On Open Source
My article from 2 days ago couldn’t come at a more appropriate time.
The popular event-stream library (downloaded more than 2 million times a week) was given away to right9ctrl1 since the original author dominictarr couldn’t maintain it anymore.
right9ctrl added an obfuscated payload to extract the private keys from specific bitcoin wallets and upload it to his servers. That’s a very simplified explanation. For more details check the full issue on Github.
Am I Affected?
First even if you’re affected the vulnerability is only targeted of applications that store private keys for Bitcoin.
To find out if your project is using the dependency run:
cd node_modules && find . -name 'package.json'|xargs grep event-stream
Version bigger than 3.3.4 and smaller than 4.0 are affected. 3.3.4 and 4.0 are NOT.
What do to if i’m affected:
Pin the version number of the dependency to be either 3.3.4 or 4.x. Clear the cache and run
npm install again.
Most dependencies have already been updated to fix the vulnerability, also npm has blocked the download of the affected versions.
Most people are blaming the maintainer that recklessly and without due diligence gave the project to a random person that asked for it.
This is bound to happen again if nothing changes.
Where to Go From Here
The solution can only be applied by npm itself in my opinion.
- It must be impossible to have the source code on Github be different from the minified code.
- There should be a way to vet maintainers.
- There should be a way to support financially open source maintainers.
- Github shouldn’t block transfers of repositories only because the receiving account has a fork.
That either deleted his profile or got suspended by Github. ↩