Slashdot Mirror

← Back to Stories (view on slashdot.org)

Node.js Event-Stream Hack Reveals Open Source 'Developer Infrastructure' Exploit (arstechnica.com)

Posted by EditorDavid on from the weakest-links dept.

"[O]n Nov. 26 it was publicly revealed that a widely deployed open-source Node.js programming language module known as event-stream had been injected with malicious code that looked to steal cryptocurrency wallets," reports eWeek, adding "The event-stream library has over two million downloads."

An anonymous reader quotes Ars Technica: The backdoor came to light [November 20th] with this report from Github user Ayrton Sparling. Officials with the NPM, the open source project manager that hosted event-stream, didn't issue an advisory until six days later.... "This compromise was not targeting module developers in general or really even developers," an NPM official told Ars in an email. "It targeted a select few developers at a company, Copay, that had a very specific development environment set up. Even then, the payload itself didn't run on those developers' computers; rather, it would be packaged into a consumer-facing app when the developers built a release. The goal was to steal Bitcoin from this application's end users...."

According to the Github discussion that exposed the backdoor, the longtime event-stream developer no longer had time to provide updates. So several months ago, he accepted the help of an unknown developer. The new developer took care to keep the backdoor from being discovered. Besides being gradually implemented in stages, it also narrowly targeted only the Copay wallet app. The malicious code was also hard to spot because the flatmap-stream module was encrypted. The attack is the latest to exploit weaknesses in a widely used supply chain to target downstream end users... The supply-chain attacks show one of the weaknesses of open source code. Because of its openness and the lack of funds of many of its hobbyist developers and users, open source code can be subject to malicious modifications that often escape notice.
"The time has come," concludes Ars Technica, "for maintainers and users of open source software to devise new measures to better police the millions of packages being used all around us." Sophos' security blog also asks why so many developers "immediately and blindly trusted the new maintainer," and shared a concerned comment from developer named Chris Northwood.

"Nothing's stopping this happening again, and it's terrifying."

82 comments

  1. Many eyes by Anonymous Coward · · Score: 3, Insightful

    Many eyes mean nothing if they aren't looking.

    1. Re: Many eyes by Anonymous Coward · · Score: 0

      The craziest things happen in this space.

    2. Re:Many eyes by Anonymous Coward · · Score: 0

      When using floss, either audit external libs OR do not link to web-based resources. It's generally safer to download and use locally your "node.js"/whatever.js thingie in case the upstream website gets hacked. This actually solves another issue, the fact that library updates pushed from upstream can break production code.

    3. Re:Many eyes by Anonymous Coward · · Score: 0

      Well, they are clearly looking... otherwise this problem wouldn't exist!

    4. Re: Many eyes by Anonymous Coward · · Score: 0

      my teeth don't code. i use floss to clean between my teeth.

  2. Good thing by phantomfive · · Score: 2

    Good thing they used a safe language like Javascript so exploits can't happen.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Good thing by Opportunist · · Score: 1

      Javascript as a server language.

      If you said that 10 years ago, people would've looked you like you just said that the president ... bad example.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Good thing by AuMatar · · Score: 5, Insightful

      Language had nothing to do with it. This could have occurred in any language. Its the culture of using random libraries found off the web without doing security audits that's the culprit.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    3. Re:Good thing by Anonymous Coward · · Score: 0

      ORANGE SCRIPT BAD!

    4. Re:Good thing by mermeid007 · · Score: 1

      He just wants to be near with you people

    5. Re:Good thing by K.+S.+Kyosuke · · Score: 1

      Javascript as a server language. If you said that 10 years ago, people would've looked you like you just said that the president ... bad example.

      So, something like the Netscape Enterprise Server?

      --
      Ezekiel 23:20
    6. Re: Good thing by Anonymous Coward · · Score: 0

      No, it is the culture of negligently distributing these random libraries to predictably inexperienced and inattentive programmers.

      It would be infeasible to audit the volume of code moving through these package managers. There are not enough qualified eyes, and there is not enough incentive even if the eyes were available.

