Tags: Node.JS
Recently security vulnerabilities were discovered in the event-stream package, and at least one other. Malicious code was added to specific packages in a way that could be done much more broadly. While the specific vulnerability was tightly focused on one specific target and did not affect most of us, the problem could have been extremely wide-spread. As a result we, the Node.js community, need to rethink how packages are managed.
The attached video is a presentation by Jarrod Overson, a security expert, who diagnosed how the event-stream
exploit worked. He describes the conditions under which it executes, and the impact of when it does execute.
Namely ....
The event-stream
module ownership changed hands. The new owner made a few benign changes, then introduced a nefarious dependency, and shipped version 3.3.6 of the module. Then a few days later he stripped out the nefarious dependency, and shipped version 4.0.0 of the module.
This meant that any package.json
depending on ^3.3.5
will automatically update to 3.3.6
and therefore get the malicious extra dependency.
The malicious extra dependency was triggered to execute only during the build of a specific application. The impact was that when that application executed on mobile devices, that bitcoin wallet information was downloaded to a server somewhere.
The big issue -- It could have been a lot worse
The event-stream
package is used by a zillion applications, and it could have had a much broader impact.
And this problem can happen to other packages. The npm system does not have enough checks against insertion of malicious stuff.
In fact the same sort of attack has already happened again. The first attack was a malicious dependency added to event-stream
targeting the build of the dash-copay
mobile application. The new attack was announced by npm, Inc and targets the electron-native-notify
module and specifically targeted the Agama bitcoin wallet.
See: Plot to steal cryptocurrency foiled by the npm security team
For its part npm Inc is increasing its security team, and investing in security screening infrastructure.
For our part we, the Node.js community, need to be more vigilant.
For example in our package.json
dependencies do not use those niceties like ^
in dependency specifiers. Instead we should use hard-coded dependencies to specific package numbers. The corollary step is to double check when updating dependencies to verify correctness.
Another step we can take is to be more conservative about using 3rd party dependencies. Each external dependency is a potential attack vector.