jm + flatmap-stream   2

event-stream vulnerability explained - Zach Schneider
This was an incredibly clever attack, very reminiscent of this blog post from January about how a similar attack might work. The attacker covered their tracks well — the code and commit log on GitHub all tell an innocuous and fairly common story (a new maintainer joins a project, adds a feature, and then tweaks the implementation of their feature a bit). Other than the warning signs about flatmap-stream (new package, no contributors or download activity), the attack was virtually undetectable. And indeed, it wasn’t discovered for over two months — it was only found because the attacker made a tiny mistake and used the deprecated crypto.createDecipher rather than crypto.createDecipheriv, which raised a suspicious deprecation warning in another library that consumes event-stream.

Unfortunately, this genre of attack isn’t going away anytime soon. JavaScript is the most popular language right now and it’s not really close, meaning it will continue to be an attractive target for hackers. JavaScript also has relatively few standard-library convenience features compared to other languages, which encourages developers to import them from npm packages instead — this, along with other cultural factors, means that JavaScript projects tend to have massive dependency trees.

(via Nelson)
npm  malware  bitcoin  security  javascript  event-stream  flatmap-stream  hacks 
12 days ago by jm
flatmap-stream NPM package backdoor incident
Good Twitter thread with background on the incident. 2,000,000 downloads per week, used by many other core libs. It appears the attacker persuaded the (overloaded) legit maintainer to hand over ownership, then backdoored the package in order to attack copay-dash, a cryptocurrency wallet app.
cryptocurrency  npm  packages  open-source  twitter  flatmap-stream  packaging  security  backdoors 
14 days ago by jm