianed Open source libraries buried in the dependencies of popular projects.<p>Also worth noting that package security solutions, which check for known vulnerabilities, are unlikely to solve this kind of problem unless they track &quot;known good&quot; package versions and alert when things change.

The (most recent) payload turns out to attempt to steal Bitcoin wallets:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;dominictarr&#x2F;event-stream&#x2F;issues&#x2F;116#issuecomment-441745900" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;dominictarr&#x2F;event-stream&#x2F;issues&#x2F;116#issue...</a>

Move fast and break things. I view this as an endemic fault of how npm, and to a larger extent javascript, culture works and thinks.<p>I believe npm to be a giant landmine of untrustwothy packages thrown together. No package is trustyworthy as the dependency chain runs too wide and too deep. And having unwieldy dependency trees is considered a feature of npm.

A related question: I&#x27;m a NodeJS, Python and Java user&#x2F;developer; can anyone explain why this problem appears more frequently in the <i>npm</i> ecosystem than in Maven, PyPi, etc?<p>Is it the Github-ization of package creation and maintenance? Is it the pervasiveness of left-pad style packages? Is it <i>npm&#x27;s</i> governance? Is it the community&#x27;s perspective and culture? Have the malicious just not made it to other repo systems yet?

Also note the same user owns this library:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;right9ctrl&#x2F;node-scrypt" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;right9ctrl&#x2F;node-scrypt</a><p>I would be very suspicious of that as well and audit anything that library has touched.

Looks like the sleuths on github just found out it targets a bitcoin wallet called `copay-dash`<p><a href="https:&#x2F;&#x2F;github.com&#x2F;dominictarr&#x2F;event-stream&#x2F;issues&#x2F;116#issuecomment-441744625" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;dominictarr&#x2F;event-stream&#x2F;issues&#x2F;116#issue...</a>

We may need permissions for our dependencies (cf. Android apps). Ryan Dahl already did this with Deno, specifically because he saw weaknesses in Node: network, environment variables, file system, sub-processes.<p>We may need reproducible builds and reproducible minification. If we want developers to audit their own dependencies, in case we deem that practical, packages cannot ship their own minified sources. Auditing the non-minified source is hard enough.<p>We may need (for-profit) organizations that audit packages and award their official seal which you can trust before you add or update a dependency.<p>We <i>may</i> need better standard libraries and fewer micro-packages.

&gt; Now we have to run a background check when someone wants to help? The problem is in the tools.<p>I don&#x27;t agree with this comment, really. But -- there&#x27;s almost always room for improvement w&#x2F;tools. IIUC this unpacks encrypted JS bytecode and then executes it? Is there any way to statically know whether this could happen?<p><pre><code> &quot;var newModule = new module.constructor;&quot; ... newModule[&#x27;_compile&#x27;]() </code></pre> From what terribly little I know about Javascript it looks like it would be hard to create a lint&#x2F;warning that finds this sort of thing without false positives. However, an audit tool that merely discloses this and any other things-that-deserve-greater-scrutiny would be valuable. If you could walk your dependency tree and see whether&#x2F;when this changes, it would be very useful. Of course, to be useful you probably need some kind of dependency pinning too, which IIUC npm does not (yet) support?

This isn’t about Dominic, this is about using node for anything secure (for example, somehow people use node in cryptocurrency projects)<p>If you have any security requirements whatsoever, and you are using node, you need to do your own audits of the (hundreds of) packages you use. If that’s not practical then node isn’t practical

I guess it&#x27;s not npm specific, because the same thing can happen in any other open source repo, can&#x27;t it? Some guy takes over maintenance of a dormant package and then adds code which no one bothers to check.

I don&#x27;t think most people in HN are seeing the real story here. This is not another harmless stunt like left-pad to make us all wag our fingers at the Node community. This is a coordinated, targeted attack on a popular Bitcoin wallet software to steal private keys using a popular open source library and NPM as an attack vector.<p>This is potentially the biggest Bitcoin heist since MTGox and the biggest news in Bitcoin all year. The last time BitPay got scammed they lost 5,000 BTC and that was back in 2015. I wouldn&#x27;t be surprised if this is causing the current mass sell-off. Does anyone know how to find real-time transaction volume stats broken down by client, country, etc.?

