
SoylentNews is people

posted by martyb on Wednesday November 28 2018, @03:34PM   Printer-friendly
from the don't-trust;-do-verify dept.

Malware Inserted Into NPM Package by New Maintainer

[NB: NPM is the Node.js package manager.]

https://github.com/dominictarr/event-stream/issues/116

One of the many popular one-function NPM packages for JavaScript was handed to a new maintainer who promptly injected code that steals cryptocurrency wallets.

Some takeaways: NPM has no security, FOSS packages should be inspected before use (including new versions), and maybe importing millions of packages each implementing a single function isn't such a good idea.

Widely Used Open Source Software Contained Bitcoin-Stealing Backdoor

Submitted via IRC for SoyCow0824

Malicious code that crept into event-stream JavaScript library went undetected for weeks.

A hacker or hackers sneaked a backdoor into a widely used open source code library with the aim of surreptitiously stealing funds stored in bitcoin wallets, software developers said Monday.

The malicious code was inserted in two stages into event-stream, a code library with 2 million downloads that’s used by Fortune 500 companies and small startups alike. Stage one, version 3.3.6, published on September 8, included a benign module known as flatmap-stream. Stage two was implemented on October 5 when flatmap-stream was updated to include malicious code that attempted to steal bitcoin wallets and transfer their balances to a server located in Kuala Lumpur. The backdoor came to light last Tuesday with this report from GitHub user Ayrton Sparling. Officials with NPM, the open source project manager that hosted event-stream, didn’t issue an advisory until Monday, six days later.

NPM officials said the malicious code was designed to target people using a bitcoin wallet developed by Copay, a company that incorporated event-stream into its app. This release from earlier this month shows Copay updating its code to refer to flatmap-stream, but a Copay official said in a GitHub discussion that the malicious code was never deployed in any platforms. After this post went live, Copay officials updated their comment to say they did, in fact, release platforms that contained the backdoor.

In a blog post published after this post went live, Copay officials said versions 5.0.2 through 5.1.0 were affected by the backdoor and that users with these versions installed should avoid running the app until after installing version 5.2.0.

Source: https://arstechnica.com/information-technology/2018/11/hacker-backdoors-widely-used-open-source-software-to-steal-bitcoin/


Original Submission #1 | Original Submission #2
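The story describes the two-stage insertion (a benign dependency added in event-stream 3.3.6, then that dependency updated with the payload), and the submitter's takeaway is that new versions need inspecting. The first thing a practitioner wants after reading this is a way to answer "is the compromised version in my tree?" from the lockfile, which records the resolved versions that were actually installed rather than the semver ranges in package.json. The script below is an added example, not code from the story, Ars Technica, npm, or the event-stream project. It assumes the lockfile is either the lockfileVersion 1 layout (nested `dependencies`) or the v2/v3 layout (flat `packages` keyed by install path); the event-stream 3.3.6 entry in the blocklist comes from the story, while the flatmap-stream 0.1.1 entry is an assumption (the page gives no version for the malicious release), so treat the blocklist as input you maintain. Both sample lockfiles are constructed.

```javascript
// Added example: scan an npm lockfile for dependency versions known to be compromised.
// Not code from the story, Ars Technica, npm, or the event-stream project.
// The blocklist is the input you maintain; the versions below are for illustration.
const KNOWN_BAD = {
  // From the story: event-stream 3.3.6 is the release that pulled in flatmap-stream.
  'event-stream': ['3.3.6'],
  // Assumption: the malicious flatmap-stream release was 0.1.1 (the page gives no version).
  'flatmap-stream': ['0.1.1'],
};

// Constructed sample, lockfileVersion 1 layout (nested "dependencies" trees).
const SAMPLE_LOCK_V1 = {
  name: 'demo-app',
  lockfileVersion: 1,
  dependencies: {
    'event-stream': {
      version: '3.3.6',
      requires: { 'flatmap-stream': '~0.1.0' },
      dependencies: {
        'flatmap-stream': { version: '0.1.1' },
      },
    },
    'left-pad': { version: '1.3.0' },
  },
};

// Constructed sample, lockfileVersion 2/3 layout (flat "packages" map keyed by install path).
const SAMPLE_LOCK_V3 = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/event-stream': { version: '3.3.6' },
    'node_modules/event-stream/node_modules/flatmap-stream': { version: '0.1.1' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

// Yield { name, version, path } for every package in a v1 dependency tree, recursing into
// nested node_modules so a transitive dependency is found even when the top level looks clean.
function* walkV1(deps, parentPath) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = parentPath ? `${parentPath} > ${name}` : name;
    yield { name, version: entry.version, path };
    yield* walkV1(entry.dependencies, path);
  }
}

// In v2/v3 lockfiles the package name is everything after the last "node_modules/"
// in the key, which keeps scoped names such as "@scope/pkg" intact.
function* walkPackages(packages) {
  for (const [key, entry] of Object.entries(packages || {})) {
    if (key === '') continue; // the root project itself
    const segments = key.split('node_modules/');
    yield { name: segments[segments.length - 1], version: entry.version, path: key };
  }
}

function installedPackages(lock) {
  if (lock.packages) return [...walkPackages(lock.packages)];
  return [...walkV1(lock.dependencies, '')];
}

// Exact-version match against the blocklist. A range in package.json says nothing about
// what was installed; the lockfile's resolved version does.
function findCompromised(lock, blocklist = KNOWN_BAD) {
  const hits = [];
  for (const pkg of installedPackages(lock)) {
    const bad = blocklist[pkg.name];
    if (bad && bad.includes(pkg.version)) hits.push(pkg);
  }
  return hits;
}

// CLI: node scan-lock.js [package-lock.json]; without an argument it scans the constructed sample.
if (typeof module !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK_V1;
  const hits = findCompromised(lock);
  for (const hit of hits) console.log(`COMPROMISED ${hit.name}@${hit.version} (${hit.path})`);
  if (hits.length === 0) console.log('no blocklisted versions found');
}
```

Run it against a real `package-lock.json` in CI and fail the build on any hit; the reported path shows which direct dependency dragged the bad version in, which is what you need when the compromised package is something you never asked for by name.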

  • (Score: 3, Interesting) by maxwell demon on Wednesday November 28 2018, @06:56PM (6 children)

    by maxwell demon (1608) on Wednesday November 28 2018, @06:56PM (#767412) Journal

    The malicious code was also hard to spot because the flatmap-stream module was encrypted.

    Encryption is the absolute antithesis to Open Source. And should by itself have been a big warning sign.

    And yes, most people don't look at the source at all when downloading packages; but for them it doesn't matter whether the code is encrypted or not; they don't see it either way. Encryption only matters for those who do look, and for those the encryption should have been an immediate red flag.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 1, Insightful) by Anonymous Coward on Wednesday November 28 2018, @07:54PM (4 children)

    by Anonymous Coward on Wednesday November 28 2018, @07:54PM (#767439)

    Which is one of the big reasons why Security in Open Source is a non-issue to the vast majority of software users. They do not have the training, time, or inclination to screen source code. (At the end-user level, I mean).

    Before anyone gets their hackles up, I'm not saying that Open Source is therefore bad at all. It's better than proprietary in this regard. Just that the whole "anyone can look at the code" argument only has true meaning to those who know how to parse code. Jimmy-Bob-Facebook-Using-Non-Programmer-Beer-Swiller still has to trust somebody in any event whether that's an open source development team, the wider community who looks at open source development teams work, or EvilzProprietarySoftware Company's binary blobs. Jimmy Bob don't care so long as he getz his Facebooks.

    • (Score: 0) by Anonymous Coward on Wednesday November 28 2018, @09:14PM (3 children)

      by Anonymous Coward on Wednesday November 28 2018, @09:14PM (#767494)

      Just that the whole "anyone can look at the code" argument only has true meaning to those who know how to parse code.

      Ordinary users can hire someone they trust to audit the code, or passively benefit from others' contributions. So, even normal users benefit from the freedoms granted to them by Free Software.

      • (Score: 1, Insightful) by Anonymous Coward on Wednesday November 28 2018, @11:55PM (2 children)

        by Anonymous Coward on Wednesday November 28 2018, @11:55PM (#767576)

        OK. But that normal user is still trusting someone else's word that the code is good. Exactly the same trust that they place in someone handing them a binary blob. An auditor, "other's contributions", or proprietary closed source: All require the user to place trust that running the code is OK.

        Either way, that ordinary user is trusting someone. So what advantage does that ordinary user derive from trusting an auditor over the blob distributor from the user's perspective? Especially when bearing in mind that most ordinary users do not know someone they inherently trust to act in the user's interest who has the capability to audit the code?

        • (Score: 2) by legont on Thursday November 29 2018, @02:05AM

          by legont (4179) on Thursday November 29 2018, @02:05AM (#767613)

          Money in general, and the crypto targeted here in particular, is all about trust. The question is whether we want to trust central authorities or develop decentralized trust schemas. You are advertising the authorities' approach, while it might be beneficial to improve the decentralized one, say, put code on a blockchain.

          --
          "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
        • (Score: 0) by Anonymous Coward on Thursday November 29 2018, @09:05AM

          by Anonymous Coward on Thursday November 29 2018, @09:05AM (#767684)

          OK. But that normal user is still trusting someone else's word that the code is good.

          How is that different than any other endeavour in life? You trust your baker that the bread is non-toxic. You trust your doctor that his health advice is sound. You trust the building inspector that his sign-off has value. And in all those cases, you can verify the first advice by having it re-examined by another source (second opinion). This works because the second source does not have financial ties to the original source, only to you. That is why proprietary software is different: even if you were to find two separate auditors to examine proprietary source code, both would have a dependence on the original vendor.

  • (Score: 0) by Anonymous Coward on Wednesday November 28 2018, @08:14PM

    by Anonymous Coward on Wednesday November 28 2018, @08:14PM (#767458)

    Obfuscation is common with javascript code, to save on transfer of the gigabytes of code it takes to track a user's mouse movement, or insert the perfect ad into open space.

    As for the huge amounts of shitty libraries, isn't this what we were taught in software engineering to be code reuse? Just use what someone else wrote, pull it in directly from his repo. The luser programming the system doesn't care, and the luser using it has no choice.