Node.js Event-Stream Hack Reveals Open Source 'Developer Infrastructure' Exploit (arstechnica.com) 82
"[O]n Nov. 26 it was publicly revealed that a widely deployed open-source Node.js programming language module known as event-stream had been injected with malicious code that looked to steal cryptocurrency wallets," reports eWeek, adding "The event-stream library has over two million downloads."
An anonymous reader quotes Ars Technica: The backdoor came to light [November 20th] with this report from Github user Ayrton Sparling. Officials with the NPM, the open source project manager that hosted event-stream, didn't issue an advisory until six days later.... "This compromise was not targeting module developers in general or really even developers," an NPM official told Ars in an email. "It targeted a select few developers at a company, Copay, that had a very specific development environment set up. Even then, the payload itself didn't run on those developers' computers; rather, it would be packaged into a consumer-facing app when the developers built a release. The goal was to steal Bitcoin from this application's end users...."
According to the Github discussion that exposed the backdoor, the longtime event-stream developer no longer had time to provide updates. So several months ago, he accepted the help of an unknown developer. The new developer took care to keep the backdoor from being discovered. Besides being gradually implemented in stages, it also narrowly targeted only the Copay wallet app. The malicious code was also hard to spot because the flatmap-stream module was encrypted. The attack is the latest to exploit weaknesses in a widely used supply chain to target downstream end users... The supply-chain attacks show one of the weaknesses of open source code. Because of its openness and the lack of funds of many of its hobbyist developers and users, open source code can be subject to malicious modifications that often escape notice.
"The time has come," concludes Ars Technica, "for maintainers and users of open source software to devise new measures to better police the millions of packages being used all around us." Sophos' security blog also asks why so many developers "immediately and blindly trusted the new maintainer," and shared a concerned comment from developer named Chris Northwood.
"Nothing's stopping this happening again, and it's terrifying."
An anonymous reader quotes Ars Technica: The backdoor came to light [November 20th] with this report from Github user Ayrton Sparling. Officials with the NPM, the open source project manager that hosted event-stream, didn't issue an advisory until six days later.... "This compromise was not targeting module developers in general or really even developers," an NPM official told Ars in an email. "It targeted a select few developers at a company, Copay, that had a very specific development environment set up. Even then, the payload itself didn't run on those developers' computers; rather, it would be packaged into a consumer-facing app when the developers built a release. The goal was to steal Bitcoin from this application's end users...."
According to the Github discussion that exposed the backdoor, the longtime event-stream developer no longer had time to provide updates. So several months ago, he accepted the help of an unknown developer. The new developer took care to keep the backdoor from being discovered. Besides being gradually implemented in stages, it also narrowly targeted only the Copay wallet app. The malicious code was also hard to spot because the flatmap-stream module was encrypted. The attack is the latest to exploit weaknesses in a widely used supply chain to target downstream end users... The supply-chain attacks show one of the weaknesses of open source code. Because of its openness and the lack of funds of many of its hobbyist developers and users, open source code can be subject to malicious modifications that often escape notice.
"The time has come," concludes Ars Technica, "for maintainers and users of open source software to devise new measures to better police the millions of packages being used all around us." Sophos' security blog also asks why so many developers "immediately and blindly trusted the new maintainer," and shared a concerned comment from developer named Chris Northwood.
"Nothing's stopping this happening again, and it's terrifying."
Many eyes (Score:3, Insightful)
Many eyes mean nothing if they aren't looking.
Re: (Score:1)
Re: (Score:1)
Good thing (Score:3)
Re: (Score:2)
Javascript as a server language.
If you said that 10 years ago, people would've looked you like you just said that the president ... bad example.
Re: (Score:1)
Trump Derangement Syndrom (Score:1)
> If you said that 10 years ago, people would've looked you like you just said that the president ... bad example.
My god are you lame.
Re: (Score:2)
Javascript as a server language. If you said that 10 years ago, people would've looked you like you just said that the president ... bad example.
So, something like the Netscape Enterprise Server?
Re:Good thing (Score:5, Insightful)
Language had nothing to do with it. This could have occurred in any language. Its the culture of using random libraries found off the web without doing security audits that's the culprit.
Re: (Score:2)
npm is especially bad, but ruby and python aren't much better - they all encourage the use of brawndo-installer ("curl $URL | sudo bash" - it's got what programmers crave) to install libs and other software.