Makes me wonder if there&#x27;s a business opportunity. Make your own version of NPM, based off of the real NPM, but some level of auditing for package updates. Don&#x27;t report suspicious commits from new contributors right away, that sort of thing. Charge companies a few hundred $ a month to use your site instead of NPM, and they can update packages at will without risk of picking up something nasty.<p>Then again, the fact that nobody has done this already suggests that it wouldn&#x27;t work.

Would anyone want to support a third party which audits popular dependencies, and digitally signs off after being reviewed? I currently audit source code for private companies, would be cool to pivot and focus on open source projects.<p>Feel free to email me, jt3@justin-taft.com

This whole debacle has been really interesting.<p>I&#x27;ve personally met Dominic and chatted with him in the past (although I doubt he would remember me) and he&#x27;s a great guy. I may not agree with his world views but he&#x27;s respectable.<p>Just giving away a repo, and reading his description of it, sounds like something he would do, haha. I&#x27;m sure from his view, he&#x27;s just been open sourcing experimental modules (however big or small) and that&#x27;s all it is: fun<p>On the flipside, the inhouse CSS framework where I work actually pulls in event-stream as a sub-sub-subdependency which could have bitten us possibly if the attack wasn&#x27;t so specific.<p>It&#x27;s easily to blame Dominic but ultimately, he&#x27;s just a guy who made some code for fun and people started using it.<p>I&#x27;m sure when you&#x27;re in a position like that, one of two things is likely:<p>1) You either don&#x27;t look at download&#x2F;usage analytics because why would you? It&#x27;s one of many projects and you&#x27;re not measuring their success by anything more than how you feel. People can use whatever code but it&#x27;s not exactly a product being sold<p>or<p>2) You do look at the numbers perhaps but 2 million people? How do you even quantify that? It could be 1 million bots, 2 million hobbyists, 50,000 enterprises who don&#x27;t cache internally and npm install over and over, or even all 3 combined!<p>Anyway, this whole event hasn&#x27;t happened in a vacuum so at least it&#x27;ll (hopefully) spark constructive discussion about the state of JS and companies&#x2F;projects relying on possibly unmaintained sub-sub-sub... you know

Someone post a list of every public package that depend on that one <a href="https:&#x2F;&#x2F;github.com&#x2F;dominictarr&#x2F;event-stream&#x2F;issues&#x2F;116#issuecomment-441731288" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;dominictarr&#x2F;event-stream&#x2F;issues&#x2F;116#issue...</a><p>A lot of very common packages...

This is one of the gaping security holes that open source has always had, you don’t know where the code came from and your best indication if it’s safe is how popular it is. Npm and Maven libs being the scariest since there are hundreds for even small apps.

NPM needs to make accessing the source code easier. It has always bothered me that the linked repository can be set to absolutely anything the author wants.

IMHO there are only 2 long-term solutions to this type of problems: 1) Reduce the number of external dependences as much as possible 2) Pay authors to properly maintain the packages that you rely on. If you use them on commercial projects it&#x27;s the first and the cheapest possible security measure you should invest in.

Wow, looks like it was also used in Microsoft and BBC News repos.. unless I read the updates incorrectly. Perhaps the attacker was targeting a specific user?

I think the underlying issue here is ownership of a package, that is the sensitive thing that was given away. This is why I prefer to publish scoped packages, e.g. `@dominictarr&#x2F;event-stream` not `event-stream` onto npm, so that ownership doesn&#x27;t need to be given away. If someone wants to give continuity to the project, it can be done under a different fork. Also, it&#x27;s important to pin versions for immutability. Naive OSS software, with changing owners and evolving versions, is essentially &quot;mutable&quot;, and a weak spot for attacks.

Another example of how social engineering is usually what gets you hacked as opposed to a software vulnerability

So, I&#x27;m not a javascript person. I don&#x27;t know the ecosystem that well. I&#x27;m not really even a programmer except at gunpoint, just a sysadmin.<p>But even 5 years ago I remember thinking &quot;400 dependencies for a project is just WAY too many&quot; and imagining something like this. And now I see some of the big frameworks require literally thousands of packages. Is there something about Javascript that necessitates this kind of ultra-fine hairsplitting on packages, or could that be made better?

