The EventStream incident shows just how easily attackers can infiltrate the open source software supply chain by adding a malicious dependency to a trusted component.
EventStream is a very popular library with almost 2 million downloads per week. Even so, the original owner, Dominic Tarr, has not maintained it since 2012. So, in September 2018, Tarr transferred project ownership to a volunteer to maintain it.
The new owner, a user called Right9ctrl, turned out to be a bad actor. Soon after taking ownership of EventStream, Right9ctrl added a dependency to flatmap-stream. Until then, flatmap-stream was a little-known library that had no downloads on NPM. Right after that, someone (it’s not clear who) made a change to flatmap-stream that included the malicious code. Now the EventStream library was pulling in a malicious dependency.
Three days later, Right9ctrl removed the dependency on flatmap-stream from the EventStream library (perhaps to hide his or her tracks). However, people who included the EventStream package in their projects during those three days pulled in the malicious code. And if they haven’t updated their projects since then, it may still be there.
The malicious code, which targets the copay-dash library, looks for cryptocurrency wallet profiles. It maps the wallet IDs with the public keys of profiles with balances over 100 BTC (Bitcoin) or 1,000 BCH (Bitcoin Cash). Then it sends the identified wallets to a server in Kuala Lumpur.
What makes the EventStream incident so unusual is the attack approach. A common method of distributing malware is typosquatting, where an attacker publishes a malicious package with a name similar to that of a popular package. But in this case, the new owner/attacker gained ownership of the original package through a legitimate channel.
“This represents a scary social-engineering vector for malware,” Cory Doctorow said on the Boing Boing blog. “A malicious person volunteers to help maintain the project, makes some small, positive contributions, gets commit access to the project, and releases a malicious patch, infecting millions of users and apps.”
What’s not unusual is for owners of popular packages to give them away. As Tarr points out, “There are likely to be many other modules in your dependency trees that are now a burden to their authors” and thus may end up in the hands of new owners.
Interestingly enough, after someone alerted Tarr to the vulnerability in EventStream, he could not update the code on NPM. He had already transferred the rights to the library to Right9ctrl. Thus, he had to contact NPM to remove the malicious package from the repository.
NPM has now pulled flatmap-stream, so applications trying to download it will return an error. If your projects include any of these packages, update all dependencies to the latest recommended versions.
So what does this story tell us? Dependency management is hard. NPM verifies the immediate dependencies that you add to your package when you install them (as long as you don’t ignore the notifications). But those dependencies may become compromised later if someone adds another dependency that has malicious code. Even if a library contains malicious code for only a few days, for a popular library, that’s enough to affect thousands or millions of users. If these users don’t update their applications, the malicious code will still be there. And the malicious dependency may not necessarily target the original application. Instead, it might go after peer dependencies used in the same or other applications.
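As an added example (not code from the original post or from the EventStream project), the following Node script walks a project's package.json and a lockfile v1 package-lock.json and reports every chain through which a flagged package such as flatmap-stream enters the dependency tree, which is the check a team would run to learn whether a transitive dependency like EventStream ever pulled it in. The two documents, the project name, and the version strings are constructed placeholders.

```javascript
// Added example: locate every chain by which a flagged package reaches a project,
// using the data npm already writes to package.json and package-lock.json (v1 layout).
// Both documents below are constructed samples; versions are placeholders.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: { "event-stream": "^0.0.0", "left-pad": "^0.0.0" },
};

const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "event-stream": { version: "0.0.0-constructed", requires: { "flatmap-stream": "^0.0.0" } },
    "flatmap-stream": { version: "0.0.0-constructed" }, // hoisted transitive dependency
    "left-pad": { version: "0.0.0-constructed" },
  },
};

// Flatten the (possibly nested) lockfile into name -> { version, requires }.
// Lockfile v1 hoists most packages to the top level, so the nesting alone does
// not tell you who pulled a package in; the "requires" edges do.
function indexLock(lock) {
  const index = new Map();
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (!index.has(name)) {
        index.set(name, { version: entry.version, requires: Object.keys(entry.requires || {}) });
      }
      walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return index;
}

// Depth-first walk from the project's direct dependencies along "requires" edges,
// collecting every chain that ends at the flagged package. The per-path "seen"
// set guards against dependency cycles.
function findDependencyChains(pkgJson, lock, flagged) {
  const index = indexLock(lock);
  const chains = [];
  const visit = (name, chain, seen) => {
    const entry = index.get(name);
    if (!entry || seen.has(name)) return;
    const next = [...chain, `${name}@${entry.version}`];
    if (name === flagged) chains.push(next.join(" -> "));
    const seenNext = new Set(seen).add(name);
    for (const dep of entry.requires) visit(dep, next, seenNext);
  };
  for (const direct of Object.keys(pkgJson.dependencies || {})) visit(direct, [pkgJson.name], new Set());
  return chains;
}
```

Run against a real project by replacing the two sample objects with `JSON.parse(fs.readFileSync(...))` of its package.json and package-lock.json; an empty result means the flagged package is not in the locked tree, but an unlocked tree can still drift, which is why the author's advice to update and pin dependencies matters.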
Take these steps to make sure your code is not using any malicious or outdated dependencies:
Ksenia Peguero is a senior research manager at Synopsys, where she manages the R&D team for the Rapid Scan Static engine, the next-gen approach to SAST. Her research expertise ranges from the security of the web stack, to mobile languages, to cloud environments and infrastructure as code. Before diving into research and engineering, Ksenia had a consulting career in a variety of application security practices, including penetration testing, threat modeling, code review, and static analysis tool design, customization, and deployment. During her decade in application security, Ksenia has established and evolved secure coding guidance and practices for many firms, developed and delivered numerous software security trainings, and presented at conferences around the world, such as RSA and OWASP AppSec Global. Ksenia holds a Ph.D. in Computer Science from George Washington University.