Node.js Event-Stream Hack Reveals Open Source 'Developer Infrastructure' Exploit (arstechnica.com)
"[O]n Nov. 26 it was publicly revealed that a widely deployed open-source Node.js programming language module known as event-stream had been injected with malicious code that looked to steal cryptocurrency wallets," reports eWeek, adding "The event-stream library has over two million downloads."
An anonymous reader quotes Ars Technica: The backdoor came to light [November 20th] with this report from Github user Ayrton Sparling. Officials with the NPM, the open source project manager that hosted event-stream, didn't issue an advisory until six days later.... "This compromise was not targeting module developers in general or really even developers," an NPM official told Ars in an email. "It targeted a select few developers at a company, Copay, that had a very specific development environment set up. Even then, the payload itself didn't run on those developers' computers; rather, it would be packaged into a consumer-facing app when the developers built a release. The goal was to steal Bitcoin from this application's end users...."
According to the Github discussion that exposed the backdoor, the longtime event-stream developer no longer had time to provide updates. So several months ago, he accepted the help of an unknown developer. The new developer took care to keep the backdoor from being discovered. Besides being gradually implemented in stages, it also narrowly targeted only the Copay wallet app. The malicious code was also hard to spot because the flatmap-stream module was encrypted. The attack is the latest to exploit weaknesses in a widely used supply chain to target downstream end users... The supply-chain attacks show one of the weaknesses of open source code. Because of its openness and the lack of funds of many of its hobbyist developers and users, open source code can be subject to malicious modifications that often escape notice.
"The time has come," concludes Ars Technica, "for maintainers and users of open source software to devise new measures to better police the millions of packages being used all around us." Sophos' security blog also asks why so many developers "immediately and blindly trusted the new maintainer," and shared a concerned comment from a developer named Chris Northwood.
"Nothing's stopping this happening again, and it's terrifying."
Many eyes mean nothing if they aren't looking.
The main problem with node starts way earlier. First, 100 packages doing the same. Well, not really. Just kinda. Say you need a package that deals with a certain database. You'll find 5. And no matter which one you eventually choose randomly (because asking google is like asking a bunch of /. users which Linux distro to get, you'll get 5 answers telling you the merits of 6 different solutions), it will be the one that you eventually realize doesn't have that one crucial feature you actually needed, won't play nice with whatever other middleware you have to use or has simply not been updated for 2 years because whoever wrote it lost interest.
Which leads to the next thing: Abandoned packages. Most of those solutions depend on a single maintainer. And his whims. When he doesn't feel like maintaining it anymore, poof. Try to maintain that code now that some crucial part of it simply isn't updated anymore, the technology it communicated with did move on and becomes incompatible and you're SOL.
I mean, I get it, it's a toy for people who learned web design, can't be assed to learn a real language and also want to do shit with servers. Ok. But ... seriously, python is not THAT hard...
Language had nothing to do with it. This could have occurred in any language. It's the culture of using random libraries found off the web without doing security audits that's the culprit.
This problem is far more prevalent in certain language communities, most notably JavaScript (but there are others). Communities where, to put it bluntly, most developers don't understand or care how their stack works, they just toss another dependency on the giant pile and fetch the newest version from github every time they build and deploy. Communities where it's considered normal to install something by piping a wget into a root shell. Without even pausing to think, they automatically cargo-cult the first monkeyman who touched the monolith and wrote a library.
Here's a pro tip, kids: don't add dependencies you don't need (and you probably don't). But if you have to, import them into your local source tree so that you have a predictable, reliable build that's also resilient against github going down. Unless you just enjoy being fucked unpredictably by a thousand possible events outside your control.