Is there a way to get stats on suspicious activity on NPM repos? I feel like this is a service that every node.js project is in need of after left-pad and now this.

Are there actually any future plans for JavaScript to add a decent standard library?<p>Coming from other languages, the lack of built-in functions seems crazy, and the NPM situation just <i>weird</i>. An empty template I use for bootstrapping jquery-based web apps, based on using Gulp 4 for transpiling ES6, SASS compilation etc, has a node_modules folder with 23,268 Files across 3,080 Folders!

I was understanding until I read:<p>&quot;he emailed me and said he wanted to maintain the module, so I gave it to him. I don&#x27;t get any thing from maintaining this module, and I don&#x27;t even use it anymore, and havn&#x27;t for years.&quot;<p>in the thread. Then, I looked through the commits and realized how not ready @right9ctrl was to maintain a heavily used package. Basic linting and small, iterative changes are absent.<p>So, when I see Dominic-さん just &quot;handing&quot; the package over -- it seems careless. This is often why -- I try to write my own packages unless I absolutely need some sort of framework. It&#x27;s trading one set of problems for another (the potentiality for bugs vs. a package as a security issue).

It looks like no one is even sure what the code actually does? Or am I misreading that thread.

People have to understand that the Node.js ecosystem is different than in other programming languages&#x2F;platforms. Modules are composed from smaller modules with a granularity so small that it is almost unique. When you&#x27;re publicly publishing something low-level to npm you really should understand that the community may build on top of it to the point where it is used by many modules and as a result used by many end-users. You are not obligated to maintain it, but it&#x27;s not really fair to be totally careless either. The community is like society, if you&#x27;re in it, try to be a good citizen or the community will move against you to preserve it&#x27;s ideals.

This is one of the reasons npm packages with a compiled minified dist js files are a bad idea, makes hiding malicious code surprisingly easy.

Anyone know how this was found and whether that process can be automated? There are likely a lot more packages that are infected with the same technique.<p>I looked at the linked commits: <a href="https:&#x2F;&#x2F;github.com&#x2F;dominictarr&#x2F;event-stream&#x2F;commits&#x2F;master" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;dominictarr&#x2F;event-stream&#x2F;commits&#x2F;master</a><p>and it looks so surprisingly normal.<p>I am pretty sure I wouldn&#x27;t have caught it even if I was code reviewing it.<p>Did someone heroically rerun every package&#x27;s build process to see if the minified output was tampered with?

Running the open source projects through organizations like Apache Software Foundation [1] would help. They can have processes for handling abandoned projects and also set guidelines that projects must follow when it comes to including 3rd party packages.<p>This is not just a security risk. There might be some business implications if somebody would sneak in for example some AGPL licensed software to the dependency chain of a popular package with more permissive license.<p>[1] <a href="https:&#x2F;&#x2F;www.apache.org&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.apache.org&#x2F;</a>

I love reading these threads. People seem to expect way more out of open-source software than is actually guaranteed to them. It is a template of some computer code that may be relevant to your work; nothing more, nothing less. &quot;I can&#x27;t believe you let this happen to me!&quot; Well, read the license: &quot;THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED&quot;. If you don&#x27;t agree to that, you have no legal right to use the code. Not sure what else there is to discuss.

Might be unpopular, but I&#x27;m super okay with maintainers just disappearing and ignoring their projects. Stop putting so much weight on the original package namespace. I know it&#x27;s a lot of work, but in my experience, when maintainers disappear, the community creates a fork that&#x27;s better maintained and people migrate to that version.<p>I think if you want to stop working on a project, and it&#x27;s on github, just leave a note in the README, archive it and move on with your life. Don&#x27;t give the keys to someone on the internet.

Regardless of if the author&#x27;s to blame, the outcome would be no different if the author&#x27;s Github account were compromised or the author themselves were compromised&#x2F;decided to act maliciously. In either case, user&#x27;s of the code also have an effort to act responsibly. Are any downstream package author&#x27;s that incremented the dependency or failed to lock it to a specific version less culpable? (event-stream is being used by SuperPopularPackageX which allows the compromised version)

Seems like we need a linter that can look for binary, hex, or otherwise encrypted-looking data in source code (I have no idea how you&#x27;d teach the linter to look for anything that &quot;looks like gibberish&quot;--I&#x27;d leave that to people smarter than me). From past experience with other popular apps that get backdoored with bitcoin miners, anything intentionally obfuscated in what is supposed to be an <i>open source</i> application is almost always suspicious.