Re: (Score:1)
Also a problem for closed source software (Score:5, Interesting)
The supply-chain attacks show one of the weaknesses of open source code. Because of its openness and the lack of funds of many of its hobbyist developers and users, open source code can be subject to malicious modifications that often escape notice.
Every time I read something like this I have to imagine it was written by someone who works for or owns stock in one of those companies that produces "compliance" tools/services targeted at businesses that use open source.
I mean, come on. This exact same problem exists for closed source software. Face it, you know about as much about the developers of any random closed source application or library as you do about any random open source application or library. In fact, it is less likely that a malicious change will be discovered if you do not have access to the source code.
Re: (Score:2)
I think that developers of nonfree software are doing QA on their code,
That's optimistic.
Re: (Score:1)
I believe that the grandparent was on to something. If you think about how Node.js and other javascript framework libraries work, they're frequently configured to pull the latest updates for all of their dependencies and the dependencies of those dependencies and so on. You can imagine this as a large tree of dependencies with many sub-trees. Furthermore, because Node.js pulls in many "utility" and other libraries either directly or indirectly, and many utility libraries are maintained by a small group of d
Re: (Score:2)
indeed, in every argument against open source software, the same argument can always be used against proprietary software too.
Node / npm is a cancer (Score:1)
A sure sign that development is being taken over by normies and retards
Re:Node / npm is a cancer (Score:4, Insightful)
The main problem with node starts way earlier. First, 100 packages doing the same. Well, not really. Just kinda. Say you need a package that deals with a certain database. You'll find 5. And no matter which one you eventually choose randomly (because asking google is like asking a bunch of /. users which Linux distri to get, you'll get 5 answers telling you the merits of 6 different solutions), it will be the one that you eventually realize doesn't have that one crucial feature you actually needed, won't play nice with whatever other middleware you have to use or has simply not been updated for 2 years because whoever wrote it lost interest.
Which leads to the next thing: Abandoned packages. Most of those solutions depend on a single maintainer. And his whims. When he doesn't feel like maintaining it anymore, poof. Try to maintain that code now that some crucial part of it simply isn't updated anymore, the technology it communicated with did move on and becomes incompatible and you're SOL.
I mean, I get it, it's a toy for people who learned web design, can't be assed to learn a real language and also want to do shit with servers. Ok. But ... seriously, python is not THAT hard...
Re: Node / npm is a cancer (Score:1)
I love Python, even though I only used it to work with Zope.
But Python, AFAIK, does not offer the same full stack tool chains now available via JS.
JS has become PHP, except with even fewer obstacles to keep people from getting in way over their head.
I suspect that if Python were as accommodating, the state of Python would plummet as well. The problem isnâ(TM)t the language, the problem is that there are too many people programming who do not have the wisdom or experience to do it competently.
That, and
Re: (Score:3)
The problem is people making packages that have no business doing so. Half of them are sorta-kinda working with glaring security holes that make even newbie programmers cringe.
abandoned packages (Score:2)
It's not a language problem - it's an economic problem. There's no money in being an open source developer. I suspect more than 50% of packages on NPM are de facto abandoned.
The old model for FOSS development went like this: write some Free Software that many people use. Build up you cred as a developer. Land sweet consulting gigs and collect big bucks.
But that model has failed. Companies (for the most part) don't care what software you wrote. All they care about is price. So now a developer can waste a bu
Re:abandoned packages (Score:5, Interesting)
This is actually a language problem in a roundabout way.
I've been wondering who on earth thought that javascript, of all the available languages on the planet, would be a good choice for a server language. Then it hit me: Nobody thought it would be a good language, but we have a shitload of unemployed frontend developers that have zero experience with anything BUT javascript. And the same cheap bastard companies that went and hired the so-so skilled, self-taught frontend devs during the high times of the dot.com boom now hire exactly the same people for backend development.
These people have been bullshitted the first time when everyone was doing stuff "on the internet" and got rich (well... kinda...) off it that this is the next big thing, now they get bullshitted into believing that they get rich developing backend stuff. In the end, in both cases what you're dealing with is cheap companies trying to cash in by jumping the bandwagon of whatever is the hot cake in IT with the cheapest personnel they can get.