      The problem here is the NPM people trying to boost their perceived successes with raw numbers of libraries and downloads.

      The problem is people pooping out JavaScript frameworks that compete on maximizing access to functionality while minimizing the qualifications needed to use it.

      PHP has the same problem, but at least it never got a foothold on the client side,

    7. Re:Good thing by Anonymous Coward · · Score: 0

      Language had nothing to do with it. This could have occurred in any language. Its the culture of using random libraries found off the web without doing security audits that's the culprit.

      This is true, but is only part of the story. The other part is why JS noobs are using random shit that they found on the web: Their chosen platform (Node/NPM) make it easy to do so, and also they seem to operate under the misconception that the packages coming from their chosen platform are all deemed safe enough to appear on the platform, and so must be safe enough to use blindly.

      NPM in particular makes it easy to have software made up of lots of other little bits of software so that when you get one you get thousands of other dependent pieces, your average JS noob isn't even thinking about auditing any of it.

      These noobs need to get rid of the training wheels and learn how to actually write code to make a fucking computer Do The Thing, instead of looking for libDoTheThing.min.js on NPM. Of course that won't happen, which is why I tend not to even use Node.JS at work (discourage JS noobs from joining a company where their preferred toys are not ever going to be available). Now that Web Assembly is available, I'm going to be phasing out JS entirely from the tech stack

    8. Re: Good thing by Anonymous Coward · · Score: 0

      Won't multiple deep dependencies create lots of hugs and kisses later on after a few updates?

    9. Re: Good thing by Anonymous Coward · · Score: 0

      Serious question: What languages and frameworks are you going to use to compile to your web assembly?

      As a random example, let's say Go with the web assembly target. Go also makes it easy to pull down random libraries from GitHub. Some of these may make auditing even harder.

      Or deeper: what repositories will pop up (or already exist), that provide precompiled web assembly "binaries", that make things nearly impossible to audit?

    10. Re: Good thing by Anonymous Coward · · Score: 0

      Serious question: What languages and frameworks are you going to use to compile to your web assembly?

      C++ code, probably with boost although it isn't a requirement; CMake for a cross platform build system, emscripten or clang to do the actual compile to wasm

    11. Re: Good thing by Anonymous Coward · · Score: 0

      Blazor.net... if you are looking for a well maintained and supported project.

    12. Re:Good thing by Anonymous Coward · · Score: 0

      Language had nothing to do with it. This could have occurred in any language. Its the culture of using random libraries found off the web without doing security audits that's the culprit.

      Yup.
      A few months ago, a decade-younger colleague of mine was excitedly telling me about Docker, and how easy it was to pull images other people built for just about anything from the internet. So convenient.
      Then I asked him if he thought it was a good idea to pull unvetted software directly from the internet and run it in the hearth of our data center. His smile turned into an eyes-wide-open expression of fear.
      A few weeks after that there was an article here on /. about Docker images poisoned with malware. Imagine that...

    13. Re:Good thing by KJ+Hrim · · Score: 1

      It's often the case where something is included into an application without the long view... If you are on a two week sprint, and need it done, including a functioning component is the easy answer. Two, or Three years later the person who made that selection is long gone. In this case it was the "worst-case-scenario", a library that was on the verge of being abandoned rescued by a nefarious helper. THIS IS JUST ONE OF MANY...

    14. Re: Good thing by Anonymous Coward · · Score: 0

      Sorry I don't follow.

      Are we talking server side, like node.js? Then why C++/Boost->webasm, instead of just portable C++/Boost->native, or a different modern language like Go/Python/etc, or older & safer than C++ like Java?

      If we're talking execution on the client side in the browser... C++/Boost as webasm isn't making sense to me; the richness of web libraries, bindings, etc just isn't there..

      Please enlighten me.

    15. Re: Good thing by Anonymous Coward · · Score: 0

      Thanks for the tip!

    16. Re:Good thing by cas2000 · · Score: 1

      npm is especially bad, but ruby and python aren't much better - they all encourage the use of brawndo-installer ("curl $URL | sudo bash" - it's got what programmers crave) to install libs and other software.

