A popular Npm library with over 2 million installs had a backdoor. Wait, what?! Yep, you heard it correctly the event-stream library which was not archived at that time and was used all over the place from your garage script kiddie to enterprise systems was infected with an obnoxious back-door, a crypto miner /stealer/something. From now on we will call it the C — virus for dramatic effect.
Damn crypto hype, it’s high time the bubble burst and let us go on with our lives. — @Me, December 2018
But, how did it happen? Well, a combination of unfortunate circumstances and the author’s faith in people led us here where we are today.
The author stopped using and maintaining the library a long time ago. Since it wasn’t archived over time it became a dependency of many projects and lo and behold one day a good Samaritan slid into his inbox and offered to take the burden of maintaining the library upon himself and to carry the torch onwards, but he was not good, was he now.
Step 1 Go through the most popular inactive open source libraries. Step 2 Reach out to author and ask to help out. Step 3 Get push access and release a compromised version. Step 4 Reach 2 million applications within a week. – @KrauseFx
The author transferred the rights of the Npm module to this kind stranger but left the module’s code on his Github account since there were some problems with name conflict when he tried to transfer it to the stranger’s account, or so he says, but I suppose they weren’t accidental either. This Samaritan was one nefarious schemer.
As soon as he got hold of the library he removed the publishing rights of the old author, added the
flatmap-stream module which contained the C-virus, did a minor version bump and finally a new release on Npm.
The event-stream library was updated to the new minor version all over the world.
As soon as he planted the C-virus, he removed the
flatmap-stream module from the library and then he did a major version bump and once again a new release on Npm. Quite smart isn’t it? Now there was nothing suspicious in the codebase but since it was a major version update most of the systems wouldn’t update to it because they are version locked to the previous major version thus they would still have the infected code.
Even one of my coworkers got infected, barely anyone noticed, but Kevin Beaumont.
NPM library with 2m installs has a backdoor, looks to be some kind of Trojan (stealer?) – @GossiTheDog
That was a brief summary and I probably missed a step or two but you get the picture.
We shouldn’t blame the author, he probably didn’t really think it through that much but maintaining open source software is a real hassle and can be really mentally draining on the authors, especially in today’s entitled society where people expect everything for nothing. So let’s not put the blame on him.
Now let’s get back on track! Oh, here’s another gem by Kevin Beaumont
One of the things to emerge over last few years is npm and Node.js ecosystem – billion dollar companies and startups alike are building complex systems on top of often unmaintained code written by random people for no pay. – @GossiTheDog
Hallelujah, praise the Lord! Preach! People didn’t come up with this meme for no reason:
Key takeaways from this mess:
- Sometimes we take for granted and don’t think what we Npm install/Composer require/Yarn add/Gem install etc.
- You should always put careful thought in what you require as a dependency, more dependencies can sometimes mean more technical debt
- Add a layer of abstraction and design an interface as a bridge/adapter between your domain logic and libraries, so you can swap them more easily if the need arises
- When a library stops being maintained we now own that code and it is our responsibility to fix it as part of our codebase, or find a suitable replacement for it
These lessons were once again learned the hard way by many businesses this November.
Thanks for reading my long rant!