Saturday, January 12, 2019

Remembering two security incidents related to npm from 2018

If you are a JS developer, one of the tools you probably use the most is npm. You have probably also read this article reminding us that things can go wrong in many ways. And they actually did. Here I will talk a bit about two incidents that happened in 2018.

I am not writing this to bash npm or the JS ecosystem, not at all! If that were the case I would go to /r/programming and post something like "DAE think JS bad? lolol Edit: thanks for the gold stranger!". Just kidding. I understand (and share) many of the frustrations that a lot of people have when working with JS, but that is not the point. I think that every problem or incident is a learning opportunity, so it would be a waste if these events were simply forgotten.


Packages: eslint-scope@3.7.2 and eslint-config-eslint@5.0.2 (July)

What happened?

The two packages (eslint-scope being very popular, with millions of downloads) were shipped with a script that downloads text from pastebin and evals it; the downloaded code then sends the victim's npm tokens to the attacker.

Interestingly, the script evals each chunk of the HTTP response as it arrives instead of waiting for the whole attack code to download, so on some connections it dies with a syntax error, which is how the malicious code was discovered. The QA for this attack probably didn't account for slower internet speeds, SMH.

How did the incident develop?

The attacker gained access to the npm credentials of a maintainer of the affected packages and published new versions with a postinstall script added. That script only downloads the code that does the actual work.

Read more

https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes

https://blog.npmjs.org/post/175824896885/incident-report-npm-inc-operations-incident-of

https://blog.npmjs.org/post/176488970320/community-questions-following-the-eslint-security


Package: event-stream@3.3.6 (September - November)

What happened?

The heavily downloaded package event-stream (used by many other packages, including nodemon and popular CLI tools) was shipped with a malicious dependency, flatmap-stream. This package had a very specific target: the Bitcoin wallet Copay. If certain conditions were met, the malicious code would send the victim's wallet data, including private keys, to the attacker.

How did the incident develop?

Despite its popularity, event-stream was no longer actively maintained, with the last actual code changes merged more than two years earlier. The attacker approached the package owner offering to help maintain it and was given write and publish rights to the package.

After a few small and harmless commits the attacker sneaked in flatmap-stream as a dependency and published it as a patch release (3.3.5 to 3.3.6), so existing semver ranges picked it up automatically. It only came to light about two months later.

Read more

https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream/

https://github.com/dominictarr/event-stream/issues/116


General recommendations

How to prevent this? There has been a lot of debate about it, especially in the JS community, but in my opinion some things we can (and should) do right now are:
- If you are a package maintainer, limit the number of users with publish rights on npm;
- Use 2FA for your npm account, and anywhere else you have important data, actually;
- Be very careful with tokens and credentials, and never publish them. Remember that they could be inside PRs or the commit history;
- Use npm audit or Snyk to check whether you are using a package with known vulnerabilities.

I think the general advice is: take care of your dependencies. Even if it is too much to check all of the hundreds of packages in node_modules, if we all take care of at least the modules we directly import, then we can all feel a bit safer.

Of course, this is easier said than done, so what do you think? How do you decide when to add a dependency? How do you tell whether it is trustworthy or not? Should you remove a package that has not been active for years? What should npm change to improve security?