    17. Re: Good thing by Anonymous Coward · · Score: 0

      Won't multiple deep dependencies create lots of hugs and kisses later on after a few updates?

      Hugs and kisses? That's some kind of euphemism. Depending on NPM is like being sexually promiscuous without taking any precautions. Either way, you can get some serious infections.

      So don't get hugged up. Practice safe programming.

    18. Re: Good thing by Anonymous Coward · · Score: 0

      Sorry I don't follow.

      Are we talking server side, like node.js? Then why C++/Boost->webasm, instead of just portable C++/Boost->native, or a different modern language like Go/Python/etc, or older & safer than C++ like Java?

      If we're talking execution on the client side in the browser... C++/Boost as webasm isn't making sense to me; the richness of web libraries, bindings, etc just isn't there..

      Please enlighten me.

      I'm talking about writing an entire app with native code: When you build for web: in goes C++ code and out comes some .wasm module(s), optionally with the html page and js code to load it automagically done for you. When you build the same thing targeting Windows for example, in goes C++ and out comes an .exe and some .dlls (depending on how you structure your code)

      Want to build your module for Android, OSX or iOS? They all support C++

      Why not use Python, Java, Go, etc? I don't want to distribute a ~200MB framework along with my ~5MB of binaries and also I might want to build the reusable components for mobile etc

      C++/Boost as webasm isn't making sense to me; the richness of web libraries, bindings, etc just isn't there..

      And that's the point, especially within the context of this article: the "richness" you speak of is also the mountains of shit written by fucking idiots. Writing native code has the side effect of excluding the people who need training wheels such as Node.JS & NPM

      if you want to do this but really need someone to hold your hand through the scary compiled code, there are frameworks being made, and from the big established players in tech, there are also efforts such as Blazor from Microsoft (For wasm at the moment they send down the entire dot net dll for whatever framework feature you've used in your code)

  3. "he accepted the help of an unknown developer" by Anonymous Coward · · Score: 0

    There's your problem.

    If you're that much of a blackeyer, there's nothing in the world that can protect you. You might as well become a pro-NSA Alex Jones, and go around calling everyone a "conspiracy theorist", who ever dares thinking and isn't currently dead asleep.

    1. Re: "he accepted the help of an unknown developer" by Anonymous Coward · · Score: 0

      This is the worst story I have ever read, hands down. You canâ(TM)t make this shit up.

    2. Re: "he accepted the help of an unknown developer" by Anonymous Coward · · Score: 0

      But they donâ(TM)t usually do they?

  4. Open Source security is inexistent by Anonymous Coward · · Score: 0

    Just because an open source program seems to be developed with security in mind doesn't mean that the other thousand open source packages that it relies on aren't full of security holes. Especially since nobody is looking anymore at a lot of these packages.

    1. Re:Open Source security is inexistent by Anonymous Coward · · Score: 0

      Hey big boy, wanna take a good look at my package?

    2. Re:Open Source security is inexistent by Anonymous Coward · · Score: 0

      No one has ever used your package, it doesn't hurt if it continues to be ignored.

  5. Also a problem for closed source software by El+Cubano · · Score: 5, Interesting

    The supply-chain attacks show one of the weaknesses of open source code. Because of its openness and the lack of funds of many of its hobbyist developers and users, open source code can be subject to malicious modifications that often escape notice.

    Every time I read something like this I have to imagine it was written by someone who works for or owns stock in one of those companies that produces "compliance" tools/services targeted at businesses that use open source.

    I mean, come on. This exact same problem exists for closed source software. Face it, you know about as much about the developers of any random closed source application or library as you do about any random open source application or library. In fact, it is less likely that a malicious change will be discovered if you do not have access to the source code.

    1. Re:Also a problem for closed source software by Anonymous Coward · · Score: 0

      In the future it's probably going to become inevitable that developers identities are verified in a way they can be held accountable for their code. Problem is the risk just changes to someone gaining access to their accounts. Let's hope this is not the work of proprietary companies attempting to discredit Open Source.

