Last week Ayrton Sparling, a Computer Science major at California State University, Fullerton (CSUF), disclosed that the popular npm package event-stream contains a malicious dependency named flatmap-stream. He reported the problem in a GitHub issue on the event-stream repository.
The event-stream npm package was originally created and maintained by Dominic Tarr. However, this popular package has not been updated for a long time now. According to Thomas Hunter’s post on Medium, “Ownership of event-stream, was transferred by the original author to a malicious user, right9ctrl. The malicious user was able to gain the trust of the original author by making a series of meaningful contributions to the package.”
The new owner then added a library named flatmap-stream to event-stream as a dependency. Every user who installed the affected release, event-stream 3.3.6, therefore downloaded flatmap-stream as well and executed its code whenever event-stream was loaded. The malicious library had accumulated nearly 8 million downloads since it was included in September 2018.
The payload is highly targeted: it affects a single open source app, bitpay/copay, a bitcoin wallet platform for desktop and mobile devices. “We know the malicious package specifically targets that application because the obfuscated code reads the description field from a project’s package.json file, then uses that description to decode an AES256 encrypted payload”, said Thomas in his post.
Since the disclosure, many users on Twitter and GitHub have voiced support for Dominic. In a statement on the event-stream issue, Dominic said, “I’ve shared publish rights with other people before. Of course, if I had realized they had a malicious intent I wouldn’t have, but at the time it looked like someone who was actually trying to help me”.
Here is my statement on the event-stream issue: https://t.co/OmvlVuECHL
Thanks to everyone who sent me friendly emoji 😉 I'm okay. But this is really a much bigger issue (the viability of open source). I'm glad that this incident is raising awareness!
— Dominic Tarr (@dominictarr) November 26, 2018
In support of Dominic, André Staltz, an open source hacker, tweeted:
My comment on this incident, since Dominic is getting a lot of blame and I work closely with him.
1/ Yes, he made a mistake (with huge proportions), but you have to understand Dominic has 700+ packages and this one is just one more. Each package has several issues and comments. https://t.co/XgYBBS7Ypb
— André Staltz (@andrestaltz) November 26, 2018
Users affected by this malicious code are advised to remove it from their application by reverting to version 3.3.4 of event-stream. Because flatmap-stream arrived as a transitive dependency, check the installed tree (for example with `npm ls flatmap-stream`) rather than only the project's own package.json.
If the application handles bitcoin, inspect its activity over the last three months to see whether any mined or transferred bitcoins did not make it into the intended wallet.
If the application does not deal with bitcoin but is otherwise sensitive, review its activity over the same three months for anything suspicious, notably data sent over the network to unintended destinations.
For the full details, see the issue on the event-stream repository.