
Why You Should Care What You Npm Install

As if we hadn’t learned anything from the left-pad debacle, on November 26th the JavaScript world was shaken once again.


A popular Npm library with over 2 million installs had a backdoor. Wait, what?! Yep, you heard it correctly: the event-stream library, which was not archived at that time and was used all over the place, from your garage script kiddie to enterprise systems, was infected with an obnoxious backdoor, a crypto miner/stealer/something. From now on we will call it the C-virus, for dramatic effect.

Damn crypto hype, it’s high time the bubble burst and let us go on with our lives. — @Me, December 2018

But how did it happen? Well, a combination of unfortunate circumstances and the author’s faith in people led us to where we are today.

The author stopped using and maintaining the library a long time ago. Since it wasn’t archived, over time it became a dependency of many projects, and lo and behold, one day a good Samaritan slid into his inbox and offered to take the burden of maintaining the library upon himself and carry the torch onwards. But he was not good, was he now.

Step 1 Go through the most popular inactive open source libraries. Step 2 Reach out to author and ask to help out. Step 3 Get push access and release a compromised version. Step 4 Reach 2 million applications within a week. - @KrauseFx

The author transferred the rights to the Npm module to this kind stranger but left the module’s code on his GitHub account, since there were some problems with a name conflict when he tried to transfer it to the stranger’s account, or so he says, but I suppose they weren’t accidental either. This Samaritan was one nefarious schemer.

As soon as he got hold of the library he removed the old author’s publishing rights, added the flatmap-stream module, which contained the C-virus, did a minor version bump and finally published a new release on Npm.

The event-stream library was updated to the new minor version all over the world.

As soon as he had planted the C-virus, he removed the flatmap-stream module from the library, did a major version bump and once again published a new release on Npm. Quite smart, isn’t it? Now there was nothing suspicious in the codebase, but since it was a major version update most systems wouldn’t update to it: their dependency ranges lock them to the previous major version (a minor bump is pulled in automatically, a major bump is not), so they would still have the infected code.
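To see why this release sequence works so well against default dependency ranges, here is an added example (my own illustration, not code from the original post or from event-stream): a minimal caret-range resolver plus a lockfile diff that would have surfaced the new transitive dependency. All package names and version numbers are constructed, not the real release numbers.

```javascript
// Added example, not from the original post or from event-stream itself.
// Package names and version numbers below are constructed for illustration.

// Splits "3.3.4" into its numeric parts.
function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

// npm's default range for `npm install foo` is a caret range such as "^3.3.4":
// any later 3.x.y is accepted, 4.0.0 is not. (The special 0.x rules are omitted.)
function satisfiesCaret(range, version) {
  const base = parseVersion(range.replace(/^\^/, ''));
  const v = parseVersion(version);
  if (v.major !== base.major) return false;
  if (v.minor !== base.minor) return v.minor > base.minor;
  return v.patch >= base.patch;
}

// Highest published version the range resolves to, i.e. what a fresh install or
// `npm update` pulls down. Returns undefined when nothing matches.
function resolve(range, published) {
  const cmp = (a, b) => {
    const x = parseVersion(a), y = parseVersion(b);
    return (x.major - y.major) || (x.minor - y.minor) || (x.patch - y.patch);
  };
  return published.filter(v => satisfiesCaret(range, v)).sort(cmp).pop();
}

// Names present in the new lockfile's dependency map but absent from the old one.
// A transitive package appearing on a minor bump is exactly the signal nobody looked at.
function newDependencies(oldLock, newLock) {
  return Object.keys(newLock).filter(name => !(name in oldLock));
}

// Constructed registry history: 3.4.0 is the minor bump that adds the backdoored
// dependency, 4.0.0 is the major bump that removes it again.
const published = ['3.3.3', '3.3.4', '3.4.0', '4.0.0'];

// Constructed lockfile snapshots (name -> version) before and after `npm update`.
const lockBefore = { 'stream-lib': '3.3.4', 'other-dep': '1.0.0' };
const lockAfter = { 'stream-lib': '3.4.0', 'other-dep': '1.0.0', 'flatmap-dep': '0.1.1' };

console.log(resolve('^3.3.4', published));            // 3.4.0: the infected release
console.log(satisfiesCaret('^3.3.4', '4.0.0'));       // false: the clean major never arrives
console.log(newDependencies(lockBefore, lockAfter));  // [ 'flatmap-dep' ]
```

Diffing the lockfile on every update, rather than only the top-level package.json, is what turns this from a surprise into a review item.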

Even one of my coworkers got infected. Barely anyone noticed, except Kevin Beaumont.

NPM library with 2m installs has a backdoor, looks to be some kind of Trojan (stealer?) - @GossiTheDog

That was a brief summary, and I probably missed a step or two, but you get the picture.


SHORT NOTICE:

We shouldn’t blame the author. He probably didn’t really think it through that much, but maintaining open source software is a real hassle and can be really mentally draining on the authors, especially in today’s entitled society where people expect everything for nothing. So let’s not put the blame on him.


Now let’s get back on track! Oh, here’s another gem by Kevin Beaumont:

One of the things to emerge over last few years is npm and Node.js ecosystem - billion dollar companies and startups alike are building complex systems on top of often unmaintained code written by random people for no pay. - @GossiTheDog

Hallelujah, praise the Lord! Preach! People didn’t come up with this meme for no reason:

Key takeaways from this mess:

  • Sometimes we take for granted, and don’t think about, what we Npm install / Composer require / Yarn add / Gem install, etc.
  • Developers have become too lazy. We have started taking “don’t reinvent the wheel” too literally: instead of writing a few extra lines we’d rather require a library, sometimes even for the most trivial of tasks (especially in the JavaScript world this seems to be the trend).
  • You should always put careful thought into what you require as a dependency; more dependencies can sometimes mean more technical debt.
  • Add a layer of abstraction and design an interface as a bridge/adapter between your domain logic and libraries, so you can swap them more easily if the need arises.
  • When a library stops being maintained, we own that code and it is our responsibility to fix it as part of our codebase, or to find a suitable replacement for it.


These lessons were once again learned the hard way by many businesses this November.


Thanks for reading my long rant!



Sasa Blagojevic

Sasa is a highly driven full stack software developer with background in finance and accounting. A relentless problem solver who is passionate about finding elegant solutions to problems at hand. Writing maintainable and performant code is very important to him. He specializes in PHP and Ruby and all things backend. When he's not writing code he spends his time spreading the gospel of JSGuru.
