Slashdot Mirror


Compromised JavaScript Package Caught Stealing npm Credentials (bleepingcomputer.com)

An anonymous reader shares a report: A hacker gained access to a developer's npm account earlier this week and injected malicious code into a popular JavaScript library, code that was designed to steal the npm credentials of users who utilize the poisoned package inside their projects. The JavaScript (npm) package that got compromised is called eslint-scope, a sub-module of the more famous ESLint, a JavaScript code analysis toolkit. The hack took place on the night between July 11 and 12, according to the results of a preliminary investigation posted on GitHub a few hours ago. "One of our maintainers did observe that a new npm token was generated overnight (said maintainer was asleep)," said Kevin Partington, ESLint project member. Partington believes the hacker used the newly-generated npm token to authenticate and push a new version of the eslint-scope library on the npm repository of JavaScript packages.


  1. congrats.... by Daneel+Olivaw+R.+ · · Score: 2

    you are breaking critical news a day late.

    1. Re:congrats.... by Daneel+Olivaw+R.+ · · Score: 1

      Also, I am kinda scared how easy it is to infect libraries. We were lucky this time; people are starting to enforce package locks and npm audits. Make that shit mandatory.

    2. Re:congrats.... by Desler · · Score: 1

      Only a day late? Wow, that's quick for Slashdot. Usually it's 3-5 days later. Plus there'll likely be the inevitable dupe posted by one of the other so-called editors just as icing on the cake.

    3. Re:congrats.... by Aighearach · · Score: 5, Insightful

      It is the same as everything else, if you're willing to install dependencies and allow them to automatically update, you're already p0wned.

      Is the correct way to handle code reuse to learn from code already written, and to reuse the code that does what you want, or is it a crutch that lets you write code you don't actually understand how to write?

      If I'm going to use a JS library, I'm going to choose it very carefully, and then place it inside my project. Even without the security considerations, just stuffing it into your project where the bleeding-edge version is automatically tracked, that's just asking to get hit early with every type of bug, not just the security ones and malfeatures from jerks and criminals. I don't want today's version; and if it is doing something critical where I need to care about updates, then using a third party project doesn't mean I can stop following the news about exploits; it actually means I have to follow it more closely than otherwise.

      Updates aren't magic, they're an attack vector; you need to have a human evaluate the situation and then do an update promptly if needed. Don't trust updates from a repo unless it is a repo that receives testing from human engineers! Your OS updates you might therefore want to have on auto; but most package dependencies, you should be on a "stable" version. Don't develop your applications to development versions of dependencies, you don't actually need untested features.
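One way to check for the two habits raised in this thread (package locks and npm audit in the earlier reply, and staying on pinned stable versions instead of auto-tracking in the reply above), as an added example that is neither from the thread nor npm's own tooling; it assumes the lockfileVersion 1 layout and uses constructed sample manifests:

```javascript
// Added example, not from the thread: audit a package.json with its package-lock.json
// (lockfileVersion 1 layout assumed) for two supply-chain weaknesses: version ranges that
// let a newly published release install on its own, and lock entries without an integrity
// hash, so a swapped tarball of the same version would go unnoticed.

// Exact pins look like "1.2.3"; ^, ~, *, x, ranges and dist-tags such as "latest" all float.
function isFloatingRange(spec) {
  return !/^\d+\.\d+\.\d+$/.test(String(spec).trim());
}

// Returns findings; an empty list means every dependency is pinned and locked with a hash.
function auditDependencies(pkg, lock) {
  const findings = [];
  const deps = Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
  const locked = lock.dependencies || {};
  for (const [name, spec] of Object.entries(deps)) {
    if (isFloatingRange(spec)) {
      findings.push({ name, issue: "floating-range", detail: spec });
    }
    const entry = locked[name];
    if (!entry) {
      findings.push({ name, issue: "missing-from-lock" });
      continue;
    }
    if (!/^sha(256|512)-\S+$/.test(entry.integrity || "")) {
      findings.push({ name, issue: "no-integrity", detail: entry.version });
    }
  }
  return findings;
}

// Constructed sample manifests (versions, URLs and the hash are placeholders, not real data).
const samplePackageJson = {
  dependencies: { "eslint-scope": "^1.0.0", "pinned-lib": "2.4.1" },
  devDependencies: { "dev-tool": "~0.9.0" },
};
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "eslint-scope": {
      version: "1.0.5",
      resolved: "https://registry.example/eslint-scope-1.0.5.tgz",
      integrity: "sha512-CONSTRUCTEDPLACEHOLDERHASH",
    },
    "pinned-lib": { version: "2.4.1", resolved: "https://registry.example/pinned-lib-2.4.1.tgz" },
  },
};

for (const f of auditDependencies(samplePackageJson, sampleLock)) {
  console.log(`${f.name}: ${f.issue}${f.detail ? " (" + f.detail + ")" : ""}`);
}
```

Run against a real project by replacing the sample objects with `JSON.parse(fs.readFileSync(...))` of the two files; any finding is a dependency that could change under you without a human looking at it.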

    4. Re:congrats.... by Desler · · Score: 1

      p0wned

      The term is "pwned", gramps.

    5. Re:congrats.... by Daneel+Olivaw+R.+ · · Score: 1

      Yeah, let's all reinvent the wheel or roll our own crypto like iota.

    6. Re:congrats.... by sexconker · · Score: 1

      Yeah, let's all reinvent the wheel or roll our own crypto like iota.

      Rolling your own crypto isn't bad. Presuming you can do it correctly.

      Even if you only take it as far as running your own CA and signing and trusting your own certs, you'll be way more secure than the rest of the world depending on 3rd party CAs.
      If you want to get serious, you take a standard algorithm but change the default parameters, investigate what curve is used and why (hello NSA), etc.
      If you're worried you might fuck something up, then you take a standard algorithm and standard config, but add a second layer of something else on top so if you fuck up the outer layer the inner layer is still protected by established, standard shit.

      Developing your own actual algorithm isn't gonna fly. Only a handful of humans on the planet can do that, and the truth is they don't really understand the math (if they did, they'd be able to prove it formally). The only formally-proved, secure, and reversible encryption methods are those in which the key length is as long as (or longer than) the plaintext. For example, XOR. f(x) = 0 is provably secure, but non-reversible (and completely useless).

    7. Re:congrats.... by Aighearach · · Score: 2

      Sorry kid, the old words didn't disappear just because the new word was really groovy.

      Now get off the lawn, I spilled my meds somewhere in this field and I'm gonna sit here and watch the grass grow until I either remember where I dropped them, or forget why I'm sitting here.

    8. Re:congrats.... by phantomfive · · Score: 1

      If I'm going to use a JS library, I'm going to choose it very carefully, and then place it inside my project. Even without the security considerations, just stuffing it into your project where the bleeding-edge version is automatically tracked, that's just asking to get hit early with every type of bug, not just the security ones and malfeatures from jerks and criminals. I don't want today's version; and if it is doing something critical where I need to care about updates, then using a third party project doesn't mean I can stop following the news about exploits; it actually means I have to follow it more closely than otherwise.

      I just want to point out that this is really hard to do these days (i.e., a lot of effort). That is the #1 thing that frustrates me about web development these days.

      --
      "First they came for the slanderers and i said nothing."

    9. Re:congrats.... by phantomfive · · Score: 1

      For example, XOR. f(x) = 0 is provably secure, but non-reversible (and completely useless).

      Secure in theory, but you still have to be careful to not fall to sidechannel attacks.

      --
      "First they came for the slanderers and i said nothing."

    10. Re:congrats.... by DontBeAMoran · · Score: 1

      Nope, you're four hours late. It's "pwn" now.

      --
      #DeleteFacebook

    11. Re:congrats.... by Desler · · Score: 1

      And none say "p0wnt" like grandpa would think.

    12. Re:congrats.... by Desler · · Score: 1

      No one ever used the term "p0wned."

    13. Re:congrats.... by Aighearach · · Score: 1

      It's why I went back to writing secure dynamic websites in C with no framework.

      I just wish I was joking. It feels like there should be some kind of punchline right here.

    14. Re:congrats.... by phantomfive · · Score: 1

      Do you have anything you've open sourced?

      --
      "First they came for the slanderers and i said nothing."

    15. Re:congrats.... by sexconker · · Score: 1

      That's an implementation issue. No mere mortal is going to be able to truly trust modern computing hardware.

  2. Re:The risk of open source. by Tsolias · · Score: 2

    That's why people say, ignorance is happiness.
    You take your proprietary binary,
    you never think that it's compromised,
    so you live a happy dev life in ignorance.

  3. If the internet is only remembered for one thing. by Fly+Swatter · · Score: 1

    It is showing the true nature of man.

  4. Re:The risk of open source. by 110010001000 · · Score: 3, Informative

    Closed source software has been stealing credentials and data for years. It took a day to catch the open source one. Your phone is riddled with data stealing software right now.

  5. Re:The risk of open source. by Aighearach · · Score: 1

    Sorry for adding the spoiler, but in this case "kinda lax" is a sarcastic way of saying "missing or absent." The npm "review" process is that after somebody injects malware, and it gets pushed out, then if enough people report it as a bug it might get removed.

  6. Re:Here's an unpleasant fact few can stomach by sexconker · · Score: 2

    That's a pleasant fact to me. JS is garbage. The interactive web is garbage. So what if I have to submit a page and wait for another response?

    I prefer that over executing your code on my box.

  7. Re:Package Systems are Cancer by DontBeAMoran · · Score: 1

    Download the .js file, put it on your own web server, edit and remove the parts you don't use, review the parts you use. That's the only way to be sure.

    --
    #DeleteFacebook

  8. Doh by ememisya · · Score: 1

    This is the risk you take with using a dependency by "some dude" rather than an organization which takes steps to implement proper security. Also demonstrates how auto-updates can also be abused and is not always a good thing. If you must use such a library, go over the code line by line first.