On Open Source

This article only refers to the Javascript ecosystem. Every other language actually include an official standard library and not a crowdsourced one as it is the case with Javascript.

My article from 2 days ago couldn’t come at a more appropriate time.

The popular event-stream library (downloaded more than 2 million times a week) was given away to right9ctrl¹ since the original author dominictarr couldn’t maintain it anymore.

right9ctrl added an obfuscated payload to extract the private keys from specific bitcoin wallets and upload it to his servers. That’s a very simplified explanation. For more details check the full issue on Github.

Am I Affected?

First even if you’re affected the vulnerability is only targeted of applications that store private keys for Bitcoin.

To find out if your project is using the dependency run:

cd node_modules && find . -name 'package.json'|xargs grep event-stream

Version bigger than 3.3.4 and smaller than 4.0 are affected. 3.3.4 and 4.0 are NOT.

What do to if i’m affected:

Pin the version number of the dependency to be either 3.3.4 or 4.x. Clear the cache and run npm install again.

Most dependencies have already been updated to fix the vulnerability, also npm has blocked the download of the affected versions.

The Problem

Most people are blaming the maintainer that recklessly and without due diligence gave the project to a random person that asked for it.

I don’t agree in the slightest. When you pull in MIT dependencies you’re responsible for the dependency. Now we can argue on the fact that it’s basically impossible to audit your dependencies unless you are a huge company. That is definitely a huge problem with the current state of the javascript (and more particularly npm) ecosystem. But the problem is with the system itself and not with dominictarr’s actions.

This is bound to happen again if nothing changes.

Where to Go From Here

The solution can only be applied by npm itself in my opinion.

1. It must be impossible to have the source code on Github be different from the minified code.
2. There should be a way to vet maintainers.
3. There should be a way to support financially open source maintainers.
4. Github shouldn’t block transfers of repositories only because the receiving account has a fork.