Slashdot Mirror


Compromised JavaScript Package Caught Stealing npm Credentials (bleepingcomputer.com)

An anonymous reader shares a report: A hacker gained access to a developer's npm account earlier this week and injected malicious code into a popular JavaScript library, code that was designed to steal the npm credentials of users who utilize the poisoned package inside their projects. The JavaScript (npm) package that got compromised is called eslint-scope, a sub-module of the more famous ESLint, a JavaScript code analysis toolkit. The hack took place on the night between July 11 and 12, according to the results of a preliminary investigation posted on GitHub a few hours ago. "One of our maintainers did observe that a new npm token was generated overnight (said maintainer was asleep)," said Kevin Partington, ESLint project member. Partington believes the hacker used the newly-generated npm token to authenticate and push a new version of the eslint-scope library on the npm repository of JavaScript packages.

44 comments

  1. congrats.... by Daneel Olivaw R. · · Score: 2

    you are breaking critical news a day late.

    1. Re:congrats.... by Daneel Olivaw R. · · Score: 1

      Also, I am kinda scared by how easy it is to infect libraries. We were lucky this time; people, start enforcing package locks and npm audits. Make that shit mandatory.

    2. Re:congrats.... by Desler · · Score: 1

      Only a day late? Wow, that's quick for Slashdot. Usually it's 3-5 days later. Plus there'll likely be the inevitable dupe posted by one of the other so-called editors just as icing on the cake.

    3. Re: congrats.... by Anonymous Coward · · Score: 0

      The real problem is that when you use npm install --save [dependency] or yarn add [dependency] it adds [dependency] with a dynamic version number. So every time you run npm install to download dependencies, the version you get isn't locked down.

      Note that this is the default behaviour only and you should change it because it's fucking dumb

    4. Re:congrats.... by Aighearach · · Score: 5, Insightful

      It is the same as everything else, if you're willing to install dependencies and allow them to automatically update, you're already p0wned.

      Is the correct way to handle code reuse to learn from code already written, and to reuse the code that does what you want, or is it a crutch that lets you write code you don't actually understand how to write?

      If I'm going to use a JS library, I'm going to choose it very carefully, and then place it inside my project. Even without the security considerations, just stuffing it into your project where the bleeding-edge version is automatically tracked, that's just asking to get hit early with every type of bug, not just the security ones and malfeatures from jerks and criminals. I don't want today's version; and if it is doing something critical where I need to care about updates, then using a third party project doesn't mean I can stop following the news about exploits; it actually means I have to follow it more closely than otherwise.

      Updates aren't magic, they're an attack vector; you need to have a human evaluate the situation and then do an update promptly if needed. Don't trust updates from a repo unless it is a repo that receives testing from human engineers! Your OS updates you might therefore want to have on auto; but most package dependencies, you should be on a "stable" version. Don't develop your applications to development versions of dependencies, you don't actually need untested features.

    5. Re:congrats.... by Anonymous Coward · · Score: 0

      I'm sure they'll keep reposting it for days though!

    6. Re:congrats.... by Desler · · Score: 1

      p0wned

      The term is "pwned", gramps.

    7. Re:congrats.... by Daneel Olivaw R. · · Score: 1

      Yeah, let's all reinvent the wheel or roll our own crypto like iota.

    8. Re:congrats.... by sexconker · · Score: 1

      Yeah, let's all reinvent the wheel or roll our own crypto like iota.

      Rolling your own crypto isn't bad. Presuming you can do it correctly.

      Even if you only take it as far as running your own CA and signing and trusting your own certs, you'll be way more secure than the rest of the world depending on 3rd party CAs.
      If you want to get serious, you take a standard algorithm but change the default parameters, investigate what curve is used and why (hello NSA), etc.
      If you're worried you might fuck something up, then you take a standard algorithm and standard config, but add a second layer of something else on top so if you fuck up the outer layer the inner layer is still protected by established, standard shit.

      Developing your own actual algorithm isn't gonna fly. Only a handful of humans on the planet can do that, and the truth is they don't really understand the math (if they did, they'd be able to prove it formally). The only formally-proved, secure, and reversible encryption methods are those in which the key length is as long as (or longer than) the plaintext. For example, XOR. f(x) = 0 is provably secure, but non-reversible (and completely useless).

    9. Re:congrats.... by Aighearach · · Score: 2

      Sorry kid, the old words didn't disappear just because the new word was really groovy.

      Now get off the lawn, I spilled my meds somewhere in this field and I'm gonna sit here and watch the grass grow until I either remember where I dropped them, or forget why I'm sitting here.

    10. Re:congrats.... by Anonymous Coward · · Score: 0

      The term is "pwned", gramps.

      Dad, all the cool kids say "pwnt" now.