Of course you can't land a nice consulting job in such an environment. These people that hire the same code monkeys they hired before for frontend won't hire you for consulting for the same reason: They want cheap, not good.
It still works quite fine with other Open Source projects, and you'll notice that the key OSS-products have very active and fairly well doing developers, just not in node.js.
Re: (Score:2)
Yup. Stir that in with Agile methods and it explains a lot.
Re: (Score:2)
I'm in IT security, I have to deal with it...
Tidelift (Score:1)
Possibly Tidelift [tidelift.com]?
Whether Tidelift will "fly" (cringing at metaphor mixing), I have no idea....
WebAssembly Gonna Nuke It From Orbit (Score:3, Informative)
Thank god WebAssembly is rapidly advancing with the fever of someone trapped in an elevator with fat guy who ate nothing but beans for lunch and the entire clusterfuck that is Javascript/Node is about to be dumped on the garbage heap of dead tech.
Re: (Score:1)
Re: (Score:2)
These sorts of attacks have been conducted against more than just NPM.
Meanwhile Javascript is getting more popular, not less, to the extent is had started to to challenge other languages outside the safety of the browser. Not at all the sign of a dying language, IOW WebAssembly may end up having less impact than you think.
Re: (Score:2)
You poor stockholm syndrome suffering bastard.
Re: (Score:2)
Keep using Javascript kid, I'll keep using the right tool for the job.
Re: (Score:2)
I'm not poor, and I've done most of my programming in other languages.
That does not change the fact that Javascript is going from strength to strength. You may not like it, but that doesn't mean it is dying.
This is a cultural problem mostly (Score:3, Insightful)
This problem is far more prevalent in certain language communities, most notably JavaScript (but there are others). Communities where, to put it bluntly, most developers don't understand or care how their stack works, they just toss another dependency on the giant pile and fetch the newest version from github every time they build and deploy. Communities where it's considered normal to install something by piping a wget into a root shell. Without even pausing to think, they automatically cargo-cult the first monkeyman who touched the monolith and wrote a library.
Here's a pro tip, kids: don't add dependencies you don't need (and you probably don't). But if you have to, import them into your local source tree so that you have a predictable, reliable build that's also resilient against github going down. Unless you just enjoy being fucked unpredictably by a thousand possible events outside your control.
Re: (Score:2)
I have seen what should have been static pages with a form use javascript to generate the HTML for absolutely no good reason. This is nothing more or less than people who have no clue what they're doing.
Library babbies BTFO. (Score:1)
This is what happens when you BLINDLY use another persons code without looking at it once.
If you yourself cannot understand the code of others, don't fucking use it, it will bite you in the ass.
If it has barely any contributors, or even one, trust it even less so!
I don't care who the person claims to be, or if they were even a deity in human form, their code ain't going on any of my systems, no way.
And if any sudden changes just came out of the blue for no reason other than chaaaaange, it can go to 10 kinds
It all reminds of a scene in an old movie (Score:2)
The dare devil driver jumps in the car, rips the mirror out, and screams "I don't need it! What's behind me is of no concern!"
Move Fast! Break Things! Disrupt!!!
gack
Re: (Score:1)
Franco: And now my friend, the first-a rule of Italian driving.
[Franco rips off his rear-view mirror and throws it out of the car]
Franco: What's-a behind me is not important.
Re: (Score:2)
Yea, I was trying to avoid the all too sensitive reference. I'm tired of getting yelled at this week.
Fetching hundreds of code snippets from the net... (Score:3)
Before irresponsible "programmers" started to include even 5-lines-of-code snippets from unknown authors from the Internet, it was common sense to only depend on sizeable libraries of significant complexity, and only a few of them.
With the insane fragmentation of node.js code, there is no chance anyone can reasonably rule out that parts of that code come from an adversary.
Encrypted? (Score:2)
What does this mean?
Re: (Score:2, Informative)
In this case it actually was encrypted, with the key being a string that only occurred in the particular application they were targeting. Either way though, if anyone actually bothers to look at the code they import they would probably notice long random strings that don't appear to do anything, and be very suspicious about it.
Re: (Score:1)
Encryoted Source != Open Source (Score:2)
"The malicious code was also hard to spot because the flatmap-stream module was encrypted."
Seems like a problem here is the code was not in fact by any rational definition, "open".