By: +David Herron; Date: June 18, 2019
The attached video is a presentation by Jarrod Overson, a security expert who diagnosed how the event-stream exploit worked. He describes the conditions under which the malicious code executes, and its impact when it does.
The event-stream module changed ownership. The new owner made a few benign changes, then introduced a nefarious dependency and shipped version 3.3.6 of the module. A few days later he stripped out the nefarious dependency and shipped version 4.0.0 of the module.
This meant that any package.json depending on ^3.3.5 will automatically update to 3.3.6 and therefore get the malicious extra dependency.
The malicious extra dependency was triggered to execute only during the build of a specific application. The impact was that when that application ran on mobile devices, bitcoin wallet information was sent to a server somewhere.
The big issue -- It could have been a lot worse
The event-stream package is used by a zillion applications, and the attack could have had a much broader impact.
And this problem can happen to other packages: the npm system does not have enough checks against the insertion of malicious code.
In fact the same sort of attack has already happened again. The first attack was a malicious dependency added to event-stream, targeting the build of the dash-copay mobile application. The new attack was announced by npm, Inc and targets the electron-native-notify module, specifically aiming at the Agama bitcoin wallet.
For its part, npm Inc is expanding its security team and investing in security screening infrastructure.
For our part we, the Node.js community, need to be more vigilant.
For example, in our package.json dependencies we should not use conveniences like ^ in dependency specifiers. Instead we should pin dependencies to specific version numbers. The corollary step is to double check, when updating dependencies, that the new version is what we expect.
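As an added example (not code from the original post), here is a small script that audits a package.json for specifiers that would let npm silently pick up a newer release, and a minimal caret-range check showing why ^3.3.5 accepts 3.3.6 but not 4.0.0. The package.json contents and its dependency names are constructed for the example.

```javascript
// Added example: flag non-pinned dependency specifiers in a package.json and
// show how a caret range resolves. The sample package.json is constructed.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  dependencies: { 'event-stream': '^3.3.5', 'left-pad': '1.3.0' },
  devDependencies: { mocha: '~5.2.0', chai: '*' },
});

// A specifier counts as pinned only when it is an exact version like 1.2.3.
const EXACT_VERSION = /^\d+\.\d+\.\d+$/;

// Return every dependency whose specifier is not an exact version, so a
// reviewer can see which packages could change underneath a fresh install.
function findLooseSpecifiers(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const loose = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!EXACT_VERSION.test(spec)) loose.push({ section, name, spec });
    }
  }
  return loose;
}

// Minimal caret-range check for ^a.b.c with a > 0: same major version and the
// candidate is >= a.b.c. Enough to show why ^3.3.5 pulled in 3.3.6 but not 4.0.0.
function caretMatches(caretSpec, version) {
  const want = caretSpec.slice(1).split('.').map(Number);
  const have = version.split('.').map(Number);
  if (have[0] !== want[0]) return false; // a major bump is never accepted
  for (let i = 0; i < 3; i++) {
    if (have[i] > want[i]) return true;
    if (have[i] < want[i]) return false;
  }
  return true; // identical version
}

// Usage
console.log(findLooseSpecifiers(SAMPLE_PACKAGE_JSON));
console.log(caretMatches('^3.3.5', '3.3.6')); // true: would be auto-updated
console.log(caretMatches('^3.3.5', '4.0.0')); // false: major bump is excluded
```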
Another step we can take is to be more conservative about using third-party dependencies. Each external dependency is a potential attack vector.