    2. Re:Also a problem for closed source software by Anonymous Coward · · Score: 1

      I believe that the grandparent was on to something. If you think about how Node.js and other javascript framework libraries work, they're frequently configured to pull the latest updates for all of their dependencies and the dependencies of those dependencies and so on. You can imagine this as a large tree of dependencies with many sub-trees. Furthermore, because Node.js pulls in many "utility" and other libraries either directly or indirectly, and many utility libraries are maintained by a small group of developers, there is an enormous temptation to inject malicious code. If you can put malicious code into a popular utility or bit of functionality in the Node.js community, it's very likely that your malicious utility library will be pulled into and used as a dependency in thousands or even millions of websites or APIs. It's the scale of something like Node.js and it's dependency auto-pulling behavior (built-in distribution) that makes a compromise like this attractive to hackers.

    3. Re:Also a problem for closed source software by sad_ · · Score: 1

      indeed, in every argument against open source software, the same argument can always be used against proprietary software too.

      --
      On a long enough timeline, the survival rate for everyone drops to zero.
  6. Node / npm is a cancer by Anonymous Coward · · Score: 1

    A sure sign that development is being taken over by normies and retards

    1. Re:Node / npm is a cancer by Opportunist · · Score: 3, Insightful

      The main problem with node starts way earlier. First, 100 packages doing the same. Well, not really. Just kinda. Say you need a package that deals with a certain database. You'll find 5. And no matter which one you eventually choose randomly (because asking google is like asking a bunch of /. users which Linux distri to get, you'll get 5 answers telling you the merits of 6 different solutions), it will be the one that you eventually realize doesn't have that one crucial feature you actually needed, won't play nice with whatever other middleware you have to use or has simply not been updated for 2 years because whoever wrote it lost interest.

      Which leads to the next thing: Abandoned packages. Most of those solutions depend on a single maintainer. And his whims. When he doesn't feel like maintaining it anymore, poof. Try to maintain that code now that some crucial part of it simply isn't updated anymore, the technology it communicated with did move on and becomes incompatible and you're SOL.

      I mean, I get it, it's a toy for people who learned web design, can't be assed to learn a real language and also want to do shit with servers. Ok. But ... seriously, python is not THAT hard...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re: Node / npm is a cancer by Anonymous Coward · · Score: 1

      I love Python, even though I only used it to work with Zope.

      But Python, AFAIK, does not offer the same full stack tool chains now available via JS.

      JS has become PHP, except with even fewer obstacles to keep people from getting in way over their head.

      I suspect that if Python were as accommodating, the state of Python would plummet as well. The problem isnâ(TM)t the language, the problem is that there are too many people programming who do not have the wisdom or experience to do it competently.

      That, and the previous statement will be denounced as elitism. Which it is. So be it.

    3. Re: Node / npm is a cancer by Opportunist · · Score: 2

      The problem is people making packages that have no business doing so. Half of them are sorta-kinda working with glaring security holes that make even newbie programmers cringe.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. WebAssembly Gonna Nuke It From Orbit by L_R_Shaw · · Score: 3, Informative

    Thank god WebAssembly is rapidly advancing with the fever of someone trapped in an elevator with fat guy who ate nothing but beans for lunch and the entire clusterfuck that is Javascript/Node is about to be dumped on the garbage heap of dead tech.

    1. Re:WebAssembly Gonna Nuke It From Orbit by mermeid007 · · Score: 1

      Yeah, Javascript kind of sucks unless its used by the same team all the time and they can keep the code bug free. Random Javascript on a new project or occassional/sudden use/transition to Javascript? That's a nightmare waiting to happen.

    2. Re:WebAssembly Gonna Nuke It From Orbit by anss123 · · Score: 1

      These sorts of attacks have been conducted against more than just NPM.

      Meanwhile Javascript is getting more popular, not less, to the extent is had started to to challenge other languages outside the safety of the browser. Not at all the sign of a dying language, IOW WebAssembly may end up having less impact than you think.

    3. Re:WebAssembly Gonna Nuke It From Orbit by HornWumpus · · Score: 1

      You poor stockholm syndrome suffering bastard.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    4. Re:WebAssembly Gonna Nuke It From Orbit by Anonymous Coward · · Score: 0

      Someone get a bottle of warm milk for this ancient child, nap time for baby boomer Java toddlers.

