This repository has been archived by the owner on Nov 28, 2018. It is now read-only.

Backdoored dependency? flatmap-stream-0.1.1 and flatmap-stream-0.1.2 #115

Open
NewEraCracker opened this issue Nov 19, 2018 · 40 comments

Comments

@NewEraCracker

I'm using version 3.3.6 of this module. flatmap-stream was added by this commit:
e316336

The new updates to the package on npm are very suspicious.

0.1.0: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.0.tgz
0.1.1: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz
0.1.2: https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.2.tgz

Regards.

@kevinburke

If you're reading this, it looks like the solution for the moment is to downgrade to 3.3.4 (which does not have the vulnerability) until npm support can grant permission to a new owner who won't inject compromised packages.

@funny-falcon

There were no bad intentions:
#73

@kevinburke

per the description linked here: #116 (comment)

the package attempts to steal Bitcoin from an installed Bitcoin wallet, so yes, it does seem like there were really bad intentions!!!

@funny-falcon

I mean flatmap-stream were added to this repository not to steal bitcoins but to implement functionality. @right9ctrl just didn't know flatmap were malicious.

@nic-hartley

@funny-falcon Sure, that's why an utterly unknown package was used for flatmap instead of going with any of the many, many popular libraries which already provide it (lodash springs to mind instantly, but I'm 100% sure there are plenty of others). A package which had literally zero downloads before being integrated into event-stream. That's why the major version was bumped immediately afterwards without invalidating the old minor release which introduced the attack.

Sure. You keep believing it was unintentional. Whatever you say. I bet you're not even a sockpuppet.

@supernintendo

@funny-falcon @right9ctrl deliberately added an older version of flatmap-stream that contained the malicious code. But whether this was intentional or a mistake is irrelevant. You can kill me in cold blood or as an unintentional casualty; either way I’m dead and want nothing to do with you.

@funny-falcon

All kinds of justice distinguish intentional and unintentional murders.

@cmawhorter

maybe someone has a better way, but to scan for flatmap:

find ~/ -path '*/node_modules/flatmap-stream/package.json'

and plug the results into:

const paths = `/Users/blah/.../node_modules/flatmap-stream/package.json
/Users/blah/.../node_modules/flatmap-stream/package.json
/Users/blah/.../node_modules/flatmap-stream/package.json`;
// one package.json path per line, as printed by the find command above
paths.split(/\n/g).forEach(p => {
  const pkg = require(p.trim()); // require() parses the JSON into an object
  console.log(pkg.version, p);
});

and look for 0.1.1 (i think?)

@supernintendo

@funny-falcon Are you intentionally being obtuse or are you that much of a fucking idiot? It's called an analogy. We're obviously talking about open source code, not the justice system or due process. One of two scenarios is at play here:

  1. @right9ctrl intentionally added the malicious dependency.
  2. @right9ctrl unintentionally added the malicious dependency.

Either way, this person put others at risk by adding a version of flatmap-stream containing the malicious code. The library contains less than 200 lines of JS. I honestly hope @right9ctrl was being malicious because if this is the work of a legitimate developer trying to maintain a package used by hundreds of thousands of projects, then I'm done with JavaScript. The community has reached a new low if this was truly an honest mistake.

But personally @funny-falcon, I'm not one to blindly follow Hanlon's razor. If you want to convince me (and others) that this was not a malicious act, please provide better arguments than simply spamming "no bad intentions" in every thread. You look naive at best and suspect at worst.

@kevinburke

It's not really appropriate to use that language nor to attack someone directly like that. Criticize the argument, sure, but not the person.

@NewEraCracker
Author

Can someone put a security notice on npm if there isn't any yet? That would be valuable.

@justrhysism

Can someone put a security notice on npm if there isn't any yet? That would be valuable.

As I understand it, NPM have already removed the package. But it might still be sitting in your cache.

@grantila

@right9ctrl also forked node-scrypt which is used by coin and mining software, and in the fork changed already unsafe code (invalid memory reads) into just differently unsafe code.

And a certain person assuming "no bad intentions" is, as @supernintendo said, "naive at best and suspect at worst".

@kseebrinegar

crazy.

@yoyo837

yoyo837 commented Nov 27, 2018

@right9ctrl Crazy...

dpilafian added a commit to center-key/gulp-node-slate that referenced this issue Nov 27, 2018
@funny-falcon

funny-falcon commented Nov 27, 2018

@supernintendo, first, you are really polite. Thank you for calling me a fucking idiot. That really shows your level.

Second, with my claim I added a link to the issue about flatmap functionality in this library, opened three years ago and closed three months ago by @right9ctrl. That is why I claim that it was a huge and unforgettable mistake, but just a mistake.

Third, if you, @supernintendo, never made any mistake, then you are totally right... But there is no single man who never made mistakes.

Fourth, leftpad happened more than two years ago, but people still import libraries for a dozen lines of code. That is npm tradition. Obviously @right9ctrl just followed tradition. Given that the malicious code is present only in the minified version of the library, it is clear to me he didn't notice that malware. Do you check the minified versions of all libraries you import into your project? I really doubt it.
And it is an npm issue: npm should not allow publishing of minified versions. It should allow publishing of publicly visible, well readable versions.

"Let him who is without sin cast the first stone," spoke one great man. Don't forget this sentence.

@whevether

@funny-falcon You're a good cooker. pot

@kevinpiac

kevinpiac commented Nov 27, 2018 via email

@y-chen

y-chen commented Nov 27, 2018

@kevinpiac what should I run? I don't have event-stream in my package.json.

npm install event-stream ?

Thanks

@kevinpiac

@y-chen If you are using npm version 5 or newer, running npm i should generate a package-lock.json file. This file contains event-stream since it's a peer dependency of your project. Update it to 3.3.5 (last version before the backdoor) and run npm i again. This did the trick for me.

@aichholzer

Moral of the story:

Write your own code and don't ever blindly trust your source.