The problem with JS (Node and browser) is that the standard library is pretty much useless.<p>What JS&#x2F;NPM needs is some sort of certification program for secure libraries that would fill the void of the lack of a standard library. NPM of course would give a warning when installing a non certified library.<p>This would be a tremendous effort, but it would really be the only way for NPM to survive in the long term. NPM is one of the reasons we&#x27;ve moved to Go for our server side code.

To the outsider, these threads assume so much context that they don&#x27;t make sense. (Of course, if you are a computer or you have intimate knowledge of these tools, and these threads make perfect sense!)<p>Who, what, where, why, and how need to be answered.<p>Usually when there&#x27;s a link like this on hacker news, one of the highly moderated comments explains the situation in ways that don&#x27;t require as much context as a typical commiter would have.

Scoping dependencies to their author by default would help (not eliminate) this problem.<p>For example, if this had been @dominictarr&#x2F;event-stream the entire time, and he chose a new maintainer, that would then <i>by definition</i> change the name of the package to @right9ctrl&#x2F;event-stream, requiring all users to intentionally change their dependency.<p>Yes, it&#x27;s painful. But it prevents getting caught out by a malicious patch release.<p>That said, the whole github&#x2F;npm relationship is broken to begin with. No simple mechanism exists that I&#x27;m aware of to verify that a tag as pushed to GitHub is exactly the same as what is published to npm. And due to various prepublish hooks, it can be very difficult to actually prove this. One solution would be GitHub support for building &amp; publishing packages, with a Travis-like build log, so users can be assured that the package as it sits on npm actually was built from expected source.<p>@right9ctrl could have just avoided committing this entirely, and just published a malicious patch release. If he had done that for a few days then published another that removes the injection, it might have gone unnoticed for months.

Clever.<p>Something out there depends on ps-tree (directly or indirectly) and the description in its package.json is the AES key for this string.

This situation reminds me a lot of the hypothetical situation outlined in this post [1]. Definitely worth the read for anyone who hasn&#x27;t already seen it.<p>[1] <a href="https:&#x2F;&#x2F;hackernoon.com&#x2F;im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5" rel="nofollow">https:&#x2F;&#x2F;hackernoon.com&#x2F;im-harvesting-credit-card-numbers-and...</a>

All these arguments about Moral&#x2F;Legal liability are just head-scathingly nonsensical to me.<p>Look, if you&#x27;re pulling external dependencies into your project from <i>anywhere</i>, and you don&#x27;t version pin and hash compare those dependencies every time you build, then you get <i>ZERO</i> security guarantees. Simple as that. You might have some &quot;in a perfect friendly world&quot; <i>expectations</i>, but no guarantees, no recourse and no one else to blame when the world does not conform.<p>The notion that the author of the package could&#x2F;should do anything to mitigate that for you is ridiculous. Ignoring many, many plausible coercion&#x2F;honest mistake scenarios, just consider that a once-reputable maintainer can over time <i>become</i> malicious. That&#x27;s it. If you have any actual real security requirements, then I&#x27;m sorry but you don&#x27;t get to say &quot;but but but DRY!!!&quot; and call it a day. You are responsible for what software you run in your product.

Semver seems like a huge problem here, blindly pulling in changes is just asking for a lot trouble, intentional or not.<p>I&#x27;d also say NPM&#x27;s centralized naming structure is also problematic, people don&#x27;t want to update 1000&#x27;s of modules to some new latest version of X which was forked and is now maintained, so it&#x27;s handed off like this.

it&#x27;s kind of impressive this compromise was discovered _at all_. Anyone know the story of how it was? There seems to be a lot of back story before the linked issue begins.<p>I&#x27;m interested in who noticed the compromise, when, and how. Because with open source, noticing the compromise is about the _best_ we can expect from a &quot;worst case&quot;.