    5. Re:WebAssembly Gonna Nuke It From Orbit by HornWumpus · · Score: 1

      Keep using Javascript kid, I'll keep using the right tool for the job.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    6. Re:WebAssembly Gonna Nuke It From Orbit by Anonymous Coward · · Score: 0

      Lying? That's your only actual tool, you even brag about it lol. I doubt you know anything in depth beyond that.

    7. Re: WebAssembly Gonna Nuke It From Orbit by Anonymous Coward · · Score: 0

      JavaScript is challenging other languages like PHP by becoming an even bigger guardrail-free dumpster fire.

    8. Re:WebAssembly Gonna Nuke It From Orbit by anss123 · · Score: 1

      I'm not poor, and I've done most of my programming in other languages.

      That does not change the fact that Javascript is going from strength to strength. You may not like it, but that doesn't mean it is dying.

  8. The "Many Eyeballs" Fallacy by Anonymous Coward · · Score: 0

    Unfortunately I think that developers of nonfree software are doing QA on their code, but blindly trusting & using OSS libraries assuming that because the source is out there, it's good quality. As we have proven time and again, this is a bad (and dangerous) assumption to make.

    1. Re: The "Many Eyeballs" Fallacy by Anonymous Coward · · Score: 0

      It's rare that they do. Deadline is far more important than security audit, if the audit is possible at all.

    2. Re:The "Many Eyeballs" Fallacy by phantomfive · · Score: 1

      I think that developers of nonfree software are doing QA on their code,

      That's optimistic.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:The "Many Eyeballs" Fallacy by Anonymous Coward · · Score: 0

      They company I work for uses several different smaller ERP systems for different facets of the company.

      I guarantee you that for each of these ERP systems, the only ones doing QA are us, the customers. It is not at all uncommon for us to receive updates that break functionality that we use in those applications, for the most part because some dev somewhere implemented a change without understanding what the impact would be for current use cases, so we're usually 4-6 weeks behind on implementation for those updates due to testing, and much longer when we find problems.

      That's just for the intended application functionality. For security? One of these apps is a client-server model that connects to a sql server. When the app starts, the database connection credentials are stored in a world-readable text file in the system temporary location, for the entire time the application is open. I can't even begin...

  9. This is a cultural problem mostly by Anonymous Coward · · Score: 3, Insightful

    This problem is far more prevalent in certain language communities, most notably JavaScript (but there are others). Communities where, to put it bluntly, most developers don't understand or care how their stack works, they just toss another dependency on the giant pile and fetch the newest version from github every time they build and deploy. Communities where it's considered normal to install something by piping a wget into a root shell. Without even pausing to think, they automatically cargo-cult the first monkeyman who touched the monolith and wrote a library.

    Here's a pro tip, kids: don't add dependencies you don't need (and you probably don't). But if you have to, import them into your local source tree so that you have a predictable, reliable build that's also resilient against github going down. Unless you just enjoy being fucked unpredictably by a thousand possible events outside your control.

    1. Re:This is a cultural problem mostly by sjames · · Score: 1

      I have seen what should have been static pages with a form use javascript to generate the HTML for absolutely no good reason. This is nothing more or less than people who have no clue what they're doing.

  10. Trump Derangement Syndrom by L_R_Shaw · · Score: 1

    > If you said that 10 years ago, people would've looked you like you just said that the president ... bad example.

    My god are you lame.

    1. Re: Trump Derangement Syndrom by Anonymous Coward · · Score: 0

      No, you are the lame one. You didnâ(TM)t even hera what they said.

  11. Everything gets hacked eventually.. by edris90 · · Score: 1

    I mean really shouldn't we have been expecting this and continue to expect this kind of thing to happen every so often just due to the illusionary nature of security it self. Security is a motivation game if you can be motivate someone to continue trying different methods before they find one that works they may choose to move on. Anybody who doesn't quit will eventually bypass any security.

