SoylentNews is people

posted by martyb on Wednesday November 28 2018, @03:34PM
from the don't-trust;-do-verify dept.

Malware Inserted Into NPM Package by New Maintainer

[NB: NPM is a Node.js package manager.]

https://github.com/dominictarr/event-stream/issues/116

One of the many popular one-function NPM packages for JavaScript was handed to a new maintainer who promptly injected code that steals cryptocurrency wallets.

Some takeaways: NPM has no security, FOSS packages should be inspected before use (including new versions), and maybe importing millions of packages each implementing a single function isn't such a good idea.
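An added example of the kind of check the takeaway above calls for (this is not code from the story, from NPM or from the event-stream project): a small Node script that walks a parsed package-lock.json and flags the event-stream version the report names as the stage-one carrier, plus any flatmap-stream entry anywhere in the tree. The SUSPECT table, the sample lockfile and its version numbers other than event-stream 3.3.6 are constructed for illustration.

```javascript
// Added example (not from the story or the event-stream project): scan a parsed
// package-lock.json for the event-stream version named in the report and for
// any flatmap-stream dependency anywhere in the dependency tree.
const SUSPECT = {
  // 3.3.6 is the event-stream release the report says pulled in flatmap-stream.
  'event-stream': (version) => version === '3.3.6',
  // flatmap-stream is the module that carried the malicious update, so any
  // occurrence at any version is worth a look.
  'flatmap-stream': () => true,
};

// Handles both lockfile layouts: v1 (nested "dependencies" objects) and
// v2/v3 (flat "packages" keyed by node_modules paths). Returns one
// { name, version, path } record per suspicious entry, in tree order.
function auditLockfile(lock) {
  const hits = [];
  const check = (name, version, path) => {
    const isSuspect = SUSPECT[name];
    if (isSuspect && isSuspect(version)) hits.push({ name, version, path });
  };
  // v2/v3 layout: keys look like "node_modules/a/node_modules/b"
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (!key) continue; // "" is the root project itself, not a dependency
    const marker = 'node_modules/';
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    check(name, meta.version, key);
  }
  // v1 layout: recurse through nested "dependencies"
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(name, meta.version, path);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample (v1 layout). The flatmap-stream and other-pkg versions
// are placeholders, not values from the report.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'event-stream': {
      version: '3.3.6',
      dependencies: { 'flatmap-stream': { version: '0.0.0' } },
    },
    'other-pkg': { version: '1.0.0' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Each hit carries the node_modules path, so a transitive pull-in several levels down is reported with the chain that brought it in.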

Widely Used Open Source Software Contained Bitcoin-Stealing Backdoor

Submitted via IRC for SoyCow0824

Malicious code that crept into event-stream JavaScript library went undetected for weeks.

A hacker or hackers sneaked a backdoor into a widely used open source code library with the aim of surreptitiously stealing funds stored in bitcoin wallets, software developers said Monday.

The malicious code was inserted in two stages into event-stream, a code library with 2 million downloads that’s used by Fortune 500 companies and small startups alike. Stage one, version 3.3.6, published on September 8, included a benign module known as flatmap-stream. Stage two was implemented on October 5 when flatmap-stream was updated to include malicious code that attempted to steal bitcoin wallets and transfer their balances to a server located in Kuala Lumpur. The backdoor came to light last Tuesday with this report from Github user Ayrton Sparling. Officials with the NPM, the open source project manager that hosted event-stream, didn’t issue an advisory until Monday, six days later.

NPM officials said the malicious code was designed to target people using a bitcoin wallet developed by Copay, a company that incorporated event-stream into its app. This release from earlier this month shows Copay updating its code to refer to flatmap-stream, but a Copay official said in a Github discussion that the malicious code was never deployed in any platforms. After this post went live, Copay officials updated their comment to say they did, in fact, release platforms that contained the backdoor.

In a blog post published after this post went live, Copay officials said versions 5.0.2 through 5.1.0 were affected by the backdoor and that users with these versions installed should avoid running the app until after installing version 5.2.0.

Source: https://arstechnica.com/information-technology/2018/11/hacker-backdoors-widely-used-open-source-software-to-steal-bitcoin/

  • (Score: 2) by JoeMerchant (3937) on Wednesday November 28 2018, @10:09PM (#767528) (2 children)

    Again, we are far, far away from this future, but in such a future one would choose financial software based, in part, upon code quality audit results from third parties, and financial software publishers who use packages maintained by relatively anonymous individuals without thorough documented reviews of the anonymous code should fall to the bottom of the "feel safe with your money here" list.

    Right now, I'm not sure that safe and money can be used in the same sentence, unless you are among the top 1% of wealthy in the world and you use a significant part of your personal wealth to ensure your continued position at the top of whatever piles (of wealth) come to the world next.

  • (Score: 2) by legont (4179) on Thursday November 29 2018, @02:11AM (#767614) (1 child)

    While I totally agree with you, it helps to remember that economic vertical mobility implies a high chance to lose money. Without vertical mobility there will not be much progress.

    In an ideal world a person spends parts of her life in all the income categories, including prison slavery.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
    • (Score: 2) by PiMuNu (3823) on Thursday November 29 2018, @08:10AM (#767673)

      In an ideal world the lowest tier is "enough to have a reasonable life" and no one is in "prison slavery".