I&#x27;m also a little bit pissed with the author of this repo. But seriously, how can you vet everyone contributing to your unmaintained open source project..<p>Good security scanning and perhaps identity verification on Github could help. So at least you can ignore pull requests from authors that didn&#x27;t verify their identity.

Not sure how useful this would be to anyone but i built this tool last year to learn about Go and highlight issues with dependencies. This tool tries to enumerate dependencies of the project and highlight concerning facts for each dependency such as the size of collaborator, the age of the repository or if it has not been updated for more than 6 months, etc.. The tool currently supports go-dep, npm, pip, ruby-gem but ONLY support githubapi. The tool can be found here if anyone is interested or just want an idea to write something similar for the community:<p><a href="https:&#x2F;&#x2F;github.com&#x2F;GovAuCSU&#x2F;DRAT" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;GovAuCSU&#x2F;DRAT</a><p>Disclaimer: I am not a dev, just a pentester by trade so the code is probably ugly as fuck for many of you =))

I don&#x27;t believe, that Dominic (the former maintainer, who gave the control of package to complete stranger) is the sole party to blame here. The biggest responsibility lies with so-called &quot;administration&quot; of NPM, who have systematically failed to promote security and robustness in their package system.<p>The practice of handing control of open-source packages to new maintainers is old and well-established. You can go to Sourceforge and request to take control of any old, low-impact, unmaintained repository and Sourceforge administration will likely grant it to you after a considerable delay and some investigation (at least they used to do so in the past, not sure if they will continue to after all this mess). The responsibility to ensure, that new versions of packages haven&#x27;t been subverted by malicious actors, have always lied with people, who brought those packages into distribution — the package maintainers. Unfortunately, NPM does not have any &quot;maintainers&quot; in the traditional sense — package authors can&#x27;t be trusted to remain impartial, and &quot;administrators&quot; just sit on their backs, waiting for devs to fill their repository with quality software. There is zero oversight — you can do anything with your packages as long as it does not outright contradict local law, including openly selling them to hackers, openly incorporating backdoors, and even sabotaging entire package ecosystem by unilaterally deleting hundreds of popular packages.<p>Covert transfer of control should not even be possible in centralized repository like NPM. If you want to give your package to someone, that act should be registered with repository administration, and future users of package should be warned of it — just like users of services and goods are commonly informed when an existing company changes it&#x27;s organizational structure. It is one thing to privately give access to Github repo to someone. It is entirely different thing to hand over a repository package — which is automatically distributed onto large number of computers around the world. In later case authors, who failed to announce the change of ownership to repository maintainers, should bear full monetary responsibility for their actions.

This eerily reminds me of <a href="https:&#x2F;&#x2F;hackernoon.com&#x2F;im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5" rel="nofollow">https:&#x2F;&#x2F;hackernoon.com&#x2F;im-harvesting-credit-card-numbers-and...</a>

Can I ask a simple question not being a javascript guy? Should this be considered a security vulnerability in need of mitigation, ie should I try and identify all the places this&#x2F;these packages may used in our production code, and ...do something?

This is one reason why you don&#x27;t depend on trivial libraries you can roll in-house and maintain yourself. Shame on people perpetuating the &quot;depending on is-array or left-pad is totally fine&quot; ideology.

We&#x27;re going to see a lot more of this. Dependencies are a security risk. If you&#x27;re writing a secure system that will be storing personally-identifiable information as GDPR defines it, then you need to audit every dependency that you include in your project (and every dependency that each of those dependencies include). And then again every time they change version.<p>The golden days of including any old gem or npm package that seems to solve the problem you&#x27;re looking at are over.

Looks like the malicious commits were made with a fake user account. No identifying information, barely any repos, generic profile picture.

Is there a way to run npm and show what <i>would</i> be installed via an &#x27;npm install&#x27; short of actually installing it? That combined with a diff tool against package-lock versions would limit the review list. AFAIK, the way it is now you can&#x27;t tell if one thing changed or one thousand until after completed.

We need to incorporate the fact that people will move on with their lives and transfer ownership of projects.<p>This could be solved in a few ways.<p>Maybe instead of signing over ownership, maybe the protocol should be to force a fork and make notes in the README that there&#x27;s a new repo whose author has not been vetted and should be used with caution.