    1. Re: Everything gets hacked eventually.. by edris90 · · Score: 1

      Correction if you can motivation someone to discontinue attempts, before they happen upon one that works, you may potentially avoid circumvention for the moment.

  12. This is what happens! by Anonymous Coward · · Score: 0

    This is what happens when you drop your standards to let the gay and the trans and the negro and the woman contribute because equality....

  13. Library babbies BTFO. by Anonymous Coward · · Score: 1

    This is what happens when you BLINDLY use another persons code without looking at it once.
    If you yourself cannot understand the code of others, don't fucking use it, it will bite you in the ass.
    If it has barely any contributors, or even one, trust it even less so!
    I don't care who the person claims to be, or if they were even a deity in human form, their code ain't going on any of my systems, no way.
    And if any sudden changes just came out of the blue for no reason other than chaaaaange, it can go to 10 kinds of hell for all I care because most of the time it is ads, exploits or usually incompatible with everything before it. (this has happened from Chrome to [insert any app ever] to even LInux!)

    This is why the whole systemd branch of Linux can suck a fat one. Fuck Harry Poettering and his shitware.
    Dude doesn't even understand basic Linux foundations and standards. (see that time his shit software ignored rm flags)
    I don't know why anyone listens to him when he has proven his shoddy code is broken at the rotten core. Either they are being paid off or sucked off.
    I look forward to the next shitfest that wreck of a suite causes. Calling it for January.

  14. It all reminds of a scene in an old movie by bferrell · · Score: 1

    The dare devil driver jumps in the car, rips the mirror out, and screams "I don't need it! What's behind me is of no concern!"

    Move Fast! Break Things! Disrupt!!!

    gack

    1. Re:It all reminds of a scene in an old movie by buzz_mccool · · Score: 1

      Gumball Rally (1976)

      Franco: And now my friend, the first-a rule of Italian driving.
      [Franco rips off his rear-view mirror and throws it out of the car]
      Franco: What's-a behind me is not important.

    2. Re:It all reminds of a scene in an old movie by bferrell · · Score: 1

      Yea, I was trying to avoid the all too sensitive reference. I'm tired of getting yelled at this week.

  15. Fetching hundreds of code snippets from the net... by ffkom · · Score: 2

    what could possibly go wrong? The ridiculously oversized dependency-trees of node.js software, along with the lack of any decent web-of-trust structure backed by cryptographic signatures, makes this a "will happen again and again" event.

    Before irresponsible "programmers" started to include even 5-lines-of-code snippets from unknown authors from the Internet, it was common sense to only depend on sizeable libraries of significant complexity, and only a few of them.

    With the insane fragmentation of node.js code, there is no chance anyone can reasonably rule out that parts of that code come from an adversary.

  16. Re: Fetching hundreds of code snippets from the ne by Anonymous Coward · · Score: 0

    the crypto will not save you, j:st makes it harder. all code, source or compiled, is subject to a well-executed, long-play code injection attack. Look at all the unintended zero-days that get discovered all the time.

  17. Encrypted? by TFlan91 · · Score: 1

    The malicious code was also hard to spot because the flatmap-stream module was encrypted.

    What does this mean?

    1. Re: Encrypted? by Anonymous Coward · · Score: 0

      My guess is that it was not encrypted, but rather minified, encoded or otherwise obfuscated.

      In most contexts this is considered defacto sketchy or at best a lame attempt at DRM. Some security tools flag enceded scripts by default.

      But with JavaScripts roots as code that needs to be delivered over the internet to the browser, minification is commonplace and developers may not bat an eye at a wall of nearly unintelligible code.

    2. Re: Encrypted? by Anonymous Coward · · Score: 2, Informative

      In this case it actually was encrypted, with the key being a string that only occurred in the particular application they were targeting. Either way though, if anyone actually bothers to look at the code they import they would probably notice long random strings that don't appear to do anything, and be very suspicious about it.

  18. A huge security hole in JS? by Anonymous Coward · · Score: 0

    I am shocked - SHOCKED - that there is gambling going on in this establishment!

