Security: Following the discovery of a backdoor in a widely used module on the JavaScript package manager npm, the platform's administrators have published a statement reviewing the incident. The module's original developer has also posted an explanation.
The npm platform issued a statement revisiting the incident, which had been spotted two days earlier. event-stream, a very popular open-source JavaScript module, had been modified at the beginning of September to pull in a new dependency, flatmap-stream. That dependency was added by a new maintainer of the project, and it contained malicious code. “The event-stream module is very popular, but the malicious code was aimed at developers from a very specific company. The malware in question had no effect in an environment other than the one targeted,” confirm the npm administrators in a blog post dedicated to the incident.
The developers who discovered the malicious code initially wondered what it did: the code had been heavily obfuscated so that its real purpose was not obvious at first glance. But, as the npm administrators confirm, it was meant to attack the developers of Copay, a cryptocurrency wallet app. “When a developer at Copay runs one of their scripts to release a new build of the application, the final code includes the malicious code,” explains the npm blog post. The injected code then inspected the wallet data of the user who launched the app: if it held more than 100 Bitcoin or 1000 Bitcoin Cash,
Copay has confirmed that several versions of its app, since withdrawn, were published on its site with the malicious code included. The affected versions are those from 5.0.2 through 5.1.0. Clean builds without the malicious code have been published since the module was discovered.
Can I have admin rights?
The story highlights the essential role of maintainers in the security of open-source ecosystems. Dominic Tarr, the developer behind the module, gave his account of the events that led to the infection in a text published on GitHub: he explains that he was contacted by another developer who offered to help maintain the project. “Since the beginnings of node / npm, sharing access rights with others has always been common practice,” writes the developer, who recalls that open source has always relied on this principle. He explains that he did not expect the project to be so successful, and that he had other projects to maintain and develop at the same time.
“We are entering a strange period where we are using a whole series of dependencies which are ‘maintained’ by people who are no longer interested, who are overworked, or who no longer even use them,” continues Dominic Tarr. With the rise of cryptocurrencies, which let cybercriminals cash in on such compromises easily, the question is all the more pressing. In his view, the community must think about ways to respond to this kind of scenario: paying maintainers for their work, or requiring the companies and developers who use a dependency to contribute to its maintenance.
The question of dependence on open-source project maintainers had already come up around the time of the left-pad incident, another module widely used by the open-source community and distributed through the npm package manager. Following a dispute with the npm administrators, the creator of that module simply withdrew it from the platform, breaking every project that depended on it. This new incident shows that cybercriminals will not hesitate to exploit such weaknesses to achieve their ends.