Is one solution a system where our ssh keys participate in some sort of trust graph like SSL certificates do?<p>(I expect that question is very naive from the point of view of people who know this area, but I&#x27;d be interested to be pointed in the right direction.)

It would be nice if we could pin libraries to a particular maintainer, as well as a version.

Great breakdown of events here: <a href="https:&#x2F;&#x2F;schneid.io&#x2F;blog&#x2F;event-stream-vulnerability-explained&#x2F;" rel="nofollow">https:&#x2F;&#x2F;schneid.io&#x2F;blog&#x2F;event-stream-vulnerability-explained...</a>

I know I am going to be in the minority, but I think it&#x27;s time for the JS community (and others) to reconsider whether Apache &amp; Eclipse orgs with more &quot;rigid&quot; governance requirements should used more for popular packages.

I see a way to solve this with technology and that is for tools to allow secondary developers to publish on the package repository, but after a mandatory N-day delay. The main owner can then always have a chance to review.

A lot of butthurt people railing on the guy. Maybe he just doesn&#x27;t care anymore about a dead package he has no intention of maintaining.<p>Blame yourselves devs, not the author who donated hours and hours of free work for your benefit.

I see a lucrative business opportunity in alerting users when pwned&#x2F;vulnerable NPM packages are used in their projects. Maybe something like this exists already?

STOP RELYING ON 10000000000000 PACKAGES FROM DIFFERENT PEOPLE! Create 0 dependencies packages or at least a package with dependencies you control!

If this is possible (a repo being maintained by not the original owner), then you have to assume it&#x27;s happening.<p>So how can you be mad?

This is bound to happen from time to time. We should invent some tools to nuke the affected code from orbit.

Tl;dr: event-stream repo was injected with an attack that crawls your dependencies trying to find “copay-dash”. It then attacks it to steal all your bitcoin. The attacker was given maintenance rights to the repo by simply emailing the owner, who gave the rights freely. The owner and npm didn’t do a background check. Because of the MIT license, the owner has no liability&#x2F;responsibility for his actions.

Instead of blaming the original authors of the package start contributing to OSS.

$ npm ls event-stream flatmap-stream &#x2F; └── (empty)

Boy am I gonna start versioning real soon.

The more I read about major security vulnerabilities that should not have passed inspection, the more I believe someone put it intentionally or was told to.

its like watching people learn about the warranty clause of software licenses in real-time!

Hi all,<p>Here&#x27;s a quick summary of the situation.<p>WHAT HAPPENED?<p>==============<p>A widely-used dependency was handed over to a different maintainer, who proceeded to add a malicious sub-dependency to it. The sub-dependency only contained the malicious code in a single release, and only in the minified version, likely to avoid detection.<p>WHAT DID THE MALICIOUS CODE DO?<p>===============================<p>The malicious code used the &#x27;package description&#x27; to decrypt its payload; this was done to ensure that the malicious code would only run when the dependency was used in a specific application.<p>That specific application was the Copay Bitcoin wallet, from BitPay. The malicious code injects itself into the application, steals the user&#x27;s Bitcoin wallet, and sends it off to a remote server. It&#x27;s currently unknown who operates this server.<p>There may be other forks or projects with the same package description, &quot;A secure Bitcoin wallet&quot;, that are also affected.<p>HOW DO I KNOW WHETHER I WAS AFFECTED?<p>=====================================<p>As a developer: Look in your `package-lock.json` or `yarn.lock` for an entry of the `flatmap-stream` dependency, specifically version 0.1.1. Unless you were developing on Copay, the code probably wouldn&#x27;t have run, but you should still remove the dependency.<p>As a Copay user: No release of Copay included this malicious dependency. It&#x27;s unclear whether copay-dash, a fork of Copay, did. Contact your wallet developer for more information.<p>HOW CAN THIS BE PREVENTED IN THE FUTURE?<p>========================================<p>This is probably the most crucial question here. There&#x27;s already a &quot;lol JS&quot; bandwagon gaining steam in many places, but that&#x27;s not really the issue here; nor are small modules the issue.<p>Dominic Tarr is an established contributor to the ecosystem and part of the community, not some random unknown party, so this issue would have existed regardless of the size of the dependency.<p>I would argue that the real problem here is of a social and partly-economic nature: There&#x27;s no clear way for maintainers to find a good new maintainer for their projects.<p>This is not a problem that is unique to JS, either; such support structures are missing in most ecosystems.<p>As a developer community, we should probably have a serious discussion about the security risks introduced by lack of funding, and by the lack of a support structure for no-longer-maintained packages.<p>The latter can be solved on a grassroots level, without any payment being involved. The former is going to involve funding models of some sort, and I hope that this discussion can be had in a neutral manner, not as a marketing pitch for a specific startup.<p>Another important problem is that there&#x27;s essentially no code review tooling. While in this specific case even a review would have been unlikely to catch the issue, it&#x27;s pretty much impossible right now to review all of your dependencies in a project (in any language) without going crazy.<p>Possible solutions to that would include a review tracking system, that integrates with your package management and flags any new dependency in the tree as &#x27;needs review&#x27; before accepting it.

