Regarding the recent security vulnerability in event-stream and other npm packages

; Date: June 18, 2019

Tags: Node.JS

Recently security vulnerabilities were discovered in the event-stream package, and at least one other. Malicious code was added to specific packages in a way that could be done much more broadly. While the specific vulnerability was tightly focused on one specific target and did not affect most of us, the problem could have been extremely wide-spread. As a result we, the Node.js community, need to rethink how packages are managed.

The attached video is a presentation by Jarrod Overson, a security expert, who diagnosed how the event-stream exploit worked. He describes the conditions under which it executes, and the impact of when it does execute.

Namely ....

The event-stream module ownership changed hands. The new owner made a few benign changes, then introduced a nefarious dependency, and shipped version 3.3.6 of the module. Then a few days later he stripped out the nefarious dependency, and shipped version 4.0.0 of the module.

This meant that any package.json depending on ^3.3.5 will automatically update to 3.3.6 and therefore get the malicious extra dependency.

The malicious extra dependency was triggered to execute only during the build of a specific application. The impact was that when that application executed on mobile devices, that bitcoin wallet information was downloaded to a server somewhere.

The big issue -- It could have been a lot worse

The event-stream package is used by a zillion applications, and it could have had a much broader impact.

And this problem can happen to other packages. The npm system does not have enough checks against insertion of malicious stuff.

In fact the same sort of attack has already happened again. The first attack was a malicious dependency added to event-stream targeting the build of the dash-copay mobile application. The new attack was announced by npm, Inc and targets the electron-native-notify module and specifically targeted the Agama bitcoin wallet.

See: (blog.npmjs.org) Plot to steal cryptocurrency foiled by the npm security team

For its part npm Inc is increasing its security team, and investing in security screening infrastructure.

For our part we, the Node.js community, need to be more vigilant.

For example in our package.json dependencies do not use those niceties like ^ in dependency specifiers. Instead we should use hard-coded dependencies to specific package numbers. The corollary step is to double check when updating dependencies to verify correctness.

Another step we can take is to be more conservative about using 3rd party dependencies. Each external dependency is a potential attack vector.

Analysis of an Exploited NPM Package || Jarrod Overson