
posted by martyb on Wednesday November 28 2018, @03:34PM   Printer-friendly
from the don't-trust;-do-verify dept.

Malware Inserted Into NPM Package by New Maintainer

[NB: NPM is the Node.js package manager.]

https://github.com/dominictarr/event-stream/issues/116

One of the many popular one-function NPM packages for JavaScript was handed to a new maintainer who promptly injected code that steals cryptocurrency wallets.

Some takeaways: NPM has no security, FOSS packages should be inspected before use (including new versions), and maybe importing millions of packages each implementing a single function isn't such a good idea.

Widely Used Open Source Software Contained Bitcoin-Stealing Backdoor

Submitted via IRC for SoyCow0824

Malicious code that crept into event-stream JavaScript library went undetected for weeks.

A hacker or hackers sneaked a backdoor into a widely used open source code library with the aim of surreptitiously stealing funds stored in bitcoin wallets, software developers said Monday.

The malicious code was inserted in two stages into event-stream, a code library with 2 million downloads that’s used by Fortune 500 companies and small startups alike. Stage one, version 3.3.6, published on September 8, included a benign module known as flatmap-stream. Stage two was implemented on October 5 when flatmap-stream was updated to include malicious code that attempted to steal bitcoin wallets and transfer their balances to a server located in Kuala Lumpur. The backdoor came to light last Tuesday with this report from Github user Ayrton Sparling. Officials with the NPM, the open source project manager that hosted event-stream, didn’t issue an advisory until Monday, six days later.

NPM officials said the malicious code was designed to target people using a bitcoin wallet developed by Copay, a company that incorporated event-stream into its app. This release from earlier this month shows Copay updating its code to refer to flatmap-stream, but a Copay official said in a Github discussion that the malicious code was never deployed in any platforms. After this post went live, Copay officials updated their comment to say they did, in fact, release platforms that contained the backdoor.

In a blog post published after this post went live, Copay officials said versions 5.0.2 through 5.1.0 were affected by the backdoor and that users with these versions installed should avoid running the app until after installing version 5.2.0.

Source: https://arstechnica.com/information-technology/2018/11/hacker-backdoors-widely-used-open-source-software-to-steal-bitcoin/



  • (Score: 1, Insightful) by Anonymous Coward on Wednesday November 28 2018, @11:55PM (2 children)

    by Anonymous Coward on Wednesday November 28 2018, @11:55PM (#767576)

OK. But that normal user is still trusting someone else's word that the code is good. Exactly the same trust that they place in someone handing them a binary blob. An auditor, "others' contributions", or proprietary closed source: all require the user to place trust that running the code is OK.

    Either way, that ordinary user is trusting someone. So what advantage does that ordinary user derive from trusting an auditor over the blob distributor from the user's perspective? Especially when bearing in mind that most ordinary users do not know someone they inherently trust to act in the user's interest who has the capability to audit the code?

  • (Score: 2) by legont on Thursday November 29 2018, @02:05AM

    by legont (4179) on Thursday November 29 2018, @02:05AM (#767613)

Money in general, and the crypto targeted here in particular, is all about trust. The question is whether we want to trust central authorities or develop decentralized trust schemas. You are advertising the authorities' approach, while it might be beneficial to improve the decentralized one, say put code on a blockchain.

    --
    "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
  • (Score: 0) by Anonymous Coward on Thursday November 29 2018, @09:05AM

    by Anonymous Coward on Thursday November 29 2018, @09:05AM (#767684)

    OK. But that normal user is still trusting someone else's word that the code is good.

    How is that different than any other endeavour in life? You trust your baker that the bread is non-toxic. You trust your doctor that his health advice is sound. You trust the building inspector that his sign-off has value. And in all those cases, you can verify the first advice by having it re-examined by another source (second opinion). This works because the second source does not have financial ties to the original source, only to you. That is why proprietary software is different: even if you were to find two separate auditors to examine proprietary source code, both would have a dependence on the original vendor.