nodejs and the javascript community continues to be a shit show run by amateurs.

There are a few issues with NPM that make this kind of thing especially easy&#x2F;lucrative:<p>- An ecosystem of massive amounts of transitive dependencies increases the number of people you need to trust. If I wanted to attack a project that used NPM, their package.json dependencies would be a really good place to start. Find the least popular transitive dep they use and email the owner to see if you can be a contributor (repeat for all of their xdeps). If they don&#x27;t immediately give you publishing rights like OP did, then show some chutzpah and make valid commits until they do. While this attack works on any programming language&#x27;s dep system, it&#x27;s easier the more transitive deps a project has. People ITT blaming the OP don&#x27;t understand this attack always works on a long enough timescale. Do you think there isn&#x27;t someone out there who would make high quality contributions to an xdep of primedice.com (online gambling site) for 5 years to finally get publish access?<p>- Anything may run during `npm install`. npm install supports an --ignore-scripts argument to not run any scripts during install. This should be the default.<p>- Unqualified module names make it more desirable to &quot;take over&quot; a package than just publish your own package &quot;npm install &lt;username&gt;&#x2F;event-stream&quot;, so it contributes to an ecosystem of ownership-transfer that&#x27;s far less likely to exist on, say, <a href="https:&#x2F;&#x2F;package.elm-lang.org&#x2F;" rel="nofollow">https:&#x2F;&#x2F;package.elm-lang.org&#x2F;</a> where everything is qualified by a Github username.<p>- NPM website doesn&#x27;t show you source code. The github link on the project page is just a convention. I think the NPM website should have a light source code browser of whatever is in the tarball that you download and execute during `npm install`. Bonus points for reproducible builds from that source.<p>- Developers don&#x27;t actually review every bit of code they use and execute, especially not transitive deps. And we certainly aren&#x27;t going to bother to download the tarball from NPM and unpack it to inspect the code of every dep. Most people reading this don&#x27;t even know how to do that.<p>I&#x27;ve thought of some ideas to help the situation, like creating a Github shield that verifies that a conventional build script like `npm run publish-build` reproduces the tarballed code on NPM, but then I would just be doing free work for the NPM organization, and it&#x27;s still just a hack.

&quot;Hey! This random piece of software I found under the table at the pub does not have my best interests at heart?! My feelings are hurt!&quot;

Everyone is fired.<p>If you insist on pushing out hundreds of packages on npm, then drop support for them and hand over rights to random strangers, you are acting completely irresponsibly. You shouldn&#x27;t be given a pass because you&#x27;re doing it all voluntarily. Your professional reputation should suffer for it.

Is anyone going to bother crawling through all dependents of this library, extracting the package.json descriptions to find the proper key to decrypt the string and find out which package was being targeted?

Well, it would not happen if people used Elm :)

Well this undermines everything dominictarr has done for secure scuttlebutt and other projects, including datproject and its connection to Knight Foundation.<p>&quot;Oops, I just gave the repo to an unkown dude&quot;, OK. Sure. Just replace &quot;unkown dude&quot; with &quot;to my colleagues at 5 eyes secret service organization&quot;<p>This kind of mistake is not a mistake, not from a dude like dominic.