
Last week, someone injected malicious code into a wildly popular JavaScript library. The library wasn’t hacked; the code was put there by a maintainer who was given access by the library’s creator. Event-Stream is a JavaScript npm package for handling Node.js streaming data. With roughly two million weekly downloads, its creator found managing it alone difficult and time-consuming. A GitHub user going by ‘Right9ctrl’ was granted access after offering to help maintain the library. Instead of helping out, this person infused the library with obfuscated code that stole cryptocurrency information from users. Here’s what it all means:
Some quick tips for using 3rd party libraries in a safer way:
🕵️‍♂️ Thoroughly vet all dependencies, don't just pod install
🙅‍♀️ Avoid nested dependencies when possible
📌 Pin to specific versions, don't auto-update
📦 Check all 3rd party code into your repo so you can track changes
— John Sundell (@johnsundell) November 26, 2018
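Two of those tips, pinning exact versions and watching nested dependencies, can be checked mechanically. The script below is an added example (not code from the post or from the npm project): it flags range specifiers in a package.json and walks a package-lock.json (lockfileVersion 1 layout) to print the chain through which a transitive package such as flatmap-stream arrives. All package data is constructed; apart from the 3.3.4 the post names, the version strings are placeholders, not real releases.

```javascript
// Exact semver only (1.2.3, 1.2.3-beta.1); anything with ^ ~ >= * etc. is a range.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Return the direct dependencies whose spec is a range rather than an exact
// version, i.e. the ones npm may silently move to a newer publish.
function findUnpinned(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps)
    .filter(([, spec]) => !EXACT_VERSION.test(spec))
    .map(([name, spec]) => ({ name, spec }));
}

// Walk the lockfile tree and return every path (array of "name@version") that
// ends at `target`. Nested entries live under each package's "dependencies",
// so this exposes packages that never appear in package.json at all.
function findDependencyPaths(lock, target) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = [...trail, `${name}@${info.version}`];
      if (name === target) hits.push(path);
      walk(info.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample input. event-stream is on a caret range starting at the
// version the post names as clean, so a newer publish would be picked up
// automatically; some-util is pinned. Resolved versions are placeholders.
const samplePackageJson = {
  dependencies: { 'event-stream': '^3.3.4', 'some-util': '1.2.3' },
};
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'event-stream': {
      version: '0.0.0-constructed',
      dependencies: { 'flatmap-stream': { version: '0.0.0-constructed' } },
    },
    'some-util': { version: '1.2.3' },
  },
};

console.log('unpinned direct dependencies:', findUnpinned(samplePackageJson));
console.log('paths to flatmap-stream:', findDependencyPaths(sampleLock, 'flatmap-stream'));
```

Run against a real project by replacing the two constructed objects with `JSON.parse(fs.readFileSync('package.json'))` and the lockfile; any path the second call prints is a package you did not choose but are shipping.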
Red (The Bad Stuff)
- This ‘hack’ was essentially official. The package creator didn’t vet Right9ctrl or ease them into the project.
- It was aimed at popular cryptocurrency wallet ‘Copay,’ which is available for desktop and mobile.
- Right9ctrl tried to bury the malicious code by publishing later Event-Stream versions that no longer contained it, after the commit that introduced it.
- Though Event-Stream was the high-profile point of interaction, the code itself resided in a different library, Flatmap-Stream.
Green (The Good Stuff)
- The hack has been identified and stopped.
- Developers can target Event-Stream version 3.3.4, which doesn’t include the suspect code. Copay versions 5.0.2 through 5.1.0 should not be used.
- Right9ctrl has apparently been banned from GitHub; their page is dark.
- This incident targeted a single cryptocurrency wallet.
Step 1️⃣ Go through the most popular inactive open source libraries
Step 2️⃣ Reach out to author and ask to help out
Step 3️⃣ Get push access and release a compromised version
Step 4️⃣ Reach 2 million applications within a week
https://t.co/T4CmEJrUmN pic.twitter.com/OZRWpMJCQ6
— Felix Krause (@KrauseFx) November 26, 2018