Potentially compromised dependency getcookies (via mailparser) #10641

Closed
segphault opened this issue May 2, 2018 · 4 comments · Fixed by #10648
Comments


@segphault segphault commented May 2, 2018

Description:

On April 20, a seemingly routine dependency update PR introduced what appears to be a compromised package.

Updating mailparser from version 2.2.0 to 2.2.3 pulled in a transitive dependency called http-fetch-cookies, which has a sub-dependency called express-cookies, which depends on a package called getcookies. The getcookies package apparently has a backdoor (reported here) that looks like it uses the vm module to run arbitrary code provided from a request inside of the application's context.

It appears that npm has since removed http-fetch-cookies, express-cookies, getcookies and mailparser 2.2.3. According to Google cache, mailparser 2.2.3 was published 17 days ago with the added dependency. It's worth noting that mailparser became deprecated last month due to lack of funding, and this compromise seems to have happened since then. As mailparser has 67,000 weekly downloads, this is quite concerning.
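A practical first check for anyone reading this report is whether the affected packages are pinned anywhere in a project's lock file. The script below is an added example, not code from this issue or from Rocket.Chat: it walks a package-lock.json (both the nested lockfileVersion 1 shape and the flat `packages` map of lockfileVersion 2/3) and flags mailparser 2.2.3 and the three transitive packages named above. The lock-file contents embedded here are constructed for illustration, and the `1.0.0` versions given to the flagged transitive packages are placeholders, since the issue does not state their versions.

```javascript
'use strict';
// Added example (not from the issue or Rocket.Chat): scan a package-lock.json for
// the packages named in the report. Package names and the mailparser version come
// from the issue text; the lock-file data below is constructed, and the versions of
// the flagged transitive packages are placeholders.

const FLAGGED_NAMES = new Set(['getcookies', 'express-cookies', 'http-fetch-cookies']);
const FLAGGED_VERSIONS = { mailparser: new Set(['2.2.3']) };

function isFlagged(name, version) {
  if (FLAGGED_NAMES.has(name)) return true;
  const bad = FLAGGED_VERSIONS[name];
  return Boolean(bad && bad.has(version));
}

// lockfileVersion 1: nested "dependencies" objects. The recorded path is the
// nesting inside the lock file; it matches the require chain only for packages
// npm could not hoist to the top level.
function walkV1(node, path, out) {
  for (const [name, entry] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${entry.version}`];
    if (isFlagged(name, entry.version)) {
      out.push({ name, version: entry.version, path: here.join(' > ') });
    }
    walkV1(entry, here, out);
  }
}

// lockfileVersion 2/3: flat "packages" map keyed by install location, e.g.
// "node_modules/mailparser/node_modules/http-fetch-cookies". The package name is
// the last segment after the final "node_modules/" (scoped names keep their slash).
function walkPackages(packages, out) {
  for (const [location, entry] of Object.entries(packages)) {
    if (location === '') continue; // root project entry
    const segments = location
      .split('node_modules/')
      .filter(Boolean)
      .map((s) => s.replace(/\/$/, ''));
    const name = segments[segments.length - 1];
    if (isFlagged(name, entry.version)) {
      out.push({ name, version: entry.version, path: location });
    }
  }
}

// Returns every flagged package found in a parsed lock file, with where it sits.
function findFlagged(lock) {
  const out = [];
  if (lock.packages) walkPackages(lock.packages, out);
  else walkV1(lock, [], out);
  return out;
}

// Constructed sample: a v1 lock that pulled in mailparser 2.2.3 and its chain.
const SAMPLE_LOCK_V1 = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.5' },
    mailparser: {
      version: '2.2.3',
      dependencies: {
        'http-fetch-cookies': {
          version: '1.0.0', // placeholder version
          dependencies: {
            'express-cookies': {
              version: '1.0.0', // placeholder version
              dependencies: { getcookies: { version: '1.0.0' } }, // placeholder version
            },
          },
        },
      },
    },
  },
};

// Constructed sample: a v2 lock still on mailparser 2.2.0, which is not flagged.
const SAMPLE_LOCK_V2 = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app' },
    'node_modules/lodash': { version: '4.17.5' },
    'node_modules/mailparser': { version: '2.2.0' },
  },
};

// Convenience wrapper for a real lock file on disk.
function scanLockFile(filePath) {
  const fs = require('fs');
  return findFlagged(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}

if (typeof require !== 'undefined' && require.main === module) {
  const target = process.argv[2];
  const findings = target ? scanLockFile(target) : findFlagged(SAMPLE_LOCK_V1);
  for (const f of findings) console.log(`FLAGGED ${f.name}@${f.version}  (${f.path})`);
  if (findings.length === 0) console.log('no flagged packages found');
}

module.exports = { findFlagged, scanLockFile, SAMPLE_LOCK_V1, SAMPLE_LOCK_V2 };
```

Run it as `node scan-lock.js ./package-lock.json` against a real lock file; with no argument it scans the constructed v1 sample and reports all four packages. Note that a clean lock file only shows the package was never pinned; it says nothing about what may already have executed on a machine that ran `npm install` while 2.2.3 was live.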

@bosko bosko commented May 2, 2018

This makes it impossible to start Rocket.Chat. After cloning the project on Ubuntu 16.04, `meteor npm install` fails with:

npm ERR! 404 Not Found: mailparser@https://registry.npmjs.org/mailparser/-/mailparser-2.2.3.tgz

@evilpacket evilpacket commented May 3, 2018

Here is some more context about the mentioned modules. https://blog.npmjs.org/post/173526807575/reported-malicious-module-getcookies


@fazilboudjellal93 fazilboudjellal93 commented May 3, 2018

Same for me, but mine is:
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/unset-value-4255578a/package.json'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/unset-value-4255578a/README.md'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/unset-value-4255578a/LICENSE'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/unset-value-4255578a/index.js'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/aws-sdk-8c444618/clients/alexaforbusiness.d.ts'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/protobufjs-497d90ae/docs/fonts/OpenSans-Regular-webfont.woff'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/chimp-6e0f149b/images/test-frameworks.png'
npm ERR! code E404
npm ERR! 404 Not Found: mailparser@https://registry.npmjs.org/mailparser/-/mailparser-2.2.3.tgz

@Sing-Li Sing-Li (Member) commented May 3, 2018

Thanks @segphault @bosko @evilpacket and @isabellarussell for reporting this!