    11. Re:congrats.... by phantomfive · · Score: 1

      If I'm going to use a JS library, I'm going to choose it very carefully, and then place it inside my project. Even without the security considerations, just stuffing it into your project where the bleeding-edge version is automatically tracked, that's just asking to get hit early with every type of bug, not just the security ones and malfeatures from jerks and criminals. I don't want today's version; and if it is doing something critical where I need to care about updates, then using a third party project doesn't mean I can stop following the news about exploits; it actually means I have to follow it more closely than otherwise.

      I just want to point out that this is really hard to do these days (i.e., a lot of effort). That is the #1 thing that frustrates me about web development these days.

      --
      "First they came for the slanderers and i said nothing."
    12. Re:congrats.... by phantomfive · · Score: 1

      For example, XOR. f(x) = 0 is provably secure, but non-reversible (and completely useless).

      Secure in theory, but you still have to be careful to not fall to side-channel attacks.

      --
      "First they came for the slanderers and i said nothing."
    13. Re:congrats.... by DontBeAMoran · · Score: 1

      Nope, you're four hours late. It's "pwn" now.

      --
      #DeleteFacebook
    14. Re:congrats.... by Desler · · Score: 1

      And none say "p0wnt" like grandpa would think.

    15. Re:congrats.... by Desler · · Score: 1

      No one ever used the term "p0wned."

    16. Re:congrats.... by Aighearach · · Score: 1

      It's why I went back to writing secure dynamic websites in C with no framework.

      I just wish I was joking. It feels like there should be some kind of punchline right here.

    17. Re:congrats.... by Anonymous Coward · · Score: 0

      Unfortunately, it's not that simple. Just installing tools you might use, not libraries, could be a problem. An example is installing webpack, which then further installs 800+ other modules, which in turn depend on other modules. It's almost impossible, except for a large development team, to go through all of the modules that are included for a security check.

      Although I agree with people in saying that npm is littered with a lot of garbage with zero accountability. I've seen a lot of people compare it to something like apt-get/yum/dnf where we just install willy nilly packages, but it's not even remotely the same. #1 the developers are NOT in charge of the standard repos that the distros use. #2 if there is a security issue with a module they will either remove it or patch it themselves (esp. if the module is not maintained anymore). npm has a lot of modules that are not maintained and are considered abandoned, with no way for someone to take over the module.

    18. Re:congrats.... by phantomfive · · Score: 1

      Do you have anything you've open sourced?

      --
      "First they came for the slanderers and i said nothing."
    19. Re:congrats.... by sexconker · · Score: 1

      That's an implementation issue. No mere mortal is going to be able to truly trust modern computing hardware.

  2. The risk of open source. by jellomizer · · Score: 0

    Open collaborative coding with the public, always opens the door for bad actors to get in and inject bad code. Especially if the review process is kinda lax.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:The risk of open source. by Tsolias · · Score: 2

      That's why people say, ignorance is happiness.
      You take your proprietary binary,
      you never think that it's compromised,
      so you live a happy dev life in ignorance.

    2. Re: The risk of open source. by Anonymous Coward · · Score: 0

      So lax it has been caught in a day. Disgusting.

    3. Re:The risk of open source. by 110010001000 · · Score: 3, Informative

      Closed source software has been stealing credentials and data for years. It took a day to catch the open source one. Your phone is riddled with data stealing software right now.

    4. Re:The risk of open source. by Aighearach · · Score: 1

      Sorry for adding the spoiler, but in this case "kinda lax" is a sarcastic way of saying "missing or absent." The npm "review" process is that after somebody injects malware, and it gets pushed out, then if enough people report it as a bug it might get removed.

    5. Re:The risk of open source. by Anonymous Coward · · Score: 0

      No, I don't use Android, sorry.

  3. Well, the law doesn't apply to some. by Anonymous Coward · · Score: 0

    The law for thee - but not for mi? #Law&OrderParty #TreasonIsFineAlso http://www.parkerliveonline.com/2018/07/11/ariz-lawmaker-brags-speeding/

  4. If the internet is only remembered for one thing. by Fly Swatter · · Score: 1

    It is showing the true nature of man.

  5. Here's an unpleasant fact few can stomach by Anonymous Coward · · Score: 0

    Javascript has destroyed the web; we were better as in, safer, same functionality available, better able to create web pages etc. before it took over the world.

    1. Re:Here's an unpleasant fact few can stomach by sexconker · · Score: 2

      That's a pleasant fact to me. JS is garbage. The interactive web is garbage. So what if I have to submit a page and wait for another response?

      I prefer that over executing your code on my box.

  6. Christianity & Trumptards have underscored tha by Anonymous Coward · · Score: 0

    If the internet is only remembered for one thing ... It is showing the true nature of man.

