Slashdot Mirror


Node.js Event-Stream Hack Reveals Open Source 'Developer Infrastructure' Exploit (arstechnica.com)

"[O]n Nov. 26 it was publicly revealed that a widely deployed open-source Node.js programming language module known as event-stream had been injected with malicious code that looked to steal cryptocurrency wallets," reports eWeek, adding "The event-stream library has over two million downloads."

An anonymous reader quotes Ars Technica: The backdoor came to light [November 20th] with this report from Github user Ayrton Sparling. Officials with the NPM, the open source project manager that hosted event-stream, didn't issue an advisory until six days later.... "This compromise was not targeting module developers in general or really even developers," an NPM official told Ars in an email. "It targeted a select few developers at a company, Copay, that had a very specific development environment set up. Even then, the payload itself didn't run on those developers' computers; rather, it would be packaged into a consumer-facing app when the developers built a release. The goal was to steal Bitcoin from this application's end users...."

According to the Github discussion that exposed the backdoor, the longtime event-stream developer no longer had time to provide updates. So several months ago, he accepted the help of an unknown developer. The new developer took care to keep the backdoor from being discovered. Besides being gradually implemented in stages, it also narrowly targeted only the Copay wallet app. The malicious code was also hard to spot because the flatmap-stream module was encrypted. The attack is the latest to exploit weaknesses in a widely used supply chain to target downstream end users... The supply-chain attacks show one of the weaknesses of open source code. Because of its openness and the lack of funds of many of its hobbyist developers and users, open source code can be subject to malicious modifications that often escape notice.

"The time has come," concludes Ars Technica, "for maintainers and users of open source software to devise new measures to better police the millions of packages being used all around us." Sophos' security blog also asks why so many developers "immediately and blindly trusted the new maintainer," and shared a concerned comment from a developer named Chris Northwood.

"Nothing's stopping this happening again, and it's terrifying."

2 of 82 comments

  1. Also a problem for closed source software by El Cubano · Score: 5, Interesting

    The supply-chain attacks show one of the weaknesses of open source code. Because of its openness and the lack of funds of many of its hobbyist developers and users, open source code can be subject to malicious modifications that often escape notice.

    Every time I read something like this I have to imagine it was written by someone who works for or owns stock in one of those companies that produces "compliance" tools/services targeted at businesses that use open source.

    I mean, come on. This exact same problem exists for closed source software. Face it, you know about as much about the developers of any random closed source application or library as you do about any random open source application or library. In fact, it is less likely that a malicious change will be discovered if you do not have access to the source code.

  2. Re:abandoned packages by Opportunist · Score: 4, Interesting

    This is actually a language problem in a roundabout way.

    I've been wondering who on earth thought that JavaScript, of all the available languages on the planet, would be a good choice for a server language. Then it hit me: Nobody thought it would be a good language, but we have a shitload of unemployed frontend developers that have zero experience with anything BUT JavaScript. And the same cheap bastard companies that went and hired the so-so skilled, self-taught frontend devs during the high times of the dot.com boom now hire exactly the same people for backend development.

    These people have been bullshitted the first time when everyone was doing stuff "on the internet" and got rich (well... kinda...) off it that this is the next big thing, now they get bullshitted into believing that they get rich developing backend stuff. In the end, in both cases what you're dealing with is cheap companies trying to cash in by jumping on the bandwagon of whatever is the hot cake in IT with the cheapest personnel they can get.

    Of course you can't land a nice consulting job in such an environment. These people that hire the same code monkeys they hired before for frontend won't hire you for consulting for the same reason: They want cheap, not good.

    It still works quite fine with other Open Source projects, and you'll notice that the key OSS-products have very active and fairly well doing developers, just not in node.js.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.