    1. Re:A huge security hole in JS? by xski · · Score: 1

      +1 Casablanca Reference

  19. Just goes to show... by Anonymous Coward · · Score: 0

    ... how totally sneaky those "hacker" bogeymen of the cyberwebs with their cyber "hacks" and their "hacking" the cyber are!

    Obviously, as soon as you invoke "hack", "hacked", "hackers", it cannot possibly be your fault no matter what actually happened. Or maybe you're just an idiot, just like EditorDavid.

  20. abandoned packages by astrofurter · · Score: 1

    It's not a language problem - it's an economic problem. There's no money in being an open source developer. I suspect more than 50% of packages on NPM are de facto abandoned.

    The old model for FOSS development went like this: write some Free Software that many people use. Build up you cred as a developer. Land sweet consulting gigs and collect big bucks.

    But that model has failed. Companies (for the most part) don't care what software you wrote. All they care about is price. So now a developer can waste a bunch of time writing a cool, widely used package - but the high dollar consulting gigs just don't materialize.

    Instead companies will hire cheap code monkeys to glue together open source components. And the dev who actually wrote the FOSS gets zero dollars for his efforts. So he stops working on it.

    That's where we are now. The FOSS model has produced massive gains in productivity. But all that value has accrued to leeches. While the FOSS developers got nothing; and by raising the productivity of lower skilled devs, in fact helped drive down their own pay.

    Unless we can figure out a viable economic model for Free-like-speech software, I see an implosion coming. As more and more projects are abandoned, the whole edifice built atop them becomes shaky and eventually collapses.

    1. Re:abandoned packages by Opportunist · · Score: 4, Interesting

      This is actually a language problem in a roundabout way.

      I've been wondering who on earth thought that javascript, of all the available languages on the planet, would be a good choice for a server language. Then it hit me: Nobody thought it would be a good language, but we have a shitload of unemployed frontend developers that have zero experience with anything BUT javascript. And the same cheap bastard companies that went and hired the so-so skilled, self-taught frontend devs during the high times of the dot.com boom now hire exactly the same people for backend development.

      These people have been bullshitted the first time when everyone was doing stuff "on the internet" and got rich (well... kinda...) off it that this is the next big thing, now they get bullshitted into believing that they get rich developing backend stuff. In the end, in both cases what you're dealing with is cheap companies trying to cash in by jumping the bandwagon of whatever is the hot cake in IT with the cheapest personnel they can get.

      Of course you can't land a nice consulting job in such an environment. These people that hire the same code monkeys they hired before for frontend won't hire you for consulting for the same reason: They want cheap, not good.

      It still works quite fine with other Open Source projects, and you'll notice that the key OSS-products have very active and fairly well doing developers, just not in node.js.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:abandoned packages by ShoulderOfOrion · · Score: 1

      Yup. Stir that in with Agile methods and it explains a lot.

    3. Re:abandoned packages by Anonymous Coward · · Score: 0

      While you were messing with apache/IIS configs and visual studio settings and error handling the node devs were out launching webscale platforms, deal wit it.

    4. Re:abandoned packages by Opportunist · · Score: 1

      I'm in IT security, I have to deal with it...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  21. Stay on target by Anonymous Coward · · Score: 0

    The Death Star has blown up a planet! Not at all the sign of a dying weapons platform.

  22. Tidelift by Mathinker · · Score: 1

    Possibly Tidelift?

    Whether Tidelift will "fly" (cringing at metaphor mixing), I have no idea....

  23. Encryoted Source != Open Source by RonVNX · · Score: 1

    "The malicious code was also hard to spot because the flatmap-stream module was encrypted."
    Seems like a problem here is the code was not in fact by any rational definition, "open".

  24. Is that right? by Anonymous Coward · · Score: 0

    The supply-chain attacks show one of the weaknesses of open source code.

    Yeah, because Cisco has never ever been victim to a supply chain attack. (Hint: more than half of Cisco's physical products are manufactured in China.) *cough* CVE-2012-5445 *cough*

  25. WTF does the language have to do with it? by Anonymous Coward · · Score: 0

    WTF does the language have to do with it?