    You got that right. The Trumptards have underlined it in bold, and the picture ain't pretty.

    It is depressing to belong to a species whose extinction and absence will be a profound improvement for the world, and possibly the entire universe within our light-cone.

  7. Re:I got a package u can compromise by Anonymous Coward · · Score: 0

    It's such a tiny package though. It isn't worth compromising.

  8. Re:Christianity & Trumptards have underscored by Anonymous Coward · · Score: 0

    How so? How would the world benefit from the fall of man? Reduced CO2 levels? You think the planet gives a shit about that? You're a moron. Man is the pinnacle of evolution and as such is the ultimate destiny of this planet.

  9. Funny by Anonymous Coward · · Score: 0

    Secure or easy. Pick one.

  10. Package Systems are Cancer by Anonymous Coward · · Score: 0

    I guess I'm an old fart now, being mid-30s, but this package management/repository stuff has always seemed like cancer to me because of said things happening.

    I think they've mainly been made up to lower the barrier to entry for monkeys who don't understand how to integrate a library into their build system.

    When I decide to use a 3rd party library in a project, I either take a copy of a release and integrate it directly, or clone a copy of the git repository for our own servers in case the source disappears so that we have a full revision history of the code.

    After doing that, I subscribe to any mailing lists or issue trackers associated with that 3rd party code to keep a tab on what's happening with it and will only update it if there is a critical bug fix or a new feature that we need.

    The whole notion of pulling down packages willy nilly without knowing what's actually in them or what they in turn depend on is just completely insane.

    1. Re:Package Systems are Cancer by Anonymous Coward · · Score: 0

      Even if you use git you're still at risk, because the git repositories have been taken over too. The problem here is that as with git and open access repositories where anyone can add a package, some people who put stuff there do not follow good security practices. It's more than a little different than a single source provider like Fedora. Some distros like OpenSuse have begun allowing "community packages"; this once again introduces the problem of allowing people who do not have good training or practices to contribute packages. I recommend staying away from the community stuff. The idea of these "community packages" and crowd sourcing etc., as seen with browser add-ons, python module repositories, etc., has long been known to be a problem.

      Sadly, the only real way to be safe is to be very familiar with the source code you are using, avoid convoluted code you don't understand, and using git tools to review every change upstream made.

    2. Re:Package Systems are Cancer by DontBeAMoran · · Score: 1

      Download the .js file, put it on your own web server, edit and remove the parts you don't use, review the parts you use. That's the only way to be sure.

      --
      #DeleteFacebook
    3. Re:Package Systems are Cancer by Anonymous Coward · · Score: 0

      I guess I'm an old fart now, being mid-30s, but this package management/repository stuff has always seemed like cancer to me because of said things happening.

      I think they've mainly been made up to lower the barrier to entry for monkeys who don't understand how to integrate a library into their build system.

      When I decide to use a 3rd party library in a project, I either take a copy of a release and integrate it directly, or clone a copy of the git repository for our own servers in case the source disappears so that we have a full revision history of the code.

      After doing that, I subscribe to any mailing lists or issue trackers associated with that 3rd party code to keep a tab on what's happening with it and will only update it if there is a critical bug fix or a new feature that we need.

      The whole notion of pulling down packages willy nilly without knowing what's actually in them or what they in turn depend on is just completely insane.

      This. I would use all 5 mod points to mod this comment up if I could.

      If any of you are thinking, "How am I supposed to actually read the mailing lists for all 10,000 packages in my app?"

      Consider that you also can't verify that those 10,000 packages are actually safe to use

      Put down the frameworks, use a few libs sparingly if you need to, and learn how to fucking code

  11. Gotta think long and hard HOW to break the news by Anonymous Coward · · Score: 0

    Ha ha only kidding. Just shout "hacker!" a lot and you have prime msmash&beauhd posting material.

  12. And as a security conscious developer... by Anonymous Coward · · Score: 0

    I really don't want to run any of MY code on YOUR box. Yet that's what the web today is made up of. It's infuriating.

  13. Doh by ememisya · · Score: 1

    This is the risk you take with using a dependency by "some dude" rather than an organization which takes steps to implement proper security. It also demonstrates how auto-updates can be abused and are not always a good thing. If you must use such a library, go over the code line by line first.

  14. Re:Christianity & Trumptards have underscored by Anonymous Coward · · Score: 0

    How so? How would the world benefit from the fall of man?

    Here's one way

    You're a moron. Man is the pinnacle of evolution and as such is the ultimate destiny of this planet.

    The world would also benefit from having less of this sort of idiocy.

    A tardigrade can survive in much more extreme environments than a human, and is therefore ahead in evolutionary terms.