A widely used Node.js code library listed in NPM's warehouse of repositories was altered to include crypto-coin-stealing malware. The lib in question,
event-stream, is downloaded roughly two million times a week by application programmers.
This vandalism is a stark reminder of the dangers of relying on deep and complex webs of dependencies in software: unless precautions are taken throughout the whole chain, any one component can be modified to break an app's security. If your project uses
event-stream in some way, you should check to make sure you didn't fetch and install the dodgy version during testing or deployment.
Here's how it all started: a developer identified on GitHub as "right9control" volunteered to take over
flatmap-stream, which was later modified to include Bitcoin-siphoning malware – prompting alarm yet again that those pulling third-party packages into their apps have no idea what that code may be doing.
A timeline can be found here, but in short: on September 9, right9control added
flatmap-stream as a dependency to
event-stream, and then on September 16, removed the dependency by implementing the code themselves. However, this latter change was not automatically pushed out to the library's users. On October 5,
flatmap-stream was altered by a user called "hugeglass" to include obfuscated code that attempted to drain Bitcoins from wallets using the software.
Thus, anyone using
event-stream and pulling in the cursed
flatmap-stream, rather than the rewritten code, since October 5 would be potentially hit by the malicious script. The offending code has been removed from
event-stream. If it's any relief, the hidden malware is highly targeted, and not designed to attack every programmer or application using
Ayrton Sparling, a computer science student at California State University, Fullerton (FallingSnow on GitHub), flagged the problem last week in a GitHub issues post. According to Sparling, a commit to the
event-stream module added
flatmap-stream as a dependency, which then included injection code targeting another package,
The malicious code in
email@example.com – apparently an attempt to steal coins from Dash Copay Bitcoin wallets – is hosted on GitHub and was distributed through the Node Package Manager (NPM) until it was removed from NPM's listing on Monday this week.
In a statement emailed to The Register today, an NPM spokesperson said, "At 9:18 PT this morning, the sub dependency
flatmap-stream was unpublished, and shortly after 9:30 PT this morning, NPM Inc. assumed control of the
event-stream package." NPM's spokesperson said the matter is currently being investigated.
EventStream was created by Dominic Tarr, a New Zealand-based developer who stopped maintaining the code. According to Tarr, right9control emailed him to say that he wanted to take over maintenance of the project, and was granted access because Tarr no longer had any interest in looking after it.
Now Pushing Malware: NPM package dev logins slurped by hacked tool popular with codersREAD MORE
The Register emailed right9control, based in Tokyo if the individual's GitHub profile is accurate, but we've received no response. A server used for the attack is run by a service provider operating out of Kuala Lumpur, Malaysia. It may well be that right9control had no idea
flatmap-stream would be tampered with to smuggle in wallet-raiding code when updating
event-stream to use the module.
Some developers commenting via the GitHub issues post and elsewhere have criticized Tarr for failing to provide adequate notice to the code community about the change in
event-stream's ownership. Others argue that the software license specifically disclaims any responsibility and that developers have only themselves to blame for trusting code that comes with no guarantees.
In a phone interview with The Register, NPM director of security Adam Baldwin said, "Based on our current analysis, which is not complete yet, the early indications suggest it's an extremely targeted attack on a Bitcoin platform."
Baldwin said NPM has not yet gathered data on the number of individuals who downloaded the compromised code for their Node.js apps. He confirmed that version 3.3.6 of EventStream, which included the
flatmap-stream dependency, was released on September 9, and the malicious version of
flatmap-stream appeared on October 5.
"The payload only decrypts if being run in a certain environment," he said. "It's the most sophisticated payload we've seen to date."
But because the attack is so targeted, Baldwin expects its impact will be minimal.
NPM and other code repositories like Python's PyPI and Ruby's RubyGems have been dealing with the problem of compromised package libraries for years. Despite the ongoing addition of defenses like automated vulnerability scanning and of reporting mechanisms, the risks are unlikely to go away while people have the freedom to publish unvetted code.
However, dependency pinning – in which a specific version rather than a range of versions is required – can help.
Asked about how this situation might be avoided in the future, Baldwin acknowledged that both unmaintained code and transferring code ownership pose potential problems. He credited the NPM community for identifying the malicious code and said if the organization tightened things down so much that no one could publish code, it would harm the community.
"We have to give maintainers the ability to move on," he said. "At the same time, the community is wonderful because there are lots of eyes on projects." ®