SoylentNews is people

posted by martyb on Wednesday November 28 2018, @03:34PM
from the don't-trust;-do-verify dept.

Malware Inserted Into NPM Package by New Maintainer

[NB: NPM is a Node.js package manager.]

https://github.com/dominictarr/event-stream/issues/116

One of the many popular one-function NPM packages for JavaScript was handed to a new maintainer who promptly injected code that steals cryptocurrency wallets.

Some takeaways: NPM has no security, FOSS packages should be inspected before use (including new versions), and maybe importing millions of packages each implementing a single function isn't such a good idea.

Widely Used Open Source Software Contained Bitcoin-Stealing Backdoor

Submitted via IRC for SoyCow0824

Malicious code that crept into event-stream JavaScript library went undetected for weeks.

A hacker or hackers sneaked a backdoor into a widely used open source code library with the aim of surreptitiously stealing funds stored in bitcoin wallets, software developers said Monday.

The malicious code was inserted in two stages into event-stream, a code library with 2 million downloads that’s used by Fortune 500 companies and small startups alike. Stage one, version 3.3.6, published on September 8, included a benign module known as flatmap-stream. Stage two was implemented on October 5, when flatmap-stream was updated to include malicious code that attempted to steal bitcoin wallets and transfer their balances to a server located in Kuala Lumpur. The backdoor came to light last Tuesday with this report from GitHub user Ayrton Sparling. Officials with NPM, the open source project manager that hosted event-stream, didn’t issue an advisory until Monday, six days later.

NPM officials said the malicious code was designed to target people using a bitcoin wallet developed by Copay, a company that incorporated event-stream into its app. This release from earlier this month shows Copay updating its code to refer to flatmap-stream, but a Copay official said in a GitHub discussion that the malicious code was never deployed in any platforms. After this post went live, Copay officials updated their comment to say they did, in fact, release platforms that contained the backdoor.

In a blog post published after this post went live, Copay officials said versions 5.0.2 through 5.1.0 were affected by the backdoor and that users with these versions installed should avoid running the app until after installing version 5.2.0.

Source: https://arstechnica.com/information-technology/2018/11/hacker-backdoors-widely-used-open-source-software-to-steal-bitcoin/


Original Submission #1 | Original Submission #2

  • (Score: 2) by canopic jug (3949) Subscriber Badge on Wednesday November 28 2018, @04:00PM (#767330) Journal

    Alternatively, the title could be more about how the project was allowed to become more or less abandoned [boingboing.net].

    --
    Money is not free speech. Elections should not be auctions.